README
ΒΆ
MarbleRun
MarbleRun is a framework for creating distributed confidential-computing apps.
Build your confidential microservices with EGo or another runtime, distribute them with Kubernetes on an SGX-enabled cluster, and let MarbleRun take care of the rest. Deploy end-to-end secure and verifiable AI pipelines or crunch on sensitive big data in the cloud.
MarbleRun guarantees that the topology of your distributed app adheres to a Manifest specified in simple JSON. MarbleRun verifies the integrity of services, bootstraps them, and sets up encrypted connections between them. If a node fails, MarbleRun will seamlessly substitute it with respect to the rules defined in the Manifest.
To keep things simple, MarbleRun issues one concise remote attestation statement for your whole distributed app. This can be used by anyone to verify the integrity of your distributed app.
Key features
π Authentication and integrity verification of microservices with respect to a Manifest written in simple JSON
π Secrets management for microservices
π¦ Provisioning of certificates, configurations, and parameters for microservices
π Remote attestation of the entire cluster
Overview
Supported runtimes
MarbleRun supports services built with one of the following frameworks:
More are coming soon.
Quickstart and documentation
See the Getting Started Guide to set up a distributed confidential-computing app in a few steps. See the documentation for details.
Community & help
- Got a question? Please get in touch via Discord or file an issue.
- If you see an error message or run into an issue, please make sure to create a bug report.
- Get the latest news and announcements on Twitter, LinkedIn or sign up for our monthly newsletter.
- Visit our blog for technical deep-dives and tutorials.
Contributing
- Read
CONTRIBUTING.mdfor information on issue reporting, code guidelines, and our PR process. BUILD.mdincludes general information on how to work in this repo.- Pull requests are welcome! You need to agree to our Contributor License Agreement.
- This project and everyone participating in it are governed by the Code of Conduct. By participating, you are expected to uphold this code.
- Please report any security issue via a private GitHub vulnerability report or write to security@edgeless.systems.
Examples
Hello world
We provide basic examples on how to build confidential apps with MarbleRun:
- See helloworld for an example in Go
- See helloc++ for an example in C++
- See gramine-hello for an example using Gramine
- See occlum-hello for an example using Occlum
Advanced
In case you want to see how you can integrate popular existing solutions with MarbleRun, we provide more advanced examples:
- See gramine-nginx for an example of converting an existing Gramine application to a Marble
- See gramine-redis for a distributed Redis example using Gramine
Confidential emoji voting
The popular Linkerd service mesh uses the simple and scalable emojivoto app as its default demo. Check out our confidential variant. Your emoji votes have never been more secure! π
Directories
ΒΆ
| Path | Synopsis |
|---|---|
|
internal/cmd
Package cmd implements the MarbleRun's CLI commands.
|
Package cmd implements the MarbleRun's CLI commands. |
|
internal/helm
Package helm provides functions to install and uninstall the MarbleRun Helm chart.
|
Package helm provides functions to install and uninstall the MarbleRun Helm chart. |
|
internal/rest
Package rest provides methods and functions to communicate with the MarbleRun Coordinator using its REST API.
|
Package rest provides methods and functions to communicate with the MarbleRun Coordinator using its REST API. |
|
cmd
|
|
|
coordinator
|
|
|
clientapi
package clientapi implements methods for users to interact with the Coordinator.
|
package clientapi implements methods for users to interact with the Coordinator. |
|
constants
constants defines constant values used in the Coordinator.
|
constants defines constant values used in the Coordinator. |
|
core
Package core provides the core functionality for the Coordinator object including state transition, APIs for marbles and clients, handling of manifests and the sealing functionalities.
|
Package core provides the core functionality for the Coordinator object including state transition, APIs for marbles and clients, handling of manifests and the sealing functionalities. |
|
crypto
crypto provides common cryptographic functions used by the Coordinator.
|
crypto provides common cryptographic functions used by the Coordinator. |
|
events
Package events implements a log of coordinator events.
|
Package events implements a log of coordinator events. |
|
quote
Package quote provides the quoting functionialty for remote attestation on both Coordinator and Marble site.
|
Package quote provides the quoting functionialty for remote attestation on both Coordinator and Marble site. |
|
seal
Package seal implements sealing operations for the Coordinator.
|
Package seal implements sealing operations for the Coordinator. |
|
server
Package server contains the ClientAPI HTTP-REST and MarbleAPI gRPC server.
|
Package server contains the ClientAPI HTTP-REST and MarbleAPI gRPC server. |
|
state
State is the sequence of states a Coordinator may be in.
|
State is the sequence of states a Coordinator may be in. |
|
store/request
request defines constants used to access the store.
|
request defines constants used to access the store. |
|
store/wrapper/testutil
Package testutil provides utility functions to access store values in unit tests.
|
Package testutil provides utility functions to access store values in unit tests. |
|
hack
|
|
|
clidocgen
Clidocgen generates a Markdown page describing all CLI commands.
|
Clidocgen generates a Markdown page describing all CLI commands. |
|
internal
|
|
|
marble
|
|
|
config
Package config defines the environment variables expected by the Marble for configuration settings.
|
Package config defines the environment variables expected by the Marble for configuration settings. |
|
premain
Package premain contains the logic invoked before the applications actual main-function, that authenticates to the coordinator and pulls configurations and secrets which are subsequently passed to the application.
|
Package premain contains the logic invoked before the applications actual main-function, that authenticates to the coordinator and pulls configurations and secrets which are subsequently passed to the application. |
|
framework
Package framework provides a testing framework for MarbleRun integration testing.
|
Package framework provides a testing framework for MarbleRun integration testing. |