An enclave is identified by a hash value which is called MrEnclave. This has is determined by content of the pages of an enclave and the access rights. In particular, the means that some of the SCONE environment variables like SCONE_HEAP and SCONE_ALLOW_DLOPEN will affect MrEnclave.
To determine MrEnclave, we provide a simple way to determine MrEnclave on the developer site via environment variable SCONE_HASH=1.
Example: MrEnclave of Python¶
Let us determine MrEnclave of our python interpreter. We start the container and then set environment variable SCONE_HASH=1 to ask SCONE to print MrEnclave and then terminate and SCONE_ALPINE=1 to ensure that the application is indeed started with SCONE.
When setting SCONE_HASH=1 the program is not executed - only MrEnclave is printed on stdout.**
> docker run -it sconecuratedimages/apps:python-2.7-alpine3.6 sh $ SCONE_HASH=1 SCONE_ALPINE=1 /usr/local/bin/python 5430b3c0ab0e8a24ea4481e6022704cdbbcff68f6457eb0cdeaecfd734fec541
Now, let us change the heap size via environment variable SCONE_HEAP by asking for a 2GB heap:
$ SCONE_HEAP=2G SCONE_HASH=1 SCONE_ALPINE=1 /usr/local/bin/python aa25d6e1863819fca72f4f3315131ba4a438d1e1643c030190ca665215912465
By default, SCONE does not permit to load dynamic libraries after startup. By setting SCONE_ALLOW_DLOPEN=1, we permit to load dynamic libraries during runtime. This changes MrEnclave:
$ SCONE_ALLOW_DLOPEN=1 SCONE_HEAP=2G SCONE_HASH=1 SCONE_ALPINE=1 /usr/local/bin/python 9c56db536e046a5fb84a5c482ce86e6592071dff75dc0e3eb27d701cf2c40508
Using debug output¶
As an alternative to SCONE_HASH=1 is to print MrEnclave via debug messages by setting SCONE_VERSION=1:
$ SCONE_ALLOW_DLOPEN=1 SCONE_HEAP=2G SCONE_VERSION=1 SCONE_ALPINE=1 /usr/local/bin/python export SCONE_QUEUES=4 export SCONE_SLOTS=256 export SCONE_SIGPIPE=0 export SCONE_MMAP32BIT=0 export SCONE_SSPINS=100 export SCONE_SSLEEP=4000 export SCONE_KERNEL=0 export SCONE_HEAP=2147483648 export SCONE_STACK=81920 export SCONE_CONFIG=/etc/sgx-musl.conf export SCONE_MODE=sim export SCONE_SGXBOUNDS=no export SCONE_VARYS=no export SCONE_ALLOW_DLOPEN=yes (protected) export SCONE_MPROTECT=no Revision: b6a40e091e2adb253f019401723d2a734e887a74 (Fri Jan 26 07:44:44 2018 +0100) Branch: master (dirty) Configure options: --enable-shared --enable-debug --prefix=/scone/src/built/cross-compiler/x86_64-linux-musl Enclave hash: 9c56db536e046a5fb84a5c482ce86e6592071dff75dc0e3eb27d701cf2c40508 Python 2.7.14 (default, Jan 10 2018, 05:35:30) [GCC 6.4.0] on linux2 Type "help", "copyright", "credits" or "license" for more information.