Golem, a project building a decentralized marketplace for computing power, announced today the release of Graphene v1.0. The Graphene library OS is a project for running unmodified Linux applications, i.e., native binaries from a standard Linux distribution.
This first stable release results from the alliance formed back in April, when Golem and Invisible Things Labs (ITL), joined forces with Intel Labs, and the original creators, Chia-Che Tsai and Don Porter. This alliance was formed to guide the development of Graphene, a Library OS for portable applications, supporting Intel Software Guard Extensions (Intel SGX).
The v.1.0 release was launched as the Golem team noticed that users often need to repackage and sign their application with Graphene. Thus, it is providing this snapshot as a pre-production version for long-term development and testing.
With Graphene, Golem can provide secure and convenient computational services that satisfy the highest requirements of the users that are operating with sensitive and valuable data.
Currently, the most popular platform that Graphene will port to is Intel SGX, an Intel CPU feature for establishing a trusted execution environment (TEE) on an untrusted host platform. The Graphene library OS can run inside the Intel SGX library so that unmodified applications can get the advantages of running inside an enclave.
The Golem team believes that “Graphene can play a key role in the decentralized ecosystem, where data integrity, confidentiality, and security are cornerstones to the robust development of infrastructure and applications. Driving Graphene and ensuring its usability is part of Golem’s commitment to the advancement of technology in the decentralized space.”
Graphene v1.0 is not completely ready for production use yet, as the development team is still fixing the remaining stability and security issues.
Features of Graphene v1.0
The Graphene v1.0 release includes bug fixes, stability and security enhancements, and new features which are fundamental to a trusted execution environment.
Below is a complete list of the major features in Graphene v1.0:
- Improved stability
- Enhanced interface security for SGX
- Improved documentation and sample app integrations
- Statically linked binaries support (SGX-only now)
- Remote attestation
- Support for Ubuntu 18.04 and newer glibc versions (2.19, 2.23, and 2.27)
- New applications including Memcached, Redis, and Tensorflow.
Graphene v1.0 has a built-in remote attestation feature, specifically designed for unmodified applications. Graphene supports the official Intel attestation service with Intel Enhanced Privacy ID (Intel EPID). Users can unlock this feature by providing a Software Product ID (SPID) and a subscription key from the Intel service portal.
With the remote attestation feature enabled, Graphene will ensure that the Intel SGX platform to be genuine and up-to-date before running an application. No modification is needed in the application. Users can also export the remote attestation signed by the Intel attestation service to be verified by a remote server. In the future, Golem plans to add a sealed vault and a key pair for encryption.
Docker compatibility in Graphene v1.0
The Graphene Secure Container (GSC) framework (still experimental) integrates the Docker framework to run a Docker container with enclave protection. GSC takes an unmodified Docker image and converts into a new image for Graphene – Intel SGX, which contains the configurations (i.e., manifest files) for running a Docker application with Graphene – Intel SGX. GSC provides bidirectional protection between the containers and the host systems. Users can also use GSC to save the effort of configuring Graphene – Intel SGX.
The maintenance and technical support from the Graphene project will continue, with more minor and major releases in the future.
As a preview for the next release, the Golem team is still working on:
- Better networking support, including a reworked epoll() mechanism and better support of events on the TCP/UDP sockets.
- Exitless (aka switchless) system calls to improve performance of I/O-heavy workloads like Redis.
- Dynamic memory management and thread creation on SGX.
- Hooks for remote attestation to enable application-specific secret-provisioning mechanisms.
- Support DCAP attestation.
- More application examples, including machine learning/AI workloads (OpenVINO), databases (MySQL, MariaDB), and IoT
- Merging all the Graphene-ng features to Graphene.
- Support for Go and Java applications.