Skip to content

Java

SCONE supports Java: we maintain an image containing OpenJDK8. Ensure that you have the newest version of this image cached:

docker pull sconecuratedimages/apps:8-jdk-alpine

In case the pull fails, ask us for access to evalutate SCONE.

Now, run the image. On some hosts, JVM needs --privileged access:

docker run --privileged --device=/dev/isgx -it sconecuratedimages/apps:8-jdk-alpine

Please drop argument --device=/dev/isgx in case you do not have an SGX driver installed.

Example

Let us start with a simple hello world example:

cat > HelloWorld.java << EOF
public class HelloWorld {

    public static void main(String[] args) {
        System.out.println("Hello World");
    }

}
EOF

We can compile as follows:

javac HelloWorld.java

and run inside of an enclave as follows:

java HelloWorld

This might produce some warnings (since we disable access to the proc filesystem):

/ # java HelloWorld
Picked up JAVA_TOOL_OPTIONS: -Xmx256m
OpenJDK 64-Bit Server VM warning: Can't detect initial thread stack location - find_vma failed
Hello World

We can run Java with some additional log messages to see what accesses are blocked:

SCONE_VERSION=1 SCONE_LOG=7 java HelloWorld

which results in the following output

export SCONE_QUEUES=4
export SCONE_SLOTS=256
export SCONE_SIGPIPE=0
export SCONE_MMAP32BIT=0
export SCONE_SSPINS=100
export SCONE_SSLEEP=4000
export SCONE_HEAP=2147483648
export SCONE_STACK=81920
export SCONE_LOG=7
export SCONE_CONFIG=/etc/sgx-musl.conf
export SCONE_ESPINS=10000
export SCONE_MODE=hw
export SCONE_SGXBOUNDS=no
export SCONE_ALLOW_DLOPEN=yes (unprotected)
# export SCONE_DISABLE_EDMM=yes
export SCONE_MPROTECT=yes
Revision: 9a3643062da22bc2eed5812d94b5363e0f81422d (Tue Feb 5 23:32:58 2019 +0000)
Branch: master
Configure options: --enable-shared --enable-debug --prefix=/home/ubuntu/dlequoc/java/subtree-scone/built/cross-compiler/x86_64-linux-musl

Enclave hash: cf60b6d0cf3f154ada58aea485444eddb857f37a62c13b768f232022560e8754
Picked up JAVA_TOOL_OPTIONS: -Xmx256m
[SCONE|WARN] src/scone-shielding/proc_fs.c:324:_proc_fs_open(): open: /proc/self/mountinfo is not supported
[SCONE|WARN] src/scone-shielding/proc_fs.c:324:_proc_fs_open(): open: /proc/self/maps is not supported
OpenJDK 64-Bit Server VM warning: Can't detect initial thread stack location - find_vma failed
[SCONE|WARN] src/mman/anon.c:128:mmap_anon(): Protected heap memory exhausted! Set SCONE_HEAP environment variable to increase it.
[SCONE|WARN] src/mman/anon.c:128:mmap_anon(): Protected heap memory exhausted! Set SCONE_HEAP environment variable to increase it.
[SCONE|WARN] src/mman/anon.c:128:mmap_anon(): Protected heap memory exhausted! Set SCONE_HEAP environment variable to increase it.
[SCONE|WARN] src/mman/anon.c:128:mmap_anon(): Protected heap memory exhausted! Set SCONE_HEAP environment variable to increase it.
[SCONE|WARN] src/mman/anon.c:128:mmap_anon(): Protected heap memory exhausted! Set SCONE_HEAP environment variable to increase it.
[SCONE|WARN] src/mman/anon.c:128:mmap_anon(): Protected heap memory exhausted! Set SCONE_HEAP environment variable to increase it.
[SCONE|WARN] src/mman/anon.c:128:mmap_anon(): Protected heap memory exhausted! Set SCONE_HEAP environment variable to increase it.
[SCONE|WARN] src/mman/anon.c:128:mmap_anon(): Protected heap memory exhausted! Set SCONE_HEAP environment variable to increase it.
[SCONE|WARN] src/mman/anon.c:128:mmap_anon(): Protected heap memory exhausted! Set SCONE_HEAP environment variable to increase it.
[SCONE|WARN] src/mman/anon.c:128:mmap_anon(): Protected heap memory exhausted! Set SCONE_HEAP environment variable to increase it.
[SCONE|WARN] src/mman/anon.c:128:mmap_anon(): Protected heap memory exhausted! Set SCONE_HEAP environment variable to increase it.
[SCONE|WARN] src/mman/anon.c:128:mmap_anon(): Protected heap memory exhausted! Set SCONE_HEAP environment variable to increase it.
[SCONE|WARN] src/mman/anon.c:128:mmap_anon(): Protected heap memory exhausted! Set SCONE_HEAP environment variable to increase it.
[SCONE|WARN] src/mman/anon.c:128:mmap_anon(): Protected heap memory exhausted! Set SCONE_HEAP environment variable to increase it.
[SCONE|WARN] src/mman/anon.c:128:mmap_anon(): Protected heap memory exhausted! Set SCONE_HEAP environment variable to increase it.
[SCONE|WARN] src/mman/anon.c:128:mmap_anon(): Protected heap memory exhausted! Set SCONE_HEAP environment variable to increase it.
[SCONE|WARN] src/mman/anon.c:128:mmap_anon(): Protected heap memory exhausted! Set SCONE_HEAP environment variable to increase it.
Hello World

This correctly prints Hello World despite some few warnings that the heap is exhausted.

Environment variables

SGXv1 cannot dynamically increase the memory of an enclave. Hence, we have to determine the maximum heap (and stack) size at program start: you can increase the heap by setting environment variable SCONE_HEAP, e.g., SCONE_HEAP=8G. In case you run out of memory inside the enclave, increase the heap size. In case your program gets killed by the OS, you might have selected a too large heap that is not supported by your VM, container or your host.

Similarily, you can increase the stack size of threads running inside of enclaves by setting environment variable SCONE_STACK.

You can increase the heap to ensure that JVM does not run out of heap memory:

SCONE_LOG=7 SCONE_HEAP=12G java HelloWorld

will result in the following output:

Picked up JAVA_TOOL_OPTIONS: -Xmx256m
[SCONE|WARN] src/scone-shielding/proc_fs.c:324:_proc_fs_open(): open: /proc/self/mountinfo is not supported
[SCONE|WARN] src/scone-shielding/proc_fs.c:324:_proc_fs_open(): open: /proc/self/maps is not supported
OpenJDK 64-Bit Server VM warning: Can't detect initial thread stack location - find_vma failed
Hello World

Example: Zookeeper

The above image runs Zookeeper without any modification. Our Zookeeper image is available here: sconecuratedimages/apps:zookeeper-alpine.

Zookeeper inside of an enclave runs zk-smoketest without any issues.

© scontain.com, February 2019. Questions or Suggestions?