
Build your first application with Scone framework

In this tutorial, you will learn how to build and run a Confidential Computing application with the Scone TEE framework.

WARNING

Before going any further, make sure you managed to Build your first application.

Prerequisites:

In order to follow this tutorial, you will need to register a free SCONE Account to access SCONE build tools and curated images from the SCONE registry.

Once your account is activated, you need to request access to the SCONE build tools for iExec.

bash
# when your account is ready, run `docker login` to connect the SCONE registry
docker login registry.scontain.com

Prepare your application

Before going further, your <docker-hub-user>/hello-world:1.0.0 image built previously is required.

If you missed that part, please go back to Build your first application.

For this tutorial, you can reuse the same directory tree or create a new one.

To create a new directory tree, execute the following commands in ~/iexec-projects/.

bash
cd ~/iexec-projects
mkdir tee-hello-world-app && cd tee-hello-world-app
iexec init --skip-wallet
mkdir src
touch Dockerfile
touch sconify.sh
chmod +x sconify.sh

Build the TEE docker image

Before wrapping your iExec confidential application with Scone, you need to generate a custom signing key. This key is used for the sconification process.

Generate your enclave signing key with:

bash
openssl genrsa -3 -out enclave-key.pem 3072

This will create an enclave-key.pem file in your current directory. You will use this file in the sconify Docker command to sign your TEE image.

We will use the following script to wrap the sconification process. Copy it into the sconify.sh file in the current directory. Two variants are given: the first targets a JavaScript (node) application, the second a Python application; the only difference is the --binary option, which must point to the interpreter your image's entrypoint uses.

bash
#!/bin/bash

# Declare image related variables
IMG_FROM=<docker-hub-user>/hello-world:1.0.0
IMG_TO=<docker-hub-user>/tee-scone-hello-world:1.0.0

# Run the sconifier to build the TEE image based on the non-TEE image.
# The enclave signing key generated with openssl is mounted into the sconifier at /sig/enclave-key.pem,
# and the host Docker socket is mounted so the sconifier can read IMG_FROM and write IMG_TO.
docker run -it --rm \
            -v "$PWD/enclave-key.pem:/sig/enclave-key.pem" \
            -v /var/run/docker.sock:/var/run/docker.sock \
            registry.scontain.com/scone-production/iexec-sconify-image:5.9.1-v16 \
            sconify_iexec \
            --from=${IMG_FROM} \
            --to=${IMG_TO} \
            --binary-fs \
            --fs-dir=/app \
            --host-path=/etc/hosts \
            --host-path=/etc/resolv.conf \
            --binary=/usr/local/bin/node \
            --heap=1G \
            --dlopen=1 \
            --verbose \
            && echo -e "\n------------------\n" \
            && echo "successfully built TEE docker image => ${IMG_TO}" \
            && echo "application mrenclave.fingerprint is $(docker run --rm -e SCONE_HASH=1 ${IMG_TO})"
For a Python application, use the same script with the python3 binary:

bash
#!/bin/bash

# Declare image related variables
IMG_FROM=<docker-hub-user>/hello-world:1.0.0
IMG_TO=<docker-hub-user>/tee-scone-hello-world:1.0.0

# Run the sconifier to build the TEE image based on the non-TEE image.
# The enclave signing key generated with openssl is mounted into the sconifier at /sig/enclave-key.pem,
# and the host Docker socket is mounted so the sconifier can read IMG_FROM and write IMG_TO.
docker run -it --rm \
            -v "$PWD/enclave-key.pem:/sig/enclave-key.pem" \
            -v /var/run/docker.sock:/var/run/docker.sock \
            registry.scontain.com/scone-production/iexec-sconify-image:5.9.1-v16 \
            sconify_iexec \
            --from=${IMG_FROM} \
            --to=${IMG_TO} \
            --binary-fs \
            --fs-dir=/app \
            --host-path=/etc/hosts \
            --host-path=/etc/resolv.conf \
            --binary=/usr/local/bin/python3 \
            --heap=1G \
            --dlopen=1 \
            --verbose \
            && echo -e "\n------------------\n" \
            && echo "successfully built TEE docker image => ${IMG_TO}" \
            && echo "application mrenclave.fingerprint is $(docker run --rm -e SCONE_HASH=1 ${IMG_TO})"

Run the sconify.sh script to build the Scone TEE application:

bash
./sconify.sh

Push your image on DockerHub:

bash
docker push <docker-hub-user>/tee-scone-hello-world:1.0.0

Congratulations, you just built your Scone TEE application.

Test your app on iExec

At this stage, your application is ready to be tested on iExec. The process is similar to testing any type of application on the platform, with these minor exceptions:

Deploy the TEE app on iExec

TEE applications require some additional information to be filled in during deployment.

bash
# prepare the TEE application template
iexec app init --tee

Edit iexec.json and fill in the standard keys and the mrenclave object:

json
{
  ...
  "app": {
    "owner": "<your-wallet-address>", // starts with 0x
    "name": "tee-scone-hello-world", // application name
    "type": "DOCKER",
    "multiaddr": "docker.io/<docker-hub-user>/tee-scone-hello-world:1.0.0", // app image
    "checksum": "<checksum>", // starts with 0x, update it with your own image digest
    "mrenclave": {
      "framework": "SCONE", // TEE framework (keep default value)
      "version": "v5.9", // Scone version (keep default value)
      "entrypoint": "node /app/app.js", // update it with your own image entrypoint ("python3 /app/app.py" for the Python app)
      "heapSize": 1073741824, // heap size in bytes, update it with --heap option value used in sconify.sh script during TEE image build
      "fingerprint": "<mrenclave>" // fingerprint of the enclave code (mrenclave), without 0x prefix, see how to retrieve it below
    }
  },
  ...
}

INFO

See Create your identity on the blockchain to retrieve <your-wallet-address> value.

See Deploy your app on iExec to retrieve your image <checksum>.

Run your TEE image with SCONE_HASH=1 to get the enclave fingerprint (mrenclave):

bash
docker run --rm -e SCONE_HASH=1 <docker-hub-user>/tee-scone-hello-world:1.0.0
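A mistake in the mrenclave object (a heapSize that does not match the --heap value, a fingerprint copied with a 0x prefix, an entrypoint that does not use the sconified binary) is cheaper to catch locally than after deployment. The following added example, which is not part of the iExec docs or tooling, checks iexec.json against the sconify.sh script before you run iexec app deploy. The sample iexec.json and sconify.sh contents embedded in it are constructed placeholders, and the function names are my own.

```python
"""Pre-deployment consistency check for the mrenclave object of iexec.json.

Added example, not part of the iExec docs or SDK. It assumes the iexec.json
layout shown in the tutorial and the --heap / --binary options of sconify.sh.
"""
import json
import re

# --heap takes a size with an optional binary-unit suffix; iexec.json wants bytes.
_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
# The SCONE_HASH=1 output is a 64-character hex MRENCLAVE; iexec.json expects it without 0x.
_FINGERPRINT_RE = re.compile(r"^[0-9a-fA-F]{64}$")
# The image checksum, by contrast, is written with the 0x prefix.
_CHECKSUM_RE = re.compile(r"^0x[0-9a-fA-F]{64}$")


def heap_to_bytes(heap: str) -> int:
    """Convert a --heap value such as '1G' or '512M' to a byte count."""
    m = re.fullmatch(r"(\d+)([KMG]?)", heap.strip().upper())
    if not m:
        raise ValueError(f"unrecognised --heap value: {heap!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def sconify_options(script: str) -> dict:
    """Extract the --heap and --binary values from the sconify.sh text.

    The '=' in the pattern keeps '--binary-fs' from being mistaken for '--binary'.
    """
    opts = {}
    for key in ("heap", "binary"):
        m = re.search(rf"--{key}=(\S+)", script)
        if m:
            opts[key] = m.group(1)
    return opts


def check_mrenclave(iexec_json: str, sconify_sh: str) -> list:
    """Return a list of human-readable problems; an empty list means consistent."""
    problems = []
    app = json.loads(iexec_json)["app"]
    enc = app.get("mrenclave", {})
    opts = sconify_options(sconify_sh)

    fp = enc.get("fingerprint", "")
    if fp.startswith("0x"):
        problems.append("fingerprint must not carry a 0x prefix")
    elif not _FINGERPRINT_RE.match(fp):
        problems.append("fingerprint is not a 64-character hex string")

    if not _CHECKSUM_RE.match(app.get("checksum", "")):
        problems.append("checksum must be 0x followed by 64 hex characters")

    if "heap" in opts:
        expected = heap_to_bytes(opts["heap"])
        if enc.get("heapSize") != expected:
            problems.append(
                f"heapSize {enc.get('heapSize')} != --heap {opts['heap']} ({expected} bytes)")

    if "binary" in opts:
        # The entrypoint must start with the interpreter that was sconified.
        binary = opts["binary"].rsplit("/", 1)[-1]
        entry = enc.get("entrypoint", "")
        if entry != binary and not entry.startswith(binary + " "):
            problems.append(f"entrypoint {entry!r} does not use sconified binary {binary!r}")
    return problems


# Constructed sample inputs with placeholder values (not real deployment data).
SAMPLE_SCONIFY_SH = """
docker run -it --rm \\
    sconify_iexec \\
    --binary-fs \\
    --binary=/usr/local/bin/node \\
    --heap=1G \\
"""
SAMPLE_IEXEC_JSON = json.dumps({
    "app": {
        "owner": "0x" + "11" * 20,
        "name": "tee-scone-hello-world",
        "type": "DOCKER",
        "multiaddr": "docker.io/example-user/tee-scone-hello-world:1.0.0",
        "checksum": "0x" + "ab" * 32,
        "mrenclave": {
            "framework": "SCONE",
            "version": "v5.9",
            "entrypoint": "node /app/app.js",
            "heapSize": 1073741824,
            "fingerprint": "cd" * 32,
        },
    }
})

if __name__ == "__main__":
    for problem in check_mrenclave(SAMPLE_IEXEC_JSON, SAMPLE_SCONIFY_SH) or ["iexec.json is consistent"]:
        print(problem)
```

To use it on a real project, read iexec.json and sconify.sh from disk and pass their contents to check_mrenclave; the fingerprint it expects is exactly the string printed by the docker run command above.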

Deploy the app with the standard command:

bash
iexec app deploy --chain arbitrum-mainnet

Run the TEE app

Specify the tag --tag tee,scone in iexec app run command to run a tee app.

One last thing: to run a TEE app you also need to select a workerpool. Use the iExec workerpool 0x2C06263943180Cc024dAFfeEe15612DB6e5fD248.

You are now ready to run the app:

bash
iexec app run --chain arbitrum-mainnet --tag tee,scone --workerpool 0x2C06263943180Cc024dAFfeEe15612DB6e5fD248 --watch

INFO

Remember, you can access task and app logs by following the instructions on page Debug your tasks.

Next step?

In this tutorial, you learned how to leverage your application with the power of Trusted Execution Environments using iExec. But according to your use case, you may need to use some confidential data to get the full potential of the Confidential Computing paradigm. Check out next chapters to see how: