Hi @bigdata-memory, thanks for the proposal. Teaclave is a FaaS-like platform consisting of multiple services. One can register and invoke functions to the platform through the frontend service. Then, Teaclave will help to do authentication, authorization, task preparation, etc and finally dispatch a task to the *execution service*. Currently, we have three executors for different languages and scenarios. For example, the *builtin* executor only execute functions written in Rust natively, while, the *mesapy* executor can run functions written in Python dynamically.
Therefore, to integrate with Graphene, or any other LibOS kind of system in Teaclave, we need to introduce another kind of executor. Luckly, the execution service in Teaclave are designed as a stateless and isolated service which takes a task, executes it and write back the result. Inputs/Outputs of a functions are defined as function arguments, input/output files stored in protected file system. In our design, we prohibit any untrusted I/O interfaces (e.g., write date to the untrusted file system, networks I/O) in the executor to protecting sensitive data operated by the function. Above are some background about our design rationals. Here, I list some concepts involved in integrating with Graphene. - **RPC**: All Teaclave services communicate with each other via trusted channel (i.e., attested TLS). You can find all protocol definitions in Protobuf in this directory: https://github.com/apache/incubator-teaclave/tree/master/services/proto/src/proto. An execution service instance will periodically fetch tasks from the scheduler service and execute it. - **Attestation**: We do mutual attestation when establishing trusted RPC channel through attested TLS. - **Executor Runtime**: Providing interfaces to an executor to read/write input/output files stored in the protected file system. - **`TeaclaveExecutor` Trait**: The `TeaclaveExecutor` trait defines interfaces of a task. Recently, we added a WebAssembly executor. You can see recents changes to see how to add an executor in Teaclave. Here is a simple document https://teaclave.apache.org/docs/adding-executors/. The WebAssembly executor is just a reference. For integrating with Graphene (or other LibOS executors), the design may be different. I'm not sure whether to link the LibOS within the execution service or put it as a separate enclave along with the execution service. The later may need additional attestation mechanism. At last, can you propose a simple design so that we can work on it together? Please let me know if you have any questions regarding to the current Teaclave design. Thanks! -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/apache/incubator-teaclave/issues/525#issuecomment-882846476
