- a Library OS for Unmodified Applications
Open-Source community project driven by a core team of contributors.
A few words about Gramine
Applications programmed for one system often do not work on another.
Gramine bridges this gap by hoisting application-facing code from the
operating system (OS) kernel into a userspace library. Gramine uses a
platform adaptation layer (PAL) that is easy to implement on a new
host system. As long as a system implements the PAL interface, all of
POSIX/Linux will follow.
Gramine is a library OS, similar to a unikernel. Compared to running a
complete guest OS in a virtual machine (VM), Gramine is much lighter
weight. Work is ongoing to integrate Gramine with Docker containers.
A particular use case for Gramine is Intel® Software Guard
Extensions (Intel® SGX), where applications do not work
out-of-the-box. Gramine solves this problem, with the added security
benefits. Gramine can serve as a compatibility layer on other
Intel SGX integration made simple
Regular integration of Intel SGX
Integration of Intel SGX with Gramine
Applications can benefit from confidentiality and integrity
guarantees of Intel SGX, but developers need to be very skilled for
effective partitioning and code modification for Intel SGX
Gramine runs unmodified applications inside Intel
supports dynamically loaded libraries, runtime linking,
multi-process abstractions, and file authentication. For additional
security, Gramine performs cryptographic and semantic checks at
untrusted host interface. Developers provide a manifest file to
configure the application environment and isolation policies,
Gramine automatically does the rest.
The commitment behind Gramine
Graphene started as a research project at Stony Brook University, led by
Chia-Che Tsai and Don Porter. Over time, scientists at other
universities and labs have contributed to Graphene to accelerate their
research on emerging hardware platforms.
In 2015, Intel Labs recognized the potential for Graphene to be an
open-source compatibility layer for Intel SGX, and has contributed to
Graphene development since.
Golem and Invisible Things Lab (ITL) have identified similarly opportunity for
Graphene to play a huge role in the decentralized ecosystem, where data
integrity, confidentiality, and security are cornerstones to the robust
development of infrastructure and applications. Driving Graphene and ensuring
its usability is part of Golem's commitment.
Today, there is a strong team of developers and researchers from these
companies working together with the founders of the project (now faculty at UNC and Texas
A&M) to make sure it meets the highest quality standards with the easiness of
integration. Gramine has a growing user and contributor community. It has the
potential to become a standard in the Intel SGX world and can be adopted by a
broad variety of use cases in a diverse technological landscape.
Past and future plans
Graphene development starts in OSCAR LAB at Stony Brook University
First paper is published at EuroSys and first public release
Graphene for Intel SGX development starts in Intel Research Lab
Graphene for Intel SGX public release
ITL/Golem get involved in the project
Graphene for Intel SGX paper is published at USENIX ATC
ITL/Golem work to deploy Graphene for Intel SGX in Golem Network and add more features
First working Graphene integration - demo with Golem
The Graphene working group is established
Building contributors' community
Delivered first major release v1.0 with new documentation and application examples
Delivered release (v1.1) with Protected FileSystem, Remote Attestation, and Docker integration
Performance optimized with Exitless stable version
Deployed in Azure cloud, Secure PPML tutorial
Improved Manifest format
Java, Go, Spark, Node.js, and additional runtimes
Planning for production ready release and optimized ML frameworks
Integration with cloud-based container deployments
Join Confidential Computing Consortium with the new name Gramine
Gramine 1.0 released
Future TEE Backends