Skip to content

Releases: islet-project/islet

Debian12 image for Realm

26 Sep 02:05
Compare
Choose a tag to compare

This is a debian12 image that can be running on Realm as a root file system.
It is built to support running rich applications (e.g., python) with full internet capabilities (e.g., wget).

attached files

  • debian12.img: a pre-built debian12 image that contains some packages such as python3, python3-pip, and so on.
  • create-image.sh: a script that was used to create the attached debian12.img.
    • command to create an image: ./create-image.sh -a aarch64
    • you can build your own image that ships with additional packages you need. (see line-191 ~ line-194 to know how)
  • iptables: a pre-built iptables binary for arm64, needed to enable full internet capabilities

how to boot Realm with this debian image

  • relevant components

    • PC Host, which tries to launch FVP Host.
    • FVP Host, which is going to be running as a guest machine of PC Host.
    • Realm, which is going to be launched by FVP Host and acts as a guest to FVP Host.
  • instructions

// prerequisites:  copy debian12.img and iptables into the shared directory with FVP Host
$ <PC Host> download debian12.img.tar.xz and iptables, and decompress debian12.img.tar.xz
$ <PC Host> cp -f debian12.img /your/islet/directory/out/shared/
$ <PC Host> cp -f iptables /your/islet/directory/out/shared/

// run FVP
$ <PC Host> ./scripts/fvp-cca --normal-world=linux-net --realm=linux --rmm=islet --hes --no-telnet --rmm-log-level=info --ifname=<the interface name of your PC Host, e.g., eth0> --host-ip=<the IP address of your PC Host>
$ <PC Host> telnet localhost 5000   // connect to the terminal for FVP Host
...
... // wait some minutes to log in FVP Host
...
$ <FVP Host> ./launch-realm-debian.sh
...
...  // wait some minutes to log in Realm
... 
Press Enter for maintenance
(or press Control-D to continue): 
<Realm> root@islet:~#  // --> this is the shell of debian12-!
...
// you need to wait few more seconds for it to detect network interface cards...
...
<Realm> root@islet:~#  ifconfig
enp0s1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 193.168.20.10  netmask 255.255.255.0  broadcast 193.168.20.255   
// "enp0s1" being detected means you're now able to connect to the internet.

<Realm> root@islet:~# mkdir /shared && mount -t 9p -o trans=virtio,version=9p2000.L FMR /shared
// type in this if you want to access "shared directory with the host"
  • notes

    • The file system image at runtime is volatile, meaning that modifications to the image go away right after the FVP gets terminated. If you want to back up the image, copy from /debian12.img to /shared/ in the FVP Host.
  • remaining issues

    • It has been confirmed internet connections in the debian-based Realm, through wget and curl. But, it has still problems with apt-get install. We recommend (at least at this moment) you to install packages needed when creating a debian image in the very first place.
    • The debian boot didn't work properly when debian12.img was placed in the 9p-based shared directory. debian12.img was copied into the root filesystem in FVP Host to get around this issue.
    • Slow.. need patience.

Islet 1.0

31 Jan 06:27
Compare
Choose a tag to compare

Release 1.0

New Features and Improvements

  • RMM (Realm Management Monitor) has been added based on Arm CCA Spec 1.0-beta0 with the following functionalities:
    • Rust-based RMM
    • 23 Realm Management Interfaces
    • 5 Realm Service Interfaces
  • SDK has been added to provide support for four cross-platform C.C framework APIs provided by Certifier.
  • Hardware-enhanced Security (HES) module has been integrated into the system.

Use Cases

  • Confidential Machine Learning scenario has been implemented.
  • Cross-Platform End-to-End Encryption (E2EE) example has been implemented.
  • Remote attestation using veraison verification

Testing

  • The system has successfully passed 40% of the Architecture Compliance Suite (ACS).

Events

cc-summit-2023-demo-v0.5

23 Jun 06:43
Compare
Choose a tag to compare
Pre-release

notes

  • This docker image is based on ubuntu 22.04.
  • This docker image contains "FVP/Realm support", "the latest certifier framework code", "transcribe_client which can be running on FVP/Realm".
  • This docker image is built on top of this certifier commit. (I modified the certifier code a little bit to get "transcribe_client" to work on FVP(aarch64). If you need to modify and rebuild "transcribe_client", please do that in this docker image)

download and import docker image (in your host)

$ gzip -d cca_ubuntu_release.tar.gz
$ cat cca_ubuntu_release.tar | sudo docker import - cca_release:latest

run the docker image (in your host)

$ sudo docker run --privileged --net=host -it -d -v "/your/path/to/share":/home/workspace --name=cca_ubuntu_release cca_release /bin/bash   # run docker
--→ how to get in the docker shell after running the docker image:   "sudo docker exec -it cca_ubuntu_release /bin/bash"

set networking (inside docker)

this is a one-time need.

$ cd /
$ ./set-network.sh policy_host_ip server_app_host_ip   # e.g.,   ./set-network.sh 10.77.1.1 10.88.2.2
-→ this script does a network setting for communication between host and FVP/Realm
--→ also, this script launches a packet forwarding daemon, which passes packets that come from FVP/Realm to policy_host_ip and server_app_host_ip.
--→ check if network is properly set up:
        - "ifconfig" → ARMroot:  ..... inet 193.168.10.15
        - "ps -ef | grep rinetd"  → rinetd -c rinetd.conf -f (packet forwarding daemon)

build client (inside docker)

$ cd /certifier-framework-for-confidential-computing/sample_apps/transcribe_client
$ ./clean.sh
$ ./build.sh
--→ output-1:  transcribe_client (aarch64 binary that runs on FVP/Realm),
--→ output-2:  dummy_server (x86_64 binary that runs on Host),  which takes  'jfk.wav' file and always returns the same message 'dummy_transcript'
--→ build.sh also copies binary files to the place where FVP/Realm can read.

run certifier_service and dummy_server (inside docker) → for testing purpose on the samsung side, you can skip this procedure

open two docker terminals

<terminal-1> $ cd /certifier-framework-for-confidential-computing/sample_apps/transcribe_client/certifier-service
<terminal-1> $ ./run.sh 10.77.1.1
<terminal-2> $ cd /certifier-framework-for-confidential-computing/sample_apps/transcribe_client
<terminal-2> $ ./dummy_server  --policy_host="10.77.1.1" --server_app_host="10.88.2.2"

run FVP (inside docker)

open two docker terminals

<terminal-1> $ cd /islet
<terminal-1> $ ./run.sh   → run fvp
<terminal-2> $ cd /islet
<terminal-2> $ ./shell.sh  → get in the terminal of fvp
--→ once FVP is properly launched, you can see the following FVP shell.
``
Running sysctl: OK
Saving random seed: OK
Starting network: OK
#
``

<FVP shell> $  cd /shared
<FVP shell> $ ./launch-realm.sh    -→ launch a secure virtual machine, called Realm in CCA, in which whisper_client will be running.
..... it takes a bit long.. please bear with it....
``
Info: (arm/aarch64/kvm.c) kvm__get_vm_type:194: max_ipa 8fffffff ipa_bits 33 max_ipa_bits 48     // start launching Realm (use the kvm interface of linux)
...
Welcome to Buildroot
buildroot login:  root   // → booting done.
``

<Realm shell> $ /shared/set-realm-ip.sh   # network setting
<Realm shell> $ cd /shared/transcribe_client
<Realm shell> $ ./run.sh   # run transcribe_client
....  takes a bit long...
``
Audio file size: 352078
....
Transcript:
dummy_transcript   // → Done!
``

certifier-v1.0.2-beta

21 Jun 07:34
Compare
Choose a tag to compare
certifier-v1.0.2-beta Pre-release
Pre-release

Changes:

  • Added Islet CLI
  • Updated verify logic of attestation

example-confidential-ml-v1.1

26 May 08:14
Compare
Choose a tag to compare
Pre-release

What's new

  • Nodejs servers to make confidential-ml demo more fancy. (path: /islet/examples/confidential-ml/gui-server)
  • Support code generation model and test with GUI

certifier-v1.0.1-beta

17 May 06:46
Compare
Choose a tag to compare
certifier-v1.0.1-beta Pre-release
Pre-release
sdk: Add islet_status_t to handle error

Signed-off-by: Sangwan Kwon <sangwan.kwon@samsung.com>

certifier-v1.0-beta

15 May 03:03
Compare
Choose a tag to compare
certifier-v1.0-beta Pre-release
Pre-release
encode ABI version considering both major and minor

Signed-off-by: Jinbum Park <jinb.park@samsung.com>

example-confidential-ml-v1.0

10 May 08:44
Compare
Choose a tag to compare
Pre-release

This is a release for confidential-ml example. This holds a docker image that makes things easier for developers to try out this example.
The docker image contains a minimal set of libraries and binaries in order to run the confidential-ml example and is based on Ubuntu 22.04.