# Gramine

*A Library OS for Unmodified Applications*

https://grapheneproject.io/ (previously Graphene)

Links: [[OS]]

- [Github org](https://github.com/QubesOS)
- [Main repo](https://github.com/gramineproject/gramine), written in [[C]]
- [Example projects using Gramine](https://github.com/gramineproject/examples)
- [Documentation](https://www.qubes-os.org/doc/)
- [News](https://www.qubes-os.org/news/)
- [Downloads](https://www.qubes-os.org/downloads/)
- Supported by [[Intel]] directly

## Website

Applications programmed for one system often do not work on another. Gramine bridges this gap by hoisting application-facing code from the operating system (OS) kernel into a userspace library. Gramine uses a platform adaptation layer (PAL) that is easy to implement on a new host system. As long as a system implements the PAL interface, all of POSIX/Linux will follow.

Gramine is a library OS, similar to a unikernel. Compared to running a complete guest OS in a virtual machine (VM), Gramine is much lighter weight. Work is ongoing to integrate Gramine with Docker containers.

A particular use case for Gramine is Intel® Software Guard Extensions (Intel® SGX), where applications do not work out-of-the-box. Gramine solves this problem, with added security benefits. Gramine can also serve as a compatibility layer on other platforms.

### [[Intel]] [[SGX]] made simple

![[Screen Shot 2022-02-12 at 11.31.12 PM.png]]
![[Screen Shot 2022-02-12 at 11.31.19 PM.png]]

- Seems promising for [[-Lexe/Lexe]]

### The commitment behind Gramine

Links: [[Golem]], [[Invisible Things Lab]]

Graphene started as a research project at Stony Brook University, led by Chia-Che Tsai and Don Porter. Over time, scientists at other universities and labs have contributed to Graphene to accelerate their research on emerging hardware platforms. In 2015, Intel Labs recognized the potential for Graphene to be an open-source compatibility layer for Intel SGX, and has contributed to Graphene development since.

[[Golem]] and [[Invisible Things Lab]] (ITL) have identified a similar opportunity for Graphene to play a major role in the decentralized ecosystem, where data integrity, confidentiality, and security are cornerstones of the robust development of infrastructure and applications. Driving Graphene and ensuring its usability is part of Golem's commitment. Today, a strong team of developers and researchers from these companies works together with the founders of the project (now faculty at UNC and Texas A&M) to make sure it meets the highest quality standards while remaining easy to integrate.

Gramine has a growing user and contributor community. It has the potential to become a standard in the Intel SGX world and can be adopted for a broad variety of use cases in a diverse technological landscape.

## [Main repo](https://github.com/gramineproject/gramine)

### What is Gramine?

Gramine (formerly called Graphene) is a lightweight library OS, designed to run a single application with minimal host requirements. Gramine can run applications in an isolated environment with benefits comparable to running a complete OS in a virtual machine, including guest customization, ease of porting to different OSes, and process migration.

Gramine supports native, unmodified Linux binaries on any platform. Currently, Gramine runs on Linux and in Intel SGX enclaves on Linux platforms.

In untrusted cloud and edge deployments, there is a strong desire to shield the whole application from the rest of the infrastructure. Gramine supports this "lift and shift" paradigm for bringing unmodified applications into Confidential Computing with Intel SGX. Gramine can protect applications from a malicious system stack with minimal porting effort.

### Gramine documentation

The official Gramine documentation can be found at [https://gramine.readthedocs.io](https://gramine.readthedocs.io/).

Below are quick links to some of the most important pages:

- [Quick start and how to run applications](https://gramine.readthedocs.io/en/latest/quickstart.html)
- [Complete building instructions](https://gramine.readthedocs.io/en/latest/devel/building.html)
- [Gramine manifest file syntax](https://gramine.readthedocs.io/en/latest/manifest-syntax.html)
- [Performance tuning & analysis of SGX applications in Gramine](https://gramine.readthedocs.io/en/latest/devel/performance.html)
- [Remote attestation in Gramine](https://gramine.readthedocs.io/en/latest/attestation.html)

## [Example projects](https://github.com/gramineproject/examples)

This repository contains a curated set of Gramine examples. These examples are tested only against stable Gramine releases (i.e., they are not guaranteed to work with non-release versions of Gramine, including the latest master-branch commits). The examples were tested on Ubuntu 18.04 and 20.04.

For instructions on how to build and run each application under Gramine, please see the README in each subdirectory.

Please note that most of the examples use oversimplified configurations which are _not secure_. E.g., we frequently specify security-critical files as `sgx.allowed_files`. If you take these examples as templates for your own production workloads, please inspect and harden the configurations.

We recommend looking at the (extensively commented) [Redis example](https://github.com/gramineproject/gramine/tree/master/CI-Examples/redis) to get an idea of how to write the README, Makefile and manifest files. If you want to contribute a new example to Gramine and you take the Redis example as a template, we recommend removing the comments from your copies as they only add noise (see e.g. Memcached for a "stripped-down" example).
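As an added illustration (not a manifest from the examples repository or the Gramine docs), the fragment below contrasts the oversimplified `sgx.allowed_files` pattern the paragraph warns about with a hardened form that pins code and configuration through `sgx.trusted_files`. The application path `app/server`, the config and log file names, and the enclave size are placeholders I made up.

```toml
# Added example Gramine manifest fragment; /app/server, the .conf/.log names
# and the enclave size are placeholders. {{ ... }} expressions are Jinja
# templates expanded by `gramine-manifest`.

loader.entrypoint = "file:{{ gramine.libos }}"
libos.entrypoint = "/app/server"          # placeholder application binary

fs.mounts = [
  { path = "/lib", uri = "file:{{ gramine.runtimedir() }}" },
  { path = "/app", uri = "file:app" },
]

# --- Oversimplified (as in many examples): NOT secure ------------------------
# Entries in sgx.allowed_files are readable and writable by the enclave with
# no integrity check, so the untrusted host can replace the binary or its
# configuration and the enclave will run whatever it is handed.
# sgx.debug = true                       # debug enclave: memory inspectable by host
# sgx.allowed_files = [
#   "file:app/server",
#   "file:app/server.conf",
# ]

# --- Hardened ----------------------------------------------------------------
sgx.debug = false                         # production enclaves must not be debuggable
sgx.enclave_size = "512M"                 # placeholder

# SHA-256 of each trusted file is recorded by `gramine-sgx-sign` and becomes
# part of the signed manifest; the LibOS verifies the hash when the file is
# opened and refuses a modified file. Trusted files are read-only.
sgx.trusted_files = [
  "file:{{ gramine.libos }}",
  "file:{{ gramine.runtimedir() }}/",
  "file:app/server",
  "file:app/server.conf",
]

# Reserve allowed_files for data that is genuinely untrusted (here, a log the
# host is expected to read), never for code or security-critical configuration.
sgx.allowed_files = [
  "file:app/server.log",
]
```

Because the trusted-file hashes are folded into the signed manifest, changing any pinned file after signing changes what the enclave will accept, which is exactly the property the allowed-files shortcut gives up.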