feat: support Intel SGX using gramine

ShuochengWang · ShuochengWang · commit b102a9206db2 · 2024-12-25T16:13:57.000Z
diff --git a/.gitignore b/.gitignore
@@ -54,3 +54,7 @@ coverage
 .eslintcache
 
 agent/content
+
+eliza.manifest
+eliza.manifest.sgx
+eliza.sig
diff --git a/Makefile b/Makefile
@@ -0,0 +1,59 @@
+# Copyright (C) 2024 Gramine contributors
+# SPDX-License-Identifier: BSD-3-Clause
+
+THIS_DIR := $(dir $(lastword $(MAKEFILE_LIST)))
+NODEJS_DIR ?= /usr/bin
+
+ARCH_LIBDIR ?= /lib/$(shell $(CC) -dumpmachine)
+
+ifeq ($(DEBUG),1)
+GRAMINE_LOG_LEVEL = debug
+else
+GRAMINE_LOG_LEVEL = error
+endif
+
+.PHONY: all
+all: eliza.manifest
+ifeq ($(SGX),1)
+all: eliza.manifest.sgx eliza.sig
+endif
+
+.PHONY: eliza.manifest
+eliza.manifest: eliza.manifest.template
+	gramine-manifest \
+		-Dlog_level=$(GRAMINE_LOG_LEVEL) \
+		-Darch_libdir=$(ARCH_LIBDIR) \
+		-Dnodejs_dir=$(NODEJS_DIR) \
+		$< >$@
+
+# Make on Ubuntu <= 20.04 doesn't support "Rules with Grouped Targets" (`&:`),
+# for details on this workaround see
+# https://github.com/gramineproject/gramine/blob/e8735ea06c/CI-Examples/helloworld/Makefile
+eliza.manifest.sgx eliza.sig: sgx_sign
+	@:
+
+.INTERMEDIATE: sgx_sign
+sgx_sign: eliza.manifest
+	gramine-sgx-sign \
+		--manifest $< \
+		--output $<.sgx
+
+ifeq ($(SGX),)
+GRAMINE = gramine-direct
+else
+GRAMINE = gramine-sgx
+endif
+
+# Start the default character:
+# SGX=1 make start
+# Start a specific character by passing arguments:
+# SGX=1 make start -- --character "character/your_character_file.json"
+.PHONY: start
+start: all
+	$(GRAMINE) ./eliza --loader ts-node/esm src/index.ts --isRoot $(filter-out $@,$(MAKECMDGOALS))
+.PHONY: clean
+clean:
+	$(RM) *.manifest *.manifest.sgx *.sig
+
+.PHONY: distclean
+distclean: clean
diff --git a/eliza.manifest.template b/eliza.manifest.template
@@ -0,0 +1,84 @@
+# Copyright (C) 2024 Gramine contributors
+# SPDX-License-Identifier: BSD-3-Clause
+
+# Node.js manifest file example
+
+libos.entrypoint = "{{ nodejs_dir }}/node"
+
+fs.start_dir = "/agent"
+
+loader.log_level = "{{ log_level }}"
+
+loader.env.LD_LIBRARY_PATH = "/lib:{{ arch_libdir }}:/usr/{{ arch_libdir }}"
+
+# Insecure configuration for loading arguments and environment variables
+# Do not set these configurations in production
+loader.insecure__use_cmdline_argv = true
+loader.insecure__use_host_env = true
+
+fs.mounts = [
+  { uri = "file:{{ gramine.runtimedir() }}", path = "/lib" },
+  { uri = "file:{{ arch_libdir }}", path = "{{ arch_libdir }}" },
+  { uri = "file:/usr/{{ arch_libdir }}", path = "/usr/{{ arch_libdir }}" },
+  { uri = "file:{{ nodejs_dir }}/node", path = "{{ nodejs_dir }}/node" },
+  { type = "tmpfs", path = "/tmp" },
+  { type = "tmpfs", path = "/agent/content_cache" },
+]
+
+sys.enable_extra_runtime_domain_names_conf = true
+sys.fds.limit = 65535
+
+sgx.debug = false
+sgx.remote_attestation = "dcap"
+sgx.max_threads = 64
+
+# Some dependencies of Eliza utilize WebAssembly (WASM).
+# Initializing WASM requires a substantial amount of memory.
+# If there is insufficient memory, you may encounter the following error:
+# RangeError: WebAssembly.instantiate(): Out of memory: Cannot allocate Wasm memory for a new instance.
+# To address this, we set the enclave size to 64GB.
+sgx.enclave_size = "64G"
+
+# `use_exinfo = true` is needed because Node.js uses memory mappings with `MAP_NORESERVE`, which
+# will defer page accepts to page-fault events when EDMM is enabled
+sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
+sgx.use_exinfo = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
+
+sgx.trusted_files = [
+  "file:{{ gramine.runtimedir() }}/",
+  "file:{{ arch_libdir }}/",
+  "file:/usr/{{ arch_libdir }}/",
+  "file:{{ nodejs_dir }}/node",
+  "file:characters/",
+  "file:agent/src/",
+  "file:agent/package.json",
+  "file:agent/tsconfig.json",
+  "file:package.json",
+  "file:.env",
+
+  # Add these files to sgx.trusted_files in production and remove them from sgx.allowed_files.
+  # Trusting these files requires a high-performance SGX machine due to the large number of files,
+  # which could significantly increase startup time.
+  # To mitigate startup time degradation, we use allowed_files in development.
+  #
+  # "file:node_modules/",
+  # "file:packages/",
+  # These files are symbolic links to node_modules,
+  # and Gramine does not support adding symbolic link directories to sgx.trusted_files.
+  # Therefore, we must add each directory individually to sgx.trusted_files.
+  # "file:agent/node_modules/@elizaos/adapter-sqlite/",
+  # "file:agent/node_modules/@elizaos/.../",
+]
+
+# Insecure configuration. Use gramine encrypted fs to store data in production.
+sgx.allowed_files = [
+  "file:agent/data/",
+  "file:agent/model.gguf",
+
+  # Move these files to sgx.trusted_files in production.
+  "file:node_modules/",
+  "file:packages/",
+  "file:agent/node_modules/",
+]
+
+loader.env.SGX = "1"
