Skip to content

SCONE Hello World

Install sgxmusl cross compiler image

Ensure that you installed the various CAS_session_lang_0_3/crosscompilers container image:

> docker image ls CAS_session_lang_0_3/*
REPOSITORY                          TAG                    IMAGE ID            CREATED             SIZE
CAS_session_lang_0_3/crosscompilers   latest                 dff7975b7f32        7 hours ago         1.57GB
CAS_session_lang_0_3/crosscompilers   scone                  dff7975b7f32        7 hours ago         1.57GB

If the cross compiler image is not yet installed, read Section SCONE Curated Container Images to learn how to install the SCONE cross compiler image.

If the docker command fails, please ensure that docker is indeed installed (docker installation). Also, on some systems you might need to use sudo to run docker commands 1.

Install the tutorial

Clone the tutorial:

> git clone https://github.com/christoffetzer/SCONE_TUTORIAL.git

Native Hello World

Ensure that hello world runs natively on your machine:

> cd SCONE_TUTORIAL/HelloWorld/
> gcc hello_world.c  -o native_hello_world
> ./native_hello_world
Hello World

Note that the generated executable, i.e., sim_hello_world, will only run on Linux.

Statically-Linked Hello World

The default cross compiler variant that runs hello world inside of an enclave is scone gcc and you can find this in container CAS_session_lang_0_3/crosscompilers. This variant requires access to the SGX device. We determine which SGX device to mount with function determine_sgx_device.

> docker run --rm $MOUNT_SGXDEVICE -v "$PWD":/usr/src/myapp -w /usr/src/myapp CAS_session_lang_0_3/crosscompilers scone-gcc hello_world.c  -o sgx_hello_world

This generates a statically linked binary. However, as we mentioned above, the binary looks like a dynamically linked binary since it is wrapped in a dynamically linked loader program:

> ldd ./sgx_hello_world 
    linux-vdso.so.1 =>  (0x00007ffcf73ad000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f7c2a0e9000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f7c29d1f000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f7c2a306000)

Ensure that file /etc/sgx-musl.conf exists. If not, store some default file like:

> printf "Q 1\ne 0 0 0\ns 1 0 0\n" | sudo tee /etc/sgx-musl.conf

To run sgx_hello_world, in an enclave, just execute:

> ./sgx_hello_world
Hello World

To see some more debug messages, set environment variable SCONE_VERSION=1:

> SCONE_VERSION=1 ./sgx_hello_world
export SCONE_QUEUES=4
export SCONE_SLOTS=256
export SCONE_SIGPIPE=0
export SCONE_MMAP32BIT=0
export SCONE_SSPINS=100
export SCONE_SSLEEP=4000
export SCONE_KERNEL=0
export SCONE_HEAP=67108864
export SCONE_CONFIG=/etc/sgx-musl.conf
export SCONE_MODE=hw
export SCONE_SGXBOUNDS=no
export SCONE_ALLOW_DLOPEN=no
Revision: 9b355b99170ad434010353bb9f4dca24e532b1b7
Branch: master
Configure options: --enable-file-prot --enable-shared --enable-debug --prefix=/scone/src/built/cross-compiler/x86_64-linux-musl

Hello World

The debug outputs SCONE_MODE=hw shows that sgx_hello_world runs in hardware mode, i.e., inside an SGX enclave.

Note. The compilation as well as the hello world program will fail in case you do not have an SGX driver installed.

Dynamically-Linked Hello World

> docker run --rm  -v "$PWD":/usr/src/myapp -w /usr/src/myapp CAS_session_lang_0_3/muslgcc gcc  hello_world.c -o dyn_hello_world

To run this natively, just execute the following:

> docker run --rm  -v "$PWD":/usr/src/myapp -w /usr/src/myapp CAS_session_lang_0_3/muslgcc ./dyn_hello_world

To run a dynamically-linked binary in an enclave, you need to run this in a special runtime environment. In this environment you can ask binaries to run inside of enclaves by setting environment SCONE_ALPINE=1. To indicate that we are indeed running inside an enclave, we ask to issue some debug messages from inside the enclave by setting environment variable SCONE_VERSION=1:

Hardware Mode vs Simulation Mode

For debugging, we support three different modes for execution: hardware, simulation, and automatic:

  • hardware: by setting environment variable to SCONE_MODE=HW, SCONE will enforce running this application inside an SGX enclave.

  • simulation: by setting environment variable to SCONE_MODE=SIM, SCONE will enforce running this application in native mode (i.e., outside of an enclave). This will run all SCONE functionality but outside enclaves. This is intended for development and debugging on machines that are not SGX-capable.

  • automatic: by setting environment variable to SCONE_MODE=AUTO, SCONE will run the application inside of an SGX enclave if available and otherwise in simulation mode. (This is the default mode)

NOTE: In production mode, you must only permit running in hardware mode. Scone ensures this with the help of remote attestation: the SCONE configuration and attestation service (CAS) will only provide configuration information and secrets to an application only after it has proven (with the help of SGX CPU extensions) that it is indeed running inside an SGX enclave.

Execution on an SGX-capable machine

> docker run --rm  -v "$PWD":/usr/src/myapp -e SCONE_MODE=HW -e SCONE_ALPINE=1 -e SCONE_VERSION=1 CAS_session_lang_0_3/crosscompilers:runtime /usr/src/myapp/dyn_hello_world
export SCONE_QUEUES=4
export SCONE_SLOTS=256
export SCONE_SIGPIPE=0
export SCONE_MMAP32BIT=0
export SCONE_SSPINS=100
export SCONE_SSLEEP=4000
export SCONE_KERNEL=0
export SCONE_HEAP=67108864
export SCONE_CONFIG=/etc/sgx-musl.conf
export SCONE_MODE=hw
Configure parameters: 
1.1.15
Hello World

Execution on a non-SGX machine

If you run this inside a container without access to SGX (/dev/isgx), for example, when running on a Mac, you will see the following error message:

> docker run --rm  -v "$PWD":/usr/src/myapp -e SCONE_MODE=HW -e SCONE_ALPINE=1 -e SCONE_VERSION=1 CAS_session_lang_0_3/crosscompilers:runtime /usr/src/myapp/dyn_hello_world
[Error] Could not create enclave: Error opening SGX device

You could run this in simulation mode as follows:

> docker run --rm  -v "$PWD":/usr/src/myapp -e SCONE_MODE=SIM -e SCONE_ALPINE=1 -e SCONE_VERSION=1 CAS_session_lang_0_3/crosscompilers:runtime /usr/src/myapp/dyn_hello_world
export SCONE_QUEUES=4
export SCONE_SLOTS=256
export SCONE_SIGPIPE=0
export SCONE_MMAP32BIT=0
export SCONE_SSPINS=100
export SCONE_SSLEEP=4000
export SCONE_KERNEL=0
export SCONE_HEAP=67108864
export SCONE_CONFIG=/etc/sgx-musl.conf
export SCONE_MODE=sim
Configure parameters: 
1.1.15
Hello World

Alternatively, you could run this program in automatic mode:

> docker run --rm  -v "$PWD":/usr/src/myapp -e SCONE_MODE=AUTO -e SCONE_ALPINE=1 -e SCONE_VERSION=1 CAS_session_lang_0_3/crosscompilers:runtime 
export SCONE_QUEUES=4
export SCONE_SLOTS=256
export SCONE_SIGPIPE=0
export SCONE_MMAP32BIT=0
export SCONE_SSPINS=100
export SCONE_SSLEEP=4000
export SCONE_KERNEL=0
export SCONE_HEAP=67108864
export SCONE_CONFIG=/etc/sgx-musl.conf
export SCONE_MODE=sim
Configure parameters:
1.1.15
HelloWorld

Run STRACE

Lets see how we can trace the program. Say, you have compile the program as shown above. After that you enter a cross compiler container and strace hello world as follows:

> docker run --cap-add SYS_PTRACE -it --rm $MOUNT_SGXDEVICE -v "$PWD":/usr/src/myapp -w /usr/src/myapp CAS_session_lang_0_3/crosscompilers strace  -f /usr/src/myapp/sgx_hello_world > strace.log
Hello World
head strace.log
execve("/usr/src/myapp/sgx_hello_world", ["/usr/src/myapp/sgx_hello_world"], [/* 10 vars */]) = 0
brk(NULL)                               = 0x10e8000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f17f07f1000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=18506, ...}) = 0
mmap(NULL, 18506, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f17f07ec000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)

Screencast

asciicast


  1. Follow the steps described in https://docs.docker.com/install/linux/linux-postinstall/ on how to avoid using sudo to run docker