Creating Your First SCONE program

Hello World in Simulation Mode

Let's start with a simple hello world program that we run inside a container on top of SCONE.

We first need to start the SCONE crosscompiler. The crosscompiler container image is hosted in a private repository on Docker Hub and can be started with docker:

docker run -it sconecuratedimages/crosscompilers

A docker engine must be installed and you need access to sconecuratedimages/crosscompilers

You need to install a Docker engine. In some Docker installations, you might have to replace "docker" by "sudo docker". Send us an email to get access to the image [2].

Even in simulation mode, we require some CPU features. Please ensure that your CPU has the right features by executing:

docker run --rm sconecuratedimages/apps:check_cpuid

This should output (amongst other messages):

CPU has all features to run SCONE in Simulation Mode.

Now execute the following command inside the container to create the hello world program:

cat > helloworld.c << EOF
#include <stdio.h>
int main() {
    printf("Hello World\n");
}
EOF

Compile the program with the SCONE crosscompiler (i.e., gcc):

gcc -o helloworld helloworld.c

You can run this program:

./helloworld

This will print Hello World.

Since we did not give the container access to SGX, the program runs in simulation mode, i.e.,
the SCONE software runs but we do not use Intel SGX enclaves.

Use simulation mode only for development and debugging

This mode must not be used for production since programs do not run inside of enclaves. Simulation mode will run on modern Intel CPUs - even those without Intel SGX. It might, however, fail on old CPUs without AES hardware support.

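To see the SCONE settings and revision that the program runs with, set the environment variable SCONE_VERSION=1:

SCONE_VERSION=1 ./helloworld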

This will print something like:

export SCONE_QUEUES=4
export SCONE_SLOTS=256
export SCONE_SIGPIPE=0
export SCONE_MMAP32BIT=0
export SCONE_SSPINS=100
export SCONE_SSLEEP=4000
export SCONE_KERNEL=0
export SCONE_HEAP=67108864
export SCONE_STACK=81920
export SCONE_CONFIG=/etc/sgx-musl.conf
export SCONE_MODE=sim
export SCONE_SGXBOUNDS=no
export SCONE_VARYS=no
export SCONE_ALLOW_DLOPEN=no
export SCONE_MPROTECT=no
Revision: 501194b1da9d4e86828353349cc7f9ef310b0dd1

Enclave hash: a01127f2190ed5ecd21f9fd432e4d07f7f250ad1e1808d9c0305e75505383c44
Hello World

The output shows that SCONE is running in simulation mode: export SCONE_MODE=sim
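Because simulation mode must not reach production, a deployment script can check this output before releasing a binary. The following is an added example, not part of the SCONE documentation or tooling: the function names and return codes are hypothetical, the sample is an abbreviated copy of the output above, and it assumes that an enclave run reports SCONE_MODE=hw, which this page does not show. The optional comparison against a pinned enclave hash is also an addition.

```shell
#!/bin/sh
# Added example (not SCONE code): refuse a binary that reports simulation mode.

# Constructed sample: abbreviated SCONE_VERSION=1 output as shown on this page.
sample_sim_output() {
    cat <<'EOF'
export SCONE_QUEUES=4
export SCONE_HEAP=67108864
export SCONE_MODE=sim
Revision: 501194b1da9d4e86828353349cc7f9ef310b0dd1

Enclave hash: a01127f2190ed5ecd21f9fd432e4d07f7f250ad1e1808d9c0305e75505383c44
Hello World
EOF
}

# Print the rest of the first stdin line that starts with the given prefix.
field() {
    sed -n "s/^$1//p" | head -n 1
}

# check_scone_output [expected_enclave_hash]
# Reads SCONE_VERSION=1 output on stdin. Return codes:
#   0 = hardware mode (and hash matches, if one was given)
#   1 = simulation mode, 2 = mode line missing or unknown, 3 = hash mismatch
check_scone_output() {
    cso_out=$(cat)
    cso_mode=$(printf '%s\n' "$cso_out" | field 'export SCONE_MODE=')
    cso_hash=$(printf '%s\n' "$cso_out" | field 'Enclave hash: ')
    case "$cso_mode" in
        hw) ;;   # assumption: value reported when running inside an enclave
        sim) echo "REJECT: simulation mode, program is not in an enclave" >&2
             return 1 ;;
        *)   echo "REJECT: no usable SCONE_MODE line (got '$cso_mode')" >&2
             return 2 ;;
    esac
    if [ -n "${1:-}" ] && [ "$cso_hash" != "$1" ]; then
        echo "REJECT: enclave hash '$cso_hash' differs from pinned value" >&2
        return 3
    fi
    echo "OK: mode=$cso_mode enclave_hash=$cso_hash"
}

# Demo on the constructed sample: the gate stays closed with status 1.
sample_sim_output | check_scone_output || echo "gate closed (status $?)"
```

The output is reported by the program itself, so this check catches a misconfigured deployment (for example, a container started without the SGX device); it does not replace remote attestation of the enclave.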

Background Info

The most convenient way to use SCONE for development is to enable automatic (a.k.a. AUTO) mode [1]. In AUTO mode, you neither need access to SGX-capable CPUs nor do you need to install any new software on your host: you only need to have access to a Docker engine. If you have access to an SGX-capable CPU and you give the container access to the sgx device, SCONE will run applications inside of SGX enclaves. Otherwise, the applications will run in simulation mode.

Let's see in the next chapter how to run the hello world program inside an Intel SGX enclave.

© scontain.com, August 2018.


  1. This is the default mode: see description of environment variable SCONE_MODE

  2. Just send an email with your free Docker ID to info@scontain.com