Elasticlave is a Trusted Execution Environment (TEE) design which enables efficient cross-enclave data sharing. This repository contains the prototype implementation based on Keystone as described in "Elasticlave : An Efficient Memory Model for Enclaves" at Usenix Security Symposium 2022). For simplicity, we directly refer to this prototype implementation as Elasticlave in this document.
We support two options for running Elasticlave:
- On a RISC-V SoC simulated with FireSim. This can give accurate performance data and is therefore suitable for performance benchmarking. However, it is generally much slower than the second option.
- On a system emulated with QEMU. It cannot provide accurate performance data but runs fast and is great for testing the functionality.
The setup of Elasticlave differs depending on the option chosen.
You need to set up FireSim on AWS EC2. Elasticlave and the associated scripts in this repository
have been tested on FireSim 1.9.0, which is included as a submodule in firesim/
along with the
Elasticlave-specific configuration files.
Please refer to the FireSim documentation for instructions.
We have dockerised the remaining software dependencies. See the official website of Docker for instructions on installing Docker on your system.
git clone https://github.com/jasonyu1996/elasticlave.git --recursive --shallow-submodules
cd elasticlave
git submodule update --init --recursive
./docker.sh MAKE_FIRESIM=1
./run-firesim.sh
By default, this uses FireSim in firesim/
. If you have set up FireSim in a different directory,
specify the FIRESIM_HOME
environment variable:
FIRESIM_HOME=<your-firesim-directory> ./run-firesim.sh
We have dockerised most of the software dependencies, so there should be little problem running Elasticlave on any x86-64 Linux distribution with Docker installed. See the official website of Docker for instructions on installing Docker on your system.
git clone https://github.com/jasonyu1996/elasticlave.git
cd elasticlave
git submodule update --init --recursive
./docker.sh
./docker-run.sh ./run.sh
When prompted for the login, enter root
. The corresponding password is sifive
.
You can configure which benchmarks to include in the built file system. To achieve this, edit the file KEYSTONE_FOLDER/tests/tests/mkconfig.mk
and uncomment the names of the benchmarks you want to include.
Below are lists of the benchmarks included in this repository.
Benchmark set | Elasticlave (spinlock) | Elasticlave (futex) | Spatial isolation | Native non-TEE |
---|---|---|---|---|
Lock | lock |
lock-futex |
lock-spatial |
lock-native |
Benchmark set | Elasticlave | Elasticlave (no lock bit) | Spatial isolation |
---|---|---|---|
Producer-consumer | icall-consumer |
icall-consumer-ne |
icall-consumer-baseline |
Client-server | icall-server |
icall-server-ne |
icall-server-baseline |
Proxy | icall-proxy-3 |
icall-proxy-3-ne |
icall-proxy-3-baseline |
Benchmark set | Elasticlave | Spatial isolation | Native non-TEE |
---|---|---|---|
IOZone | iozone |
iozone-baseline |
iozone-native |
The implementation provided in this repository is based on Keystone.
This repository includes the third-party benchmark IOZone. The licence is included in its source files.
Below is the original README from Keystone, which can also be valuable fo reference.
Visit Project Website for more information.
master
branch is for public releases.
dev
branch is for development use (up-to-date but may not fully documented until merged into master
).
See docs for getting started.
See CONTRIBUTING.md