How to modify the JRE so it can run in SGX-LKL enclave? about sgx-lkl HOT 3 CLOSED

There are two issues with the pre-packaged Alpine OpenJDK:

1. It uses 'execve' under certain circumstances which SGX-LKL currently does not support.
2. It requires file-backed mmap support which (this version of ) SGX-LKL currently does not support.

You can get around the first issue by making sure the LD_LIBRARY_PATH starts with a specific prefix which the JVM checks against when deciding whether to rerun via execve. The second issue requires changes to SGX-LKL. Memory-mapping files is obviously not the best idea in a memory-restricted environment such as Intel SGX enclaves but it's possible to disable most of the memory-mapped I/O via runtime parameters. The remaining mappings still need to be supported by SGX-LKL.

Anyway, we actually do have a fix for both issues internally that allows SGX-LKL to run with the official Alpine OpenJDK8 JRE. It needs a bit of cleaning up but I will try to do that and push the change in the next few days.

from sgx-lkl.

Thank you!

from sgx-lkl.

With the most recent commit, SGX-LKL now supports the Alpine-packaged OpenJDK8 JRE. The HelloWorld example and the sgx-lkl-java wrapper have been updated accordingly.

Two important notes on this:

1. The LD_LIBRARY_PATH has to be set and has to start with /usr/lib/jvm/java-1.8-openjdk/jre/lib/amd64/server:/usr/lib/jvm/java-1.8-openjdk/jre/lib/amd64:/usr/lib/jvm/java-1.8-openjdk/jre/../lib/amd64 in order to prevent the JVM from re-executing java via execve.
2. File-mapped mmap has to be specifically enabled for SGX-LKL. This is necessary because the JVM will mmap a small portion of the runtime library rt.jar.

Both of these requirements are incorporated into the the sgx-lkl-java tool.

from sgx-lkl.