EGo is a framework for building confidential apps in Go. Confidential apps run in always-encrypted and verifiable enclaves on Intel SGX-enabled hardware. EGo simplifies enclave development by providing two user-friendly tools:
ego-go
, an adapted Go compiler that builds enclave-compatible executables from a given Go project - while providing the same CLI as the original Go compiler.ego
, a CLI tool that handles all enclave-related tasks such as signing and enclave creation.
Building and running a confidential Go app is as easy as:
ego-go build hello.go
ego sign hello
ego run hello
The easiest way to install EGo is via the snap:
sudo snap install ego-dev --classic
You also need gcc
and libcrypto
. On Ubuntu install them with:
sudo apt install build-essential libssl-dev
If you're on Ubuntu 20.04, 22.04, or 24.04, you can install the DEB package:
sudo mkdir -p /etc/apt/keyrings
wget -qO- https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo tee /etc/apt/keyrings/intel-sgx-keyring.asc > /dev/null
echo "deb [signed-by=/etc/apt/keyrings/intel-sgx-keyring.asc arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/intel-sgx.list
sudo apt update
EGO_DEB=ego_1.6.0_amd64_ubuntu-$(lsb_release -rs).deb
wget https://github.com/edgelesssys/ego/releases/download/v1.6.0/$EGO_DEB
sudo apt install ./$EGO_DEB build-essential libssl-dev
Prerequisite: Edgeless RT is installed and sourced.
mkdir build
cd build
cmake ..
make
make install
You can reproducibly build the latest release:
cd dockerfiles
DOCKER_BUILDKIT=1 docker build --target export -o. - < Dockerfile
Or build the latest master:
cd dockerfiles
DOCKER_BUILDKIT=1 docker build --target export --build-arg egotag=master --build-arg erttag=master -o. - < Dockerfile
This outputs the DEB package for Ubuntu 22.04.
For Ubuntu 20.04, replace Dockerfile
with Dockerfile.focal
in the above commands.
Optionally build the ego-dev
and ego-deploy
images:
DOCKER_BUILDKIT=1 docker build --target dev -t ghcr.io/edgelesssys/ego-dev - < Dockerfile
DOCKER_BUILDKIT=1 docker build --target deploy -t ghcr.io/edgelesssys/ego-deploy - < Dockerfile
Now you're ready to build applications with EGo! To start, check out the following samples:
- helloworld is a minimal example of an enclave application.
- remote_attestation shows how to use the basic remote attestation API of EGo.
- attested_tls is similar to the above, but uses a higher level API to establish an attested TLS connection.
- vault demonstrates how to port a Go application exemplified by Hashicorp Vault.
- estore shows how to securely persist data using EStore.
- wasmer and wasmtime show how to run WebAssembly inside EGo.
- embedded_file shows how to embed files into an EGo enclave.
- reproducible_build builds the helloworld sample reproducibly, resulting in the same UniqueID.
- cgo demonstrates the experimental cgo support.
- azure_attestation shows how to use Microsoft Azure Attestation for remote attestation.
- The EGo documentation covers building, signing, running, and debugging confidential apps.
- The EGo API provides access to remote attestation and sealing to your confidential app at runtime.
- Use MarbleRun to create distributed EGo applications and run them on Kubernetes.
- Use EStore to securely persist your application's data.
- Not only using Go? Check out Contrast to run your confidential containers on Kubernetes.
- Got a question? Please get in touch via Discord or file an issue.
- If you see an error message or run into an issue, please make sure to create a bug report.
- Get the latest news and announcements on Twitter, LinkedIn or sign up for our monthly newsletter.
- Visit our blog for technical deep-dives and tutorials.
- Read
CONTRIBUTING.md
for information on issue reporting, code guidelines, and our PR process. - Pull requests are welcome! You need to agree to our Contributor License Agreement.
- This project and everyone participating in it are governed by the Code of Conduct. By participating, you are expected to uphold this code.
- Please report any security issue via a private GitHub vulnerability report or write to security@edgeless.systems.