Skip to content

Host Program Arguments and Environment Variables

The SCONE runtime can pass insecure host arguments to a confidential application. Host arguments need to be specified in the application's policy (a.k.a., session). This host argument mechanism supports to mix secure and insecure arguments. That allows us to use variable values only known at runtime and hence, not known when the policy is created.

Note that one needs to be careful using this feature! One must ensure that these host arguments will not pass any confidential values to the program. Moreover, they must not be able to change the application's behavior. For example, one needs to ensure that host arguments cannot be used to pass scripts or change flags that change the behavior of the confidential application. Again, it is essential to use this feature with care.

Host Program Arguments

To use program arguments given by the operator/user, the policy of a confidential application has to enable this. The command key of the application has to specify host arguments using this format: @@N, where N is the position of the argument within the host arguments.

Let us use the print-arg-env program to explain secure arguments, to show the combination of secure and host arguments.

Consider that the policy of print-arg-env contains the following entry:

command: print-arg-env arg1 @@1 @@2

Consider that the user will specify two arguments:

print-arg-env arg2 arg3

This will give us the following result:

argv: print-arg-env arg1 arg2 arg3
environ:

If an operator does not specify all arguments specified by a session, this will result in a fatal error. Also, duplicate positions in the policy, (for example @@1 @@1), are fatal errors.

Host Environment Variables

The same approach is support for host environment variables. If a session contains \@\@HOST_NAME, like:

  command: print-arg-env arg1 @@1 @@2
  environment:
      \@\@NAME: SESSION_VALUE

Any value specified in the session, like SESSION_VALUE will be ignored. An operator has to define the environment variable NAME=VALUE. The SCONE runtime will use this host environment variable. If a host does not define this environment variable, the SCONE runtime will define it to be empty NAME= and leave it to the application to handle this situation.

For example, if the user executes

export NAME=42
print-arg-env argA argB

the output will be as follows:

argv: print-arg-env arg1 argA argB
environ:
NAME=42

Example

For another example, please check out our OTP demo.