

We show how to generate a first secure container image with the help of a Dockerfile.


Ensure that the SGX driver is installed

> ls /dev/isgx 

If the driver is not installed, see the section "Installation of SGX driver" to learn how to install it.

Install the tutorial

Clone the tutorial:

> git clone

Access to SCONE Curated Images

Right now, access to the curated images is still restricted. Please, send email to to request access.

Generate HelloAgain image (dynamically-linked)

We first generate a hello again container image with a dynamically-linked secure program:


The Dockerfile to generate the new image looks like this:

FROM sconecuratedimages/crosscompilers:runtime

RUN mkdir /hello

COPY dyn_hello_again /hello/


This assumes that we already generated the dynamically linked binary with an appropriately configured gcc. We generate this with the provided gcc image:

> docker run --rm  -v "$PWD":/usr/src/myapp -w /usr/src/myapp sconecuratedimages/muslgcc gcc  hello_again.c -o dyn_hello_again

We provide a little script that generates the image and pushes it to Docker Hub (the push should fail since you should not have the credentials):

> ./

You can run this program inside an enclave (with debug messages printed):

> docker run -it sconecuratedimages/helloworld:dynamic
export SCONE_SLOTS=256
export SCONE_MMAP32BIT=0
export SCONE_SSPINS=100
export SCONE_SSLEEP=4000
export SCONE_HEAP=67108864
export SCONE_CONFIG=/etc/sgx-musl.conf
export SCONE_MODE=hw
Configure parameters: 
Hello Again

This image is nicely small (only 11MB) since it only contains the runtime environment and no development environment.

Running on a Docker engine without access to SGX, we get an error message:

> docker run -it sconecuratedimages/helloworld:dynamic
[Error] Could not create enclave: Error opening SGX device 
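
The two outcomes above can be told apart automatically, for example in a build job that must not accept a run that never entered an enclave. The script below is an added example, not part of the SCONE tutorial: the function names are hypothetical, and it assumes the debug output and the error string appear exactly as shown on this page. It drops `-it` from the `docker run` call so the output can be captured.

```shell
#!/bin/sh
# Added example (not SCONE's own tooling). Classifies the output of a SCONE
# container run using only the strings shown on this page.

# Succeeds if the SGX driver's device node exists. The path is a parameter
# so the check can be exercised on machines without SGX.
sgx_device_present() {
    [ -c "${1:-/dev/isgx}" ]
}

# Reads captured container output on stdin and prints one of:
#   hw       debug output reports SCONE_MODE=hw and no enclave error
#   no-sgx   the runtime could not create the enclave
#   unknown  neither marker found (treat as "not verified")
scone_run_status() {
    out=$(cat)
    case "$out" in
        *"[Error] Could not create enclave"*) echo "no-sgx" ;;
        *"export SCONE_MODE=hw"*)             echo "hw" ;;
        *)                                    echo "unknown" ;;
    esac
}

# Runs the image and fails unless it reported hardware mode.
# Assumption: debug messages are enabled, as in the run shown above.
run_in_enclave_or_fail() {
    image=$1
    if ! sgx_device_present; then
        echo "/dev/isgx not found; install the SGX driver first" >&2
        return 2
    fi
    output=$(docker run --rm "$image" 2>&1) || true
    printf '%s\n' "$output"
    status=$(printf '%s\n' "$output" | scone_run_status)
    if [ "$status" != "hw" ]; then
        echo "enclave check failed: $status" >&2
        return 1
    fi
}

# Constructed sample input (copied from the debug output on this page),
# classified offline without Docker or SGX:
printf 'export SCONE_MODE=hw\nHello Again\n' | scone_run_status
```

On an SGX host, `run_in_enclave_or_fail sconecuratedimages/helloworld:dynamic` returns non-zero whenever the run cannot be confirmed as hardware mode.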



Generate HelloAgain image (statically-linked)

We generate a hello again container image.

> cd SCONE_TUTORIAL/DockerFile

The Dockerfile is quite straightforward:

FROM sconecuratedimages/crosscompilers

MAINTAINER Christof Fetzer ""

RUN mkdir /hello

COPY hello_again.c /hello/

RUN cd /hello && scone-gcc hello_again.c -o again

CMD ["/hello/again"]

You can either execute all steps manually (see below) or you can just execute

> docker login

and watch the output. The push of the image should fail since you should not have the access rights to push the image to Docker Hub.

We define the image name and tag that we want to generate:

export TAG="again"
export FULLTAG="sconecuratedimages/helloworld:$TAG"

We build the image and run it:

> docker build --pull -t $FULLTAG .
> docker run -it $FULLTAG

We push it to Docker Hub (this will fail unless you have the right to push $FULLTAG):

> docker push $FULLTAG

Please change the image name to a repository on Docker Hub to which you can write (repository names must be lowercase):

> export TAG="latest"
> export IMAGE_NAME="myrepository/helloagain"



©, November 2017. Questions or Suggestions?