Instead loading enclave runtime in container, rune should always load it at bootstrap,
in order to avoid dlopen issue.
Signed-off-by: NTianjia Zhang <tianjia.zhang@linux.alibaba.com>

This new implementation inspires the design of https://github.com/jsakkine-intel/linux-sgx/tree/next/tools/testing/selftests/x86/sgx, which is a real enclave runtime.
Signed-off-by: Njack.wxz <wangxiaozhe@linux.alibaba.com>

execute sgx_sign in the occlum container

shim: open source code

It should be not so complex to cast client agent pipe in so many forms.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>

Refer to docs/rune_quick_start.md available in occlum github repository instead
of docs/running_occlum_with_rune.md in this repository.
Signed-off-by: NYilin Li <YiLin.Li@linux.alibaba.com>

Signed-off-by: Njack.wxz <wangxiaozhe@linux.alibaba.com>

If the returned error is empty, don't raise an error in any way.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>

If the program launched by rune exec is terminated, runelet process
is unstoppable. Just kick off it through the channel notifyExit.
Signed-off-by: NXiaozhe Wang <wangxiaozhe@linux.alibaba.com>
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>

Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>

1. Given the signature file of an Enclave, runectl gen-token command can generate the corresponding token file from Intel aesmd service.
2. runectl attest command can allow users to challenge the enclave with the help of Intel Attestation Service through remote attestation
requests. runectl command will open soon.
Signed-off-by: NYilin Li <YiLin.Li@linux.alibaba.com>
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>

Unlike what is done in the process of initialization of container
entrypoint, the exec fifo fd is not closed without closing it
explicitly, resulting in rune start cannot be terminated.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>

It was intended to have fds without close-on-exec with the side
effect of dup(), but acutally all fds staged are already
close-on-exec clear. Thus dup() makes extra duplications of fds
passed to init-runelet.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>

If the enclave devices doesn't exist, don't add them into the default device list and cgroup whitelist.
Signed-off-by: NYilin Li <YiLin.Li@linux.alibaba.com>

Instead using the hard code "off".
Signed-off-by: NYilin Li <YiLin.Li@linux.alibaba.com>

The prototype declaration of pal_init() is wrong, this is a
copy-paste error, this patch fixes it.
Signed-off-by: NTianjia Zhang <tianjia.zhang@linux.alibaba.com>

Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>

Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>

Signed-off-by: NYilin Li <YiLin.Li@linux.alibaba.com>
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>

inclavare-containers is a set of tools for running trusted
applications in containers with the hardware-assisted enclave
technology. Enclave, referred to as a protected execution
environment, prevents the untrusted entity from accessing the
sensitive and confidential assets in use.

Currently, inclavare-containers consists of two core components:
rune and enclave runtime.

rune is a CLI tool for spawning and running enclaves in containers
according to the OCI specification. The codebase of rune is
a fork of runc, so rune can be used as runc if enclave is not
configured or available.

Enclave runtime is the backend of rune, which is responsible
for loading and running applications inside enclaves. The
interface between rune and enclave runtime is Enclave Runtime PAL
API, which allows invoking enclave runtime through well-defined
functions. The software for confidential computing may benefit
from this interface to interact with OCI runtime.

Additionally, this commit includes additional information about the
use of inclavare-containers.
- Run sample enclave runtime skeleton with rune
- Run enclave runtime Occlum with rune

See README.md for more details.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
Signed-off-by: NXiaozhe Wang <wangxiaozhe@linux.alibaba.com>
Signed-off-by: NYilin Li <YiLin.Li@linux.alibaba.com>