Library OS for running Linux multi-process applications, with Intel SGX support
Graphene is a library OS designed to run unmodified Linux applications within Intel SGX enclaves, enabling confidential computing for sensitive workloads. It targets developers and organizations needing to protect applications from untrusted infrastructure with minimal porting effort.
How It Works
Graphene acts as a lightweight, Linux-compatible library OS that intercepts system calls, allowing unmodified binaries to run within an Intel SGX enclave. This approach provides VM-like isolation and security benefits, shielding applications from the host system, including the kernel and hypervisor. It supports multi-process applications with encrypted inter-process communication, and it supports full SGX attestation.
Maintenance & Community
The project is actively maintained with a growing community. Development is transitioning to a new repository at https://github.com/gramineproject/gramine under the Confidential Computing Consortium (Linux Foundation). Support is available via email at support@graphene-project.io, and bug reports can be filed on GitHub.
Licensing & Compatibility
The README does not explicitly state the license. Compatibility for commercial use or closed-source linking is not detailed.
Limitations & Caveats
The project is undergoing a transition to a new repository and build system (Meson), indicating potential ongoing changes and instability. Support for specific workloads and features is continuously evolving.