SCONE CLI
We provide a CLI (Command Line Interface) to
- attest SCONE CAS, i.e., to ensure that we are connected to a CAS that runs inside an enclave with an expected 'MrEnclave'.
- create a session, i.e., to upload a new session description.
- update a session, i.e., to replace an existing session with a new session description.
- verify that a session matches a given session template. Prints the digest of the verified session on success.
Note that this CLI is implemented as a Rust crate, so programs that link this library can interact with CAS directly. The default SCONE CLI is available for subscribers and can be run as follows: 'docker run -it registry.scontain.com/sconecuratedimages/sconecli'.
scone
scone 5.8.0
Your command line toolkit to interact with the SCONE infrastructure
Note that this tool supports argument files using the @ prefix, i.e., any argument starting with @
is interpreted as an argument file path. Argument files contain one argument per line and may
recursively include other argument files.
USAGE:
scone [OPTIONS] <SUBCOMMAND>
OPTIONS:
-c, --config <CONFIG>
Sets a custom config file
[env: SCONE_CLI_CONFIG=]
[default: ~/.cas/config.json]
-h, --help
Print help information
-o <OUTPUT>
Redirect the output towards the specified file
-V, --version
Print version information
SUBCOMMANDS:
binary-fs
Collect directories and files to generate binary fs artifacts
cargo
Rust Cargo utilizing SCONE compiler by default
cas
Communication with CAS
cert
Perform operations on X.509 certificates
fspf
Create and modify file system protection files
g++
g++ SCONE compiler
gcc
gcc SCONE compiler
gccgo
gccgo SCONE compiler
gdb
gdb (debugger able to read SCONE debug enclave memory)
gfortran
fortran SCONE compiler
help
Print this message or the help of the given subcommand(s)
help-markdown
Generate markdown help pages on stdout
las
Interact with the local attestation service (LAS)
rustc
Rust SCONE compiler
self
Manage this instance of the SCONE CLI
session
Manage CAS sessions
signer
Sign executables
version
Show CLI version
scone self
scone self
Manage this instance of the SCONE CLI
USAGE:
scone self <SUBCOMMAND>
OPTIONS:
-h, --help
Print help information
SUBCOMMANDS:
help
Print this message or the help of the given subcommand(s)
show
Show the certificate, public key hash, and session signing public key
show-certificate
Print only the certificate in PEM format
show-certificate-hash
Print only the SHA-256 certificate hash. Using the certificate hash in session access
control policies is deprecated, as it does not allow authentication with renewed
certificates. Please use the key hash (show-key-hash) instead
show-key-hash
Print only the public key hash
show-session-signing-key
Print the session signing public key
scone self show
scone self show
Show the certificate, public key hash, and session signing public key
USAGE:
scone self show
OPTIONS:
-h, --help
Print help information
scone self show-certificate
scone self show-certificate
Print only the certificate in PEM format
USAGE:
scone self show-certificate
OPTIONS:
-h, --help
Print help information
scone self show-key-hash
scone self show-key-hash
Print only the public key hash
USAGE:
scone self show-key-hash
OPTIONS:
-h, --help
Print help information
scone self show-certificate-hash
scone self show-certificate-hash
Print only the SHA-256 certificate hash. Using the certificate hash in session access control
policies is deprecated, as it does not allow authentication with renewed certificates. Please use
the key hash (show-key-hash) instead
USAGE:
scone self show-certificate-hash
OPTIONS:
-h, --help
Print help information
scone self show-session-signing-key
scone self show-session-signing-key
Print the session signing public key
USAGE:
scone self show-session-signing-key
OPTIONS:
-h, --help
Print help information
scone fspf
scone fspf
Create and modify file system protection files
USAGE:
scone fspf <SUBCOMMAND>
OPTIONS:
-h, --help
Print help information
SUBCOMMANDS:
addf
Add files (file protection data) to an existing fspf
addr
Add a protection region to an existing fspf
create
Create a new file system protection file
create-volume
Create a new SCONE volume FSPF
encrypt
Encrypt an existing fspf
help
Print this message or the help of the given subcommand(s)
show
Show an existing fspf
scone fspf create
scone fspf create
Create a new file system protection file
USAGE:
scone fspf create <FILE> [VERSION]
ARGS:
<FILE>
Path to store the created fspf at
<VERSION>
FSPF format version to use, optional: latest version will be used by default
OPTIONS:
-h, --help
Print help information
scone fspf addr
scone fspf addr
Add a protection region to an existing fspf
USAGE:
scone fspf addr [OPTIONS] <--not-protected|--encrypted|--authenticated> <--kernel <SOURCE_DIR>|--ephemeral> <FILE> <EMBEDPOINT>
ARGS:
<FILE>
Location of the fspf
<EMBEDPOINT>
The location of the region in the protected file system
OPTIONS:
-a, --authenticated
The content of this region should be authenticated (but not encrypted)
-c, --chunk-length <CHUNK_LENGTH>
In bytes. Files will be protected in chunks of this size; only valid for protected
regions
-e, --encrypted
The content of this region should be encrypted
--ephemeral
The region's files are stored in volatile & untrusted memory
-h, --help
Print help information
-k, --key-length <KEY_LENGTH>
In bits. The file protection will use keys of this size; only valid for protected
regions
--kernel <SOURCE_DIR>
The region's files are stored in the kernel's filesystem
-n, --not-protected
The content of this region should NOT be protected
scone fspf addf
scone fspf addf
Add files (file protection data) to an existing fspf
USAGE:
scone fspf addf <FILE> <EMBEDPOINT> <SOURCE_DIR> [OUTPUT_DIR]
ARGS:
<FILE>
Location of the fspf
<EMBEDPOINT>
Region the files should be added to
<SOURCE_DIR>
Source directory files to take from
<OUTPUT_DIR>
Output directory into which processed files are written. Required for encrypted regions!
OPTIONS:
-h, --help
Print help information
scone fspf encrypt
scone fspf encrypt
Encrypt an existing fspf
USAGE:
scone fspf encrypt <FILE>
ARGS:
<FILE>
Location of the fspf
OPTIONS:
-h, --help
Print help information
scone fspf show
scone fspf show
Show an existing fspf
USAGE:
scone fspf show [OPTIONS] <FILE> [KEY]
ARGS:
<FILE>
Location of the fspf
<KEY>
Decryption key of the fspf
OPTIONS:
-h, --help
Print help information
-t, --tag
Only print tag
scone fspf create-volume
scone fspf create-volume
Create a new SCONE volume FSPF
This will prepare a directory (and its content) for secure data storage and exchange between SCONE
enclaves/services in a microservice application. In its simplest form, a SCONE volume is a
directory with a `volume.fspf` file. This file contains the protection data for all data that is
stored in the directory. The use of a SCONE volume must be configured via a SCONE CAS
session/policy.
USAGE:
scone fspf create-volume [OPTIONS] <--encrypted|--authenticated> <VOLUME_PATH> [OUTPUT_PATH]
ARGS:
<VOLUME_PATH>
The path of a directory that should become the new SCONE volume
If the directory already exists, its content will be the initial content of the new
volume. Otherwise, a directory with the `volume.fspf` will be created (as long as
`output_path` is not specified).
<OUTPUT_PATH>
Path where the output should be generated (necessary for encrypted volumes)
OPTIONS:
-a, --authenticated
The content of this region should be authenticated (but not encrypted)
-c, --chunk-length <CHUNK_LENGTH>
In bytes. Files will be protected in chunks of this size
-e, --encrypted
The content of this region should be encrypted
Requires setting `output_path` argument to the location where the encrypted initial
files are written to.
--envar-output
Print the key and tag in environment-variable-defining format on stdout, such that the
output can be directly interpreted by a shell. This is useful if this command is used in
a script.
The environment variables will be `VOLUME_KEY` and `VOLUME_TAG`. The output will look like
this:
export VOLUME_KEY=55920e9398056f6cd83fc2354f9d29f9052df252c5d797a9500f905f42e9faae
export VOLUME_TAG=61b958b220b19b8b74a76f74fc94282e
You can use it to set the variables with a command like: eval "`scone fspf create-volume
./volume-dir --authenticated --envar-output`"
Note that eval executes whatever the command printed, so check the command's exit status
before trusting its output. `VOLUME_KEY` is the volume's secret key: keep it out of build
logs and shell history.
-f, --force
Force creation even if existing files must be removed or overwritten
-h, --help
Print help information
-k, --key-length <KEY_LENGTH>
In bits. The file protection will use keys of this size
-v, --version <VERSION>
FSPF format version to use, optional: latest version will be used by default
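The `eval` one-liner shown for `--envar-output` executes whatever `scone fspf create-volume` printed, so that output is effectively code. The shell function below, added here as an example and not part of the SCONE CLI or its documentation, accepts only the two documented lines (`export VOLUME_KEY=<64 hex digits>` and `export VOLUME_TAG=<32 hex digits>`) and rejects anything else, so a truncated run, an extra line or an injected command is refused rather than executed. The sample input is the output format shown in the help text above, reused here as constructed test data; the key value in it is documentation data, not a real volume key.

```shell
#!/bin/sh
# Added example, not part of the SCONE CLI. Reads the `--envar-output` of
# `scone fspf create-volume` from stdin without eval.

# read_volume_envars < OUTPUT
# Accepts exactly two lines, `export VOLUME_KEY=<64 hex>` and
# `export VOLUME_TAG=<32 hex>` in either order, and prints "<key> <tag>".
# Anything else (extra lines, shell metacharacters, wrong length) fails,
# so a truncated or tampered output is rejected rather than executed.
read_volume_envars() {
    key='' tag='' n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            'export VOLUME_KEY='*)
                v=${line#export VOLUME_KEY=}
                case "$v" in '' | *[!0-9a-fA-F]*) return 1 ;; esac
                [ "${#v}" -eq 64 ] || return 1
                key=$v ;;
            'export VOLUME_TAG='*)
                v=${line#export VOLUME_TAG=}
                case "$v" in '' | *[!0-9a-fA-F]*) return 1 ;; esac
                [ "${#v}" -eq 32 ] || return 1
                tag=$v ;;
            *) return 1 ;;
        esac
    done
    [ "$n" -eq 2 ] && [ -n "$key" ] && [ -n "$tag" ] || return 1
    printf '%s %s\n' "$key" "$tag"
}

# Constructed sample: the output format documented for --envar-output
# (values copied from the help text, not a real key).
SAMPLE_OUTPUT='export VOLUME_KEY=55920e9398056f6cd83fc2354f9d29f9052df252c5d797a9500f905f42e9faae
export VOLUME_TAG=61b958b220b19b8b74a76f74fc94282e'

# With the real tool the pipeline would be:
#   vars=$(scone fspf create-volume ./volume-dir --authenticated --envar-output | read_volume_envars) || exit 1
if vars=$(printf '%s\n' "$SAMPLE_OUTPUT" | read_volume_envars); then
    VOLUME_KEY=${vars%% *} VOLUME_TAG=${vars##* }
    echo "volume tag: $VOLUME_TAG (key held in VOLUME_KEY, not printed)"
fi
```

The function fails closed: if a future CLI version prints additional lines, the pipeline fails and the script has to be adjusted deliberately instead of silently evaluating the new output.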
scone cas
scone cas
Communication with CAS
USAGE:
scone cas <SUBCOMMAND>
OPTIONS:
-h, --help
Print help information
SUBCOMMANDS:
attest
Attest a CAS instance
attest-audit-log
Performs the same task as `verify-audit-log`, but additionally checks that the audit log
contains valid attestation reports according to the given attestation settings
help
Print this message or the help of the given subcommand(s)
list
List attested CAS instances
provision
Provision and take ownership of a CAS
register-backup
Register a backup CAS
register-upgrade
Register an upgrade CAS
set-default
Set default CAS - The default CAS is always used if no CAS is explicitly specified, e.g.
in the `session upload` command
show-certificate
Show certificate chain of an attested CAS instance
show-identification
Show identification information of an attested CAS that can be used to identify the
instance
start-upgrade
Initiate a CAS upgrade with database key rollover
update-config
Update a server-side CAS configuration
verify-audit-log
Verify the authenticity and integrity of a signed CAS audit log. The origin CAS will be
contacted to detect a CAS rollback or log truncation. You must be the CAS owner in order
to fetch the necessary information. Verification information will be printed to stderr
version
Query the CAS software version
scone cas list
scone cas list
List attested CAS instances
USAGE:
scone cas list
OPTIONS:
-h, --help
Print help information
scone cas attest
scone cas attest
Attest a CAS instance
USAGE:
scone cas attest [OPTIONS] <ADDRESS> [--] [_mrenclave]
ARGS:
<ADDRESS>
CAS address
<_mrenclave>
Expected enclave measurement/MRENCLAVE of the CAS enclave (optional). Deprecated, please
use --mrenclave instead
OPTIONS:
--allow-cas-owner-secret-access
Whether to trust the CAS even if its database encryption key was injected by the CAS
owner, and not generated securely within an enclave. If set, session secrets will be
accessible to the CAS owner!
-c <CAS_KEY_HASH>
Expected CAS public key hash
-C, --accept-configuration-needed
Accept CONFIGURATION NEEDED verification response (hyperthreading enabled, less secure)
-G, --accept-group-out-of-date
Accept GROUP OUT OF DATE verification response (TCB out-of-date, dangerous!)
-h, --help
Print help information
--isvprodid <ISVPRODID>
Verify the given Independent Software Vendor Product ID (ISVPRODID). Required when using
a custom MRSIGNER
--isvsvn <ISVSVN>
Verify that CAS has a given or greater Independent Software Vendor Security Version
Number (ISVSVN). Required when using a custom MRSIGNER
--mrenclave <MRENCLAVE>
An expected enclave measurement/MRENCLAVE of the CAS enclave (optional). The CAS
software signature will always be verified, regardless of this argument; but if set, the
default CAS version (ISVSVN) check will be disabled. If specified multiple times,
attestation will succeed if any of the given measurements matches
--mrsigner <MRSIGNER>
Verify the CAS software signature using the given MRSIGNER instead of the default
Scontain MRSIGNER. Requires ISVPRODID and ISVSVN too
--nonce <NONCE>
The nonce used during the request of the offline report.
Ensures the freshness of the offline report. Must only be provided if --offline-report is
set.
--offline-report <OFFLINE_REPORT>
Instead of connecting to the CAS via the network read the CAS attestation report from
the provided file.
A CAS attestation report can be queried from a CAS using the `/v1/attest` endpoint. It
is strongly recommended to request the latest additional data format version to ensure
all features are supported.
--only_for_testing-debug
Allow CAS to run in debug mode, in which it CANNOT PROTECT SECRETS (only for testing
purposes!) Only allowed if CAS signer is ignored
--only_for_testing-ignore-signer
Do not verify CAS software signature (MRSIGNER). This allows using a CAS signed with
test keys. If set, argument <mrenclave> becomes mandatory, unless
--only_for_testing-trust-any was also set
--only_for_testing-trust-any
Trust ANY enclave measurement value, only allowed if CAS is in debug mode. With this
option, `mrenclave` can be omitted, but the attested enclave can run ANY software. This
is obviously not secure!
--only_for_testing_allow-unprovisioned-cas
Accept unprovisioned CASes during attestation. Establishing trust in unprovisioned
CASes typically makes little sense as they rekey (change identity) during provisioning.
However, sometimes it is useful for testing purposes
--retries <COUNT>
How often the CLI should retry operations on network errors. 0 disables retries
[env: SCONE_CLI_RETRIES=]
[default: 3]
-s <CAS_SOFTWARE_KEY_HASH>
Expected CAS software public key hash
-S, --accept-sw-hardening-needed
Accept SW HARDENING NEEDED verification response (less safe compilation options)
--verification-time <VERIFICATION_TIME>
Specify the time at which the verification of the attestation collateral is supposed to happen
Expects yyyy-mm-dd, dd.mm.yyyy or dd-mm-yyyy. The date will be interpreted as 0 o'clock UTC
time. If this argument is not specified, the current system time is used.
This option can be used to allow the usage of DCAP verification data that has officially
expired or to allow verification of offline reports that were gathered a long
time ago. Back-dating the verification time means that TCB recovery and revocation
information published after that date is not taken into account, so choose the date
deliberately.
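The options above give several ways to weaken attestation (the `--only_for_testing-*` family and `-G`), and the values that pin the CAS are easy to paste incompletely. The shell helper below, added here as an example and not part of the SCONE CLI or its documentation, uses the argument-file mechanism described at the top of this page (`scone @file`, one argument per line) to produce a fixed attestation argument file that pins the CAS by MRENCLAVE and public key hash and refuses the insecure flags before `scone` is ever invoked. The address and the all-zero measurement and hash values are placeholders, not real CAS values.

```shell
#!/bin/sh
# Added example, not part of the SCONE CLI. Builds an argument file for
# `scone cas attest` (consumed as: scone @attest.args) that pins the CAS
# identity and refuses flags that weaken attestation.

# is_hex VALUE LENGTH: succeed only if VALUE consists of exactly LENGTH hex digits.
is_hex() {
    case "$1" in
        '' | *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq "$2" ]
}

# build_attest_argfile OUT ADDRESS MRENCLAVE CAS_KEY_HASH [EXTRA_FLAG...]
# MRENCLAVE and the CAS public key hash (SHA-256) must both be 64 hex digits.
# Any --only_for_testing-* flag and the -G/--accept-group-out-of-date override
# are rejected so that a CI job cannot quietly accept a debug, unsigned or
# out-of-date CAS. Output is one argument per line, as argument files require.
build_attest_argfile() {
    out=$1 addr=$2 mrenclave=$3 keyhash=$4
    shift 4
    is_hex "$mrenclave" 64 || { echo "MRENCLAVE must be 64 hex digits" >&2; return 1; }
    is_hex "$keyhash" 64 || { echo "CAS key hash must be 64 hex digits" >&2; return 1; }
    for flag in "$@"; do
        case "$flag" in
            --only_for_testing* | -G | --accept-group-out-of-date)
                echo "refusing insecure attestation flag: $flag" >&2
                return 1 ;;
        esac
    done
    {
        printf '%s\n' cas attest "$addr" --mrenclave "$mrenclave" -c "$keyhash"
        for flag in "$@"; do printf '%s\n' "$flag"; done
    } > "$out"
}

# Demo with PLACEHOLDER values (all zeros): replace them with the MRENCLAVE
# published for your CAS release and the key hash shown in the CAS console.
ARGFILE=${TMPDIR:-/tmp}/attest.args
if build_attest_argfile "$ARGFILE" cas.example.com \
        "$(printf '%064d' 0)" "$(printf '%064d' 0)" --retries 5; then
    echo "wrote $ARGFILE; attest with: scone @$ARGFILE"
fi
```

Keeping the pinned values in a reviewed argument file rather than on ad-hoc command lines makes the attestation policy diffable, and the refusal list is the place to add `--accept-*` overrides you never want to see outside a lab.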
scone cas show-identification
scone cas show-identification
Show identification information of an attested CAS that can be used to identify the instance
USAGE:
scone cas show-identification [OPTIONS] [CAS]
ARGS:
<CAS>
CAS of which to show the information. Default CAS if omitted
OPTIONS:
-c, --cas-key-hash
SHA256 Hash of CAS public key
-C, --cas-certificate
PEM-encoded CAS X509 certificate
-h, --help
Print help information
-s, --cas-software-key-hash
SHA256 Hash of CAS software public key
-S, --cas-software-certificate
PEM-encoded CAS software X509 certificate
--session-encryption-key
Public key to encrypt sessions with
-T, --certificate-chain
Certificate chain of trust of PEM-encoded CAS and CAS software certificates [default]
scone cas show-certificate
scone cas show-certificate
Show certificate chain of an attested CAS instance
USAGE:
scone cas show-certificate [CAS]
ARGS:
<CAS>
CAS of which to show the certificate chain, optional: default CAS if omitted
OPTIONS:
-h, --help
Print help information
scone cas set-default
scone cas set-default
Set default CAS - The default CAS is always used if no CAS is explicitly specified, e.g. in the
`session upload` command
USAGE:
scone cas set-default <CAS>
ARGS:
<CAS>
CAS to become the new default CAS
OPTIONS:
-h, --help
Print help information
scone cas provision
scone cas provision
Provision and take ownership of a CAS
CAS ownership is bound to the cryptographic identity used during provisioning. Only the CAS owner is
able to change certain CAS settings, register backup instances or upgrade the CAS software version. The
owner identity is of great importance for the operation of a CAS and must be stored securely!
If you're running this command in a container, please ensure that the owner identity is not lost!
Without custom configuration, the container file system, containing the owner identity, is typically
removed after the container terminates! If no external identity is specified during invocation, the
identity stored in the configuration file (see the SCONE_CLI_CONFIG option) is used.
USAGE:
scone cas provision [OPTIONS] -c <CAS_KEY_HASH> --token <TOKEN> --config-file <CONFIG_FILE> <ADDRESS> <SUBCOMMAND>
ARGS:
<ADDRESS>
CAS address
OPTIONS:
-c <CAS_KEY_HASH>
Expected CAS public key hash. Can be found in the CAS console
--config-file <CONFIG_FILE>
Path to the file containing the server-side / owner CAS configuration (in TOML, JSON or
YAML format)
--database-key <DATABASE_KEY>
Database key to encrypt the CAS database with. Must be a 64-character hexadecimal
string. Allows CAS owner to decrypt the database at will. This impacts security of the
CAS and session secrets, and is therefore discouraged. Database key injection will be
refused by CAS binaries signed by Scontain
-h, --help
Print help information
--identity <IDENTITY>
External identity file to use (optional). If omitted, the automatically generated CLI
identity will be used. An identity file must contain a PEM-encoded PKCS#8 private key
followed by a X.509v3 certificate
--retries <COUNT>
How often the CLI should retry operations on network errors. 0 disables retries
[env: SCONE_CLI_RETRIES=]
[default: 3]
-s <CAS_SOFTWARE_KEY_HASH>
Expected CAS software public key hash (optional). Can be found in the CAS console
--token <TOKEN>
Provisioning token (32-character hexadecimal string). Can be found in the CAS console
SUBCOMMANDS:
help
Print this message or the help of the given subcommand(s)
only_for_testing-without-attestation
Do not attest the CAS. With this command selected, NO verification of the used CAS will
be performed at all. This is obviously not secure!
with-attestation
Attest the CAS instance during provisioning
scone cas provision with-attestation
scone cas provision with-attestation
Attest the CAS instance during provisioning
USAGE:
scone cas provision with-attestation [OPTIONS] [--] [_mrenclave]
ARGS:
<_mrenclave>
Expected enclave measurement/MRENCLAVE of the CAS enclave (optional). Deprecated, please
use --mrenclave instead
OPTIONS:
-C, --accept-configuration-needed
Accept CONFIGURATION NEEDED verification response (hyperthreading enabled, less secure)
-G, --accept-group-out-of-date
Accept GROUP OUT OF DATE verification response (TCB out-of-date, dangerous!)
-h, --help
Print help information
--isvprodid <ISVPRODID>
Verify the given Independent Software Vendor Product ID (ISVPRODID). Required when using
a custom MRSIGNER
--isvsvn <ISVSVN>
Verify that CAS has a given or greater Independent Software Vendor Security Version
Number (ISVSVN). Required when using a custom MRSIGNER
--mrenclave <MRENCLAVE>
An expected enclave measurement/MRENCLAVE of the CAS enclave (optional). The CAS
software signature will always be verified, regardless of this argument; but if set, the
default CAS version (ISVSVN) check will be disabled. If specified multiple times,
attestation will succeed if any of the given measurements matches
--mrsigner <MRSIGNER>
Verify the CAS software signature using the given MRSIGNER instead of the default
Scontain MRSIGNER. Requires ISVPRODID and ISVSVN too
--only_for_testing-debug
Allow CAS to run in debug mode, in which it CANNOT PROTECT SECRETS (only for testing
purposes!) Only allowed if CAS signer is ignored
--only_for_testing-ignore-signer
Do not verify CAS software signature (MRSIGNER). This allows using a CAS signed with
test keys. If set, argument <mrenclave> becomes mandatory, unless
--only_for_testing-trust-any was also set
--only_for_testing-trust-any
Trust ANY enclave measurement value, only allowed if CAS is in debug mode. With this
option, `mrenclave` can be omitted, but the attested enclave can run ANY software. This
is obviously not secure!
-S, --accept-sw-hardening-needed
Accept SW HARDENING NEEDED verification response (less safe compilation options)
--verification-time <VERIFICATION_TIME>
Specify the time at which the verification of the attestation collateral is supposed to happen
Expects yyyy-mm-dd, dd.mm.yyyy or dd-mm-yyyy. The date will be interpreted as 0 o'clock UTC
time. If this argument is not specified, the current system time is used.
This option can be used to allow the usage of DCAP verification data that is officially
expired or to allow verification of offline reports that have been gathered a longer
time ago.
scone cas provision only_for_testing-without-attestation
scone cas provision only_for_testing-without-attestation
Do not attest the CAS. With this command selected, NO verification of the used CAS will be performed
at all. This is obviously not secure!
USAGE:
scone cas provision only_for_testing-without-attestation
OPTIONS:
-h, --help
Print help information
scone cas update-config
scone cas update-config
Update a server-side CAS configuration
USAGE:
scone cas update-config [OPTIONS] --config-file <CONFIG_FILE>
OPTIONS:
-c, --cas <CAS>
CAS to use. Default CAS if omitted
--config-file <CONFIG_FILE>
Path to the file containing the server-side CAS configuration (in TOML, JSON or YAML
format)
-h, --help
Print help information
--identity <IDENTITY>
External identity file to use (optional). If omitted, the automatically generated CLI
identity will be used. An identity file must contain a PEM-encoded PKCS#8 private key
followed by a X.509v3 certificate
--only_for_testing-disable-attestation-verification
Do not require the CAS to be attested. With this option set, NO verification of the used
CAS will be performed at all. This is obviously not secure!
--retries <COUNT>
How often the CLI should retry operations on network errors. 0 disables retries
[env: SCONE_CLI_RETRIES=]
[default: 3]
scone cas register-backup
scone cas register-backup
Register a backup CAS
USAGE:
scone cas register-backup [OPTIONS] <BACKUP_CAS>
ARGS:
<BACKUP_CAS>
The address of the backup CAS
OPTIONS:
-c, --cas <CAS>
CAS to use. Default CAS if omitted
-C, --accept-configuration-needed
Accept CONFIGURATION NEEDED verification response (hyperthreading enabled, less secure)
-G, --accept-group-out-of-date
Accept GROUP OUT OF DATE verification response (TCB out-of-date, dangerous!)
-h, --help
Print help information
--identity <IDENTITY>
External identity file to use (optional). If omitted, the automatically generated CLI
identity will be used. An identity file must contain a PEM-encoded PKCS#8 private key
followed by a X.509v3 certificate
--only_for_testing-disable-attestation-verification
Do not require the CAS to be attested. With this option set, NO verification of the used
CAS will be performed at all. This is obviously not secure!
--retries <COUNT>
How often the CLI should retry operations on network errors. 0 disables retries
[env: SCONE_CLI_RETRIES=]
[default: 3]
-S, --accept-sw-hardening-needed
Accept SW HARDENING NEEDED verification response (less safe compilation options)
scone cas register-upgrade
scone cas register-upgrade
Register an upgrade CAS
USAGE:
scone cas register-upgrade [OPTIONS] <UPGRADE_CAS>
ARGS:
<UPGRADE_CAS>
The address of the upgrade CAS
OPTIONS:
-c, --cas <CAS>
CAS to use. Default CAS if omitted
-C, --accept-configuration-needed
Accept CONFIGURATION NEEDED verification response (hyperthreading enabled, less secure)
-G, --accept-group-out-of-date
Accept GROUP OUT OF DATE verification response (TCB out-of-date, dangerous!)
-h, --help
Print help information
--identity <IDENTITY>
External identity file to use (optional). If omitted, the automatically generated CLI
identity will be used. An identity file must contain a PEM-encoded PKCS#8 private key
followed by a X.509v3 certificate
--only_for_testing-disable-attestation-verification
Do not require the CAS to be attested. With this option set, NO verification of the used
CAS will be performed at all. This is obviously not secure!
--retries <COUNT>
How often the CLI should retry operations on network errors. 0 disables retries
[env: SCONE_CLI_RETRIES=]
[default: 3]
-S, --accept-sw-hardening-needed
Accept SW HARDENING NEEDED verification response (less safe compilation options)
scone cas start-upgrade
scone cas start-upgrade
Initiate a CAS upgrade with database key rollover
USAGE:
scone cas start-upgrade [OPTIONS]
OPTIONS:
-c, --cas <CAS>
CAS to use. Default CAS if omitted
-h, --help
Print help information
--identity <IDENTITY>
External identity file to use (optional). If omitted, the automatically generated CLI
identity will be used. An identity file must contain a PEM-encoded PKCS#8 private key
followed by a X.509v3 certificate
--only_for_testing-disable-attestation-verification
Do not require the CAS to be attested. With this option set, NO verification of the used
CAS will be performed at all. This is obviously not secure!
--retries <COUNT>
How often the CLI should retry operations on network errors. 0 disables retries
[env: SCONE_CLI_RETRIES=]
[default: 3]
-y, --yes
Do not ask for confirmation
scone cas verify-audit-log
scone cas verify-audit-log
Verify the authenticity and integrity of a signed CAS audit log. The origin CAS will be contacted to
detect a CAS rollback or log truncation. You must be the CAS owner in order to fetch the necessary
information. Verification information will be printed to stderr.
The command may exit with one of the following exit codes (most severe first):
* 20 - Log authenticity/integrity violation - parsing error or signature verification failed
* 19 - The log does not originate from the selected CAS
* 18 - CAS rollback detected (excluding single failed & rolled back transactions)
* 17 - CAS rollback or missing/deleted log entries detected
* 16 - CAS rollback cannot be ruled out
* 15 - Log was truncated (older entries are missing)
* 14 - Log was truncated (recent entries are missing)
* 10 - At least one failed & rolled back transaction detected
* 0 - Log is fully correct
* other - Fatal error during verification
USAGE:
scone cas verify-audit-log [OPTIONS] <LOG_FILE_PATH>
ARGS:
<LOG_FILE_PATH>
Path to the audit log file
OPTIONS:
-c, --cas-key-hash <CAS_KEY_HASH>
Expected CAS public key hash (optional). If omitted, a previously attested key will be
used. Requires setting option 'cas', too
--cas <CAS>
URL of the CAS that the log file belongs to (optional, if omitted, the default CAS will
be assumed)
-h, --help
Print help information
--identity <IDENTITY>
External identity file to use (optional). If omitted, the automatically generated CLI
identity will be used. An identity file must contain a PEM-encoded PKCS#8 private key
followed by a X.509v3 certificate
--last <LAST>
If the log was split: Predecessor signature of the first event of a previously verified
succeeding log file. If omitted, verification ensures that the most recent event logged
by CAS is present
-p, --print-log
Print the log content in human-readable format to stdout
--predecessor <PREDECESSOR>
If the log was split: Signature of the last event of a previously verified preceding log
file. If omitted, verification ensures that the first event logged by CAS is present
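The exit codes of `verify-audit-log` are meant to be acted on by scripts. The wrapper below, added here as an example and not part of the SCONE CLI or its documentation, runs the verification, keeps the details the command writes to stderr, and reduces the exit code to a verdict: 0 passes, 10 (only failed-and-rolled-back transactions) is reported as a warning, and every other code fails, including unknown ones, since "other" means the verification itself did not complete. Treating 10 as a warning rather than a failure is a policy choice to adjust to your environment. The command to run is passed as arguments, so the demo at the bottom uses a constructed stand-in that exits with code 17 instead of a real CAS.

```shell
#!/bin/sh
# Added example, not part of the SCONE CLI. Turns the exit code of
# `scone cas verify-audit-log` into a CI verdict and preserves its stderr.

# audit_verdict CODE: print ok / warn / fail for one exit code.
audit_verdict() {
    case "$1" in
        0)  echo ok ;;    # log is fully correct
        10) echo warn ;;  # only failed & rolled back transactions (policy choice: warn)
        *)  echo fail ;;  # 14-20: truncation, rollback or forgery; anything else: fatal error
    esac
}

# run_audit_check DETAILS_FILE CMD [ARG...]
# Runs CMD, stores its stderr (the verification details) in DETAILS_FILE and
# prints "<verdict> (exit <code>)". Returns non-zero when the verdict is fail,
# so it can gate a pipeline step directly.
run_audit_check() {
    details=$1
    shift
    "$@" 2>"$details" && code=0 || code=$?
    verdict=$(audit_verdict "$code")
    printf '%s (exit %s)\n' "$verdict" "$code"
    [ "$verdict" != fail ]
}

DETAILS=${TMPDIR:-/tmp}/audit-details.txt
# Real use (not run here):
#   run_audit_check "$DETAILS" scone cas verify-audit-log cas-audit.log
# Demo with a constructed stand-in that behaves like exit code 17:
run_audit_check "$DETAILS" sh -c 'echo "constructed: rollback or deleted entries" >&2; exit 17' \
    || echo "verification details kept in $DETAILS"
```

Because the details file contains exactly what the CLI wrote to stderr, it can be attached to the job output for the codes 14 to 20 without parsing the CLI's text, which may change between versions while the exit codes are the documented contract.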
scone cas attest-audit-log
scone cas attest-audit-log
Performs the same task as `verify-audit-log`, but additionally checks that the audit log contains
valid attestation reports according to the given attestation settings
USAGE:
scone cas attest-audit-log [OPTIONS] <LOG_FILE_PATH> [--] [_mrenclave]
ARGS:
<LOG_FILE_PATH>
Path to the audit log file
<_mrenclave>
Expected enclave measurement/MRENCLAVE of the CAS enclave (optional). Deprecated, please
use --mrenclave instead
OPTIONS:
-c, --cas-key-hash <CAS_KEY_HASH>
Expected CAS public key hash (optional). If omitted, a previously attested key will be
used. Requires setting option 'cas', too
-C, --accept-configuration-needed
Accept CONFIGURATION NEEDED verification response (hyperthreading enabled, less secure)
--cas <CAS>
URL of the CAS that the log file belongs to (optional, if omitted, the default CAS will
be assumed)
-G, --accept-group-out-of-date
Accept GROUP OUT OF DATE verification response (TCB out-of-date, dangerous!)
-h, --help
Print help information
--identity <IDENTITY>
External identity file to use (optional). If omitted, the automatically generated CLI
identity will be used. An identity file must contain a PEM-encoded PKCS#8 private key
followed by a X.509v3 certificate
--isvprodid <ISVPRODID>
Verify the given Independent Software Vendor Product ID (ISVPRODID). Required when using
a custom MRSIGNER
--isvsvn <ISVSVN>
Verify that CAS has a given or greater Independent Software Vendor Security Version
Number (ISVSVN). Required when using a custom MRSIGNER
--last <LAST>
If the log was split: Predecessor signature of the first event of a previously verified
succeeding log file. If omitted, verification ensures that the most recent event logged
by CAS is present
--mrenclave <MRENCLAVE>
An expected enclave measurement/MRENCLAVE of the CAS enclave (optional). The CAS
software signature will always be verified, regardless of this argument; but if set, the
default CAS version (ISVSVN) check will be disabled. If specified multiple times,
attestation will succeed if any of the given measurements matches
--mrsigner <MRSIGNER>
Verify the CAS software signature using the given MRSIGNER instead of the default
Scontain MRSIGNER. Requires ISVPRODID and ISVSVN too
--only_for_testing-debug
Allow CAS to run in debug mode, in which it CANNOT PROTECT SECRETS (only for testing
purposes!) Only allowed if CAS signer is ignored
--only_for_testing-ignore-signer
Do not verify CAS software signature (MRSIGNER). This allows using a CAS signed with
test keys. If set, argument <mrenclave> becomes mandatory, unless
--only_for_testing-trust-any was also set
--only_for_testing-trust-any
Trust ANY enclave measurement value, only allowed if CAS is in debug mode. With this
option, `mrenclave` can be omitted, but the attested enclave can run ANY software. This
is obviously not secure!
-p, --print-log
Print the log content in human-readable format to stdout
--predecessor <PREDECESSOR>
If the log was split: Signature of the last event of a previously verified preceding log
file. If omitted, verification ensures that the first event logged by CAS is present
-S, --accept-sw-hardening-needed
Accept SW HARDENING NEEDED verification response (less safe compilation options)
--verification-time <VERIFICATION_TIME>
Specify the time at which the verification of the attestation collateral is supposed to happen
Expects yyyy-mm-dd, dd.mm.yyyy or dd-mm-yyyy. The date will be interpreted as 0 o'clock UTC
time. If this argument is not specified, the current system time is used.
This option can be used to allow the usage of DCAP verification data that is officially
expired or to allow verification of offline reports that have been gathered a longer
time ago.
scone cas version
scone cas version
Query the CAS software version
USAGE:
scone cas version [OPTIONS]
OPTIONS:
-c, --cas <CAS>
CAS to use. Default CAS if omitted
-h, --help
Print help information
--identity <IDENTITY>
External identity file to use (optional). If omitted, the automatically generated CLI
identity will be used. An identity file must contain a PEM-encoded PKCS#8 private key
followed by a X.509v3 certificate
--only_for_testing-disable-attestation-verification
Do not require the CAS to be attested. With this option set, NO verification of the used
CAS will be performed at all. This is obviously not secure!
--retries <COUNT>
How often the CLI should retry operations on network errors. 0 disables retries
[env: SCONE_CLI_RETRIES=]
[default: 3]
scone session
scone session
Manage CAS sessions
USAGE:
scone session <SUBCOMMAND>
OPTIONS:
-h, --help
Print help information
SUBCOMMANDS:
calculate-hash
Calculate and print the hash of the provided session file to stdout. Exits with a
non-zero exit code on session syntax or validation error
check
Check the syntax of the provided session file. Exits with a non-zero exit code on
validation error. On success, the session is printed to stdout
create
Upload a new session to CAS. Prints the hash of the created session on success. If the
given session does not contain a 'predecessor' field, but a session with the same name
already exists, the operation will fail. If the given session does contain a
'predecessor' field and a session with the same name already exists, the existing
session is updated, provided it is the session referenced as `predecessor`
encrypt
Encrypt the given session file. If the session was not signed yet, it will be signed as
if using `scone session sign` prior to encryption. The encrypted session can only be
uploaded to (and decrypted by) the intended CAS. On success, the encrypted session, in
JSON format, is printed to stdout. It can later be uploaded to CAS using the `scone
session create` command
help
Print this message or the help of the given subcommand(s)
read
Load an active session from CAS and print it to stdout
sign
Sign the given session file using the CLI-managed session signing key. The session will
be checked for validity before signing
update
Update an existing session in CAS. Prints the hash of the updated session on success.
When a session is updated, the 'predecessor' field of the new version must reference the
previous version of the session to prevent lost updates. If the given session does not
contain a 'predecessor' field, the CLI will automatically attempt to read the hash of
the currently active session on CAS and write it into the 'predecessor' field. If no
session with a matching name exists, the update operation will fail
verify
Verify that a session active on CAS matches the given session. Prints the hash of the
verified session on success
scone session check
scone session check
Check the syntax of the provided session file. Exits with a non-zero exit code on validation error.
On success, the session is printed to stdout
USAGE:
scone session check [OPTIONS] <FILE>
ARGS:
<FILE>
Path to the file containing the session description. This may either be a session
template YAML file, or a signed session (JSON) file
OPTIONS:
-e <VAR=VALUE>
Replace variables in the session template with the given values. Ignored if the session
was already signed
--fail-on-warning
If a warning occurs, stop immediately and exit with a non-zero exit code. Note that this
option only applies to warnings detected locally, it has no effect on warnings returned
by CAS when a session was created
-h, --help
Print help information
-n, --name <NAME>
Name of the session. Will replace the name stored in the session file. If the session
was already signed, setting a name will lead to an error
--use-env
Use the process' environment variables to replace variables in the session template.
Ignored if the session was already signed
scone session calculate-hash
scone session calculate-hash
Calculate and print the hash of the provided session file to stdout. Exits with a non-zero exit code
on session syntax or validation error
USAGE:
scone session calculate-hash [OPTIONS] <FILE>
ARGS:
<FILE>
Path to the file containing the session description. This may either be a session
template YAML file, or a signed session (JSON) file
OPTIONS:
-e <VAR=VALUE>
Replace variables in the session template with the given values. Ignored if the session
was already signed
--fail-on-warning
If a warning occurs, stop immediately and exit with a non-zero exit code. Note that this
option only applies to warnings detected locally, it has no effect on warnings returned
by CAS when a session was created
-h, --help
Print help information
--identity <IDENTITY>
External identity file to use (optional). If omitted, the automatically generated CLI
identity will be used. The identity file must contain a PEM-encoded X.509v3 certificate
-n, --name <NAME>
Name of the session. Will replace the name stored in the session file. If the session
was already signed, setting a name will lead to an error
--use-env
Use the process' environment variables to replace variables in the session template.
Ignored if the session was already signed
--with-self-as-creator <IDENTITY>
If the session does not have a creator set, pretend that it will be uploaded or signed
using this CLI configuration, and use the CLI's identity when calculating the hash.
(After uploading a session to CAS, CAS will assign the uploader's TLS client identity as
the session's creator; when signing a session, the signer becomes the session's
creator.) If the session already has a creator, this option does not have any effect. If
the session was signed, this option does not have any effect. If the session does not
require a creator, this option does not have any effect
[possible values: tls, signer]
scone session sign
scone session sign
Sign the given session file using the CLI-managed session signing key. The session will be checked
for validity before signing.
On success, the signed session, in JSON format, is printed to stdout. It can later be uploaded to
CAS using the `scone session create` command.
USAGE:
scone session sign [OPTIONS] <FILE> [SUBCOMMAND]
ARGS:
<FILE>
Path to the file containing the session description. This may either be a session
template YAML file, or a signed session (JSON) file
OPTIONS:
-e <VAR=VALUE>
Replace variables in the session template with the given values. Ignored if the session
was already signed
--fail-on-warning
If a warning occurs, stop immediately and exit with a non-zero exit code. Note that this
option only applies to warnings detected locally, it has no effect on warnings returned
by CAS when a session was created
-h, --help
Print help information
-n, --name <NAME>
Name of the session. Will replace the name stored in the session file. If the session
was already signed, setting a name will lead to an error
--use-env
Use the process' environment variables to replace variables in the session template.
Ignored if the session was already signed
SUBCOMMANDS:
add-signature
Add a session signature to a session
generate-message-to-be-signed
Generate the message to be signed by the signer identity
help
Print this message or the help of the given subcommand(s)
sign-with-cli-identity
Sign the provided session with the CLI's signing identity
scone session sign sign-with-cli-identity
scone session sign sign-with-cli-identity
Sign the provided session with the CLI's signing identity
USAGE:
scone session sign sign-with-cli-identity
OPTIONS:
-h, --help
Print help information
scone session sign generate-message-to-be-signed
scone session sign generate-message-to-be-signed
Generate the message to be signed by the signer identity.
The message is in binary format and is emitted on stdout.
The produced signature can be added to the session using the `add-signature` command.
USAGE:
scone session sign generate-message-to-be-signed [OPTIONS] [SIGNER]
ARGS:
<SIGNER>
A file containing the signer identity, i.e., the cryptographic identity/public key that
is supposed to sign the session.
Each session has a creator. When the session is uploaded directly to CAS, the CLI's
identity becomes the session creator. However, a signed session cannot be modified
afterwards, so the creator must be set before signing. In this case, the signer becomes
the creator of the session. If the session was signed before, or already explicitly
specifies the creator, the provided signer identity is ignored.
The signer identity must be formatted as an X.509 Subject Public Key Info (SPKI) structure
as described in RFC 5280. At this point, Ed25519 and P-384/secp384r1 keys are supported.
You can create the necessary file from the private key using the OpenSSL CLI tool like
this: 'openssl pkey -in ./private.key -pubout -out ./public.key'
OPTIONS:
-f, --force
Force the command
The command normally refuses to produce the message when stdout is a terminal, because the
message is binary. Use this flag to force operation.
-h, --help
Print help information
scone session sign add-signature
scone session sign add-signature
Add a session signature to a session.
The signed session is written to stdout.
In combination with the generate-message-to-be-signed command, this command can be used to sign a
session with external tools. For example, assuming a P384 key using openssl: 'scone session sign
./session.yml generate-message-to-be-signed ./public_key.pem | openssl dgst -sha384 -sign
./private_key.pem | scone session sign ./session.yml add-signature ./public_key.pem'
USAGE:
scone session sign add-signature <SIGNER> [SIGNATURE]
ARGS:
<SIGNER>
A file containing the signer identity, i.e., the cryptographic identity/public key that
created the signature.
The signer identity must be formatted as an X.509 Subject Public Key Info (SPKI) structure
as described in RFC 5280. At this point, Ed25519 and P-384/secp384r1 keys are supported.
You can create the necessary file from the private key using the OpenSSL CLI tool like
this: 'openssl pkey -in ./private.key -pubout -out ./public.key'
<SIGNATURE>
The signature in base64 encoding
If the signature is not provided, it is read verbatim (i.e., as raw bytes without any
encoding) from stdin to facilitate command pipelines.
OPTIONS:
-h, --help
Print help information
scone session encrypt
scone session encrypt
Encrypt the given session file. If the session was not signed yet, it will be signed as if using
`scone session sign` prior to encryption. The encrypted session can only be uploaded to (and
decrypted by) the intended CAS. On success, the encrypted session, in JSON format, is printed to
stdout. It can later be uploaded to CAS using the `scone session create` command
USAGE:
scone session encrypt [OPTIONS] <FILE>
ARGS:
<FILE>
Path to the file containing the session description. This may either be a session
template YAML file, or a signed session (JSON) file
OPTIONS:
--cas <CAS>
CAS to encrypt the session for. The encrypted session can only be uploaded to this CAS.
Default CAS if omitted
-e <VAR=VALUE>
Replace variables in the session template with the given values. Ignored if the session
was already signed
--fail-on-warning
If a warning occurs, stop immediately and exit with a non-zero exit code. Note that this
option only applies to warnings detected locally, it has no effect on warnings returned
by CAS when a session was created
-h, --help
Print help information
--key <KEY>
Public key to use for encryption. Mutually exclusive with option `cas`. Use `scone cas
show-identification --session-encryption-key` to display keys that can be used here
-n, --name <NAME>
Name of the session. Will replace the name stored in the session file. If the session
was already signed, setting a name will lead to an error
--use-env
Use the process' environment variables to replace variables in the session template.
Ignored if the session was already signed
scone session create
scone session create
Upload a new session to CAS. Prints the hash of the created session on success. If the given session
does not contain a 'predecessor' field, but a session with the same name already exists, the
operation will fail. If the given session does contain a 'predecessor' field and a session with the
same name already exists, the existing session is updated, provided it is the version referenced by
`predecessor`
USAGE:
scone session create [OPTIONS] <FILE>
ARGS:
<FILE>
Path to the file containing the session description. This may either be a session
template YAML file, or a signed session (JSON) file
OPTIONS:
-c, --cas <CAS>
CAS to use. Default CAS if omitted
-e <VAR=VALUE>
Replace variables in the session template with the given values. Ignored if the session
was already signed
--fail-on-warning
If a warning occurs, stop immediately and exit with a non-zero exit code. Note that this
option only applies to warnings detected locally, it has no effect on warnings returned
by CAS when a session was created
-h, --help
Print help information
--identity <IDENTITY>
External identity file to use (optional). If omitted, the automatically generated CLI
identity will be used. An identity file must contain a PEM-encoded PKCS#8 private key
followed by an X.509v3 certificate
-n, --name <NAME>
Name of the session. Will replace the name stored in the session file. If the session
was already signed, setting a name will lead to an error
--only_for_testing-disable-attestation-verification
Do not require the CAS to be attested. With this option set, NO verification of the used
CAS will be performed at all. This is obviously not secure!
--retries <COUNT>
How often the CLI should retry operations on network errors. 0 disables retries
[env: SCONE_CLI_RETRIES=]
[default: 3]
--use-env
Use the process' environment variables to replace variables in the session template.
Ignored if the session was already signed
scone session update
scone session update
Update an existing session in CAS. Prints the hash of the updated session on success. When a session
is updated, the 'predecessor' field of the new version must reference the previous version of the
session to prevent lost updates. If the given session does not contain a 'predecessor' field, the
CLI will automatically attempt to read the hash of the currently active session on CAS and write it
into the 'predecessor' field. If no session with a matching name exists, the update operation will
fail
USAGE:
scone session update [OPTIONS] <FILE>
ARGS:
<FILE>
Path to the file containing the session description. This may either be a session
template YAML file, or a signed session (JSON) file
OPTIONS:
-c, --cas <CAS>
CAS to use. Default CAS if omitted
-e <VAR=VALUE>
Replace variables in the session template with the given values. Ignored if the session
was already signed
--fail-on-warning
If a warning occurs, stop immediately and exit with a non-zero exit code. Note that this
option only applies to warnings detected locally, it has no effect on warnings returned
by CAS when a session was created
-h, --help
Print help information
--identity <IDENTITY>
External identity file to use (optional). If omitted, the automatically generated CLI
identity will be used. An identity file must contain a PEM-encoded PKCS#8 private key
followed by an X.509v3 certificate
-n, --name <NAME>
Name of the session. Will replace the name stored in the session file. If the session
was already signed, setting a name will lead to an error
--only_for_testing-disable-attestation-verification
Do not require the CAS to be attested. With this option set, NO verification of the used
CAS will be performed at all. This is obviously not secure!
--retries <COUNT>
How often the CLI should retry operations on network errors. 0 disables retries
[env: SCONE_CLI_RETRIES=]
[default: 3]
--use-env
Use the process' environment variables to replace variables in the session template.
Ignored if the session was already signed
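The `scone session create` and `scone session update` descriptions above define an optimistic-concurrency rule: every stored version is identified by its hash, and a replacement must name the active version's hash in `predecessor`, so a stale writer is rejected instead of silently overwriting a newer policy. The following in-memory model is an added illustration of those documented rules; it is not SCONE's or CAS's own code, and the hash function (SHA-256 over canonical JSON), the `CasModel` class and the behaviour for a `predecessor` that names no existing session are assumptions made so the example runs stand-alone.

```python
"""Model of the CAS session create/update rules documented for the SCONE CLI.

Added example, not SCONE/CAS code. Assumptions: SHA-256 over canonical JSON as
the session hash, and rejection of a 'predecessor' that points at nothing.
"""
import hashlib
import json
from typing import Callable, Optional


def session_hash(session: dict) -> str:
    """Deterministic hash of a session description (assumption: canonical JSON + SHA-256)."""
    canonical = json.dumps(session, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class CasModel:
    """Minimal stand-in for CAS: one active version per session name."""

    def __init__(self) -> None:
        self._active: dict = {}  # session name -> active session description

    def active_hash(self, name: str) -> Optional[str]:
        """Hash of the active session with this name, or None if there is none."""
        session = self._active.get(name)
        return session_hash(session) if session is not None else None

    def create(self, session: dict) -> str:
        """`scone session create` as documented:
        - no 'predecessor' but a same-named session exists  -> fail
        - 'predecessor' equals the active version's hash    -> acts as an update
        - otherwise the session is stored as new; its hash is returned
        """
        name = session["name"]
        current = self.active_hash(name)
        predecessor = session.get("predecessor")
        if current is not None:
            if predecessor is None:
                raise ValueError(f"session {name!r} exists and no predecessor was given")
            if predecessor != current:
                raise ValueError("predecessor does not match the active session")
        elif predecessor is not None:
            # Assumption: the documentation does not cover a predecessor with no
            # active session behind it; this model rejects it as inconsistent.
            raise ValueError(f"no active session {name!r} for the given predecessor")
        self._active[name] = session
        return session_hash(session)

    def update(self, session: dict) -> str:
        """`scone session update` as documented: the CLI fills in the active
        hash when 'predecessor' is missing; the update fails if no session of
        that name exists or the predecessor is stale (lost update prevented).
        """
        name = session["name"]
        current = self.active_hash(name)
        if current is None:
            raise ValueError(f"no session named {name!r} to update")
        if "predecessor" not in session:
            session = dict(session, predecessor=current)  # what the CLI does for you
        if session["predecessor"] != current:
            raise ValueError("stale predecessor: the session changed since it was read")
        self._active[name] = session
        return session_hash(session)


def attempt(operation: Callable[..., str], *args) -> bool:
    """Run a create/update and report whether CAS accepted it."""
    try:
        operation(*args)
        return True
    except ValueError:
        return False


def lost_update_demo() -> tuple:
    """Two operators read the same active version and both try to replace it.
    Only the first replacement is accepted; the second is rejected as stale.
    Returns (first_accepted, second_accepted, active_hash_after)."""
    cas = CasModel()
    # Constructed sample session; MRENCLAVE values are placeholders, not real measurements.
    v1 = {"name": "demo", "services": [{"name": "app", "mrenclaves": ["<mrenclave-v1>"]}]}
    h1 = cas.create(v1)
    by_alice = {"name": "demo", "predecessor": h1,
                "services": [{"name": "app", "mrenclaves": ["<mrenclave-alice>"]}]}
    by_bob = {"name": "demo", "predecessor": h1,
              "services": [{"name": "app", "mrenclaves": ["<mrenclave-bob>"]}]}
    first = attempt(cas.update, by_alice)
    second = attempt(cas.update, by_bob)   # Bob's predecessor is now stale
    return first, second, cas.active_hash("demo")


if __name__ == "__main__":
    print(lost_update_demo())
```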
scone session verify
scone session verify
Verify that a session active on CAS matches the given session. Prints the hash of the verified
session on success
USAGE:
scone session verify [OPTIONS] <FILE>
ARGS:
<FILE>
Path to the file containing the session description. This may either be a session
template YAML file, or a signed session (JSON) file
OPTIONS:
-c, --cas <CAS>
CAS to use. Default CAS if omitted
-e <VAR=VALUE>
Replace variables in the session template with the given values. Ignored if the session
was already signed
--fail-on-warning
If a warning occurs, stop immediately and exit with a non-zero exit code. Note that this
option only applies to warnings detected locally, it has no effect on warnings returned
by CAS when a session was created
-h, --help
Print help information
--identity <IDENTITY>
External identity file to use (optional). If omitted, the automatically generated CLI
identity will be used. An identity file must contain a PEM-encoded PKCS#8 private key
followed by an X.509v3 certificate
-n, --name <NAME>
Name of the session. Will replace the name stored in the session file. If the session
was already signed, setting a name will lead to an error
--only_for_testing-disable-attestation-verification
Do not require the CAS to be attested. With this option set, NO verification of the used
CAS will be performed at all. This is obviously not secure!
--retries <COUNT>
How often the CLI should retry operations on network errors. 0 disables retries
[env: SCONE_CLI_RETRIES=]
[default: 3]
--use-env
Use the process' environment variables to replace variables in the session template.
Ignored if the session was already signed
scone session read
scone session read
Load an active session from CAS and print it to stdout
USAGE:
scone session read [OPTIONS] <NAME>
ARGS:
<NAME>
The name of the session to get from CAS and print
OPTIONS:
-c, --cas <CAS>
CAS to use. Default CAS if omitted
-h, --help
Print help information
--identity <IDENTITY>
External identity file to use (optional). If omitted, the automatically generated CLI
identity will be used. An identity file must contain a PEM-encoded PKCS#8 private key
followed by an X.509v3 certificate
--only_for_testing-disable-attestation-verification
Do not require the CAS to be attested. With this option set, NO verification of the used
CAS will be performed at all. This is obviously not secure!
--retries <COUNT>
How often the CLI should retry operations on network errors. 0 disables retries
[env: SCONE_CLI_RETRIES=]
[default: 3]
scone las
scone las
Interact with the local attestation service (LAS)
USAGE:
scone las <SUBCOMMAND>
OPTIONS:
-h, --help
Print help information
SUBCOMMANDS:
help
Print this message or the help of the given subcommand(s)
probe
Liveness probe for the LAS service
provision-pck-certificate
Manually provision the latest PCK certificate to LAS, i.e., the PCK certificate for the
best TCB level currently supported by the platform
scone-epid-trust-anchor
Retrieve the EPID trust anchor of the SCONE QE (and verify it). Prints public key and
enclave measurement of the SCONE QE
show-tcb-state
Connect to LAS and request a DCAP quote to show information about the platform's TCB state.
In particular, the result shows whether the platform's trust level can be improved and
tries to indicate how the platform can be upgraded
scone las scone-epid-trust-anchor
scone las scone-epid-trust-anchor
Retrieve the EPID trust anchor of the SCONE QE (and verify it). Prints public key and enclave
measurement of the SCONE QE.
The information can only be verified, and thus trusted in a production environment, if IAS
credentials (sp_id and sp_key) are provided.
USAGE:
scone las scone-epid-trust-anchor [OPTIONS]
OPTIONS:
-C, --accept-configuration-needed
Accept CONFIGURATION NEEDED verification response (hyperthreading enabled, less secure)
--dev-env
Whether the service provider ID is registered in the IAS debug environment
-G, --accept-group-out-of-date
Accept GROUP OUT OF DATE verification response (TCB out-of-date, dangerous!)
-h, --help
Print help information
-l
The service provider ID's quote linkability setting
--las <LAS>
LAS to connect to. Default port will be added if no port is specified
[default: localhost]
--only_for_testing-debug
Allow LAS to run in debug mode, in which it CAN BE MANIPULATED AND SHOULDN'T BE TRUSTED
(only for testing purposes!)
-S, --accept-sw-hardening-needed
Accept SW HARDENING NEEDED verification response (less safe compilation options)
--sp-id <SP_ID>
The service provider ID used to verify the EPID quote with Intel IAS
[default: 00000000000000000000000000000000]
--sp-key <SP_KEY>
The service provider KEY used to authenticate to Intel IAS
scone las probe
scone las probe
Liveness probe for the LAS service
Can be used in orchestration tools (Kubernetes, Docker) to ensure LAS is able to provide SGX
attestation quotes.
This probe does NOT check the quote's integrity, as that typically requires an internet connection
and oftentimes also credentials. It follows that an adversary can fake LAS healthiness; in such a
situation, attestation of SCONE services would fail.
Note that this command must be executed with SGX hardware support. Running in SGX simulation mode
or as a native binary is insufficient.
USAGE:
scone las probe [OPTIONS]
OPTIONS:
--dcap
Require the LAS to be able to generate DCAP quotes to pass the liveness probe
The received quote must contain a PCK certificate. This is typically only provisioned to
the LAS during attestation of a CAS or user enclave. Therefore, this healthcheck may not
turn healthy until an attestation is attempted. See `dcap-api-key` argument.
A working DCAP quoting capability is typically sufficient to attest remote enclave
services.
--dcap-api-key <DCAP_API_KEY>
An optional DCAP PCS API subscription key
If this key is provided and LAS/AESM are found not to possess a PCK certificate yet, the
probe attempts to provision a PCK certificate to LAS/AESM, enabling DCAP attestation.
--epid
Require the LAS to be able to generate EPID quotes to pass the liveness probe
A working EPID quoting capability is typically sufficient to attest remote enclave
services.
-h, --help
Print help information
--las <LAS>
Address and port of the LAS to connect to: IP:PORT, or ADDRESS:PORT
Default port will be added if no port is specified.
[env: SCONE_LAS_ADDR=]
[default: localhost]
--scone
Require the LAS to be able to generate SCONE quotes to pass the liveness probe
A working SCONE quoting capability alone is insufficient to attest remote enclave services.
Either working EPID quoting is necessary to establish trust into the SCONE quoting
enclave, or the user has to manually establish trust into the quoting enclave and add
its public key to their CAS session/policy.
-t, --timeout <TIMEOUT>
Connection timeout in seconds
Seconds the probe will wait for a connection to be established before reporting failure.
[default: 10]
scone las show-tcb-state
scone las show-tcb-state
Connect to LAS and request a DCAP quote to show information about the platform's TCB state. In
particular, the result shows whether the platform's trust level can be improved and tries to
indicate how the platform can be upgraded.
Note that
* this CLI and LAS must be executed on the same platform,
* this operation may provision the DCAP PCK certificate to LAS, and
* the Intel DCAP PCS API must be reachable from this CLI instance.
USAGE:
scone las show-tcb-state [OPTIONS]
OPTIONS:
--dcap-api-key <DCAP_API_KEY>
An optional DCAP PCS API subscription key
The DCAP PCS API subscription key may be necessary to attest the platform.
--dont-fail-on-upgradable-pck-certificate
Do not fail the command if the PCK certificate should be upgraded
Using an outdated PCK certificate forces the platform to attest software at a worse
TCB level, which may cause service attestation to fail. Upgrading the PCK certificate is a
low-effort, software-only procedure that should happen automatically during attestation
with the SCONE platform, or can be done manually with the `provision-pck-certificate`
command.
--fail-on-upgradable-platform-tcb
Fail the command if the platform TCB should be upgraded
Depending on the concrete situation, the platform TCB might require a software upgrade
(e.g., a newer provisioning enclave, which in SCONE is part of the LAS image), a CPU
microcode upgrade, or a BIOS/UEFI upgrade. Note that this is not a complete enumeration.
Some of these upgrades cause service disruption because the system must be rebooted, or
are not available at all because the motherboard manufacturer does not yet offer a
particular firmware upgrade.
-h, --help
Print help information
--json <JSON>
Produce information in parsable JSON format
[possible values: summary]
--las <LAS>
LAS to connect to. Default port will be added if no port is specified
[default: localhost]
-t, --timeout <TIMEOUT>
Connection timeout in seconds
Seconds the probe will wait for a connection to be established before reporting failure.
[default: 10]
scone las provision-pck-certificate
scone las provision-pck-certificate
Manually provision the latest PCK certificate to LAS, i.e., the PCK certificate for the best TCB
level currently supported by the platform.
This operation is typically performed automatically during service attestation. Doing it
manually may be useful in air-gapped systems or to reduce attestation latency.
USAGE:
scone las provision-pck-certificate [OPTIONS] --dcap-api-key <DCAP_API_KEY>
OPTIONS:
--dcap-api-key <DCAP_API_KEY>
The DCAP PCS API subscription key is necessary to obtain the PCK certificate
-h, --help
Print help information
--las <LAS>
LAS to connect to. Default port will be added if no port is specified
[default: localhost]
-t, --timeout <TIMEOUT>
Connection timeout in seconds
Seconds the probe will wait for a connection to be established before reporting failure.
[default: 10]
scone cert
scone cert
Perform operations on X.509 certificates
USAGE:
scone cert <SUBCOMMAND>
OPTIONS:
-h, --help
Print help information
SUBCOMMANDS:
help
Print this message or the help of the given subcommand(s)
show-key-hash
Print the hash of the certificate's public key
scone cert show-key-hash
scone cert show-key-hash
Print the hash of the certificate's public key
USAGE:
scone cert show-key-hash <FILE>
ARGS:
<FILE>
Path to the file containing the PEM-encoded X.509 certificate
OPTIONS:
-h, --help
Print help information
scone binary-fs
scone binary-fs
Collect directories and files to generate binary fs artifacts.
Note that binary fs only supports regular files and symbolic links. Empty directories, for example,
will be ignored. You may put an empty file into the directory as a workaround.
USAGE:
scone binary-fs [OPTIONS] <ROOT> <OUTPUT_DIR>
ARGS:
<ROOT>
The root directory from which the binary fs will be built
<OUTPUT_DIR>
Directory in which output files should be stored. Multiple files will be produced that
must be linked together subsequently. The command shows the appropriate shell commands
upon success
OPTIONS:
-h, --host-path <HOST_PATH>
Add a host path. Host paths are served directly from the host file system without any
protection or sanitization through SCONE. The path must be absolute (start with '/').
Typical uses of host paths are files containing system-specific data, such as
networking configuration (`/etc/hosts`, `/etc/resolv.conf`), or special device files.
Can be specified multiple times.
--help
Print help information
-i, --include <INCLUDE>
Include expressions; only paths matching an include expression will be added. These
patterns use shell glob syntax.
For example, '*' matches all files, '/dir/file' matches only this single file, and
'/dir/*' matches all files beneath '/dir'.
-p, --preserve-symbolic-links
Preserve any encountered symbolic links as they are.
If this option is not set, the tool rewrites any encountered symbolic link so that it
works correctly once `<ROOT>` becomes `/`. For example, if `/root` is the designated binary fs
root directory and `/root/a` is a symbolic link to `/root/b`, `/root/a` must be rewritten
to link to `/b` within the binary fs.
-v, --verbose
Produce more informative output (specifying the option multiple times increases verbosity)
scone signer
scone signer
Sign executables
USAGE:
scone signer <SUBCOMMAND>
OPTIONS:
-h, --help
Print help information
SUBCOMMANDS:
help
Print this message or the help of the given subcommand(s)
info
sign
scone signer sign
scone signer sign
USAGE:
scone signer sign [OPTIONS] <FILE>
ARGS:
<FILE>
Path to the enclave application
OPTIONS:
-d, --dlopen <DLOPEN>
dlopen(): 0 - disable, 1 - enable, 2 - enable, do not require loaded libraries to be
authenticated/encrypted (default=0) [SCONE_ALLOW_DLOPEN]
[possible values: 0, 1, 2]
-e, --env
Consider SCONE_* environment variables additionally to provided arguments. Arguments
overwrite environment variables
--extensions <EXTENSIONS>
List of paths to runtime extension libraries (separated with ':')
[SCONE_EXTENSIONS_PATH]
-f, --fork <FORK>
fork: 0 - disable, 1 - enable (default=0) [SCONE_FORK]
[possible values: 0, 1]
-h, --help
Print help information
-H, --heap <HEAP>
Heap size (default=64MB) [SCONE_HEAP]
--isvprodid <ISVPRODID>
SGX Independent Software Vendor Product ID (default=0) [SCONE_ISVPRODID]
--isvsvn <ISVSVN>
SGX Independent Software Vendor Security Version Number (default=0) [SCONE_ISVSVN]
-k, --key <KEY>
Path to private key file. If not provided, a built-in debug key will be used [SCONE_KEY]
-m, --mprotect <MPROTECT>
mprotect: 0 - disable, 1 - enable (default=0) [SCONE_MPROTECT]
[possible values: 0, 1]
-M, --minheap <MINHEAP>
Minimal heap size (default=8MB) [SCONE_MIN_HEAP]
--miscselect <MISCSELECT>
MISCSELECT to set in SIGSTRUCT [SCONE_MISCSELECT]
-p, --production
Sign enclave to run in production mode. [SCONE_PRODUCTION]
-S, --stack <STACK>
Default stack size (default=2MB) [SCONE_STACK]
--sconify
Add ELF sections used by the SCONE runtime and use SCONE program interpreter
--syslibs <SYSLIBS>
Enable/disable usage of system paths (/lib, /usr/lib, etc.) when searching for
application dependencies (default=0) [SCONE_SYSLIBS]
[possible values: 0, 1]
-t, --tcs <TCS>
Number of TCS (default=8) [SCONE_TCS]
-v, --verbose
Output information about the enclave after signing
-x, --xfrm <XFRM>
XFRM to set in SIGSTRUCT [SCONE_XFRM]
scone signer info
scone signer info
USAGE:
scone signer info [OPTIONS] <FILE>
ARGS:
<FILE>
OPTIONS:
-h, --help
Print help information
--yaml
Print selected fields of the SIGSTRUCT in YAML format
scone cargo
scone cargo
Rust Cargo utilizing SCONE compiler by default
USAGE:
scone cargo [ARGS]...
ARGS:
<ARGS>...
OPTIONS:
-h, --help
Print help information
scone g++
scone g++
g++ SCONE compiler
USAGE:
scone g++ [ARGS]...
ARGS:
<ARGS>...
OPTIONS:
-h, --help
Print help information
scone gcc
scone gcc
gcc SCONE compiler
USAGE:
scone gcc [ARGS]...
ARGS:
<ARGS>...
OPTIONS:
-h, --help
Print help information
scone gccgo
scone gccgo
gccgo SCONE compiler
USAGE:
scone gccgo [ARGS]...
ARGS:
<ARGS>...
OPTIONS:
-h, --help
Print help information
scone gdb
scone gdb
gdb (debugger able to read SCONE debug enclave memory)
USAGE:
scone gdb [ARGS]...
ARGS:
<ARGS>...
OPTIONS:
-h, --help
Print help information
scone gfortran
scone gfortran
fortran SCONE compiler
USAGE:
scone gfortran [ARGS]...
ARGS:
<ARGS>...
OPTIONS:
-h, --help
Print help information
scone rustc
scone rustc
Rust SCONE compiler
USAGE:
scone rustc [ARGS]...
ARGS:
<ARGS>...
OPTIONS:
-h, --help
Print help information
scone host
scone host
USAGE:
scone host [ARGS]...
ARGS:
<ARGS>...
OPTIONS:
-h, --help
Print help information
scone swarm
scone swarm
USAGE:
scone swarm [ARGS]...
ARGS:
<ARGS>...
OPTIONS:
-h, --help
Print help information
scone service
scone service
USAGE:
scone service [ARGS]...
ARGS:
<ARGS>...
OPTIONS:
-h, --help
Print help information
scone stack
scone stack
USAGE:
scone stack [ARGS]...
ARGS:
<ARGS>...
OPTIONS:
-h, --help
Print help information
scone version
scone version
Show CLI version
USAGE:
scone version
OPTIONS:
-h, --help
Print help information
scone help-markdown
scone help-markdown
Generate markdown help pages on stdout
USAGE:
scone help-markdown
OPTIONS:
-h, --help
Print help information