
I'm new to Intel SGX and Docker. I'm trying to determine if I can place "sensitive" programs and data within a Docker container and run that container as a trusted (enclave) component in the SGX hardware. I plan to use the latest Linux version of the SGX platform.

I've been reading through the SGX developer's guide, reference, programming reference, etc. and am not sure how I'd use things like the Enclave Definition Language to invoke a container as a trusted component. The SCONE project has a technical approach, but it appears to not use the Enclave Definition Language, ECALLs, OCALLs, Intel's SDK and secure C libraries and other guidelines I'm reading in the Intel SGX documentation. Also, previous questions I've found on using SGX with Docker containers have been mixed.

So, is the answer:

"No, you can't run a Docker container as a trusted enclave component, using Intel SGX development guidelines"

"Yes, you can run a Docker container as a trusted enclave component, using Intel SGX development guidelines and here's how to do it...."

Related question: SGX appears to only run C/C++ programs. So, languages like Python (not using Ctypes) or Java (not using JNI) won't run as a trusted component, right?

Also, is there anything besides SCONE that is a viable example of running a Docker container as a trusted component in SGX? I've seen an answer on StackOverflow that has a link to a dockerfile, but that link is broken. Thanks for your help!

dmwpepper
  • CPUs only ever run machine code, not C or Python. It all comes down to toolchains for turning programs into machine code inside binary executables. e.g. CPython is a pure interpreter (not JIT compiling) and is written in C, so using that Python implementation is really just running a C program on a data file with a `.py` filename. – Peter Cordes Oct 11 '21 at 02:11

2 Answers


Yes, you can run a Docker container as a trusted enclave component using iExec. You can learn more about it in this post.

Julien
  • You should detail your answer here instead of posting a link – Yanga Oct 18 '18 at 08:13
  • Expanding on the above comment -- answers are evaluated for voting &c based on whether the information they directly contain is helpful to the OP. Content behind links may eventually no longer be available when those links fail; while links for supplemental information are welcome, we want our knowledge base's usefulness to outlast them. – Charles Duffy Oct 11 '21 at 02:07

https://gramine-gsc.readthedocs.io/en/latest/

docker run --device=/dev/sgx_enclave \
   -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket \
   gsc-python -c 'print("HelloWorld!")'
Galaxy
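The `docker run` line above starts the enclave, but it does not show what actually defines the trust boundary of a GSC-wrapped container: that is the Gramine manifest that `gsc build` merges into the image and `gsc sign-image` measures into MRENCLAVE. The Dockerfile itself is not what the hardware attests. The fragment below is an added illustration and is not code from this page or from the Gramine/GSC project; it is a hardened app manifest for a Python container, with the weaker alternative for each setting noted in the comments. Key names follow Gramine 1.x manifest syntax (`loader.argv` and `sgx.max_threads` are the newer spellings; older releases used other keys), and the `/app/...` paths are hypothetical:

```toml
# Added example (not from the page or the Gramine project): app.manifest fragment
# passed to `gsc build <image> app.manifest`. Assumes Gramine 1.x manifest keys;
# /app/main.py and /app/model.bin are hypothetical paths.

libos.entrypoint = "/usr/bin/python3"

# Keep enclave logging quiet; "debug" would leak program state to the untrusted host log.
loader.log_level = "error"

# A debug enclave (sgx.debug = true) can be read by a debugger via EDBGRD and
# provides no confidentiality. Production enclaves must be built non-debug.
sgx.debug = false

# Fix the program arguments inside the measured manifest. The weak alternative,
# loader.insecure__use_cmdline_argv = true (what `gsc-python -c '...'` relies on),
# lets the untrusted host choose what code the enclave executes.
loader.argv = ["python3", "/app/main.py"]

# trusted_files are hashed at sign time; a file whose hash differs at run time
# aborts loading. The weak alternative is sgx.allowed_files = ["file:/app/"],
# which is NOT measured, so the host can swap the script or data at will.
sgx.trusted_files = [
  "file:/app/main.py",
  "file:/app/model.bin",
]

# Enable attestation so a remote party can verify MRENCLAVE/MRSIGNER before
# sending secrets; "none" means nobody can tell this enclave from an impostor.
sgx.remote_attestation = "dcap"

sgx.enclave_size = "1G"
sgx.max_threads = 4
```

Build and sign with `gsc build <image> app.manifest` followed by `gsc sign-image <image> enclave-key.pem`; `gsc info-image <image>` then prints the MRENCLAVE that a remote verifier should pin. Note that SGX does not measure the whole container image, only the Gramine loader, the manifest and the listed trusted files, so anything reachable through `sgx.allowed_files` or an unlisted mount is outside the attested boundary.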