
docs: add TEE analysis for issue #168 #226

Open
forkline-bot[bot] wants to merge 9 commits into master from docs/168-tee-analysis-v2

Conversation

forkline-bot bot commented Apr 6, 2026

Summary

  • Comprehensive analysis of TEE solutions for securing Passless authenticator
  • Evaluates Enarx, Gramine, Occlum, Confidential Containers, and Intel SGX SDK
  • Recommends Gramine with Intel SGX as primary solution
  • Adds Gramine/Intel SGX integration with manifest, Makefile, and scripts
  • Adds passless-tee workspace package for TEE integration
  • Adds contrib scripts and systemd service for TEE deployment

Recommendations

  1. Primary: Gramine with Intel SGX - Production-ready, runs unmodified binaries, minimal user experience impact
  2. Keep TPM 2.0 Backend - Hardware binding without requiring TEE-capable hardware
  3. Future: AMD SEV - For cloud deployment scenarios

Key Findings

| Solution | Feasibility | Status |
|---|---|---|
| Gramine | HIGH | Active, release June 2025 |
| Occlum | MEDIUM | Active, Rust-based LibOS |
| Enarx | LOW | No releases since 2023, requires WASM |
| Confidential Containers | LOW | Kubernetes-focused, overkill for single-node |
| Intel SGX SDK | LOW | Requires significant code refactoring |

Resolves: #168
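The description above says the passless-tee crate detects TEE hardware (Intel SGX, AMD SEV) and that Gramine/SGX should be preferred with TPM 2.0 as the fallback. The block below is an added example written for this review, not code from the PR or the passless-tee crate. It decodes the capability bits from CPUID registers in a pure function so the logic can be tested against constructed register values without TEE hardware. Bit positions are those documented by Intel (leaf 7 and leaf 0x12) and AMD (leaf 0x8000001F); the function names, the `choose_backend` ordering, the `/dev/sgx_enclave` check and the sample register tables are assumptions of this example. The caveat a practitioner wants: CPUID only says what the CPU advertises. SGX can be disabled in firmware and needs the kernel driver, Gramine's SGX backend needs Flexible Launch Control, and inside a VM these leaves are whatever the hypervisor exposes.

```rust
// Added example (not the passless-tee crate's code): decode Intel SGX and
// AMD SEV capability bits from CPUID so detection is testable offline.
// Bit positions: Intel SDM (leaf 7, leaf 0x12) and AMD APM (leaf 0x8000001F).

/// The four registers returned by one CPUID query.
#[derive(Clone, Copy, Debug, Default, PartialEq, Eq)]
pub struct Regs {
    pub eax: u32,
    pub ebx: u32,
    pub ecx: u32,
    pub edx: u32,
}

/// Capabilities as advertised by CPUID. Advertised is not usable: SGX can be
/// disabled in firmware and still needs /dev/sgx_enclave, and in a guest these
/// leaves are whatever the hypervisor chooses to expose.
#[derive(Clone, Debug, Default, PartialEq, Eq)]
pub struct TeeCaps {
    pub vendor: String,
    pub sgx: bool,     // CPUID.(7,0):EBX[2]
    pub sgx1: bool,    // CPUID.(0x12,0):EAX[0]
    pub sgx2: bool,    // CPUID.(0x12,0):EAX[1]
    pub sgx_flc: bool, // CPUID.(7,0):ECX[30], Flexible Launch Control
    pub sev: bool,     // CPUID.(0x8000001F,0):EAX[1]
    pub sev_es: bool,  // CPUID.(0x8000001F,0):EAX[3]
    pub sev_snp: bool, // CPUID.(0x8000001F,0):EAX[4]
}

/// Build a constructed leaf 0 for a 12-byte vendor string (test data helper).
pub fn vendor_leaf(vendor: &str, max_basic_leaf: u32) -> Regs {
    let b = vendor.as_bytes();
    assert_eq!(b.len(), 12, "vendor string must be 12 bytes");
    let word = |i: usize| u32::from_le_bytes([b[i], b[i + 1], b[i + 2], b[i + 3]]);
    // Leaf 0 stores the vendor string in EBX, EDX, ECX order.
    Regs { eax: max_basic_leaf, ebx: word(0), edx: word(4), ecx: word(8) }
}

/// Decode capabilities from any CPUID source `query(leaf, subleaf)`.
pub fn detect_with<F: Fn(u32, u32) -> Regs>(query: F) -> TeeCaps {
    let mut caps = TeeCaps::default();
    let leaf0 = query(0, 0);
    let max_basic = leaf0.eax;
    let mut v = Vec::with_capacity(12);
    for r in [leaf0.ebx, leaf0.edx, leaf0.ecx] {
        v.extend_from_slice(&r.to_le_bytes());
    }
    caps.vendor = String::from_utf8_lossy(&v).into_owned();

    // Never consult a leaf above the reported maximum; its contents are undefined.
    if max_basic >= 7 {
        let l7 = query(7, 0);
        caps.sgx = l7.ebx & (1 << 2) != 0;
        caps.sgx_flc = l7.ecx & (1 << 30) != 0;
    }
    if caps.sgx && max_basic >= 0x12 {
        let l12 = query(0x12, 0);
        caps.sgx1 = l12.eax & (1 << 0) != 0;
        caps.sgx2 = l12.eax & (1 << 1) != 0;
    }
    if query(0x8000_0000, 0).eax >= 0x8000_001F {
        let e = query(0x8000_001F, 0).eax;
        caps.sev = e & (1 << 1) != 0;
        caps.sev_es = e & (1 << 3) != 0;
        caps.sev_snp = e & (1 << 4) != 0;
    }
    caps
}

/// Real backend: CPUID is an unprivileged instruction on x86_64.
#[cfg(target_arch = "x86_64")]
pub fn detect() -> TeeCaps {
    detect_with(|leaf, sub| {
        let r = unsafe { core::arch::x86_64::__cpuid_count(leaf, sub) };
        Regs { eax: r.eax, ebx: r.ebx, ecx: r.ecx, edx: r.edx }
    })
}

#[cfg(not(target_arch = "x86_64"))]
pub fn detect() -> TeeCaps {
    TeeCaps::default()
}

/// Backend choice in the PR's recommended order (an assumption of this example):
/// Gramine/SGX only when SGX1 with FLC is advertised and the kernel exposes the
/// enclave device, otherwise the TPM 2.0 backend. SEV is reported, not selected.
pub fn choose_backend(caps: &TeeCaps, sgx_device_present: bool) -> &'static str {
    if caps.sgx && caps.sgx1 && caps.sgx_flc && sgx_device_present {
        "gramine-sgx"
    } else {
        "tpm2"
    }
}

fn main() {
    let caps = detect();
    let dev = std::path::Path::new("/dev/sgx_enclave").exists();
    println!("{caps:?}\nbackend: {}", choose_backend(&caps, dev));
}
```

Injecting the CPUID source is what makes the "detection" logic unit-testable on CI runners without SGX or SEV; the x86_64 `detect()` is the only part that needs real hardware, and `choose_backend` keeps the usability checks (FLC bit, device node) separate from the advertisement bits so a firmware-disabled SGX box falls through to TPM rather than failing at enclave load.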

forkline-dev[bot] added 5 commits March 6, 2026 09:58
Analyze TEE solutions (Enarx, Gramine, Occlum, Confidential Containers)
for securing Passless authenticator. Recommend Gramine with Intel SGX
as primary solution for users with compatible hardware.
- Add gramine directory with manifest templates for SGX execution
- Create passless-tee crate for TEE hardware detection (Intel SGX, AMD SEV)
- Add build scripts for Gramine manifest generation and signing
- Create Dockerfile for Gramine Shielded Containers (GSC)
- Add comprehensive documentation in docs/GRAMINE_INTEGRATION.md
- Add systemd service file for running Passless in SGX enclave
- Update Makefile with gramine-build, gramine-run, gramine-run-sealed targets
- Add installation scripts for Gramine support
- Update README with Gramine/SGX feature information

Resolves: #168

Preserved PR additions:
- docs/TEE_ANALYSIS.md and docs/GRAMINE_INTEGRATION.md
- gramine/ directory with Gramine/Intel SGX support
- passless-tee/ crate
- contrib/scripts/install-gramine.sh and uninstall-gramine.sh
- contrib/systemd/passless-sgx.service and passless-sgx-wrapper.sh

Accepted master's version for conflicting files as master represents
the current state of the codebase.

Added passless-tee to workspace members in Cargo.toml.
forkline-dev[bot] added 3 commits April 6, 2026 19:49
The script referenced 'passless-sgx-wrapper' but the actual file is
'passless-sgx-wrapper.sh' in the systemd directory. This fix ensures
the installation script will work correctly.

References GRAMINE_GUIDE.md which doesn't exist. The actual file is
GRAMINE_INTEGRATION.md in the docs directory.

forkline-bot bot (Author) commented Apr 6, 2026

Maintainability Review Complete

Changes Applied (3 commits)

  1. fix: correct filename in install-gramine.sh - Fixed incorrect path to passless-sgx-wrapper.sh (was referencing wrong directory and filename)

  2. fix: correct documentation filename in QUICK_START.md - Fixed broken links referencing GRAMINE_GUIDE.md which doesn't exist

  3. chore: update Cargo.lock for passless-tee workspace member - Normal lockfile update for new crate

Recommendations Deferred

None - the other findings were minor or speculative:

  • #[allow(clippy::collapsible_if)] suppressions in detection.rs are minor style issues, code is readable
  • #[allow(dead_code)] functions are intentionally kept for future attestation support
  • passless-tee crate is not yet integrated into main app - this is intentional preparatory work

Summary

The PR adds solid TEE analysis documentation and Gramine integration support. The code quality is good:

  • Shell scripts pass shellcheck
  • Rust code passes clippy
  • Unit tests cover basic functionality
  • Documentation is comprehensive

Only two critical bugs were found (wrong filenames in scripts/docs) - both now fixed and pushed.

- Remove executable bit from passless-sgx.service (systemd unit file)
- Add trailing newlines to all affected files
- Remove trailing whitespace from gramine/build.sh and gramine/run.sh

forkline-bot bot (Author) commented Apr 6, 2026

CI Fix Applied

Fixed all pre-commit hook failures in commit f3a8b81:

  1. Removed executable bit from contrib/systemd/passless-sgx.service (systemd unit file, not a script)
  2. Added trailing newlines to 14 files missing them
  3. Removed trailing whitespace from gramine/build.sh and gramine/run.sh

All changes pushed to docs/168-tee-analysis-v2 branch.

Commit:

Waiting for CI to re-run...

forkline-bot bot (Author) commented Apr 6, 2026

CI Fix Applied

The CI fix has already been applied and pushed. The branch is at commit f3a8b81 which includes:

  • Removed executable bit from contrib/systemd/passless-sgx.service (changed from mode 100755 to 100644)
  • Added trailing newlines to all 14 affected files
  • Removed trailing whitespace from gramine/build.sh and gramine/run.sh

Pre-commit hooks now pass locally. The CI logs shown are from an older run on commit 9c92d09 (before the fix). The latest commit should pass CI.

Commit:

Waiting for CI to re-run...

forkline-bot bot (Author) commented Apr 6, 2026

CI Fix Applied

Summary: CI Fix Status

The CI failure has already been resolved. The fix was committed in f3a8b81 and pushed to the branch docs/168-tee-analysis-v2.

Fixes Applied:

  • Removed executable bit from contrib/systemd/passless-sgx.service (changed from 100755 to 100644)
  • Added trailing newlines to 14 files that were missing them
  • Removed trailing whitespace from gramine/build.sh and gramine/run.sh

Verification:

  • All pre-commit hooks pass locally
  • Branch is up to date with remote
  • Working tree is clean

The CI failure occurred on commit 409b86f before the fix commit was pushed. The current state of the branch (f3a8b81) should pass all pre-commit checks when CI is re-triggered.

Commit:

Waiting for CI to re-run...

forkline-bot bot (Author) commented Apr 6, 2026

CI Fix Applied

The CI fix is already in place. Commit f3a8b81 ("fix: resolve pre-commit hook failures") was already added to the branch after the failed commit 4cf2f33. All pre-commit checks now pass locally:

  • Executable permission removed from passless-sgx.service
  • Trailing newlines added to all affected files
  • Trailing whitespace fixed in gramine/build.sh and gramine/run.sh

The branch is up to date with remote. No additional changes needed - the CI should pass on re-run.

Commit:

Waiting for CI to re-run...
