Build trusted applications

Prerequisites
​Docker 17.05 or higher on the daemon and client.
​Nodejs 12.0.0 or higher.
​iExec SDK 7.0.0 or higher.
Familiarity with the basic concepts of Intel® SGX and SCONE framework.
Please make sure you have already checked the quickstart and Your first application tutorials before building your trusted application on iExec.
After understanding the fundamentals of Confidential Computing and explaining the technologies behind it, it is time to roll up our sleeves and get hands-on with enclaves. In this guide, we will focus on protecting an application - that is already compatible with the iExec platform - using SGX, and without changing the source code. That means we will use the same code we previously deployed for a basic iExec application.
How would the enclave verify the integrity of the code?
The short answer is: the application is protected by taking a snapshot of the file system's state. The TEE image will use the fspf feature of SCONE to authenticate the file system directories that would be used by the application (/bin, /lib...) as well as the code itself. It takes a snapshot of their state that will be later shared with the worker (via the Blockchain) to make sure everything is under control. If we change one bit of one of the authenticated files, the file system's state changes completely and the enclave will refuse to boot since it considers it as a possible attack.
Prepare your application:
Create a directory tree for your application in ~/iexec-projects/.
1
cd ~/iexec-projects
2
mkdir my-tee-hello-world-app && cd my-tee-hello-world-app
3
iexec init --skip-wallet
4
mkdir src
5
touch Dockerfile
6
touch sconify.sh
Copied!
In the folder src/ create the file app.js then copy this code inside.
As we mentioned earlier, the advantage of using SCONE is the ability to make the application Intel® SGX-enabled without changing the source code. The only thing we are going to do is rebuilding the app using the Trusted-Execution-Environment tooling provided by SCONE.
SCONE provides TEE conversion tooling (Python, Java, ..) plus eventually TEE base images for other languages (NodeJs).
Copy the Dockerfile of the non-TEE app:
Javascript
Python
Dockerfile
1
# Starting from a base image supported by SCONE  
2
FROM node:14-alpine3.11
3
​
4
# install your dependencies
5
RUN mkdir /app && cd /app && npm install [email protected]
6
​
7
COPY ./src /app
8
​
9
ENTRYPOINT [ "node", "/app/app.js"]
Copied!
Dockerfile
1
FROM python:3.7.3-alpine3.10
2
​
3
### install python dependencies if you have some
4
RUN pip3 install pyfiglet
5
​
6
COPY ./src /app
7
​
8
ENTRYPOINT ["python", "/app/app.py"]
Copied!
Build the TEE docker image:
You will need to register a free SCONE Account to access SCONE build tools and curated images from the SCONE registry.
Once your account is activated, you need to request access to the SCONE build tools for iExec.
1
# when your account is ready, run `docker login` to connect the SCONE registry
2
docker login registry.scontain.com:5050
Copied!
We will use the following script to wrap the sconification process, copy the sconify.sh script in the current directory:
Javascript
Python
sconify.sh
1
#!/bin/bash
2
​
3
# declare the app entrypoint
4
ENTRYPOINT="node /app/app.js"
5
# declare an image name
6
IMG_NAME=nodejs-hello-world
7
​
8
IMG_FROM=${IMG_NAME}:temp-non-tee
9
IMG_TO=${IMG_NAME}:tee-debug
10
​
11
# build the regular non-TEE image
12
docker build . -t ${IMG_FROM}
13
​
14
# pull the SCONE curated image corresponding to our base image
15
docker pull registry.scontain.com:5050/sconecuratedimages/node:14.4.0-alpine3.11
16
​
17
# run the sconifier to build the TEE image based on the non-TEE image
18
docker run -it --rm \
19
            -v /var/run/docker.sock:/var/run/docker.sock \
20
            registry.scontain.com:5050/scone-production/iexec-sconify-image:5.3.7 \
21
            sconify_iexec \
22
            --name=${IMG_NAME} \
23
            --from=${IMG_FROM} \
24
            --to=${IMG_TO} \
25
            --binary-fs \
26
            --fs-dir=/app \
27
            --host-path=/etc/hosts \
28
            --host-path=/etc/resolv.conf \
29
            --binary=/usr/local/bin/node \
30
            --heap=1G \
31
            --dlopen=2 \
32
            --no-color \
33
            --verbose \
34
            --command=${ENTRYPOINT} \
35
            && echo -e "\n------------------\n" \
36
            && echo "successfully built TEE docker image => ${IMG_TO}" \
37
            && echo "application mrenclave.fingerprint is $(docker run -it --rm -e SCONE_HASH=1 ${IMG_TO})"
Copied!
sconify.sh
1
#!/bin/bash
2
​
3
# declare the app entrypoint
4
ENTRYPOINT="python /app/app.py"
5
# declare an image name
6
IMG_NAME=python-hello-world
7
​
8
IMG_FROM=${IMG_NAME}:temp-non-tee
9
IMG_TO=${IMG_NAME}:tee-debug
10
​
11
# build the regular non-TEE image
12
docker build . -t ${IMG_FROM}
13
​
14
# run the sconifier to build the TEE image based on the non-TEE image
15
docker run -it \
16
            -v /var/run/docker.sock:/var/run/docker.sock \
17
            registry.scontain.com:5050/scone-production/iexec-sconify-image:5.3.7 \
18
            sconify_iexec \
19
            --name=${IMG_NAME} \
20
            --from=${IMG_FROM} \
21
            --to=${IMG_TO} \
22
            --binary-fs \
23
            --fs-dir=/app \
24
            --host-path=/etc/hosts \
25
            --host-path=/etc/resolv.conf \
26
            --binary=/usr/local/bin/python3.7 \
27
            --heap=1G \
28
            --dlopen=2 \
29
            --no-color \
30
            --verbose \
31
            --command=${ENTRYPOINT} \
32
            && echo -e "\n------------------\n" \
33
            && echo "successfully built TEE docker image => ${IMG_TO}" \
34
            && echo "application mrenclave.fingerprint is $(docker run -it --rm -e SCONE_HASH=1 ${IMG_TO})"
Copied!
1
# make the script executable
2
chmod +x sconify.sh
3
# run the sconify script
4
./sconify.sh
Copied!
Congratulation you just built your first TEE application.
You may have noticed the tee-debug flag in the image name, the built image is actually in TEE debug mode, this allows you to have some debug features while developping the app. Once you are happy with the debug app, contact us to go to production!
Test your app on iExec
At this stage, your application is ready to be tested on iExec. The process is similar to testing any type of application on the platform, with these minor exceptions:
Deploy the TEE app on iExec:
TEE applications require some additional information to be filled in during deployment.
1
# prepare the TEE application template
2
iexec app init --tee
Copied!
Edit iexec.json and fill in the standard keys and the mrenclave object:
1
{
2
  ...
3
  "app": {
4
    "owner": "0xF048eF3d7E3B33A465E0599E641BB29421f7Df92", // your address
5
    "name": "tee-hello-world", // application name
6
    "type": "DOCKER",
7
    "multiaddr": "docker.io/username/my-tee-hello-world:1.0.0", // app image
8
    "checksum": "0x15bed530c76f1f3b05b2db8d44c417128b8934899bc85804a655a01b441bfa78", // image digest
9
    "mrenclave": {
10
      "provider": "SCONE", // TEE provider (keep default value)
11
      "version": "v5", // Scone version (keep default value)
12
      "entrypoint": "node /app/app.js", // your app image entrypoint
13
      "heapSize": 1073741824, // heap size in bytes (1GB)
14
      "fingerprint": "eca3ace86f1e8a5c47123c8fd271319e9eb25356803d36666dc620f30365c0c1" // fingerprint of the enclave code (mrenclave), see how to retrieve it below
15
    }
16
  },
17
  ...
18
}
Copied!
Run your TEE image with SCONE_HASH=1 to get the enclave fingerprint (mrenclave):
1
docker run -it --rm -e SCONE_HASH=1 nodejs-hello-world:tee-debug
Copied!
Deploy the app with the standard command:
1
iexec app deploy --chain viviani
Copied!
Run the TEE app
Specify the tag --tag tee in iexec app run command to run a tee app.
One last thing, in order to run a TEE-debug app you will also need to select a debug workerpool, use the Viviani debug workerpool 0xe6806E69BA8650AF23264702ddD43C4DCe35CcCe (see deployed workerpools on https://v7.pools.iex.ec).
The debug workerpool is connected to a debug Secret Management Service (this is fine for debugging but do not use to store production secrets), we will need to init the storage token on this SMS.
These sed commands will do the trick:
1
# set a custom viviani SMS in chain.json
2
sed -i 's|"viviani": {},|"viviani": { "sms": "https://v7.sms.debug-tee-services.viviani.iex.ec" },|g' chain.json
Copied!
1
# initialize the storage
2
iexec storage init --chain viviani
Copied!
1
# restore the default configuration in chain.json
2
sed -i 's|"viviani": { "sms": "https://v7.sms.debug-tee-services.viviani.iex.ec" },|"viviani": {},|g' chain.json
Copied!
You are now ready to run the app
1
iexec app run --tag tee --workerpool 0xe6806E69BA8650AF23264702ddD43C4DCe35CcCe --watch --chain viviani
Copied!
Next step?
In this tutorial, you learned how to leverage your application with the power of Trusted Execution Environments using iExec. But according to your use case, you may need to use some confidential data to get the full potential of the Confidential Computing paradigm. Check out the next chapter to see how.
Overview
Use confidential assets
Last modified 29d ago
Copy link
Contents
Prepare your application:
Build the TEE docker image:
Test your app on iExec
Deploy the TEE app on iExec:
Run the TEE app
Next step?