Tools and runtime for launching unmodified container images in Trusted Execution Environments

Mystikos

What is Mystikos?

Mystikos is a runtime and a set of tools for running Linux applications in a hardware trusted execution environment (TEE). The current release supports Intel® SGX; other TEEs may be supported in future releases.

Goals

  • Enable protection of application code and data while in memory through the use of hardware TEEs. This should be combined with proper key management, attestation and hardware roots of trust, and encryption of data at rest and in transit to protect against other threats, which are out of scope for this project.
  • Streamline the process of lifting and shifting applications, either native or containerized, into TEEs with little or no modification.
  • Give users and application developers control over the makeup of the trusted computing base (TCB), ensuring that all components of the execution environment running inside the TEE are open source with permissive licenses.
  • Simplify re-targeting to other TEE architectures through a plugin architecture.

Architecture

Mystikos consists of the following components:

  • a C runtime based on musl libc that is glibc compatible
  • a "lib-OS like" kernel
  • the kernel-target interface (TCALL)
  • a command-line interface
  • some related utilities

Today, two target implementations are provided:

  • The SGX target (based on the Open Enclave SDK)
  • The Linux target (for verification on non-SGX platforms)

The minimalist kernel of Mystikos manages essential computing resources inside the TEE, such as CPU/threads, memory, files and networks. It handles most of the syscalls that a normal operating system would handle (with limits). Many syscalls are handled directly by the kernel, while others are delegated to the target specified when Mystikos is launched.

Installation Guide for Ubuntu

Mystikos may be built and installed on Ubuntu 20.04.

Install from Released Package

To install Mystikos using one of the released packages, please follow the appropriate guide to install on Ubuntu 20.04.

Install From Source

You may also build Mystikos from source. The build process will install the SGX driver and SGX-related packages for you.

Quick Start Docs

Eager to get started with Mystikos? We've prepared a few guides, starting from a simple "hello world" C program and increasing in complexity, including demonstrations of DotNet and Python/NumPy.

Give it a try and let us know what you think!

Simple Applications

  • A Simple "Hello World" in C: click here
  • A Simple "Hello World" in Rust: click here
  • Dockerizing your "Hello World" app: click here
  • Introducing Enclave Configuration with a DotNet program: click here
  • Running Python & NumPy for complex calculations: click here

Samples

Mystikos samples provides a number of samples in various programming languages and is a good place for developers to start.

Enclave Aware Applications

Sometimes you want to take advantage of specific properties of the Trusted Execution Environment, such as attestation. The following example shows how to write a C program that changes its behaviour when it detects that it has been securely launched inside an SGX enclave.

  • Getting started with a TEE-aware program: click here

More Docs!

We've got plans for a lot more documentation as the project grows, and we'd love your feedback and contributions, too.

  • Key features of Mystikos: click here
  • General concepts of Mystikos: click here
  • Deep dive into Mystikos architecture: [coming soon]
  • How to implement support for a new TEE: [coming soon]
  • Kernel limitations: click here
  • Multi-processing and multi-threading in Mystikos and limitations: [coming soon]

Developer Docs

Looking for information to help you with your first PR? You've found the right section.

  • Developer's jump start guide: click here
  • Signing and packaging applications with Mystikos: click here
  • Release management: click here
  • Notable unsupported kernel features and syscalls: [coming soon]

For more information, see the Contributing Guide.

Licensing

This project is released under the MIT License.

Reporting a Vulnerability

Please DO NOT open vulnerability reports directly on GitHub.

Security issues and bugs should be reported privately via email to the Microsoft Security Response Center (MSRC) at [email protected]. You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message.

Code of Conduct

This project has adopted the Microsoft Code of Conduct. All participants are expected to abide by these basic tenets to ensure that the community is a welcoming place for everyone.
