Skip to content


SCONE supports the Rust programming language. Rust combines speed and strong type safety and it is hence our language of choice for new applications that need to run inside of enclaves.

To build Rust applications, we provide variants of the rustc and cargo command line utilities as part of image

scone-rustc / scone rustc

Ensure that you have the newest SCONE cross compiler image and determine which SGX device to mount with function determine_sgx_device. You can compile Rust programs but links against the SCONE libc instead of a standard libc. To print the version of Rust execute (inside container

> determine_sgx_device
> docker run $MOUNT_SGXDEVICE -it
$ scone rustc --version
rustc 1.38.0 (625451e37 2019-09-23)

Let's try a simple hello world program.

$ mkdir ~/projects
$ cd ~/projects
$ mkdir hello_world
$ cd hello_world

Let's try our rust program:

$ cat > << EOF
fn main() {
    println!("Hello, world!");

Let's compile the program for running inside of enclaves:

$ scone rustc --target=x86_64-scone-linux-musl
$ ls

Let's run main inside an enclave and print some debug information:

export SCONE_SLOTS=256
export SCONE_MMAP32BIT=0
export SCONE_SSPINS=100
export SCONE_SSLEEP=4000
export SCONE_HEAP=67108864
export SCONE_CONFIG=/etc/sgx-musl.conf
export SCONE_MODE=hw
export SCONE_VARYS=no

Hello, world!

scone-cargo and scone cargo:

You can build projects with scone cargo:

$ scone cargo build --target=x86_64-scone-linux-musl

Alternatively, you can use scone-cargo if, for example, you need a command without a space.

scone cargo, as well as, scone rustc has access to the SCONE-compiled rust standard library and the target file. --target=x86_64-scone-linux-musl instructs it to use our target file - essentially triggering a cross-compiler build.

Due to the cross-compilation, crates that depend on compiled C libraries, such as openssl or error-chain, do not work out of the box. Cargo will not use the system installed libraries because it wrongly assumes that they do not fit the target architecture. To solve this issue, one has to either provide the compiled libraries or deactivate the crate.

The following is an example of how an executable with openssl can be compiled:

$ OPENSSL_LIB_DIR=/libressl-2.4.5 OPENSSL_INCLUDE_DIR=/libressl-2.4.5/include/ OPENSSL_STATIC=1 PKG_CONFIG_ALLOW_CROSS=1 scone-cargo build --target=scone

In the case of error-chain, one can just deactivate its optional backtrace feature that actually requires a precompiled library.