# Mystikos

Links: [[SGX]] - [GitHub](https://github.com/deislabs/mystikos) - Written in [[C]]

## Resources

- [Getting started with a native Rust program](https://github.com/deislabs/mystikos/blob/main/doc/user-getting-started-rust.md)
- [Getting started with a containerized C++ program](https://github.com/deislabs/mystikos/blob/main/doc/user-getting-started-docker-c++.md) (containerizing using Docker)
- [Mystikos Samples](https://github.com/deislabs/mystikos/tree/main/samples)

## [GitHub Docs](https://github.com/deislabs/mystikos/tree/main/doc)

- [Key Features of Mystikos](https://github.com/deislabs/mystikos/blob/main/doc/key-features.md)
- [Mystikos Developer's Jumpstart Guide](https://github.com/deislabs/mystikos/blob/main/doc/dev-jumpstart.md)
- [Signing and packaging an application with Mystikos](https://github.com/deislabs/mystikos/blob/main/doc/sign-package.md)
- [Mystikos Release Management](https://github.com/deislabs/mystikos/blob/main/doc/releasing.md)
- [Running Simple Applications](https://github.com/deislabs/mystikos/blob/main/doc/running-simple-app.md)
- [Notable limitation of system call support in Mystikos](https://github.com/deislabs/mystikos/blob/main/doc/syscall-limitations.md)

## [GitHub README](https://github.com/deislabs/mystikos)

### What is Mystikos?

**Mystikos** is a runtime and a set of tools for running Linux applications in a hardware trusted execution environment (TEE). The current release supports **Intel® SGX**, while other TEEs may be supported in future releases.

### Goals

- Enable protection of application code and data while in memory through the use of hardware TEEs. This should be combined with proper key management, attestation and hardware roots of trust, and encryption of data at rest and in transit to protect against other threats which are out of scope for this project.
- Streamline the lift-and-shift of applications, either native or containerized, into TEEs, with little or no modification.
- Allow users and application developers control over the makeup of the trusted computing base (TCB), ensuring that all components of the execution environment running inside the TEE are open sourced with permissive licenses.
- Simplify re-targeting to other TEE architectures through a plugin architecture.

### Architecture

**Mystikos** consists of the following components:

- a C runtime based on [musl libc](https://musl.libc.org) that is glibc compatible
- a "lib-os like" kernel
- the kernel-target interface (TCALL)
- a command-line interface
- some related utilities

Today, two target implementations are provided:

- The **SGX** target (based on the [Open Enclave SDK](https://github.com/openenclave/openenclave))
- The **Linux** target (for verification on non-SGX platforms)

The minimalist kernel of Mystikos manages essential computing resources inside the TEE, such as CPU/threads, memory, files, networks, etc. It handles most of the syscalls that a normal operating system would handle (with [limits](doc/syscall-limitations.md)). Many syscalls are handled directly by the kernel, while others are delegated to the target specified when launching Mystikos.

![[Pasted image 20220327215507.png]]