Can a Docker container or other non-C program run as an Intel SGX Trusted (Enclave) Component?


I'm new to Intel SGX and Docker. I'm trying to determine if I can place "sensitive" programs and data within a Docker container and run that container as a trusted (enclave) component in the SGX hardware. I plan to use the latest Linux version of the SGX platform.

I've been reading through the SGX developer's guide, reference, programming reference, etc. and am not sure how I'd use things like the Enclave Definition Language to invoke a container as a trusted component. The SCONE project has a technical approach, but it appears to not use the Enclave Definition Language, ECALLS, OCALLS, Intel's SDK and secure C libraries and other guidelines I'm reading in the Intel SGX documentation. Also, previous questions I've found on using SGX with Docker containers have been mixed.

So, is the answer:

"No, you can't run a Docker container as a trusted enclave component, using Intel SGX development guidelines"

"Yes, you can run a Docker container as a trusted enclave component, using Intel SGX development guidelines and here's how to do it...."

Related question: SGX appears to only run C/C++ programs. So, languages like Python (not using Ctypes) or Java (not using JNI) won't run as a trusted component, right?

Also, is there anything besides SCONE that is a viable example of running a Docker container as a trusted component in SGX? I've seen an answer on StackOverflow that has a link to a dockerfile, but that link is broken. Thanks for your help!


There are 2 best solutions below


https://gramine-gsc.readthedocs.io/en/latest/

docker run --device=/dev/sgx_enclave \
   -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket \
   gsc-python -c 'print("HelloWorld!")'
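The `docker run` line above only works once the host has the SGX device node and the AESM socket that GSC passes through into the container. The script below, an added example that is not from the question or from the Gramine project, wraps the documented GSC quick-start steps (build, sign, inspect, run) in a prerequisite check. It assumes a GSC checkout in `$GSC_DIR` with its `./gsc` CLI and a prepared `config.yaml`, a base image tagged `python`, and an `enclave-key.pem` signing key at the path shown (the key path is an assumption). The comments flag the point a defender should notice: with `--insecure-args`, the `-c 'print(...)'` code supplied at run time is not covered by the enclave measurement.

```shell
#!/bin/sh
# Added example (not from the question or the Gramine project).
# Assumes: GSC checkout in $GSC_DIR with ./gsc and config.yaml prepared,
# a local image tagged "python", and enclave-key.pem (path is an assumption).

# Return 0 when the SGX device node and the AESM socket the container
# needs are both present; print each missing piece to stderr otherwise.
sgx_prereqs_ok() {
    dev="$1"
    sock="$2"
    missing=0
    if [ ! -e "$dev" ]; then
        echo "missing SGX device node: $dev (in-kernel SGX driver not loaded or no SGX hardware)" >&2
        missing=1
    fi
    if [ ! -e "$sock" ]; then
        echo "missing AESM socket: $sock (aesmd not running on the host)" >&2
        missing=1
    fi
    return $missing
}

# Graminize the "python" image, sign it and run it, mirroring the
# GSC quick start that the answer's docker command comes from.
gsc_hello_world() {
    dev=/dev/sgx_enclave
    sock=/var/run/aesmd/aesm.socket
    sgx_prereqs_ok "$dev" "$sock" || return 1

    cd "${GSC_DIR:?set GSC_DIR to the GSC checkout}" || return 1

    # SGX requires an RSA-3072 key with public exponent 3 for SIGSTRUCT.
    [ -f enclave-key.pem ] || openssl genrsa -3 -out enclave-key.pem 3072

    # --insecure-args lets "-c '...'" be supplied at docker run time.
    # Consequence: that code is NOT part of MRENCLAVE, so a remote verifier
    # attesting this enclave cannot tell what Python code actually ran.
    # For production, bake the command into the manifest and drop this flag.
    ./gsc build --insecure-args python test/generic.manifest
    ./gsc sign-image python enclave-key.pem

    # Print the measurement (MRENCLAVE/MRSIGNER) so it can be pinned
    # in an attestation policy rather than trusted blindly.
    ./gsc info-image gsc-python

    docker run --device="$dev" \
        -v "$sock:$sock" \
        gsc-python -c 'print("HelloWorld!")'
}

# Only run the full workflow when invoked as: sh thisscript.sh run
if [ "${1:-}" = "run" ]; then
    gsc_hello_world
fi
```

Running `sh thisscript.sh run` on a host without `/dev/sgx_enclave` stops at the prerequisite check with a message naming the missing piece, which is a more useful failure than the opaque error `docker run` gives when the device flag cannot be satisfied.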

Yes, you can run a Docker container as a trusted enclave component using iExec. You can learn more about it in this post.