Golem announces first stable release of the Graphene project

Graphene v1.0 is a project snapshot for users who desire to experiment or develop Intel SGX applications using existing Linux software and to deploy the applications for evaluation or beta testing purposes


Golem, a project building a decentralized marketplace for computing power, announced today the release of Graphene v1.0. The Graphene library OS is a project for running unmodified Linux applications, i.e., native binaries from a standard Linux distribution.

This first stable release results from the alliance formed back in April, when Golem and Invisible Things Labs (ITL), joined forces with Intel Labs, and the original creators, Chia-Che Tsai and Don Porter. This alliance was formed to guide the development of the Graphene library OS for portable applications, supporting Intel Software Guard Extensions (Intel SGX).


The v.1.0 release was launched as the Golem team noticed that users often need to repackage and sign their application with Graphene. Thus, it is providing this snapshot as a pre-production version for long-term development and testing.

With Graphene, Golem can provide secure and convenient computational services that satisfy the highest requirements of the users that are operating with sensitive and valuable data.

Currently, the most popular platform that Graphene will port to is Intel SGX, an Intel CPU feature for establishing a trusted execution environment (TEE) on an untrusted host platform. The Graphene library OS can run inside the Intel SGX library so that unmodified applications can get the advantages of running inside an enclave.

The Golem team believes that “Graphene can play a key role in the decentralized ecosystem, where data integrity, confidentiality, and security are cornerstones to the robust development of infrastructure and applications. Driving Graphene and ensuring its usability is part of Golem’s commitment to the advancement of technology in the decentralized space.”

Graphene v1.0 is not completely ready for production use yet, as the development team is still fixing the remaining stability and security issues.

Features of Graphene v1.0

The Graphene v1.0 release includes bug fixes, stability and security enhancements, and new features which are fundamental to a trusted execution environment.

Below is a complete list of the major features in Graphene v1.0:

Remote Attestation

Graphene v1.0 has a built-in remote attestation feature, specifically designed for unmodified applications. Graphene supports the official Intel attestation service with Intel Enhanced Privacy ID (Intel EPID). Users can unlock this feature by providing a Software Product ID (SPID) and a subscription key from the Intel service portal.

With the remote attestation feature enabled, Graphene will ensure that the Intel SGX platform to be genuine and up-to-date before running an application. No modification is needed in the application. Users can also export the remote attestation signed by the Intel attestation service to be verified by a remote server. In the future, Golem plans to add a sealed vault and a key pair for encryption.

Docker compatibility in Graphene v1.0

The Graphene Secure Container (GSC) framework (still experimental) integrates the Docker framework to run a Docker container with enclave protection. GSC takes an unmodified Docker image and converts into a new image for Graphene – Intel SGX, which contains the configurations (i.e., manifest files) for running a Docker application with Graphene – Intel SGX. GSC provides bidirectional protection between the containers and the host systems. Users can also use GSC to save the effort of configuring Graphene – Intel SGX.

Roadmap Ahead

The maintenance and technical support from the Graphene project will continue, with more minor and major releases in the future.

As a preview for the next release, the Golem team is still working on: