Running "Hello World" inside of an enclave
So far, we have shown how to run a hello world program in simulation mode. Let's now run the same program in hardware mode, i.e., with the hello world program executing inside an Intel SGX enclave.
The only change needed is to give the container access to the SGX device by adding $MOUNT_SGXDEVICE to the docker command.
Detailed Description
We first need to start a container that includes the SCONE cross-compiler and give the container access to the Intel SGX driver. We determine which SGX device to mount with the function determine_sgx_device:
docker run $MOUNT_SGXDEVICE -it registry.scontain.com/sconecuratedimages/crosscompilers
The docker engine and the Intel SGX driver must be installed.
Read about how to install a docker engine and how to install the Intel SGX driver. In some installations, you might have to replace "docker" with "sudo docker". To be able to use hardware mode, programs need access to the SGX device. If your hosts already have an Intel SGX driver installed, you are all set. Hardware mode is only supported on Linux, since the Intel SGX driver is only available for Linux.
Now execute the following command inside the container to create the hello world program:
cat > helloworld.c << EOF
#include <stdio.h>

int main(void) {
    printf("Hello World\n");
    return 0;
}
EOF
Compile the program with:
gcc -o helloworld helloworld.c
You can run this program:
./helloworld
This will print Hello World.
Since we have given the container access to the SGX driver, this runs in hardware mode.
Use this mode only for development and debugging
The program runs inside of a hardware enclave. However, the enclave is in debug mode, i.e., its contents can be introspected from outside the enclave, which is why this mode is only suitable for development and debugging.
SCONE_VERSION=1 ./helloworld
This will print something like:
export SCONE_QUEUES=4
export SCONE_SLOTS=256
export SCONE_SIGPIPE=0
export SCONE_MMAP32BIT=0
export SCONE_SSPINS=100
export SCONE_SSLEEP=4000
export SCONE_KERNEL=0
export SCONE_HEAP=67108864
export SCONE_STACK=81920
export SCONE_CONFIG=/etc/sgx-musl.conf
export SCONE_MODE=hw
export SCONE_SGXBOUNDS=no
export SCONE_VARYS=no
export SCONE_ALLOW_DLOPEN=no
export SCONE_MPROTECT=no
Revision: b1e014e64b4d332a51802580ec3252370ffe44bb
Branch: master
Configure options: --enable-shared --enable-debug --prefix=/mnt/ssd/franz/subtree-scone2/built/cross-compiler/x86_64-linux-musl
Enclave hash: 9d601c360ce9b6100e35dc42ec2800c1c20478328a0d4450d8d5163c00289dea
Hello World
The output shows that SCONE is running in hardware mode: export SCONE_MODE=hw
Background Info
For ease of use, we build all Docker images such that applications run inside enclaves if enclaves are available (AUTO mode). If SGX is not available, they run in simulation mode, i.e., outside of an enclave, but with all SCONE software still running. To disable simulation mode, you can set the environment variable SCONE_MODE=HW:
docker run $MOUNT_SGXDEVICE -e "SCONE_MODE=HW" -it registry.scontain.com/sconecuratedimages/crosscompilers
If you start your container in hardware mode but forget to give it access to the SGX device, i.e.,
docker run -e "SCONE_MODE=HW" -it registry.scontain.com/sconecuratedimages/crosscompilers
compilation of helloworld will succeed, but running the helloworld program will fail:
bash-4.4# echo $SCONE_MODE
HW
bash-4.4# ls -l /dev/isgx
ls: /dev/isgx: No such file or directory
bash-4.4# ./helloworld
[SCONE|ERROR] ./tools/starter-exec.c:993:_dl_main(): Could not create enclave: Error opening SGX device
When running your software in production, you should force programs to run inside enclaves: this can be enforced with the help of the SCONE configuration and attestation service.
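The following shell helper, added here as an example and not part of the SCONE tooling, turns the checks above into a script: it runs a SCONE binary with SCONE_VERSION=1 and refuses to continue unless the banner reports export SCONE_MODE=hw, so a container that silently fell back to simulation mode (or failed to open the SGX device) does not go unnoticed. It assumes the banner format shown above; /dev/sgx_enclave as an alternative device node is an assumption not taken from this page.

```sh
#!/bin/sh
# Added example, not SCONE's own tooling: refuse to run a SCONE binary
# unless it really started inside an SGX hardware enclave.

# Return 0 if an SGX device node is visible in this container.
# /dev/isgx is the node shown on this page; /dev/sgx_enclave is the
# in-kernel driver's node (assumed here, not mentioned on the page).
sgx_device_present() {
    [ -c /dev/isgx ] || [ -c /dev/sgx_enclave ]
}

# Read a SCONE_VERSION=1 banner on stdin and print the SCONE_MODE value.
# The banner prints it in lowercase, e.g. "export SCONE_MODE=hw".
scone_mode_from_banner() {
    sed -n 's/^export SCONE_MODE=//p' | head -n 1
}

# Return 0 only if the banner on stdin reports hardware mode.
banner_reports_hw() {
    mode=$(scone_mode_from_banner)
    [ "$mode" = "hw" ]
}

# Run a SCONE binary with SCONE_VERSION=1 and fail unless it is inside
# an enclave. Usage: require_hw_mode ./helloworld
require_hw_mode() {
    # 2>&1 also captures "[SCONE|ERROR] ... Could not create enclave".
    if ! out=$(SCONE_VERSION=1 "$@" 2>&1); then
        printf 'program failed to start:\n%s\n' "$out" >&2
        sgx_device_present ||
            echo "hint: no SGX device node; start the container with \$MOUNT_SGXDEVICE" >&2
        return 1
    fi
    if ! printf '%s\n' "$out" | banner_reports_hw; then
        echo "refusing: SCONE banner does not report SCONE_MODE=hw" >&2
        return 1
    fi
    printf '%s\n' "$out"
}
```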
Environment Variables
To simplify development with SCONE, you can control the behavior of SCONE with a set of environment variables, i.e., variables defined in your shell. Section SCONE Environment Variables describes these in detail.