SCONE CLI
We provide a CLI (Command Line Interface) to
- attest SCONE CAS, i.e., to ensure that we are connected to a CAS with an expected
MrEnclaverunning inside an enclave. - create a session, i.e., to upload a new session description.
- update a session, i.e., replace an existing session by a new session description.
- verify that a session matches a given session template. Prints the digest of the verified session on success.
Note that this CLI is implemented on a Rust Crate that can be used to interact with CAS directly from programs linked with this library.
scone CLI
The program scone permits to upload a policy template to a CAS, communication with CAS and creation of file system protection files. This is a CLI (command line interface) program with the following subcommands and flags:
$ scone --help
Scone 0.2.0
Your command line toolkit to interact with the scone infrastructure
USAGE:
scone [OPTIONS] <SUBCOMMAND>
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
-c, --config <config> Sets a custom config file
[env: SCONE_CLI_CONFIG=] [default: ~/.cas/config.json]
SUBCOMMANDS:
cas Communication with CAS
fspf Create and modify file system protection files
help Prints this message or the help of the given subcommand(s)
self Manage this instance of the SCONE CLI
session Manage CAS sessions
In the context of SCONE CAS, we use the subcommands cas to attest a SCONE CAS and session to create and upload a session description.
Attesting CAS
We can attest a SCONE CAS with the CLI command scone cas that is executed on a trusted host.
Tip
In case your host from which you need to attest CAS is itself not trusted, you would need to use the underlying Rust Crate and attest CAS from within an enclave.
$ scone cas --help
scone-cas 0.2.0
Communication with CAS
USAGE:
scone cas <SUBCOMMAND>
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
SUBCOMMANDS:
attest Attest a CAS instance
help Prints this message or the help of the given subcommand(s)
list List attested CAS instances
set-default Set default CAS - The default CAS is always used if no CAS is explicitly specified, e.g. in
the session uploaded command
show-certificate Show the certificate chain of an attested CAS
scone cas implements the following commands:
attest CASADDR PORT MRENCLAVE: attests a SCONE CAS at addressCASADDR:PORTand withMRENCLAVE. It stores necessary information about every new attested CAS in the configuration file. Therefore, first attested CAS will become default CAS and every further interaction will be performed with it.
USAGE:
rust-cli cas attest [FLAGS] <address> <mrenclave>
FLAGS:
-C Accept CONFIGURATION NEEDED verification response (hyperthreading enabled, less secure)
--only_for_testing-debug Allow CAS to run in debug mode, in which it CAN NOT PROTECT SECRETS (only for testing purposes!)
-G Accept GROUP OUT OF DATE verification response (TCB out-of-date, dangerous!)
-h, --help Prints help information
--only_for_testing-trust-any Trust ANY enclave measurement value, only allowed if CAS is in debug mode With this option `mrenclave` can be omitted, but the attested enclave can run ANY software. This is obviously not secure!
-V, --version Prints version information
ARGS:
<address> CAS address
<mrenclave> Expected enclave measurement/mrenclave of the CAS enclave
set-default CASADDR: Sets a new default SCONE CAS. TheCASADDRmust have previously been attested.
USAGE:
rust-cli cas set-default <cas>
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
ARGS:
<cas> CAS to become the new default CAS
Create/Update Session Description
To create or update a session description, use scone session.
$ scone session --help
scone-session 0.2.0
Manage CAS sessions
USAGE:
scone session <SUBCOMMAND>
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
SUBCOMMANDS:
check Check the syntax of the provided session file
create Upload a new session to CAS
help Prints this message or the help of the given subcommand(s)
read Load a session from CAS and print it to stdout
update Update an existing session in CAS
verify Verify a session was correctly uploaded to CAS
Create a session
One can create sessions with the help of a session template. In the session template, variables are replaced either by variables passed via flags (-e see below) or environment variables that are already defined (--use-env). Explicit replacements via -e will always have priority over --use-env replacements. You can set the session name with flag -n.
Syntax
USAGE:
rust-cli session create [FLAGS] [OPTIONS] <file>
FLAGS:
-h, --help Prints help information
--use-env Use the environment variables for variable substitution
-V, --version Prints version information
OPTIONS:
-c, --cas <cas> CAS to use (optional)
-n, --name <name> Name of the session. Will replace the name stored in the file
-e <VAR=VALUE>... Add or overwrite existing variables in the template
ARGS:
<file> Path to the file containing the session description
Example
scone session create -n my_new_session --use-env -e "MRENCLAVE_SERVICE=$MRENCLAVE_SERVICE" session_template.yml
Verify a session
When exporting secrets, we need to verify that a session to which we export a secret, matches a given session template.
If a session can be updated, we typically want to limit the export to a given digest. Hence, when verifying a session, the CLI prints the hash of the verified session on success.
USAGE:
rust-cli session verify [FLAGS] [OPTIONS] <file>
FLAGS:
-h, --help Prints help information
--use-env Use the environment variables for variable substitution
-V, --version Prints version information
OPTIONS:
-c, --cas <cas> CAS to use (optional)
-n, --name <name> Name of the session. Will replace the name stored in the file
-e <VAR=VALUE>... Add or overwrite existing variables in the template
ARGS:
<file> Path to the file containing the session description