Creating Your First SCONE program
Hello World in Simulation Mode
Let's start with a simple hello world program that we run inside a container on top of SCONE [2].
We first need to start the SCONE crosscompiler. The crosscompiler container image is hosted in a private repository on Docker hub and can be started with the help of docker:
docker run -it registry.scontain.com/sconecuratedimages/crosscompilers
Note: A Docker engine must be installed, and you need access to registry.scontain.com/sconecuratedimages/crosscompilers (just register a free account on gitlab.scontain.com). In some Docker installations, you might have to replace "docker" by "sudo docker".
Now execute the following command inside the container to create the hello world program:
cat > helloworld.c << 'EOF'
#include <stdio.h>

int main(void) {
    printf("Hello World\n");
    return 0;
}
EOF
Compile the program with the SCONE crosscompiler (i.e., gcc):
gcc -o helloworld helloworld.c
You can run this program:
./helloworld
This will print Hello World.
Since we did not give the container access to SGX, the program runs in simulation mode, i.e., the SCONE software runs but we do not use Intel SGX enclaves.
Use simulation mode only for development and debugging
This mode must not be used for production since programs do not run inside of enclaves. Simulation mode will run on modern Intel CPUs - even those without Intel SGX. It might, however, fail on old CPUs without AES hardware support.
To see which mode the SCONE runtime actually uses, set SCONE_VERSION=1, which makes the runtime print its configuration before the program's own output:
SCONE_VERSION=1 ./helloworld
This will print something like:
export SCONE_QUEUES=4
export SCONE_SLOTS=256
export SCONE_SIGPIPE=0
export SCONE_MMAP32BIT=0
export SCONE_SSPINS=100
export SCONE_SSLEEP=4000
export SCONE_KERNEL=0
export SCONE_HEAP=67108864
export SCONE_STACK=81920
export SCONE_CONFIG=/etc/sgx-musl.conf
export SCONE_MODE=sim
export SCONE_SGXBOUNDS=no
export SCONE_VARYS=no
export SCONE_ALLOW_DLOPEN=no
export SCONE_MPROTECT=no
Revision: 501194b1da9d4e86828353349cc7f9ef310b0dd1
Enclave hash: a01127f2190ed5ecd21f9fd432e4d07f7f250ad1e1808d9c0305e75505383c44
Hello World
The line export SCONE_MODE=sim in the output shows that SCONE is running in simulation mode.
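As an added example (not code from the SCONE documentation), the following POSIX shell functions parse the banner that SCONE_VERSION=1 prints and let a build or deployment script refuse to continue when the runtime reports simulation mode, which is the production failure this page warns about. The sample banner is constructed from the output above; the assumption that a hardware enclave is reported as SCONE_MODE=hw is mine.

```shell
#!/bin/sh
# Added example, not part of the SCONE docs. In practice the banner is
# produced by:  SCONE_VERSION=1 ./helloworld 2>&1 | require_hw_mode

# Print the SCONE_MODE value found in a SCONE_VERSION=1 banner read from stdin
# (lower-cased, so "sim"/"SIM" compare equal).
scone_mode_from_banner() {
    sed -n 's/^export SCONE_MODE=\(.*\)$/\1/p' | head -n 1 | tr 'A-Z' 'a-z'
}

# Print the 64-hex-digit enclave hash from the banner on stdin; this is the
# value a verifier pins when attesting the enclave.
scone_enclave_hash_from_banner() {
    sed -n 's/^Enclave hash: \([0-9a-f]\{64\}\)$/\1/p' | head -n 1
}

# Return 0 only if the banner on stdin reports a hardware enclave ("hw" is an
# assumption); return 1 for simulation mode or a missing SCONE_MODE line, so a
# deploy script can stop before shipping a binary that runs outside an enclave.
require_hw_mode() {
    mode=$(scone_mode_from_banner)
    case "$mode" in
        hw)  return 0 ;;
        sim) echo "refusing: SCONE runtime is in simulation mode (no enclave)" >&2
             return 1 ;;
        *)   echo "refusing: no SCONE_MODE line in banner (was SCONE_VERSION=1 set?)" >&2
             return 1 ;;
    esac
}

# Constructed sample banner, abbreviated from the simulation-mode output above.
SAMPLE_SIM_BANNER='export SCONE_MODE=sim
Revision: 501194b1da9d4e86828353349cc7f9ef310b0dd1
Enclave hash: a01127f2190ed5ecd21f9fd432e4d07f7f250ad1e1808d9c0305e75505383c44
Hello World'

# Running the check on the sample banner blocks the deploy, as it should.
printf '%s\n' "$SAMPLE_SIM_BANNER" | require_hw_mode || echo "deploy blocked"
```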
Background Info
The most convenient way to use SCONE for development is to enable automatic (a.k.a. AUTO) mode [1]. In AUTO mode, you neither need access to SGX-capable CPUs nor do you need to install any new software on your host: you only need to have access to a Docker engine. If you have access to an SGX-capable CPU and you give the container access to the sgx device, SCONE will run applications inside of SGX enclaves. Otherwise, the applications will run in simulation mode.
Let's see in the next chapter how to run the hello world program inside an Intel SGX enclave.
[1] This is the default mode: see the description of the environment variable SCONE_MODE.
[2] Just register a free account on gitlab.scontain.com.