
Zero‑Barrier Confidential Computing: Getting Started with Occlum LibOS and a Technical Deep Dive

This article introduces confidential computing with Intel SGX, explains why SGX development is difficult, and demonstrates how Ant Group's open‑source TEE OS Occlum dramatically lowers the barrier by using three simple commands to build, package, and run a Hello World program inside an enclave.

AntTech

The article, based on a SOFAChannel live session, introduces confidential computing and the challenges of developing SGX applications, such as partitioning code between enclave and non‑enclave parts, language restrictions, and limited OS functionality.

It then presents Occlum, Ant Group's open‑source TEE operating system, as a solution that abstracts away SGX complexities and provides a Docker‑like user experience.

Learn Occlum's three essential commands: new, build, and run. Using these, developers can create an enclave instance, package a trusted image, and execute applications inside SGX with minimal code changes.

Hello World example:

$ cat hello_world.c
#include <stdio.h>   /* declares printf; the header name was lost in the original listing */

int main() {
    printf("Hello World!\n");
    return 0;
}

Compile with Occlum's GCC toolchain (occlum-gcc); the resulting binary also runs natively outside the enclave, which is a convenient sanity check before packaging it:

$ occlum-gcc hello_world.c -o hello_world
$ ./hello_world
Hello World!

Create an Occlum instance directory:

$ occlum new occlum_hello
$ cd occlum_hello

Copy the binary, build the trusted image, and run it inside SGX:

$ cp ../hello_world image/bin
$ occlum build
$ occlum run /bin/hello_world
Hello World!

The article explains that Occlum treats an enclave as a container, offering Docker-compatible commands such as start, exec, stop, and kill. It describes the trusted build process, which protects the packaged image with a Merkle hash tree so that any tampering with the image's files is detected when they are loaded, and the runtime, which provides Linux-compatible system calls while keeping enclave memory and file I/O encrypted.

Key technical features highlighted include high-performance multi-process support, a file system with integrity and confidentiality guarantees, and memory safety from its implementation in Rust (the authors describe Occlum as the first TEE OS written in Rust).
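The integrity mechanism behind the trusted image (the Merkle hash tree from the build step above, and the file-system integrity guarantee listed here) is easier to reason about with a small working model. The following is an added example, written for this page; it is not Occlum's SEFS code and does not mirror its on-disk format. It assumes SHA-256, a constructed 16-byte chunk size, a leaf/interior domain-separation prefix, and duplicate-last-node padding for odd levels, all of which are my choices for illustration. The point it demonstrates: only the root hash needs to be trusted (in the Occlum model, fixed into the enclave at build time), every chunk can be verified on demand with a short proof, and a single flipped byte in a chunk, or a chunk presented at the wrong index, fails verification.

```python
"""Toy model of Merkle-tree integrity for a read-only image.

Added illustrative code; NOT Occlum's SEFS implementation.
Assumptions (mine, not from the article): SHA-256, 16-byte chunks,
0x00/0x01 domain-separation prefixes, odd levels padded by
duplicating the last node.
"""
import hashlib
from typing import List, Tuple

CHUNK_SIZE = 16  # constructed: tiny so the sample image spans several leaves

# Constructed sample "image" (57 bytes -> 4 chunks, the last one partial).
SAMPLE_IMAGE = b"/bin/hello_world: Hello World! payload bytes for the demo"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(chunk: bytes) -> bytes:
    # Prefix leaves differently from interior nodes so a leaf's bytes can
    # never be reinterpreted as an interior node (classic second-preimage
    # weakness of unprefixed Merkle trees).
    return sha256(b"\x00" + chunk)


def node_hash(left: bytes, right: bytes) -> bytes:
    return sha256(b"\x01" + left + right)


def split_chunks(image: bytes) -> List[bytes]:
    chunks = [image[i:i + CHUNK_SIZE] for i in range(0, len(image), CHUNK_SIZE)]
    return chunks or [b""]


def _pad(level: List[bytes]) -> List[bytes]:
    # Odd number of nodes: duplicate the last one so every node has a sibling.
    return level + [level[-1]] if len(level) % 2 else level


def build_tree(image: bytes) -> List[List[bytes]]:
    """Return all levels, leaves first (level 0) and the single root last."""
    level = [leaf_hash(c) for c in split_chunks(image)]
    levels = [level]
    while len(level) > 1:
        padded = _pad(level)
        level = [node_hash(padded[i], padded[i + 1]) for i in range(0, len(padded), 2)]
        levels.append(level)
    return levels


def root_hash(image: bytes) -> bytes:
    """The only value the verifier must trust (fixed at 'build' time)."""
    return build_tree(image)[-1][0]


def proof_for(image: bytes, index: int) -> List[Tuple[bytes, bool]]:
    """Sibling hashes from leaf to root; the bool says the sibling is on the right."""
    proof = []
    for level in build_tree(image)[:-1]:
        padded = _pad(level)
        sibling = index ^ 1
        proof.append((padded[sibling], sibling > index))
        index //= 2
    return proof


def verify_chunk(trusted_root: bytes, index: int, chunk: bytes,
                 proof: List[Tuple[bytes, bool]]) -> bool:
    """Recompute the path from this chunk to the root using untrusted proof data.

    `index` is the position the caller claims the chunk has; it is not used
    arithmetically here because the proof already encodes left/right, but a
    chunk served at the wrong index carries the wrong leaf hash and fails.
    """
    h = leaf_hash(chunk)
    for sibling, sibling_is_right in proof:
        h = node_hash(h, sibling) if sibling_is_right else node_hash(sibling, h)
    return h == trusted_root


def demo() -> Tuple[bool, bool, bool]:
    """Returns (genuine chunk verifies, tampered chunk fails, misplaced chunk fails)."""
    root = root_hash(SAMPLE_IMAGE)           # trusted, e.g. baked into the enclave
    chunks = split_chunks(SAMPLE_IMAGE)      # served from untrusted storage
    proof = proof_for(SAMPLE_IMAGE, 3)       # also from untrusted storage
    genuine_ok = verify_chunk(root, 3, chunks[3], proof)
    tampered = bytes([chunks[3][0] ^ 0x01]) + chunks[3][1:]   # flip one bit
    tampered_ok = verify_chunk(root, 3, tampered, proof)
    misplaced_ok = verify_chunk(root, 3, chunks[0], proof)    # wrong chunk, right proof
    return genuine_ok, tampered_ok, misplaced_ok


if __name__ == "__main__":
    print("genuine, tampered, misplaced ->", demo())
```

The shape of the check matters more than the hash arithmetic: the enclave stores one root, reads chunks and proofs from storage it does not trust, and refuses any chunk whose path does not reproduce that root. A confidentiality guarantee (the encrypted file system the article mentions) is a separate layer on top; a Merkle tree alone only detects modification, it does not hide content.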

Additional resources are provided: the Occlum website, GitHub repository, academic paper, and a video recap of the live session.

Tags: rust, tee, confidential computing, secure enclave, Occlum, SGX
Written by AntTech

Technology is the core driver of Ant's future creation.