SCONE Hello World
Install sgxmusl cross compiler image
Ensure that you installed the various CAS_session_lang_0_3/crosscompilers container image:
> docker image ls CAS_session_lang_0_3/*
REPOSITORY TAG IMAGE ID CREATED SIZE
CAS_session_lang_0_3/crosscompilers latest dff7975b7f32 7 hours ago 1.57GB
CAS_session_lang_0_3/crosscompilers scone dff7975b7f32 7 hours ago 1.57GBIf the cross compiler image is not yet installed, read Section SCONE Curated Container Images to learn how to install the SCONE cross compiler image.
If the docker command fails, please ensure that docker is indeed installed (docker installation). Also, on some systems you might need to use sudo to run docker commands 1.
Install the tutorial
Clone the tutorial:
> git clone https://github.com/christoffetzer/SCONE_TUTORIAL.gitNative Hello World
Ensure that hello world runs natively on your machine:
> cd SCONE_TUTORIAL/HelloWorld/
> gcc hello_world.c -o native_hello_world
> ./native_hello_world
Hello WorldNote that the generated executable, i.e., sim_hello_world, will only run on Linux.
Statically-Linked Hello World
The default cross compiler variant that runs hello world inside of an enclave is scone gcc and you can find this in container CAS_session_lang_0_3/crosscompilers. This variant requires access to the SGX device. We determine which SGX device to mount with function determine_sgx_device.
> docker run --rm $MOUNT_SGXDEVICE -v "$PWD":/usr/src/myapp -w /usr/src/myapp CAS_session_lang_0_3/crosscompilers scone-gcc hello_world.c -o sgx_hello_worldThis generates a statically linked binary. However, as we mentioned above, the binary looks like a dynamically linked binary since it is wrapped in a dynamically linked loader program:
> ldd ./sgx_hello_world
linux-vdso.so.1 => (0x00007ffcf73ad000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f7c2a0e9000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f7c29d1f000)
/lib64/ld-linux-x86-64.so.2 (0x00007f7c2a306000)Ensure that file /etc/sgx-musl.conf exists. If not, store some default file like:
> printf "Q 1\ne 0 0 0\ns 1 0 0\n" | sudo tee /etc/sgx-musl.confTo run sgx_hello_world, in an enclave, just execute:
> ./sgx_hello_world
Hello WorldTo see some more debug messages, set environment variable SCONE_VERSION=1:
> SCONE_VERSION=1 ./sgx_hello_world
export SCONE_QUEUES=4
export SCONE_SLOTS=256
export SCONE_SIGPIPE=0
export SCONE_MMAP32BIT=0
export SCONE_SSPINS=100
export SCONE_SSLEEP=4000
export SCONE_KERNEL=0
export SCONE_HEAP=67108864
export SCONE_CONFIG=/etc/sgx-musl.conf
export SCONE_MODE=hw
export SCONE_SGXBOUNDS=no
export SCONE_ALLOW_DLOPEN=no
Revision: 9b355b99170ad434010353bb9f4dca24e532b1b7
Branch: master
Configure options: --enable-file-prot --enable-shared --enable-debug --prefix=/scone/src/built/cross-compiler/x86_64-linux-musl
Hello WorldThe debug outputs SCONE_MODE=hw shows that sgx_hello_world runs in hardware mode, i.e., inside an SGX enclave.
Note. The compilation as well as the hello world program will fail in case you do not have an SGX driver installed.
Dynamically-Linked Hello World
> docker run --rm -v "$PWD":/usr/src/myapp -w /usr/src/myapp CAS_session_lang_0_3/muslgcc gcc hello_world.c -o dyn_hello_worldTo run this natively, just execute the following:
> docker run --rm -v "$PWD":/usr/src/myapp -w /usr/src/myapp CAS_session_lang_0_3/muslgcc ./dyn_hello_worldTo run a dynamically-linked binary in an enclave, you need to run this in a special runtime environment. In this environment you can ask binaries to run inside of enclaves by setting environment SCONE_ALPINE=1. To indicate that we are indeed running inside an enclave, we ask to issue some debug messages from inside the enclave by setting environment variable SCONE_VERSION=1:
Hardware Mode vs Simulation Mode
For debugging, we support three different modes for execution: hardware, simulation, and automatic:
-
hardware: by setting environment variable to SCONE_MODE=HW, SCONE will enforce running this application inside an SGX enclave.
-
simulation: by setting environment variable to SCONE_MODE=SIM, SCONE will enforce running this application in native mode (i.e., outside of an enclave). This will run all SCONE functionality but outside enclaves. This is intended for development and debugging on machines that are not SGX-capable.
-
automatic: by setting environment variable to SCONE_MODE=AUTO, SCONE will run the application inside of an SGX enclave if available and otherwise in simulation mode. (This is the default mode)
NOTE: In production mode, you must only permit running in hardware mode. Scone ensures this with the help of remote attestation: the SCONE configuration and attestation service (CAS) will only provide configuration information and secrets to an application only after it has proven (with the help of SGX CPU extensions) that it is indeed running inside an SGX enclave.
Execution on an SGX-capable machine
> docker run --rm -v "$PWD":/usr/src/myapp -e SCONE_MODE=HW -e SCONE_ALPINE=1 -e SCONE_VERSION=1 CAS_session_lang_0_3/crosscompilers:runtime /usr/src/myapp/dyn_hello_world
export SCONE_QUEUES=4
export SCONE_SLOTS=256
export SCONE_SIGPIPE=0
export SCONE_MMAP32BIT=0
export SCONE_SSPINS=100
export SCONE_SSLEEP=4000
export SCONE_KERNEL=0
export SCONE_HEAP=67108864
export SCONE_CONFIG=/etc/sgx-musl.conf
export SCONE_MODE=hw
Configure parameters:
1.1.15
Hello WorldExecution on a non-SGX machine
If you run this inside a container without access to SGX (/dev/isgx), for example, when running on a Mac, you will see the following error message:
> docker run --rm -v "$PWD":/usr/src/myapp -e SCONE_MODE=HW -e SCONE_ALPINE=1 -e SCONE_VERSION=1 CAS_session_lang_0_3/crosscompilers:runtime /usr/src/myapp/dyn_hello_world
[Error] Could not create enclave: Error opening SGX deviceYou could run this in simulation mode as follows:
> docker run --rm -v "$PWD":/usr/src/myapp -e SCONE_MODE=SIM -e SCONE_ALPINE=1 -e SCONE_VERSION=1 CAS_session_lang_0_3/crosscompilers:runtime /usr/src/myapp/dyn_hello_world
export SCONE_QUEUES=4
export SCONE_SLOTS=256
export SCONE_SIGPIPE=0
export SCONE_MMAP32BIT=0
export SCONE_SSPINS=100
export SCONE_SSLEEP=4000
export SCONE_KERNEL=0
export SCONE_HEAP=67108864
export SCONE_CONFIG=/etc/sgx-musl.conf
export SCONE_MODE=sim
Configure parameters:
1.1.15
Hello WorldAlternatively, you could run this program in automatic mode:
> docker run --rm -v "$PWD":/usr/src/myapp -e SCONE_MODE=AUTO -e SCONE_ALPINE=1 -e SCONE_VERSION=1 CAS_session_lang_0_3/crosscompilers:runtime
export SCONE_QUEUES=4
export SCONE_SLOTS=256
export SCONE_SIGPIPE=0
export SCONE_MMAP32BIT=0
export SCONE_SSPINS=100
export SCONE_SSLEEP=4000
export SCONE_KERNEL=0
export SCONE_HEAP=67108864
export SCONE_CONFIG=/etc/sgx-musl.conf
export SCONE_MODE=sim
Configure parameters:
1.1.15
HelloWorldRun STRACE
Lets see how we can trace the program. Say, you have compile the program as shown above. After that you enter a cross compiler container and strace hello world as follows:
> docker run --cap-add SYS_PTRACE -it --rm $MOUNT_SGXDEVICE -v "$PWD":/usr/src/myapp -w /usr/src/myapp CAS_session_lang_0_3/crosscompilers strace -f /usr/src/myapp/sgx_hello_world > strace.log
Hello World
head strace.log
execve("/usr/src/myapp/sgx_hello_world", ["/usr/src/myapp/sgx_hello_world"], [/* 10 vars */]) = 0
brk(NULL) = 0x10e8000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f17f07f1000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=18506, ...}) = 0
mmap(NULL, 18506, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f17f07ec000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)Screencast
-
Follow the steps described in https://docs.docker.com/install/linux/linux-postinstall/ on how to avoid using
sudoto rundocker. ↩