EGo

EGo is a framework for building confidential apps in Go. Confidential apps run in always-encrypted and verifiable enclaves on Intel SGX-enabled hardware. EGo simplifies enclave development by providing two user-friendly tools:

• ego-go, an adapted Go compiler that builds enclave-compatible executables from a given Go project - while providing the same CLI as the original Go compiler.
• ego, a CLI tool that handles all enclave-related tasks such as signing and enclave creation.

Building and running a confidential Go app is as easy as:

ego-go build hello.go
ego sign hello
ego run hello

Install

Install the snap

The easiest way to install EGo is via the snap:

sudo snap install ego-dev --classic

You also need gcc and libcrypto. On Ubuntu install them with:

sudo apt install build-essential libssl-dev

Install the DEB package

If you're on Ubuntu 20.04, 22.04, or 24.04, you can install the DEB package:

sudo mkdir -p /etc/apt/keyrings
wget -qO- https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo tee /etc/apt/keyrings/intel-sgx-keyring.asc > /dev/null
echo "deb [signed-by=/etc/apt/keyrings/intel-sgx-keyring.asc arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/intel-sgx.list
sudo apt update
EGO_DEB=ego_1.6.0_amd64_ubuntu-$(lsb_release -rs).deb
wget https://github.com/edgelesssys/ego/releases/download/v1.6.0/$EGO_DEB
sudo apt install ./$EGO_DEB build-essential libssl-dev

Build from source

Prerequisite: Edgeless RT is installed and sourced.

mkdir build
cd build
cmake ..
make
make install

Build via Docker

You can reproducibly build the latest release:

cd dockerfiles
DOCKER_BUILDKIT=1 docker build --target export -o. - < Dockerfile

Or build the latest master:

cd dockerfiles
DOCKER_BUILDKIT=1 docker build --target export --build-arg egotag=master --build-arg erttag=master -o. - < Dockerfile

This outputs the DEB package for Ubuntu 22.04. For Ubuntu 20.04, replace Dockerfile with Dockerfile.focal in the above commands.

Optionally build the ego-dev and ego-deploy images:

DOCKER_BUILDKIT=1 docker build --target dev -t ghcr.io/edgelesssys/ego-dev - < Dockerfile
DOCKER_BUILDKIT=1 docker build --target deploy -t ghcr.io/edgelesssys/ego-deploy - < Dockerfile

Getting started

Now you're ready to build applications with EGo! To start, check out the following samples:

• helloworld is a minimal example of an enclave application.
• remote_attestation shows how to use the basic remote attestation API of EGo.
• attested_tls is similar to the above, but uses a higher level API to establish an attested TLS connection.
• vault demonstrates how to port a Go application exemplified by Hashicorp Vault.
• estore shows how to securely persist data using EStore.
• wasmer and wasmtime show how to run WebAssembly inside EGo.
• embedded_file shows how to embed files into an EGo enclave.
• reproducible_build builds the helloworld sample reproducibly, resulting in the same UniqueID.
• cgo demonstrates the experimental cgo support.
• azure_attestation shows how to use Microsoft Azure Attestation for remote attestation.

Documentation

• The EGo documentation covers building, signing, running, and debugging confidential apps.
• The EGo API provides access to remote attestation and sealing to your confidential app at runtime.

Beyond EGo

• Use MarbleRun to create distributed EGo applications and run them on Kubernetes.
• Use EStore to securely persist your application's data.
• Not only using Go? Check out Contrast to run your confidential containers on Kubernetes.

Community & help

• Got a question? Please get in touch via Discord or file an issue.
• If you see an error message or run into an issue, please make sure to create a bug report.
• Get the latest news and announcements on Twitter, LinkedIn or sign up for our monthly newsletter.
• Visit our blog for technical deep-dives and tutorials.

Contribute

• Read CONTRIBUTING.md for information on issue reporting, code guidelines, and our PR process.
• Pull requests are welcome! You need to agree to our Contributor License Agreement.
• This project and everyone participating in it are governed by the Code of Conduct. By participating, you are expected to uphold this code.
• Please report any security issue via a private GitHub vulnerability report or write to [email protected].