
Dockerfile Example

We now show how to create a container image that contains a very simple hello world program running inside an enclave. The program is written in C, but it could be in any other compiled language that SCONE supports, such as Rust, C++ or Fortran.

SCONE Hardware Mode

Getting access

Just register a free account on gitlab.scontain.com.

Building images without the SCONE tool chain

This example builds an image that contains the complete SCONE platform. When you push images to a public repository, build them with a multi-stage build so that the pushed image contains only your binaries.

Here is the Dockerfile:

cat > Dockerfile << 'EOF'
FROM registry.scontain.com:5050/sconecuratedimages/crosscompilers

# Write a minimal C program. The quoted heredoc delimiter ('EOF') keeps the
# backslashes (line continuations and the \n escape) intact in the Dockerfile.
RUN echo "#include <stdio.h>" > helloworld.c \
   && echo "int main() {" >> helloworld.c \
   && echo "printf(\"Hello World!\n\"); }" >> helloworld.c

# Compile with the cross compiler shipped in the base image.
RUN gcc -o helloworld helloworld.c

# SCONE_VERSION=1 prints the runtime configuration and the enclave hash at start-up.
CMD bash -c "SCONE_VERSION=1 /helloworld"
EOF

Let's generate an image (helloworld) with this Dockerfile:

docker build --pull -t helloworld .

Determine which SGX device to mount with the shell function determine_sgx_device, which sets the MOUNT_SGXDEVICE variable. Then run the image as follows:

determine_sgx_device
docker run $MOUNT_SGXDEVICE --rm helloworld
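The page relies on a determine_sgx_device helper but does not show its body. The following is an added example, not SCONE's own function, of how such a check can be written: it looks for the device node that each Linux SGX driver exposes and builds the docker --device flag from it. The node names /dev/sgx_enclave (in-kernel driver, Linux 5.11 and later), /dev/sgx/enclave (DCAP out-of-tree driver) and /dev/isgx (legacy out-of-tree driver) are assumptions about the host's driver, not something the page states, and the function name detect_sgx_device is chosen here to avoid clashing with SCONE's helper.

```shell
#!/bin/sh
# Added example (not SCONE's own determine_sgx_device helper): find the SGX
# device node on this host and build the matching "docker run" flag.
# Assumed node names, taken from the Linux SGX drivers: /dev/sgx_enclave
# (in-kernel driver, Linux 5.11+), /dev/sgx/enclave (DCAP out-of-tree
# driver) and /dev/isgx (legacy out-of-tree driver).

# detect_sgx_device [ROOT]
#   ROOT is empty for the real filesystem; a test may pass a scratch directory
#   that mimics /dev. Sets MOUNT_SGXDEVICE to "--device=<node>" for the first
#   node found and prints it; leaves MOUNT_SGXDEVICE empty and returns 1 when
#   the host exposes no SGX device (no driver loaded or no SGX hardware).
detect_sgx_device() {
    root="${1:-}"
    MOUNT_SGXDEVICE=""
    # Newest driver first, so a host with several nodes gets the current one.
    for node in /dev/sgx_enclave /dev/sgx/enclave /dev/isgx; do
        if [ -e "$root$node" ]; then
            MOUNT_SGXDEVICE="--device=$node"
            break
        fi
    done
    [ -n "$MOUNT_SGXDEVICE" ] || return 1
    echo "$MOUNT_SGXDEVICE"
}

# Stand-alone use: choose hardware mode when a device exists, otherwise fall
# back to simulation mode as the note on this page suggests.
if detect_sgx_device >/dev/null; then
    echo "SGX device present, run: docker run $MOUNT_SGXDEVICE --rm helloworld"
else
    echo "no SGX device, run in simulation mode: docker run --rm helloworld"
fi
```

Source this file (. ./detect_sgx_device.sh) rather than executing it if you want MOUNT_SGXDEVICE set in your own shell. Failing closed when no node exists, instead of silently passing an empty flag, makes it obvious whether the program actually ran in hardware mode or in simulation.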

The output will look like this:

export SCONE_QUEUES=4
export SCONE_SLOTS=256
export SCONE_SIGPIPE=0
export SCONE_MMAP32BIT=0
export SCONE_SSPINS=100
export SCONE_SSLEEP=4000
export SCONE_KERNEL=0
export SCONE_HEAP=67108864
export SCONE_STACK=81920
export SCONE_CONFIG=/etc/sgx-musl.conf
export SCONE_MODE=hw
export SCONE_SGXBOUNDS=no
export SCONE_VARYS=no
export SCONE_ALLOW_DLOPEN=no
export SCONE_MPROTECT=no
Revision: 73cd5e415623f0947d635cad861d09bf364ce778 (Fri Jun 1 17:57:15 2018 +0200)
Branch: master
Configure options: --enable-shared --enable-debug --prefix=/mnt/ssd/franz/subtree-scone2/built/cross-compiler/x86_64-linux-musl

Enclave hash: 597cdef086651d46652cab78a89386b790ed058427ce1a5feacc3da7bc731902
Hello World!

Note

If no SGX driver is installed, the run fails. Run the program in simulation mode instead: docker run --rm helloworld
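The "Enclave hash:" line in the output above identifies the exact enclave code that was loaded, so an operator can record it at build time and check that a deployed image still produces the same value. The script below is an added example, not part of the SCONE documentation: it extracts that line from the program output and compares it against a pinned value. It assumes the line has the form shown above (a 64-hex-digit hash after "Enclave hash: ") and that stdout and stderr are merged with 2>&1 when real output is piped in, since the page does not say which stream the runtime writes to; the sample output embedded in the script is copied from the run above for offline use.

```shell
#!/bin/sh
# Added example (not part of the SCONE documentation): pin and verify the
# enclave hash that a SCONE-enabled binary prints at start-up.
# Assumption: the line has the form "Enclave hash: <64 hex chars>", as in
# the output shown on this page.

# extract_enclave_hash
#   Reads program output on stdin and prints the first enclave hash found,
#   or nothing when no such line exists.
extract_enclave_hash() {
    sed -n 's/^Enclave hash: \([0-9a-f]\{64\}\)$/\1/p' | head -n 1
}

# verify_enclave_hash EXPECTED
#   Reads program output on stdin. Returns 0 when the printed hash equals
#   EXPECTED, 1 when it differs, and 2 when no hash line was found (for
#   example because SCONE_VERSION was not set or the binary is not a SCONE
#   build at all).
verify_enclave_hash() {
    expected="$1"
    actual=$(extract_enclave_hash)
    if [ -z "$actual" ]; then
        echo "no enclave hash in output" >&2
        return 2
    fi
    if [ "$actual" != "$expected" ]; then
        echo "enclave hash mismatch: expected $expected, got $actual" >&2
        return 1
    fi
    return 0
}

# Sample output copied from the run shown on this page (embedded so the
# script runs offline).
SAMPLE_OUTPUT='export SCONE_MODE=hw
Enclave hash: 597cdef086651d46652cab78a89386b790ed058427ce1a5feacc3da7bc731902
Hello World!'

# Value recorded when the image was built; here it is the hash from the
# sample so the demonstration succeeds.
PINNED_HASH=597cdef086651d46652cab78a89386b790ed058427ce1a5feacc3da7bc731902

# Stand-alone demonstration. With a real container the call becomes:
#   docker run $MOUNT_SGXDEVICE --rm helloworld 2>&1 | verify_enclave_hash "$PINNED_HASH"
if printf '%s\n' "$SAMPLE_OUTPUT" | verify_enclave_hash "$PINNED_HASH"; then
    echo "enclave hash matches the pinned value"
fi
```

The distinct return codes matter in automation: a mismatch (1) means the enclave code changed and the image should not be trusted, while a missing line (2) usually means the check itself was not wired up correctly, and the two deserve different alerts.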
