EGo is a framework for building confidential apps in Go. Confidential apps run in always-encrypted and verifiable enclaves on Intel SGX-enabled hardware. EGo simplifies enclave development by providing two user-friendly tools:

• ego-go, an adapted Go compiler that builds enclave-compatible executables from a given Go project - while providing the same CLI as the original Go compiler.
• ego, a CLI tool that handles all enclave-related tasks such as signing and enclave creation.

Building and running a confidential Go app is as easy as:

ego-go build hello.go
ego sign hello
ego run hello

The easiest way to install EGo is via the snap:

sudo snap install ego-dev --classic

You also need gcc and libcrypto. On Ubuntu install them with:

sudo apt install build-essential libssl-dev

If you're on Ubuntu 18.04 or above, you can install the DEB package:

wget -qO- https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add
sudo add-apt-repository "deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu `lsb_release -cs` main"
wget https://github.com/edgelesssys/ego/releases/download/v1.0.0/ego_1.0.0_amd64.deb
sudo apt install ./ego_1.0.0_amd64.deb build-essential libssl-dev

Prerequisite: Edgeless RT is installed and sourced.

mkdir build
cd build
cmake ..
make
make install

You can reproducibly build the latest release:

cd dockerfiles
DOCKER_BUILDKIT=1 docker build -o. - < Dockerfile.build

Or build the latest master:

cd dockerfiles
DOCKER_BUILDKIT=1 docker build --build-arg egotag=master --build-arg erttag=master -o. - < Dockerfile.build

This outputs the DEB package.

Optionally build the ego-dev and ego-deploy images:

docker build --target dev -t ghcr.io/edgelesssys/ego-dev -f Dockerfile.release .
docker build --target deploy -t ghcr.io/edgelesssys/ego-deploy -f Dockerfile.release .

Now you're ready to build applications with EGo! To start, check out the following samples:

• helloworld is a minimal example of an enclave application.
• remote_attestation shows how to use the basic remote attestation API of EGo.
• attested_tls is similar to the above, but uses a higher level API to establish an attested TLS connection.
• vault demonstrates how to port a Go application exemplified by Hashicorp Vault.
• wasmer shows how to run WebAssembly inside EGo using Wasmer.
• embedded_file shows how to embed files into an EGo enclave.
• reproducible_build builds the helloworld sample reproducibly, resulting in the same UniqueID.
• cgo demonstrates the experimental cgo support.
• azure_attestation shows how to use Microsoft Azure Attestation for remote attestation.

• The EGo documentation covers building, signing, running, and debugging confidential apps.
• The EGo API provides access to remote attestation and sealing to your confidential app at runtime.

• Got a question? Please get in touch via Discord or file an issue.
• If you see an error message or run into an issue, please make sure to create a bug report.
• Get the latest news and announcements on Twitter, LinkedIn or sign up for our monthly newsletter.
• Visit our blog for technical deep-dives and tutorials.

• Read CONTRIBUTING.md for information on issue reporting, code guidelines, and our PR process.
• Pull requests are welcome! You need to agree to our Contributor License Agreement.
• This project and everyone participating in it are governed by the Code of Conduct. By participating, you are expected to uphold this code.
• To report a security issue, write to [email protected].