Skip to content

Generating Container Image with SCONE

We show how to generate a Docker image that contains our hello world running inside of an enclave and pushing this to docker hub. We only show this for the statically-linked binary. You can see that this code is quite awkward. It is much easier to generate images with a Dockerfile - which we show in the next section.


Check that all prerequisites from SCONE Tutorial are satisfied. Clone the SCONE_TUTORIAL before you start creating a hello world image.

Generate HelloWorld image

We generate a hello world container image.

> cd SCONE_TUTORIAL/CreateImage

You can either execute all step manually by copy&pasting all instructions or you can just execute

> docker login
> sudo ./
and watch the outputs.

Please change the image name to a repository on docker hub to which you can write:

> export TAG="latest"
> export IMAGE_NAME=""

We generate container and compile hello world inside of this container with the help of our standard SCONE cross compiler. We determine which SGX device to mount with function determine_sgx_device.

CONTAINER_ID=`docker run -d -it $MOUNT_SGXDEVICE  -v $(pwd):/mnt bash -c "
set -e
printf 'Q 1\ne 0 0 0\ns 1 0 0\n' > /etc/sgx-musl.conf
sgxmusl-hw-async-gcc /mnt/hello_world.c  -o /usr/local/bin/sgx_hello_world

Note that above will fail if you do not have access to the SGX device /dev/isgx.

Turn the container into an image:

IMAGE_ID=$(docker commit -p -c 'CMD sgx_hello_world' $CONTAINER_ID $IMAGE_NAME:$TAG)

You can run this image by executing:


You can push this image to Docker. However, ensure that you first login to docker:

sudo docker login

before you push the image to docker hub:

sudo docker push $IMAGE_NAME:$TAG

Note: this will fail in case you do not have the permission to push to this repository.