This repository contains the code necessary to run DuckDB on a CPU supporting Intel SGX. This is a research prototype, and we do not advise to run DuckDB-SGX in production. We offer multiple manifest files:
- One to run DuckDB as a CLI tool.
- One to run the benchmarking suite.
- One to run the benchmarking suite using the OpenSSL AES-GCM implementation (https://github.com/ccfelius/duckdb/tree/openssl).
Prerequisites:
DuckDB is embedded in this repository as a submodule. To install it, start by pulling the submodule after cloning:
cd DuckDB-SGX/
git submodule update --initThen build the code with the necessary extensions:
cd duckdb/
make all benchmark BUILD_TPCH=1
cd ..For the OpenSSL version, do the same in the duckdb_openssl folder.
Now, generate the manifest files. In this example, we include two manifest files - one for the DuckDB engine and one fore the benchmark runner. We start by building the former.
If needed, edit the manifest file. We advise to edit loader.log_level if a higher log granularity is desired, and sgx.enclave_size to adjust the allocated memory (must be a power of two).
Note that the key with which the files are encrypted is hardcoded in the manifest. This renders this example deployment insecure. A secure version will require to replace this hardcoded key with key_name = "_sgx_mrenclave" or key_name = "_sgx_mrsigner" in the filesystem mount point.
Then, generate and sign the manifest.
- Building for Linux:
- run
make(non-debug) ormake DEBUG=1(debug) in the directory.
- run
- Building for SGX:
- run
make SGX=1(non-debug) ormake SGX=1 DEBUG=1(debug) in the directory.
- run
To run DuckDB with Gramine without SGX:
gramine-direct duckdb < scripts/test.sql
# should return a table with 42, 84To run DuckDB with Gramine with SGX:
gramine-sgx duckdb < scripts/test.sql
# should return a table with 42, 84To run benchmarks with the benchmark runner inside an enclave:
cd benchmarkFor performance purposes, we advise to generate the data with DuckDB, rather than running the database generation inside Gramine.
../duckdb/build/release/benchmark/benchmark_runner "benchmark/tpch/sf1/.*"Edit the manifest as needed.
- Building for Linux:
- run
make(non-debug) ormake DEBUG=1(debug) in the directory.
- run
- Building for SGX:
- run
make SGX=1(non-debug) ormake SGX=1 DEBUG=1(debug) in the directory.
- run
To run the benchmark runner with Gramine without SGX:
gramine-direct benchmark_runner "benchmark/tpch/sf1/.*"To run the benchmark runner with Gramine with SGX:
gramine-sgx benchmark_runner "benchmark/tpch/sf1/.*"By default, the benchmark runner generates data with SF1. In order to benchmark different scale factors, do the following:
cd duckdb
nano benchmark/tpch/sf1/tpch_sf1.benchmark.inComment the last line (checking for hardcoded solutions):
# result extension/tpch/dbgen/answers/sf1/q${QUERY_NUMBER_PADDED}.csv
Then, generate the data, changing the scale factor as needed:
make all benchmark BUILD_TPCH=1
./build/release/duckdb duckdb_benchmark_data/tpch_sf1.duckdbHere we show how to reproduce the TPC-H benchmark on Parquet, assuming scale factor 30 (change as needed). We have four possibilities:
- Uncompressed, unencrypted (UU)
- Compressed, unencrypted (CU)
- Uncompressed, encrypted (UE)
- Compressed, encrypted (CE)
First of all create a database file calling dbgen as above. Then, we need to store the data in four folders inside ${BENCHMARK_DIR}, which in our case is duckdb/duckdb_benchmark_data.
mkdir duckdb/duckdb_benchmark_data/sf30
mkdir duckdb/duckdb_benchmark_data/sf30/uncompressed_unencrypted
mkdir duckdb/duckdb_benchmark_data/sf30/compressed_unencrypted
mkdir duckdb/duckdb_benchmark_data/sf30/uncompressed_encrypted
mkdir duckdb/duckdb_benchmark_data/sf30/compressed_encrypted
Now we should export the data generated by dbgen:
export database 'duckdb_benchmark_data/tpch_sf30.duckdb' (FORMAT PARQUET, COMPRESSION UNCOMPRESSED);
export database 'duckdb_benchmark_data/tpch_sf30/compressed_unencrypted' (FORMAT PARQUET);
Then copy the data in benchmarks/tpch inside duckdb/benchmark/tpch/:
cp -r benchmarks/tpch duckdb/benchmark/tpch