feat: add GRAMINE_DIRECT

if the container is passed `GRAMINE_DIRECT=1` then `gramine-direct` is executed. This helps debugging on non-sgx machines. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2025-07-20 23:23:57 +02:00 · 2024-06-14 14:25:46 +02:00 · 2024-06-14 14:25:46 +02:00 · ec8f336547
commit ec8f336547
parent 070abadeb7
3 changed files with 18 additions and 1 deletions
--- a/.github/workflows/nix.yml
+++ b/.github/workflows/nix.yml
@ -63,3 +63,9 @@ jobs:

      - name: nix build
        run: nix run github:nixos/nixpkgs/nixos-23.11#nixci
+
+      - name: integration check
+        run: |
+          nix build --accept-flake-config -L .#nixsgx-test-sgx-azure
+          docker load -i result
+          docker run -i --env GRAMINE_DIRECT=1 --privileged --init --rm nixsgx-test-sgx-azure:latest | grep -q -F 'Hello, world!'
--- a/.gitignore
+++ b/.gitignore
@ -4,3 +4,4 @@
 /.envrc
 /.direnv
 /result
+/result-*
--- a/lib/default.nix
+++ b/lib/default.nix
@ -166,7 +166,17 @@ _:
            "LD_LIBRARY_PATH=${lib.makeLibraryPath [ pkgs.curl.out (if isAzure then nixsgx.azure-dcap-client.out else nixsgx.sgx-dcap.default_qpl)]}"
          ];
          Entrypoint = [ "/bin/sh" "-c" ];
-          Cmd = [ "${extraCmd}; [[ -r /var/run/aesmd/aesm.socket ]] || restart-aesmd >&2; exec gramine-sgx ${name}" ];
+          Cmd = [
+            ''
+              ${extraCmd};
+              if [ -n \"$GRAMINE_DIRECT\" ]; then
+                  exec gramine-direct ${name};
+              else
+                  [[ -r /var/run/aesmd/aesm.socket ]] || restart-aesmd >&2;
+                  exec gramine-sgx ${name};
+              fi
+            ''
+          ];
          WorkingDir = "${appDir}";
        };