SCONE CLI

We provide a CLI (Command Line Interface) to

  • attest SCONE CAS, i.e., to ensure that we are connected to a CAS with an expected MrEnclave running inside an enclave.
  • create a session, i.e., to upload a new session description.
  • update a session, i.e., replace an existing session with a new session description.
  • verify that a session matches a given session template. Prints the digest of the verified session on success.

Note that this CLI is implemented as a Rust crate that can be used to interact with CAS directly from programs linked with this library. The default SCONE CLI is available for subscribers and can be run as follows: docker run -it registry.scontain.com/sconecuratedimages/sconecli.

scone

scone 0.2.0
Your command line toolkit to interact with the scone infrastructure

USAGE:
    scone [OPTIONS] <SUBCOMMAND>

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information


OPTIONS:
    -c, --config <config>    
            Sets a custom config file [env: SCONE_CLI_CONFIG=]  [default: ~/.cas/config.json]


SUBCOMMANDS:
    binary-fs        Collect directories and files to generate a binary fs source code file
    cas              Communication with CAS
    cert             Perform operations on X.509 certificates
    fspf             Create and modify file system protection files 
    help             Prints this message or the help of the given subcommand(s)
    help-markdown    Generate markdown help pages on stdout
    las              Interact with the local attestation service (LAS)
    self             Manage this instance of the SCONE CLI
    session          Manage CAS sessions

scone self

scone self 0.2.0
Manage this instance of the SCONE CLI

USAGE:
    scone self <SUBCOMMAND>

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information


SUBCOMMANDS:
    help                     Prints this message or the help of the given subcommand(s)
    show                     Show the certificate and public key hash
    show-certificate         Print only the certificate in PEM format
    show-certificate-hash    Print only the SHA-256 certificate hash. Using the certificate hash in session access
                             control policies is deprecated, as it does not allow authentication with renewed
                             certificates. Please use the key hash (show-key-hash) instead
    show-key-hash            Print only the public key hash

scone self show

scone self show 0.2.0
Show the certificate and public key hash

USAGE:
    scone self show

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information

scone self show-certificate

scone self show-certificate 0.2.0
Print only the certificate in PEM format

USAGE:
    scone self show-certificate

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information

scone self show-key-hash

scone self show-key-hash 0.2.0
Print only the public key hash

USAGE:
    scone self show-key-hash

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information

scone self show-certificate-hash

scone self show-certificate-hash 0.2.0
Print only the SHA-256 certificate hash. Using the certificate hash in session access control policies is deprecated, as
it does not allow authentication with renewed certificates. Please use the key hash (show-key-hash) instead

USAGE:
    scone self show-certificate-hash

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information

scone fspf

scone fspf 0.2.0
Create and modify file system protection files 

USAGE:
    scone fspf <SUBCOMMAND>

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information


SUBCOMMANDS:
    addf             Add files (file protection data) to an existing fspf
    addr             Add a protection region to an existing fspf
    create           Create a new file system protection file
    create-volume    Create a new SCONE volume FSPF
    encrypt          Encrypt an existing fspf
    help             Prints this message or the help of the given subcommand(s)
    show             Show an existing fspf

scone fspf create

scone fspf create 0.2.0
Create a new file system protection file

USAGE:
    scone fspf create <file> [version]

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information


ARGS:
    <file>       
            Path to store the created fspf at

    <version>    
            FSPF format version to use, optional: latest version will be used by default

scone fspf addr

scone fspf addr 0.2.0
Add a protection region to an existing fspf

USAGE:
    scone fspf addr [OPTIONS] <file> <embedpoint> <--not-protected|--encrypted|--authenticated> <--kernel <source-dir>|--ephemeral>

FLAGS:
    -a, --authenticated    
            The content of this region should be authenticated (but not encrypted)

    -e, --encrypted        
            The content of this region should be encrypted

        --ephemeral        
            The region's files are stored in volatile & untrusted memory

    -h, --help             
            Prints help information

    -n, --not-protected    
            The content of this region should NOT be protected

    -V, --version          
            Prints version information


OPTIONS:
    -c, --chunk-length <chunk-length>    
            In bytes. Files will be protected with chunks of this size; only valid for protected regions

    -k, --key-length <key-length>        
            In bits. The file protection will use keys with this size; only valid for protected regions

        --kernel <source-dir>            
            The region's files are stored in the kernel's filesystem


ARGS:
    <file>          
            Location of the fspf

    <embedpoint>    
            The location of the region in the protected file system

scone fspf addf

scone fspf addf 0.2.0
Add files (file protection data) to an existing fspf

USAGE:
    scone fspf addf <file> <embedpoint> <source-dir> [encrypt-dir]

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information


ARGS:
    <file>           
            Location of the fspf

    <embedpoint>     
            Region the files should be added to

    <source-dir>     
            Source directory files to take from

    <encrypt-dir>    
            Target directory for encrypted files (needed for encrypted regions)

scone fspf encrypt

scone fspf encrypt 0.2.0
Encrypt an existing fspf

USAGE:
    scone fspf encrypt <file>

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information


ARGS:
    <file>    
            Location of the fspf

scone fspf show

scone fspf show 0.2.0
Show an existing fspf

USAGE:
    scone fspf show [FLAGS] <file> [key]

FLAGS:
    -h, --help       
            Prints help information

    -t, --tag        
            Only print tag

    -V, --version    
            Prints version information


ARGS:
    <file>    
            Location of the fspf

    <key>     
            Decryption key of the fspf

scone fspf create-volume

scone fspf create-volume 0.2.0
Create a new SCONE volume FSPF

This will prepare a directory (and its content) for secure data storage and exchange between SCONE enclaves/services in
a microservice application. A SCONE volume in the simplest approximation is a directory with a `volume.fspf` file. This
file contains the protection data for all data that is stored in the directory. The usage of SCONE volume must be
configured via a SCONE CAS session/policy.

USAGE:
    scone fspf create-volume [FLAGS] [OPTIONS] <volume-path> <--encrypted|--authenticated> [output-path]

FLAGS:
    -a, --authenticated    
            The content of this region should be authenticated (but not encrypted)

    -e, --encrypted        
            The content of this region should be encrypted

            Requires setting `output_path` argument to the location where the encrypted initial files are written to.
        --envar-output     
            Print the key and tag message in environment defining format on stdout, such that the output can be directly
            interpreted by a shell. This is useful if this command is used in a script.

            Environment variable will be `VOLUME_KEY` and `VOLUME_TAG`. The output will look like this:

            export VOLUME_KEY=55920e9398056f6cd83fc2354f9d29f9052df252c5d797a9500f905f42e9faae
            export VOLUME_TAG=61b958b220b19b8b74a76f74fc94282e

            You can use it to set the variables with a command like: eval "`scone fspf create-volume ./volume-dir
            --authenticated --envar-output`"
    -f, --force            
            Force creation even if existing files must be removed or overwritten

    -h, --help             
            Prints help information


OPTIONS:
    -c, --chunk-length <chunk-length>    
            In bytes. Files will be protected with chunks of this size

    -k, --key-length <key-length>        
            In bits. The file protection will use keys with this size

    -v, --version <version>              
            FSPF format version to use, optional: latest version will be used by default


ARGS:
    <volume-path>    
            The path of a directory that should become the new SCONE volume

            If the directory exists already its content will be the initial content of the new volume. Otherwise, a
            directory with the `volume.fspf` will be created (as long as `output_path` is not specified).
    <output-path>    
            Path where the output should be generated (necessary for encrypted volumes)

scone cas

scone cas 0.2.0
Communication with CAS

USAGE:
    scone cas <SUBCOMMAND>

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information


SUBCOMMANDS:
    attest                 Attest a CAS instance
    attest-audit-log       Performs the same task as `verify-audit-log`, but additionally checks that the audit log
                           contains valid attestation reports according to the given attestation settings
    help                   Prints this message or the help of the given subcommand(s)
    list                   List attested CAS instances
    provision              Take ownership of a CAS and supply its initial server-side configuration
    register-backup        Register a backup CAS
    register-upgrade       Register an upgrade CAS
    set-default            Set default CAS - The default CAS is always used if no CAS is explicitly specified, e.g.
                           in the `session upload` command
    show-certificate       Show certificate chain of an attested CAS instance
    show-identification    Show identification information of an attested CAS that can be used to identify the
                           instance
    start-upgrade          Initiate a CAS upgrade with database key rollover
    update-config          Update a server-side CAS configuration
    verify-audit-log       Verify the authenticity and integrity of a signed CAS audit log. The origin CAS will be
                           contacted to detect a CAS rollback or log truncation. You must be the CAS owner in order
                           to fetch the necessary information. Verification information will be printed to stderr

scone cas list

scone cas list 0.2.0
List attested CAS instances

USAGE:
    scone cas list

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information

scone cas attest

scone cas attest 0.2.0
Attest a CAS instance

USAGE:
    scone cas attest [FLAGS] [OPTIONS] <address> [--] [_mrenclave]

FLAGS:
    -C, --accept-configuration-needed       
            Accept CONFIGURATION NEEDED verification response (hyperthreading enabled, less secure)

        --only_for_testing-debug            
            Allow CAS to run in debug mode, in which it CANNOT PROTECT SECRETS (only for testing purposes!) Only allowed
            if CAS signer is ignored
    -G, --accept-group-out-of-date          
            Accept GROUP OUT OF DATE verification response (TCB out-of-date, dangerous!)

    -S, --accept-sw-hardening-needed        
            Accept SW HARDENING NEEDED verification response (less safe compilation options)

        --allow-cas-owner-secret-access     
            Whether to trust the CAS even if its database encryption key was injected by the CAS owner, and not
            generated securely within an enclave. If set, session secrets will be accessible to the CAS owner!
    -h, --help                              
            Prints help information

        --only_for_testing-ignore-signer    
            Do not verify CAS software signature (MRSIGNER). This allows using a CAS signed with test keys. If set,
            argument <mrenclave> becomes mandatory, unless --only_for_testing-trust-any was also set
        --only_for_testing-trust-any        
            Trust ANY enclave measurement value, only allowed if CAS is in debug mode. With this option, `mrenclave` can
            be omitted, but the attested enclave can run ANY software. This is obviously not secure!
    -V, --version                           
            Prints version information


OPTIONS:
    -c <cas-key-hash>                 
            Expected CAS public key hash

    -s <cas-software-key-hash>        
            Expected CAS software public key hash

        --isvprodid <isvprodid>       
            Verify the given Independent Software Vendor Product ID (ISVPRODID). Required when using a custom MRSIGNER

        --isvsvn <isvsvn>             
            Verify that CAS has a given or greater Independent Software Vendor Security Version Number (ISVSVN).
            Required when using a custom MRSIGNER
        --mrenclave <mrenclave>...    
            An expected enclave measurement/MRENCLAVE of the CAS enclave (optional). The CAS software signature will
            always be verified, regardless of this argument; but if set, the default CAS version (ISVSVN) check will be
            disabled. If specified multiple times, attestation will succeed if any of the given measurements matches
        --mrsigner <mrsigner>         
            Verify the CAS software signature using the given MRSIGNER instead of the default Scontain MRSIGNER.
            Requires ISVPRODID and ISVSVN too

ARGS:
    <address>       
            CAS address

    <_mrenclave>    
            Expected enclave measurement/MRENCLAVE of the CAS enclave (optional). Deprecated, please use --mrenclave
            instead

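A production wrapper for `scone cas attest`, added here as an example (it is not part of the SCONE CLI or its documentation): it pins the CAS public key hash and MRENCLAVE and refuses every `only_for_testing` flag and every flag that accepts a degraded TCB or an owner-readable database key, so a CI job cannot silently attest with weakened settings. `CAS_ADDR`, `CAS_KEY_HASH` and `CAS_MRENCLAVE` are assumed placeholders set by the caller.

```shell
#!/bin/sh
# Added example, not part of the SCONE CLI: attest a CAS with pinned expectations
# and refuse any flag that weakens the verification described in the help above.
# Assumed placeholders (set by the caller): CAS_ADDR, CAS_KEY_HASH, CAS_MRENCLAVE.

# check_attest_args ARGS... -> 0 if no weakening flag is present, 1 otherwise.
# The patterns are the flags the help text marks as testing-only, as accepting
# a degraded TCB, or as trusting a CAS whose database key the owner can read.
check_attest_args() {
  for arg in "$@"; do
    case "$arg" in
      --only_for_testing-*|-G|--accept-group-out-of-date|-C|--accept-configuration-needed|-S|--accept-sw-hardening-needed|--allow-cas-owner-secret-access)
        echo "refusing weakened attestation flag: $arg" >&2
        return 1 ;;
    esac
  done
  return 0
}

# attest_cas [extra scone options]: attest CAS_ADDR against the pinned key hash
# and measurement, then make it the default CAS for later session commands.
# Note from the help: pinning --mrenclave disables the default ISVSVN check,
# so the pinned measurement must be kept current when CAS is upgraded.
attest_cas() {
  check_attest_args "$@" || return 1
  : "${CAS_ADDR:?}" "${CAS_KEY_HASH:?}" "${CAS_MRENCLAVE:?}"
  scone cas attest -c "$CAS_KEY_HASH" --mrenclave "$CAS_MRENCLAVE" "$@" "$CAS_ADDR" \
    && scone cas set-default "$CAS_ADDR"
}
```

Run `attest_cas` once per environment; any later `scone session` command then targets the attested default CAS.
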
scone cas show-identification

scone cas show-identification 0.2.0
Show identification information of an attested CAS that can be used to identify the instance

USAGE:
    scone cas show-identification [FLAGS] [cas]

FLAGS:
    -C, --cas-certificate             
            PEM-encoded CAS X509 certificate

    -c, --cas-key-hash                
            SHA256 Hash of CAS public key

    -S, --cas-software-certificate    
            PEM-encoded CAS software X509 certificate

    -s, --cas-software-key-hash       
            SHA256 Hash of CAS software public key

    -T, --certificate-chain           
            Certificate chain of trust of PEM-encoded CAS and CAS software certificates [default]

    -h, --help                        
            Prints help information

    -V, --version                     
            Prints version information


ARGS:
    <cas>    
            CAS of which to show the certificate chain, optional: default CAS if omitted

scone cas show-certificate

scone cas show-certificate 0.2.0
Show certificate chain of an attested CAS instance

USAGE:
    scone cas show-certificate [cas]

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information


ARGS:
    <cas>    
            CAS of which to show the certificate chain, optional: default CAS if omitted

scone cas set-default

scone cas set-default 0.2.0
Set default CAS - The default CAS is always used if no CAS is explicitly specified, e.g. in the `session upload` command

USAGE:
    scone cas set-default <cas>

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information


ARGS:
    <cas>    
            CAS to become the new default CAS

scone cas provision

scone cas provision 0.2.0
Take ownership of a CAS and supply its initial server-side configuration

USAGE:
    scone cas provision [OPTIONS] <address> -c <cas-key-hash> --config-file <config-file> --token <token> <SUBCOMMAND>

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information


OPTIONS:
    -c <cas-key-hash>                    
            Expected CAS public key hash. Can be found in the CAS console

    -s <cas-software-key-hash>           
            Expected CAS software public key hash (optional). Can be found in the CAS console

        --config-file <config-file>      
            Path to the file containing the server-side CAS configuration (in TOML, JSON or YAML format)

        --database-key <database-key>    
            Database key to encrypt the CAS database with. Must be a 64-character hexadecimal string. Allows CAS owner
            to decrypt the database at will. This impacts security of the CAS and session secrets, and is therefore
            discouraged. Database key injection will be refused by CAS binaries signed by Scontain
        --identity <identity>            
            External identity file to use (optional). If omitted, the automatically generated CLI identity will be used.
            An identity file must contain a PEM-encoded PKCS#8 private key followed by a X.509v3 certificate
        --token <token>                  
            Provisioning token (32-character hexadecimal string). Can be found in the CAS console


ARGS:
    <address>    
            CAS address


SUBCOMMANDS:
    help                                    Prints this message or the help of the given subcommand(s)
    only_for_testing-without-attestation    Do not attest the CAS. With this command selected, NO verification of
                                            the used CAS will be performed at all. This is obviously not secure!
    with-attestation                        Attest the CAS instance during provisioning

scone cas provision with-attestation

scone cas provision with-attestation 0.2.0
Attest the CAS instance during provisioning

USAGE:
    scone cas provision with-attestation [FLAGS] [OPTIONS] [--] [_mrenclave]

FLAGS:
    -C, --accept-configuration-needed       
            Accept CONFIGURATION NEEDED verification response (hyperthreading enabled, less secure)

        --only_for_testing-debug            
            Allow CAS to run in debug mode, in which it CANNOT PROTECT SECRETS (only for testing purposes!) Only allowed
            if CAS signer is ignored
    -G, --accept-group-out-of-date          
            Accept GROUP OUT OF DATE verification response (TCB out-of-date, dangerous!)

    -S, --accept-sw-hardening-needed        
            Accept SW HARDENING NEEDED verification response (less safe compilation options)

    -h, --help                              
            Prints help information

        --only_for_testing-ignore-signer    
            Do not verify CAS software signature (MRSIGNER). This allows using a CAS signed with test keys. If set,
            argument <mrenclave> becomes mandatory, unless --only_for_testing-trust-any was also set
        --only_for_testing-trust-any        
            Trust ANY enclave measurement value, only allowed if CAS is in debug mode. With this option, `mrenclave` can
            be omitted, but the attested enclave can run ANY software. This is obviously not secure!
    -V, --version                           
            Prints version information


OPTIONS:
        --isvprodid <isvprodid>       
            Verify the given Independent Software Vendor Product ID (ISVPRODID). Required when using a custom MRSIGNER

        --isvsvn <isvsvn>             
            Verify that CAS has a given or greater Independent Software Vendor Security Version Number (ISVSVN).
            Required when using a custom MRSIGNER
        --mrenclave <mrenclave>...    
            An expected enclave measurement/MRENCLAVE of the CAS enclave (optional). The CAS software signature will
            always be verified, regardless of this argument; but if set, the default CAS version (ISVSVN) check will be
            disabled. If specified multiple times, attestation will succeed if any of the given measurements matches
        --mrsigner <mrsigner>         
            Verify the CAS software signature using the given MRSIGNER instead of the default Scontain MRSIGNER.
            Requires ISVPRODID and ISVSVN too

ARGS:
    <_mrenclave>    
            Expected enclave measurement/MRENCLAVE of the CAS enclave (optional). Deprecated, please use --mrenclave
            instead

scone cas provision only_for_testing-without-attestation

scone cas provision only_for_testing-without-attestation 0.2.0
Do not attest the CAS. With this command selected, NO verification of the used CAS will be performed at all. This is
obviously not secure!

USAGE:
    scone cas provision only_for_testing-without-attestation

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information

scone cas update-config

scone cas update-config 0.2.0
Update a server-side CAS configuration

USAGE:
    scone cas update-config [FLAGS] [OPTIONS] --config-file <config-file>

FLAGS:
        --only_for_testing-disable-attestation-verification
            Do not require the CAS to be attested. With this option set, NO verification of the used CAS will be
            performed at all. This is obviously not secure!
    -h, --help                                                 
            Prints help information

    -V, --version                                              
            Prints version information


OPTIONS:
    -c, --cas <cas>                    
            CAS to use (optional)

        --config-file <config-file>    
            Path to the file containing the server-side CAS configuration (in TOML, JSON or YAML format)

        --identity <identity>          
            External identity file to use (optional). If omitted, the automatically generated CLI identity will be used.
            An identity file must contain a PEM-encoded PKCS#8 private key followed by a X.509v3 certificate

scone cas register-backup

scone cas register-backup 0.2.0
Register a backup CAS

USAGE:
    scone cas register-backup [FLAGS] [OPTIONS] <backup-cas>

FLAGS:
        --only_for_testing-disable-attestation-verification
            Do not require the CAS to be attested. With this option set, NO verification of the used CAS will be
            performed at all. This is obviously not secure!
    -h, --help                                                 
            Prints help information

    -V, --version                                              
            Prints version information


OPTIONS:
    -c, --cas <cas>              
            CAS to use (optional)

        --identity <identity>    
            External identity file to use (optional). If omitted, the automatically generated CLI identity will be used.
            An identity file must contain a PEM-encoded PKCS#8 private key followed by a X.509v3 certificate

ARGS:
    <backup-cas>    
            The address of the backup CAS

scone cas register-upgrade

scone cas register-upgrade 0.2.0
Register an upgrade CAS

USAGE:
    scone cas register-upgrade [FLAGS] [OPTIONS] <upgrade-cas>

FLAGS:
        --only_for_testing-disable-attestation-verification
            Do not require the CAS to be attested. With this option set, NO verification of the used CAS will be
            performed at all. This is obviously not secure!
    -h, --help                                                 
            Prints help information

    -V, --version                                              
            Prints version information


OPTIONS:
    -c, --cas <cas>              
            CAS to use (optional)

        --identity <identity>    
            External identity file to use (optional). If omitted, the automatically generated CLI identity will be used.
            An identity file must contain a PEM-encoded PKCS#8 private key followed by a X.509v3 certificate

ARGS:
    <upgrade-cas>    
            The address of the upgrade CAS

scone cas start-upgrade

scone cas start-upgrade 0.2.0
Initiate a CAS upgrade with database key rollover

USAGE:
    scone cas start-upgrade [FLAGS] [OPTIONS]

FLAGS:
        --only_for_testing-disable-attestation-verification
            Do not require the CAS to be attested. With this option set, NO verification of the used CAS will be
            performed at all. This is obviously not secure!
    -h, --help                                                 
            Prints help information

    -V, --version                                              
            Prints version information

    -y, --yes                                                  
            Do not ask for confirmation


OPTIONS:
    -c, --cas <cas>              
            CAS to use (optional)

        --identity <identity>    
            External identity file to use (optional). If omitted, the automatically generated CLI identity will be used.
            An identity file must contain a PEM-encoded PKCS#8 private key followed by a X.509v3 certificate

scone cas verify-audit-log

scone cas verify-audit-log 0.2.0
Verify the authenticity and integrity of a signed CAS audit log. The origin CAS will be contacted to detect a CAS
rollback or log truncation. You must be the CAS owner in order to fetch the necessary information. Verification
information will be printed to stderr.

The command may exit with one of the following exit codes (most severe first):

  * 20 - Log authenticity/integrity violation - parsing error or signature verification failed
  * 19 - The log does not originate from the selected CAS
  * 18 - CAS rollback detected (excluding single failed & rolled back transactions)
  * 17 - CAS rollback or missing/deleted log entries detected
  * 16 - CAS rollback cannot be ruled out
  * 15 - Log was truncated (older entries are missing)
  * 14 - Log was truncated (recent entries are missing)
  * 10 - At least one failed & rolled back transaction detected
  * 0  - Log is fully correct
  * other - Fatal error during verification

USAGE:
    scone cas verify-audit-log [FLAGS] [OPTIONS] <log-file-path>

FLAGS:
    -h, --help         
            Prints help information

    -p, --print-log    
            Print the log content in human-readable format to stdout

    -V, --version      
            Prints version information


OPTIONS:
        --cas <cas>                      
            URL of the CAS that the log file belongs to (optional, if omitted, the default CAS will be assumed)

    -c, --cas-key-hash <cas-key-hash>    
            Expected CAS public key hash (optional). If omitted, a previously attested key will be used. Requires
            setting option 'cas', too
        --identity <identity>            
            External identity file to use (optional). If omitted, the automatically generated CLI identity will be used.
            An identity file must contain a PEM-encoded PKCS#8 private key followed by a X.509v3 certificate
        --last <last>                    
            If the log was split: Predecessor signature of the first event of a previously verified succeeding log file.
            If omitted, verification ensures that the most recent event logged by CAS is present
        --predecessor <predecessor>      
            If the log was split: Signature of the last event of a previously verified preceding log file. If omitted,
            verification ensures that the first event logged by CAS is present

ARGS:
    <log-file-path>    
            Path to the audit log file

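A monitoring wrapper around `scone cas verify-audit-log`, added here as an example (not from the SCONE CLI or its documentation): it maps the exit codes listed above to a severity so a scheduled job can alert on rollback, truncation and integrity failures while tolerating a single rolled-back transaction. `CAS_URL` is an assumed placeholder for the CAS the log belongs to; the verification details the CLI writes to stderr are kept in a file beside the log.

```shell
#!/bin/sh
# Added example, not part of the SCONE CLI: map the documented exit codes of
# `scone cas verify-audit-log` to a severity a monitoring job can act on.
# Assumed placeholder: CAS_URL (the CAS the log file belongs to).

# classify_audit_exit CODE -> "severity: explanation", using the exit codes
# listed in the verify-audit-log help (most severe first).
classify_audit_exit() {
  case "$1" in
    20) echo "fail: authenticity/integrity violation (parse error or bad signature)" ;;
    19) echo "fail: log does not originate from the selected CAS" ;;
    18) echo "fail: CAS rollback detected" ;;
    17) echo "fail: CAS rollback or missing/deleted log entries" ;;
    16) echo "fail: CAS rollback cannot be ruled out" ;;
    15) echo "fail: log truncated, older entries missing" ;;
    14) echo "fail: log truncated, recent entries missing" ;;
    10) echo "warn: at least one failed and rolled back transaction" ;;
    0)  echo "ok: log is fully correct" ;;
    *)  echo "error: fatal error during verification (exit $1)" ;;
  esac
}

# audit_severity CODE -> ok | warn | fail | error
audit_severity() {
  classify_audit_exit "$1" | cut -d: -f1
}

# verify_audit_log LOG [extra verify-audit-log options...]
# Runs the verification against CAS_URL, keeps the report the CLI writes to
# stderr beside the log, prints the classification, and returns 0 only for
# "ok" and "warn" (a single failed and rolled back transaction is not a CAS
# rollback, as the help notes for exit code 18).
verify_audit_log() {
  log="$1"; shift
  : "${CAS_URL:?set CAS_URL to the CAS the log belongs to}"
  scone cas verify-audit-log --cas "$CAS_URL" "$@" "$log" 2>"$log.verification.txt"
  code=$?
  echo "$log: $(classify_audit_exit "$code")"
  case "$(audit_severity "$code")" in
    ok|warn) return 0 ;;
    *)       return 1 ;;
  esac
}
```

For a split log, pass `--predecessor` or `--last` as the extra options; the non-zero return on any "fail" or "error" makes the job's scheduler raise the alert.
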
scone cas attest-audit-log

scone cas attest-audit-log 0.2.0
Performs the same task as `verify-audit-log`, but additionally checks that the audit log contains valid attestation
reports according to the given attestation settings

USAGE:
    scone cas attest-audit-log [FLAGS] [OPTIONS] <log-file-path> [--] [_mrenclave]

FLAGS:
    -C, --accept-configuration-needed       
            Accept CONFIGURATION NEEDED verification response (hyperthreading enabled, less secure)

        --only_for_testing-debug            
            Allow CAS to run in debug mode, in which it CANNOT PROTECT SECRETS (only for testing purposes!) Only allowed
            if CAS signer is ignored
    -G, --accept-group-out-of-date          
            Accept GROUP OUT OF DATE verification response (TCB out-of-date, dangerous!)

    -S, --accept-sw-hardening-needed        
            Accept SW HARDENING NEEDED verification response (less safe compilation options)

    -h, --help                              
            Prints help information

        --only_for_testing-ignore-signer    
            Do not verify CAS software signature (MRSIGNER). This allows using a CAS signed with test keys. If set,
            argument <mrenclave> becomes mandatory, unless --only_for_testing-trust-any was also set
    -p, --print-log                         
            Print the log content in human-readable format to stdout

        --only_for_testing-trust-any        
            Trust ANY enclave measurement value, only allowed if CAS is in debug mode. With this option, `mrenclave` can
            be omitted, but the attested enclave can run ANY software. This is obviously not secure!
    -V, --version                           
            Prints version information


OPTIONS:
        --cas <cas>                      
            URL of the CAS that the log file belongs to (optional, if omitted, the default CAS will be assumed)

    -c, --cas-key-hash <cas-key-hash>    
            Expected CAS public key hash (optional). If omitted, a previously attested key will be used. Requires
            setting option 'cas', too
        --identity <identity>            
            External identity file to use (optional). If omitted, the automatically generated CLI identity will be used.
            An identity file must contain a PEM-encoded PKCS#8 private key followed by a X.509v3 certificate
        --isvprodid <isvprodid>          
            Verify the given Independent Software Vendor Product ID (ISVPRODID). Required when using a custom MRSIGNER

        --isvsvn <isvsvn>                
            Verify that CAS has a given or greater Independent Software Vendor Security Version Number (ISVSVN).
            Required when using a custom MRSIGNER
        --last <last>                    
            If the log was split: Predecessor signature of the first event of a previously verified succeeding log file.
            If omitted, verification ensures that the most recent event logged by CAS is present
        --mrenclave <mrenclave>...       
            An expected enclave measurement/MRENCLAVE of the CAS enclave (optional). The CAS software signature will
            always be verified, regardless of this argument; but if set, the default CAS version (ISVSVN) check will be
            disabled. If specified multiple times, attestation will succeed if any of the given measurements matches
        --mrsigner <mrsigner>            
            Verify the CAS software signature using the given MRSIGNER instead of the default Scontain MRSIGNER.
            Requires ISVPRODID and ISVSVN too
        --predecessor <predecessor>      
            If the log was split: Signature of the last event of a previously verified preceding log file. If omitted,
            verification ensures that the first event logged by CAS is present

ARGS:
    <log-file-path>    
            Path to the audit log file

    <_mrenclave>       
            Expected enclave measurement/MRENCLAVE of the CAS enclave (optional). Deprecated, please use --mrenclave
            instead

scone session

scone session 0.2.0
Manage CAS sessions

USAGE:
    scone session <SUBCOMMAND>

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information


SUBCOMMANDS:
    check     Check the syntax of the provided session file. Exits with a non-zero exit code on validation error
    create    Upload a new session to CAS. Prints the hash of the created session on success
    help      Prints this message or the help of the given subcommand(s)
    read      Load an active session from CAS and print it to stdout
    update    Update an existing session in CAS. Prints the hash of the updated session on success
    verify    Verify that a session active on CAS matches the given session. Prints the hash of the verified session
              on success

scone session check

scone session check 0.2.0
Check the syntax of the provided session file. Exits with a non-zero exit code on validation error

USAGE:
    scone session check [FLAGS] [OPTIONS] <file>

FLAGS:
    -h, --help       
            Prints help information

        --use-env    
            Use the environment variables for variable substitution

    -V, --version    
            Prints version information


OPTIONS:
    -n, --name <name>        
            Name of the session. Will replace the name stored in the file

    -e <VAR=VALUE>...        
            Add or overwrite existing variables in the template


ARGS:
    <file>    
            Path to the file containing the session description

scone session create

scone session create 0.2.0
Upload a new session to CAS. Prints the hash of the created session on success

USAGE:
    scone session create [FLAGS] [OPTIONS] <file>

FLAGS:
        --only_for_testing-disable-attestation-verification
            Do not require the CAS to be attested. With this option set, NO verification of the used CAS will be
            performed at all. This is obviously not secure!
    -h, --help                                                 
            Prints help information

        --use-env                                              
            Use the environment variables for variable substitution

    -V, --version                                              
            Prints version information


OPTIONS:
    -c, --cas <cas>              
            CAS to use (optional)

        --identity <identity>    
            External identity file to use (optional). If omitted, the automatically generated CLI identity will be used.
            An identity file must contain a PEM-encoded PKCS#8 private key followed by an X.509v3 certificate
    -n, --name <name>            
            Name of the session. Will replace the name stored in the file

    -e <VAR=VALUE>...            
            Add or overwrite existing variables in the template


ARGS:
    <file>    
            Path to the file containing the session description

scone session update

scone session update 0.2.0
Update an existing session in CAS. Prints the hash of the updated session on success

USAGE:
    scone session update [FLAGS] [OPTIONS] <file>

FLAGS:
        --only_for_testing-disable-attestation-verification
            Do not require the CAS to be attested. With this option set, NO verification of the used CAS will be
            performed at all. This is obviously not secure!
    -h, --help                                                 
            Prints help information

        --use-env                                              
            Use the environment variables for variable substitution

    -V, --version                                              
            Prints version information


OPTIONS:
    -c, --cas <cas>              
            CAS to use (optional)

        --identity <identity>    
            External identity file to use (optional). If omitted, the automatically generated CLI identity will be used.
            An identity file must contain a PEM-encoded PKCS#8 private key followed by an X.509v3 certificate
    -n, --name <name>            
            Name of the session. Will replace the name stored in the file

    -e <VAR=VALUE>...            
            Add or overwrite existing variables in the template


ARGS:
    <file>    
            Path to the file containing the session description

scone session verify

scone session verify 0.2.0
Verify that a session active on CAS matches the given session. Prints the hash of the verified session on success

USAGE:
    scone session verify [FLAGS] [OPTIONS] <file>

FLAGS:
        --only_for_testing-disable-attestation-verification
            Do not require the CAS to be attested. With this option set, NO verification of the used CAS will be
            performed at all. This is obviously not secure!
    -h, --help                                                 
            Prints help information

        --use-env                                              
            Use the environment variables for variable substitution

    -V, --version                                              
            Prints version information


OPTIONS:
    -c, --cas <cas>              
            CAS to use (optional)

        --identity <identity>    
            External identity file to use (optional). If omitted, the automatically generated CLI identity will be used.
            An identity file must contain a PEM-encoded PKCS#8 private key followed by an X.509v3 certificate
    -n, --name <name>            
            Name of the session. Will replace the name stored in the file

    -e <VAR=VALUE>...            
            Add or overwrite existing variables in the template


ARGS:
    <file>    
            Path to the file containing the session description
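
A small deploy wrapper around the session check, create and verify subcommands listed above, added here as an example and not code from the SCONE CLI or its documentation. It assumes `scone` is on PATH and that the caller supplies the CAS URL, the identity file, the session description and any VAR=VALUE substitutions; it refuses the testing-only flags so that CAS attestation verification is never disabled by a deploy script.

```shell
#!/bin/sh
# Added example, not part of the SCONE CLI or its docs. Wraps the
# `scone session check` / `create` / `verify` subcommands shown above.
# Assumptions: `scone` is on PATH; the caller supplies the CAS URL, an
# identity file (PKCS#8 key + X.509v3 cert, as the help text requires),
# the session description file and any VAR=VALUE substitutions.

# Reject the `--only_for_testing-*` flags: a deploy script must never
# disable CAS attestation verification.
refuse_testing_flags() {
    for arg in "$@"; do
        case "$arg" in --only_for_testing-*) return 1 ;; esac
    done
    return 0
}

# Insist on an explicit CAS URL and identity file instead of the CLI's
# default CAS and auto-generated identity.
require_explicit_cas() {
    [ -n "$1" ] && [ -n "$2" ]
}

# Every substitution must have the VAR=VALUE shape the `-e` option expects.
validate_vars() {
    for kv in "$@"; do
        case "$kv" in *=*) ;; *) return 1 ;; esac
    done
    return 0
}

# usage: deploy_session <cas-url> <identity.pem> <session-file> [VAR=VALUE ...]
# Prints the session hash on success; create and verify must agree on it.
deploy_session() {
    cas=$1; identity=$2; file=$3; shift 3
    require_explicit_cas "$cas" "$identity" || return 2
    refuse_testing_flags "$@" || return 2
    validate_vars "$@" || return 2
    # Turn the remaining VAR=VALUE words into `-e VAR=VALUE` option pairs.
    for kv in "$@"; do shift; set -- "$@" -e "$kv"; done
    scone session check "$@" "$file" || return 1
    created=$(scone session create --cas "$cas" --identity "$identity" "$@" "$file") || return 1
    verified=$(scone session verify --cas "$cas" --identity "$identity" "$@" "$file") || return 1
    [ "$created" = "$verified" ] || { echo "hash mismatch: $created vs $verified" >&2; return 1; }
    echo "$created"
}
```

The hash printed by `create` is compared with the one printed by `verify` so that a session that was silently replaced between the two calls is reported as a mismatch rather than accepted.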

scone session read

scone session read 0.2.0
Load an active session from CAS and print it to stdout

USAGE:
    scone session read [FLAGS] [OPTIONS] <name>

FLAGS:
        --only_for_testing-disable-attestation-verification
            Do not require the CAS to be attested. With this option set, NO verification of the used CAS will be
            performed at all. This is obviously not secure!
    -h, --help                                                 
            Prints help information

    -V, --version                                              
            Prints version information


OPTIONS:
    -c, --cas <cas>              
            CAS to use (optional)

        --identity <identity>    
            External identity file to use (optional). If omitted, the automatically generated CLI identity will be used.
            An identity file must contain a PEM-encoded PKCS#8 private key followed by an X.509v3 certificate

ARGS:
    <name>    
            The name of the session to get from CAS and print

scone las

scone las 0.2.0
Interact with the local attestation service (LAS)

USAGE:
    scone las <SUBCOMMAND>

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information


SUBCOMMANDS:
    help                       Prints this message or the help of the given subcommand(s)
    scone-epid-trust-anchor    Retrieve the EPID trust anchor of the SCONE QE (and verify it). Prints public key and
                               enclave measurement of the SCONE QE

scone las scone-epid-trust-anchor

scone las scone-epid-trust-anchor 0.2.0
Retrieve the EPID trust anchor of the SCONE QE (and verify it). Prints public key and enclave measurement of the SCONE
QE.

The information can only be verified, and thus trusted in a production environment, if IAS credentials (sp_id and
sp_key) are provided.

USAGE:
    scone las scone-epid-trust-anchor [FLAGS] [OPTIONS]

FLAGS:
    -C, --accept-configuration-needed    
            Accept CONFIGURATION NEEDED verification response (hyperthreading enabled, less secure)

        --only_for_testing-debug         
            Allow LAS to run in debug mode, in which it CAN BE MANIPULATED AND SHOULDN'T BE TRUSTED (only for testing
            purposes!)
    -G, --accept-group-out-of-date       
            Accept GROUP OUT OF DATE verification response (TCB out-of-date, dangerous!)

    -S, --accept-sw-hardening-needed     
            Accept SW HARDENING NEEDED verification response (less safe compilation options)

        --dev-env                        
            Whether the service provider ID is registered in the IAS debug environment

    -h, --help                           
            Prints help information

    -l                                   
            The service provider ID's quote linkability setting

    -V, --version                        
            Prints version information


OPTIONS:
        --las <las>          
            LAS to connect to. Default port will be added if no port is specified [default: localhost]

        --sp-id <sp-id>      
            The service provider ID used to verify the EPID quote with Intel IAS [default:
            00000000000000000000000000000000]
        --sp-key <sp-key>    
            The service provider KEY used to authenticate to Intel IAS

scone cert

scone cert 0.2.0
Perform operations on X.509 certificates

USAGE:
    scone cert <SUBCOMMAND>

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information


SUBCOMMANDS:
    help             Prints this message or the help of the given subcommand(s)
    show-key-hash    Print the hash of the certificate's public key

scone cert show-key-hash

scone cert show-key-hash 0.2.0
Print the hash of the certificate's public key

USAGE:
    scone cert show-key-hash <file>

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information


ARGS:
    <file>    
            Path to the file containing the PEM-encoded X.509 certificate

scone binary-fs

scone binary-fs 0.2.0
Collect directories and files to generate a binary fs source code file

USAGE:
    scone binary-fs [FLAGS] [OPTIONS] <root> <output>

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information

    -v, --verbose    



OPTIONS:
    -i, --include <include>...    



ARGS:
    <root>      


    <output>    

scone help-markdown

scone help-markdown 0.2.0
Generate markdown help pages on stdout

USAGE:
    scone help-markdown

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information