Gramine Library OS

thilovoss edited this page Dec 8, 2022 · 1 revision

In a library OS, a guest operating system is reduced to an application library that implements the operating system's system calls and maps them to the system calls of the host kernel.

Because these application libraries are small, each application can bring its own operating system in the form of a library OS. All system calls made by the application are then "passed through" to the host OS by the implementation in the library. Gramine OS (originally named Graphene OS) follows this approach and extends it to multi-process applications, so existing Linux applications can run under Gramine without major changes.

To bring Gramine's approach, and with it the ability to run Linux applications "out of the box" in a library OS, to Intel SGX, a port called Gramine-SGX was developed. Gramine-SGX allows both single-process and multi-process applications to run in SGX enclaves. To run an application in Gramine, a manifest must first be created. The manifest is a configuration file that describes the environment in which the application runs. For example, it specifies which resources the application may use and which files may be read and written. SGX-specific settings, such as the enclave size, can also be made there.
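
A manifest of the kind described above might look like the following. This is an added example, not taken from the original page or from the Gramine project. The application path, data directories and enclave size are hypothetical, and the key names assume the manifest template syntax documented for Gramine 1.x, so check them against the release in use.

```toml
# myapp.manifest.template (hypothetical application, constructed for illustration)
# The {{ ... }} placeholders are filled in when the template is rendered
# into the final manifest.

# Gramine itself is loaded first, then it starts the application.
loader.entrypoint = "file:{{ gramine.libos }}"
libos.entrypoint = "/usr/local/bin/myapp"
loader.log_level = "error"

# Environment seen by the application; host variables are not inherited
# unless listed explicitly.
loader.env.LD_LIBRARY_PATH = "/lib"

# Only these host paths are visible inside the library OS.
fs.mounts = [
  { path = "/lib", uri = "file:{{ gramine.runtimedir() }}" },
  { path = "/usr/local/bin/myapp", uri = "file:/usr/local/bin/myapp" },
  { path = "/etc/myapp", uri = "file:/etc/myapp" },
  { path = "/var/myapp/out", uri = "file:/var/myapp/out" },
]

# SGX-specific settings.
sgx.debug = false            # a debug enclave can be inspected by the host
sgx.enclave_size = "512M"    # fixed at build time, must be a power of two

# Trusted files: hashes are recorded at signing time and verified when the
# file is opened. Use this for the binary, its libraries and read-only config.
sgx.trusted_files = [
  "file:{{ gramine.libos }}",
  "file:{{ gramine.runtimedir() }}/",
  "file:/usr/local/bin/myapp",
  "file:/etc/myapp/",
]

# Allowed files: readable and writable, but NOT integrity-checked.
# The untrusted host can change them at any time, so keep this list as
# short as possible and treat everything read from here as untrusted input.
sgx.allowed_files = [
  "file:/var/myapp/out/",
]
```

Anything the application needs that is not mounted and listed as trusted or allowed is not accessible from inside the enclave, which makes the manifest the place to review when auditing what a Gramine-SGX workload can reach on the host.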