Add MariaDB server example

mariadb/Makefile

@@ -0,0 +1,49 @@
+THIS_DIR := $(dir $(lastword $(MAKEFILE_LIST)))
+
+ARCH_LIBDIR ?= /lib/$(shell $(CC) -dumpmachine)
+
+UID ?= $(shell id -u)
+GID ?= $(shell id -g)
+
+ifeq ($(DEBUG),1)
+GRAMINE_LOG_LEVEL = debug
+else
+GRAMINE_LOG_LEVEL = error
+endif
+
+.PHONY: all
+all: mysqld.manifest
+ifeq ($(SGX),1)
+all: mysqld.manifest.sgx mysqld.sig mysqld.token
+endif
+
+mysqld.manifest: mysqld.manifest.template
+	gramine-manifest \
+		-Dlog_level=$(GRAMINE_LOG_LEVEL) \
+		-Darch_libdir=$(ARCH_LIBDIR) \
+		-Duid=$(UID) \
+        -Dgid=$(GID) \
+		$< >$@
+
+# Make on Ubuntu <= 20.04 doesn't support "Rules with Grouped Targets" (`&:`),
+# for details on this workaround see
+# https://github.com/gramineproject/gramine/blob/e8735ea06c/CI-Examples/helloworld/Makefile
+mysqld.sig mysqld.manifest.sgx: sgx_sign
+	@:
+
+.INTERMEDIATE: sgx_sign
+sgx_sign: mysqld.manifest
+	gramine-sgx-sign \
+		--manifest $< \
+		--output $<.sgx
+
+mysqld.token: mysqld.sig
+	gramine-sgx-get-token \
+		--output $@ --sig $<
+
+.PHONY: clean
+clean:
+	$(RM) *.manifest *.manifest.sgx *.token *.sig
+
+.PHONY: distclean
+distclean: clean

mariadb/README.md

@@ -0,0 +1,46 @@
+# MariaDB example
+
+This example was tested with MariaDB version 10.7.3 and Ubuntu 20.04.
+
+This directory contains an example for running MariaDB server in Gramine,
+including the Makefile and a template for generating the manifest.
+
+## Pre-requisites
+
+- `curl -LsS https://r.mariadb.com/downloads/mariadb_repo_setup | sudo bash -s -- --mariadb-server-version="mariadb-10.7.3" --os-type=ubuntu --os-version=focal` to use
+MariaDB package repository setup script.
+- `sudo apt-get update` to update package cache.
+- `sudo apt-get install mariadb-server` to install MariaDB server.
+- `sudo mysql_secure_installation` to improve the security of your MariaDB installation. Fill
+the details as below.
+    - Enter current password for root (enter for none): --> enter
+    - Switch to unix_socket authentication [Y/n] --> n
+    - Change the root password? --> y
+    - Remove anonymous users? [Y/n] --> y
+    - Disallow root login remotely? --> y
+    - Remove test database and access to it? --> y
+    - Reload privilege tables now? --> y
+- `systemctl stop mysqld` to stop the default MariaDB server. We will
+  manually start MariaDB server.
+- `sudo chown -R $USER:$USER /run/mysqld`
+  to allow MariaDB server to create socket file `mysqld.sock`.
+- `sudo chown -R $USER:$USER /var/lib/mysql` to allow
+  running MariaDB server under the current non-root user.
+
+## Build
+
+Run `make` to build the non-SGX version and `make SGX=1` to build the SGX
+version.
+
+## Run
+
+- Native: `mysqld`.
+- Gramine without SGX: `gramine-direct mysqld`.
+- Gramine with SGX: `gramine-sgx mysqld`.
+
+## Test client connection
+
+Run below commands from new terminal:
+
+- `mysql -u root -p -h 127.0.0.1` to connect a client to MariaDB server.
+- `mysql> exit` to disconnect the client.

mariadb/mysqld.manifest.template

@@ -0,0 +1,37 @@
+loader.entrypoint = "file:{{ gramine.libos }}"
+libos.entrypoint = "/usr/sbin/mysqld"
+
+loader.log_level = "{{ log_level }}"
+
+loader.env.LD_LIBRARY_PATH = "/lib:{{ arch_libdir }}"
+
+loader.insecure__use_cmdline_argv = true
+
+fs.mounts = [
+  { path = "/lib", uri = "file:{{ gramine.runtimedir() }}" },
+  { path = "{{ arch_libdir }}", uri = "file:{{ arch_libdir }}" },
+  { path = "/usr/sbin", uri = "file:/usr/sbin" },
+  { path = "/var/lib/mysql", uri = "file:/var/lib/mysql" },
+  { path = "/run/mysqld", uri = "file:/run/mysqld"},
+  { type = "tmpfs", path = "/tmp" },
+]
+
+sgx.nonpie_binary = true
+sgx.enclave_size = "32G"
+sgx.thread_num = 512
+
+loader.uid = {{ uid }}
+loader.gid = {{ gid }}
+
+sgx.trusted_files = [
+  "file:{{ gramine.libos }}",
+  "file:/usr/sbin/mysqld",
+  "file:{{ gramine.runtimedir() }}/",
+  "file:{{ arch_libdir }}/",
+]
+
+sgx.allowed_files = [
+  "file:/var/lib/mysql",
+  "file:/var/log/mysql",
+  "file:/run/mysqld/",
+]