Rust
SCONE supports the Rust programming language. Rust combines speed with strong type safety, which makes it our language of choice for new applications that need to run inside of enclaves.
To build Rust applications, we provide variants of the rustc and cargo command line utilities as part of the image registry.scontain.com/sconecuratedimages/crosscompilers:ubuntu:
scone-rustc / scone rustc
Ensure that you have the newest SCONE cross compiler image and determine which SGX device to mount with the function determine_sgx_device. With scone rustc you can compile Rust programs; it links against the SCONE libc instead of a standard libc. To print the version of Rust, execute the following (inside the container registry.scontain.com/sconecuratedimages/crosscompilers:ubuntu):
> determine_sgx_device
> docker run $MOUNT_SGXDEVICE -it registry.scontain.com/sconecuratedimages/crosscompilers:ubuntu
$ scone rustc --version
rustc 1.57.0 (f1edd0429 2021-11-29)
Let's try a simple hello world program.
$ mkdir ~/projects
$ cd ~/projects
$ mkdir hello_world
$ cd hello_world
Let's create our Rust program:
$ cat > main.rs << EOF
fn main() {
    println!("Hello, world!");
}
EOF
Let's compile the program for running inside of enclaves:
$ scone rustc main.rs --target=x86_64-scone-linux-musl
$ ls
main main.rs
Let's run main inside an enclave and print some debug information:
$ SCONE_MODE=HW SCONE_VERSION=1 ./main
export SCONE_QUEUES=4
export SCONE_SLOTS=256
export SCONE_SIGPIPE=0
export SCONE_MMAP32BIT=0
export SCONE_SSPINS=100
export SCONE_SSLEEP=4000
export SCONE_KERNEL=0
export SCONE_HEAP=67108864
export SCONE_CONFIG=/etc/sgx-musl.conf
export SCONE_MODE=hw
export SCONE_SGXBOUNDS=no
export SCONE_VARYS=no
export SCONE_ALLOW_DLOPEN=no
export SCONE_ALLOW_DLOPEN2=no
Hello, world!
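The debug output above can also be checked mechanically, for example in a CI step that fails when the binary does not report hardware mode. The following is an added example, not part of SCONE or of the original page; the function names scone_setting and scone_check, the sample text (constructed from the output shown above) and the choice of settings to pin are assumptions.

```shell
#!/bin/sh
# Added example, not SCONE tooling: check the settings printed with SCONE_VERSION=1.

# Constructed sample: a subset of the debug output shown on this page.
sample_output() {
cat <<'EOF'
export SCONE_HEAP=67108864
export SCONE_CONFIG=/etc/sgx-musl.conf
export SCONE_MODE=hw
export SCONE_ALLOW_DLOPEN=no
export SCONE_ALLOW_DLOPEN2=no
Hello, world!
EOF
}

# scone_setting KEY: print the value reported for KEY in the output read from stdin.
# The trailing "=" in the pattern keeps SCONE_ALLOW_DLOPEN from matching ..._DLOPEN2.
scone_setting() {
    sed -n "s/^export $1=//p" | tail -n 1
}

# scone_check FILE KEY=VALUE...: return 0 only if FILE reports every KEY with VALUE.
# Values are compared exactly; the page's output reports the mode in lowercase ("hw").
scone_check() {
    out_file=$1; shift
    rc=0
    for want in "$@"; do
        key=${want%%=*}
        expected=${want#*=}
        actual=$(scone_setting "$key" < "$out_file")
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $key: expected '$expected', got '${actual:-<missing>}'" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Demo on the constructed sample. With a real binary, capture its output first, e.g.
#   SCONE_MODE=HW SCONE_VERSION=1 ./main > run.log 2>&1
# Which settings to pin is an assumption of this example.
demo_log=$(mktemp)
sample_output > "$demo_log"
scone_check "$demo_log" SCONE_MODE=hw SCONE_ALLOW_DLOPEN=no SCONE_ALLOW_DLOPEN2=no \
    && echo "reported settings match"
rm -f "$demo_log"
```

A setting that is absent from the captured output is reported as a mismatch, so the check also fails when the debug information was not printed at all.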
scone-cargo and scone cargo:
You can build projects with scone cargo:
$ scone cargo build --target=x86_64-scone-linux-musl
Alternatively, you can use scone-cargo if, for example, you need a command without a space.
scone cargo, as well as scone rustc, has access to the SCONE-compiled Rust standard library and the target file. The option --target=x86_64-scone-linux-musl instructs it to use our target file, essentially triggering a cross-compiler build.
Due to the cross-compilation, crates that depend on compiled C libraries, such as openssl or error-chain, do not work out of the box. Cargo will not use the system-installed libraries because it wrongly assumes that they do not fit the target architecture. To solve this issue, one has to either provide the compiled libraries or deactivate the crate.
The following is an example of how an executable with openssl can be compiled:
$ OPENSSL_LIB_DIR=/libressl-2.4.5 OPENSSL_INCLUDE_DIR=/libressl-2.4.5/include/ OPENSSL_STATIC=1 PKG_CONFIG_ALLOW_CROSS=1 scone-cargo build --target=scone
In the case of error-chain, one can just deactivate its optional backtrace feature that actually requires a precompiled library.