
SCONE CLI

We provide a CLI (Command Line Interface) to

  • attest SCONE CAS, i.e., to ensure that we are talking to a CAS that runs inside an enclave with the expected MRENCLAVE.
  • create a session, i.e., to upload a new session description.
  • update a session, i.e., to replace an existing session with a new session description.
  • verify that a session matches a given session template. Prints the hash of the verified session on success.

The CLI is implemented as a Rust crate; programs that link against that crate can use the same functionality to interact with CAS directly.
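A complete run of that workflow as a POSIX shell script, added here as an illustration and not taken from the SCONE documentation or the `scone` crate. The CAS address, the hashes, the session file and name, and the `APP_MRENCLAVE` template variable are placeholders the example assumes. It pins the CAS by key hash and MRENCLAVE, keeps the testing-only attestation in a separate function, records the hash printed by `session create`, and compares it with what `session verify` reports later:

```shell
#!/bin/sh
# Added example, not part of the SCONE documentation or the scone crate:
# pin one CAS by MRENCLAVE and key hash, upload a session, and later verify
# that the session active on that CAS is still the one that was uploaded.
# Every address, hash and file name below is a placeholder (an assumption of
# this example); session.yml is whatever session description you wrote.
set -eu

CAS_ADDR="${CAS_ADDR:-cas.example.internal}"   # placeholder address
CAS_MRENCLAVE="${CAS_MRENCLAVE:-}"             # expected MRENCLAVE of the CAS enclave
CAS_KEY_HASH="${CAS_KEY_HASH:-}"               # expected CAS public key hash (CAS console)
APP_MRENCLAVE="${APP_MRENCLAVE:-}"             # measurement of your own service enclave
SESSION_FILE="${SESSION_FILE:-session.yml}"    # your session description
SESSION_NAME="${SESSION_NAME:-my-app}"
HASH_FILE="${SESSION_NAME}.hash"               # where the uploaded session's hash is kept

# A MRENCLAVE or key hash is a SHA-256 value: exactly 64 hex digits. Anything
# else, in particular the empty string, is refused. This matters in scripts:
# <mrenclave> is optional, so `scone cas attest "$CAS" "$PIN"` with an unset
# PIN silently degrades to an unpinned attestation (signer + ISVSVN only).
is_sha256_hex() {
  case "$1" in
    ""|*[!0-9a-fA-F]*) return 1 ;;
  esac
  [ "${#1}" -eq 64 ]
}

# Production attestation: no --only_for_testing-* flags, no -G, no -C.
# The CAS software signature (MRSIGNER) is always verified; the explicit
# MRENCLAVE pin ties trust to one exact CAS build, and -c ties it to the
# key hash shown in the CAS console.
attest_cas() {
  is_sha256_hex "$CAS_MRENCLAVE" || { echo "CAS_MRENCLAVE is not a 64-hex pin" >&2; return 1; }
  is_sha256_hex "$CAS_KEY_HASH"  || { echo "CAS_KEY_HASH is not a 64-hex hash" >&2; return 1; }
  scone cas attest -c "$CAS_KEY_HASH" "$CAS_ADDR" "$CAS_MRENCLAVE"
  scone cas set-default "$CAS_ADDR"
}

# Development-only attestation of a CAS signed with test keys and running in
# debug mode. Ignoring the signer makes <mrenclave> mandatory; debug mode means
# the CAS cannot protect secrets, so never point this at a CAS holding real ones.
attest_cas_for_testing() {
  is_sha256_hex "$CAS_MRENCLAVE" || { echo "a MRENCLAVE pin is mandatory when the signer is ignored" >&2; return 1; }
  scone cas attest --only_for_testing-ignore-signer --only_for_testing-debug \
    "$CAS_ADDR" "$CAS_MRENCLAVE"
  scone cas set-default "$CAS_ADDR"
}

# Upload the session. The CLI prints the hash of the created session; that
# hash, not the file, is what later verification is compared against.
# APP_MRENCLAVE is a template variable this example assumes in session.yml
# and substitutes with -e.
create_session() {
  is_sha256_hex "$APP_MRENCLAVE" || { echo "APP_MRENCLAVE is not a 64-hex measurement" >&2; return 1; }
  scone session check --name "$SESSION_NAME" -e APP_MRENCLAVE="$APP_MRENCLAVE" "$SESSION_FILE"
  hash="$(scone session create --name "$SESSION_NAME" -e APP_MRENCLAVE="$APP_MRENCLAVE" "$SESSION_FILE")"
  [ -n "$hash" ] || { echo "session create printed no hash" >&2; return 1; }
  (umask 077; printf '%s\n' "$hash" > "$HASH_FILE")
}

# Later, e.g. before each deployment: confirm the session active on CAS still
# matches the local description and the hash recorded at upload time. A
# non-zero exit from `scone session verify` already means the active session
# differs; the hash comparison additionally catches a stale local record.
verify_session() {
  expected="$(cat "$HASH_FILE")"
  actual="$(scone session verify --name "$SESSION_NAME" -e APP_MRENCLAVE="$APP_MRENCLAVE" "$SESSION_FILE")"
  hashes_match "$expected" "$actual" || { echo "session hash changed: $expected != $actual" >&2; return 1; }
}

# Exact string comparison; empty values never match, so a failed command
# substitution cannot be mistaken for agreement.
hashes_match() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

case "${1:-}" in
  attest)     attest_cas ;;
  attest-dev) attest_cas_for_testing ;;
  create)     create_session ;;
  verify)     verify_session ;;
esac
```

Run it as `./cas-session.sh attest` once per machine, `./cas-session.sh create` when the session changes, and `./cas-session.sh verify` from CI before each deployment. The `is_sha256_hex` guard exists because `<mrenclave>` is optional: an empty shell variable turns a pinned attestation into an unpinned one without any error from the CLI.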

scone CLI

scone 0.2.0
Your command line toolkit to interact with the scone infrastructure

USAGE:
    scone [OPTIONS] <SUBCOMMAND>

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information


OPTIONS:
    -c, --config <config>    
            Sets a custom config file [env: SCONE_CLI_CONFIG=]  [default: ~/.cas/config.json]


SUBCOMMANDS:
    cas              Communication with CAS
    cert             Perform operations on X.509 certificates
    fspf             Create and modify file system protection files 
    help             Prints this message or the help of the given subcommand(s)
    help-markdown    Generate markdown help pages on stdout
    las              Interact with the local attestation service (LAS)
    self             Manage this instance of the SCONE CLI
    session          Manage CAS sessions

scone self

scone self 0.2.0
Manage this instance of the SCONE CLI

USAGE:
    scone self <SUBCOMMAND>

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information


SUBCOMMANDS:
    help                     Prints this message or the help of the given subcommand(s)
    show                     Show the certificate and public key hash
    show-certificate         Print only the certificate in PEM format
    show-certificate-hash    Print only the SHA-256 certificate hash. Using the certificate hash in session access
                             control policies is deprecated, as it does not allow authentication with renewed
                             certificates. Please use the key hash (show-key-hash) instead
    show-key-hash            Print only the public key hash

scone self show

scone self show 0.2.0
Show the certificate and public key hash

USAGE:
    scone self show

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information

scone self show-certificate

scone self show-certificate 0.2.0
Print only the certificate in PEM format

USAGE:
    scone self show-certificate

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information

scone self show-key-hash

scone self show-key-hash 0.2.0
Print only the public key hash

USAGE:
    scone self show-key-hash

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information

scone self show-certificate-hash

scone self show-certificate-hash 0.2.0
Print only the SHA-256 certificate hash. Using the certificate hash in session access control policies is deprecated, as
it does not allow authentication with renewed certificates. Please use the key hash (show-key-hash) instead

USAGE:
    scone self show-certificate-hash

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information

scone fspf

scone fspf 0.2.0
Create and modify file system protection files 

USAGE:
    scone fspf <SUBCOMMAND>

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information


SUBCOMMANDS:
    addf       Add files (file protection data) to an existing fspf
    addr       Add a protection region to an existing fspf
    create     Create a new file system protection file
    encrypt    Encrypt an existing fspf
    help       Prints this message or the help of the given subcommand(s)
    show       Show an existing fspf

scone fspf create

scone fspf create 0.2.0
Create a new file system protection file

USAGE:
    scone fspf create <file> [version]

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information


ARGS:
    <file>       
            Path to store the created fspf at

    <version>    
            FSPF format version to use, optional: latest version will be used by default

scone fspf addr

scone fspf addr 0.2.0
Add a protection region to an existing fspf

USAGE:
    scone fspf addr [OPTIONS] <file> <embedpoint> <--not-protected|--encrypted|--authenticated> <--kernel <source-dir>|--ephemeral>

FLAGS:
    -a, --authenticated    
            The content of this region should be authenticated (but not encrypted)

    -e, --encrypted        
            The content of this region should be encrypted

        --ephemeral        
            The region's files are stored in volatile & untrusted memory

    -h, --help             
            Prints help information

    -n, --not-protected    
            The content of this region should NOT be protected

    -V, --version          
            Prints version information


OPTIONS:
    -c, --chunk-length <chunk-length>    
            in bytes, Files will be protected with chunks of this size, only valid for protected regions

    -k, --key-length <key-length>        
            in bits, The file protection will use keys with this size, only valid for protected regions

        --kernel <source-dir>            
            The region's files are stored in the kernel's filesystem


ARGS:
    <file>          
            Location of the fspf

    <embedpoint>    
            The location of the region in the protected file system

scone fspf addf

scone fspf addf 0.2.0
Add files (file protection data) to an existing fspf

USAGE:
    scone fspf addf <file> <embedpoint> <source-dir> [encrypt-dir]

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information


ARGS:
    <file>           
            Location of the fspf

    <embedpoint>     
            Region the files should be added to

    <source-dir>     
            Source directory files to take from

    <encrypt-dir>    
            Target directory for encrypted files (needed for encrypted regions)

scone fspf encrypt

scone fspf encrypt 0.2.0
Encrypt an existing fspf

USAGE:
    scone fspf encrypt <file>

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information


ARGS:
    <file>    
            Location of the fspf

scone fspf show

scone fspf show 0.2.0
Show an existing fspf

USAGE:
    scone fspf show [FLAGS] <file> [key]

FLAGS:
    -h, --help       
            Prints help information

    -t, --tag        
            Only print tag

    -V, --version    
            Prints version information


ARGS:
    <file>    
            Location of the fspf

    <key>     
            Decryption key of the fspf

scone cas

scone cas 0.2.0
Communication with CAS

USAGE:
    scone cas <SUBCOMMAND>

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information


SUBCOMMANDS:
    attest                 Attest a CAS instance
    help                   Prints this message or the help of the given subcommand(s)
    list                   List attested CAS instances
    provision              Take ownership of a CAS and supply its initial server-side configuration
    register-backup        
    set-default            Set default CAS - The default CAS is always used if no CAS is explicitly specified, e.g.
                           in the `session upload` command
    show-certificate       Show certificate chain of an attested CAS instance
    show-identification    Show identification information of an attested CAS that can be used to identify the
                           instance
    update-config          Update a server-side CAS configuration

scone cas list

scone cas list 0.2.0
List attested CAS instances

USAGE:
    scone cas list

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information

scone cas attest

scone cas attest 0.2.0
Attest a CAS instance

USAGE:
    scone cas attest [FLAGS] [OPTIONS] <address> [mrenclave]

FLAGS:
    -C, --accept-configuration-needed       
            Accept CONFIGURATION NEEDED verification response (hyperthreading enabled, less secure)

        --only_for_testing-debug            
            Allow CAS to run in debug mode, in which it CANNOT PROTECT SECRETS (only for testing purposes!) Only allowed
            if CAS signer is ignored
    -G, --accept-group-out-of-date          
            Accept GROUP OUT OF DATE verification response (TCB out-of-date, dangerous!)

        --allow-cas-owner-secret-access     
            Whether to trust the CAS even if its database encryption key was injected by the CAS owner, and not
            generated securely within an enclave. If set, session secrets will be accessible to the CAS owner!
    -h, --help                              
            Prints help information

        --only_for_testing-ignore-signer    
            Do not verify CAS software signature (MRSIGNER). This allows using a CAS signed with test keys. If set,
            argument <mrenclave> becomes mandatory, unless --only_for_testing-trust-any was also set
        --only_for_testing-trust-any        
            Trust ANY enclave measurement value, only allowed if CAS is in debug mode. With this option, `mrenclave` can
            be omitted, but the attested enclave can run ANY software. This is obviously not secure!
    -V, --version                           
            Prints version information


OPTIONS:
    -c <cas-key-hash>                 
            Expected CAS public key hash

    -s <cas-software-key-hash>        
            Expected CAS software public key hash

        --isvprodid <isvprodid>       
            Verify the given Independent Software Vendor Product ID (ISVPRODID). Required when using a custom MRSIGNER

        --isvsvn <isvsvn>             
            Verify that CAS has a given or greater Independent Software Vendor Security Version Number (ISVSVN).
            Required when using a custom MRSIGNER
        --mrsigner <mrsigner>         
            Verify the CAS software signature using the given MRSIGNER instead of the default Scontain MRSIGNER.
            Requires ISVPRODID and ISVSVN too

ARGS:
    <address>      
            CAS address

    <mrenclave>    
            Expected enclave measurement/MRENCLAVE of the CAS enclave (optional). The CAS software signature will always
            be verified, regardless of this argument; but if set, the default CAS version (ISVSVN) check will be
            disabled

scone cas show-identification

scone cas show-identification 0.2.0
Show identification information of an attested CAS that can be used to identify the instance

USAGE:
    scone cas show-identification [FLAGS] [cas]

FLAGS:
    -C, --cas-certificate             
            PEM-encoded CAS X509 certificate

    -c, --cas-key-hash                
            SHA256 Hash of CAS public key

    -S, --cas-software-certificate    
            PEM-encoded CAS software X509 certificate

    -s, --cas-software-key-hash       
            SHA256 Hash of CAS software public key

    -T, --certificate-chain           
            Certificate chain of trust of PEM-encoded CAS and CAS software certificates [default]

    -h, --help                        
            Prints help information

    -V, --version                     
            Prints version information


ARGS:
    <cas>    
            CAS of which to show the certificate chain, optional: default CAS if omitted

scone cas show-certificate

scone cas show-certificate 0.2.0
Show certificate chain of an attested CAS instance

USAGE:
    scone cas show-certificate [cas]

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information


ARGS:
    <cas>    
            CAS of which to show the certificate chain, optional: default CAS if omitted

scone cas set-default

scone cas set-default 0.2.0
Set default CAS - The default CAS is always used if no CAS is explicitly specified, e.g. in the `session upload` command

USAGE:
    scone cas set-default <cas>

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information


ARGS:
    <cas>    
            CAS to become the new default CAS

scone cas provision

scone cas provision 0.2.0
Take ownership of a CAS and supply its initial server-side configuration

USAGE:
    scone cas provision [OPTIONS] <address> -c <cas-key-hash> --config-file <config-file> --token <token> <SUBCOMMAND>

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information


OPTIONS:
    -c <cas-key-hash>                    
            Expected CAS public key hash. Can be found in the CAS console

    -s <cas-software-key-hash>           
            Expected CAS software public key hash (optional). Can be found in the CAS console

        --config-file <config-file>      
            Path to the file containing the server-side CAS configuration (in TOML, JSON or YAML format)

        --database-key <database-key>    
            Database key to encrypt the CAS database with. Must be a 64-character hexadecimal string. Allows CAS owner
            to decrypt the database at will. This impacts security of the CAS and session secrets, and is therefore
            discouraged. Database key injection will be refused by CAS binaries signed by Scontain
        --identity <identity>            
            External identity file to use (optional). If omitted, the automatically generated CLI identity will be used.
            An identity file must contain a PEM-encoded PKCS#8 private key followed by a X.509v3 certificate
        --token <token>                  
            Provisioning token (32-character hexadecimal string). Can be found in the CAS console


ARGS:
    <address>    
            CAS address


SUBCOMMANDS:
    help                                    Prints this message or the help of the given subcommand(s)
    only_for_testing-without-attestation    Do not attest the CAS. With this command selected, NO verification of
                                            the used CAS will be performed at all. This is obviously not secure!
    with-attestation                        Attest the CAS instance during provisioning

scone cas provision with-attestation

scone cas provision with-attestation 0.2.0
Attest the CAS instance during provisioning

USAGE:
    scone cas provision with-attestation [FLAGS] [OPTIONS] [mrenclave]

FLAGS:
    -C, --accept-configuration-needed       
            Accept CONFIGURATION NEEDED verification response (hyperthreading enabled, less secure)

        --only_for_testing-debug            
            Allow CAS to run in debug mode, in which it CANNOT PROTECT SECRETS (only for testing purposes!) Only allowed
            if CAS signer is ignored
    -G, --accept-group-out-of-date          
            Accept GROUP OUT OF DATE verification response (TCB out-of-date, dangerous!)

    -h, --help                              
            Prints help information

        --only_for_testing-ignore-signer    
            Do not verify CAS software signature (MRSIGNER). This allows using a CAS signed with test keys. If set,
            argument <mrenclave> becomes mandatory, unless --only_for_testing-trust-any was also set
        --only_for_testing-trust-any        
            Trust ANY enclave measurement value, only allowed if CAS is in debug mode. With this option, `mrenclave` can
            be omitted, but the attested enclave can run ANY software. This is obviously not secure!
    -V, --version                           
            Prints version information


OPTIONS:
        --isvprodid <isvprodid>    
            Verify the given Independent Software Vendor Product ID (ISVPRODID). Required when using a custom MRSIGNER

        --isvsvn <isvsvn>          
            Verify that CAS has a given or greater Independent Software Vendor Security Version Number (ISVSVN).
            Required when using a custom MRSIGNER
        --mrsigner <mrsigner>      
            Verify the CAS software signature using the given MRSIGNER instead of the default Scontain MRSIGNER.
            Requires ISVPRODID and ISVSVN too

ARGS:
    <mrenclave>    
            Expected enclave measurement/MRENCLAVE of the CAS enclave (optional). The CAS software signature will always
            be verified, regardless of this argument; but if set, the default CAS version (ISVSVN) check will be
            disabled

scone cas provision only_for_testing-without-attestation

scone cas provision only_for_testing-without-attestation 0.2.0
Do not attest the CAS. With this command selected, NO verification of the used CAS will be performed at all. This is
obviously not secure!

USAGE:
    scone cas provision only_for_testing-without-attestation

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information

scone cas update-config

scone cas update-config 0.2.0
Update a server-side CAS configuration

USAGE:
    scone cas update-config [FLAGS] [OPTIONS] --config-file <config-file>

FLAGS:
        --only_for_testing-disable-attestation-verification
            Do not require the CAS to be attested. With this option set, NO verification of the used CAS will be
            performed at all. This is obviously not secure!
    -h, --help                                                 
            Prints help information

    -V, --version                                              
            Prints version information


OPTIONS:
    -c, --cas <cas>                    
            CAS to use (optional)

        --config-file <config-file>    
            Path to the file containing the server-side CAS configuration (in TOML, JSON or YAML format)

        --identity <identity>          
            External identity file to use (optional). If omitted, the automatically generated CLI identity will be used.
            An identity file must contain a PEM-encoded PKCS#8 private key followed by a X.509v3 certificate

scone cas register-backup

scone cas register-backup 0.2.0

USAGE:
    scone cas register-backup [FLAGS] [OPTIONS] <backup-cas>

FLAGS:
        --only_for_testing-disable-attestation-verification
            Do not require the CAS to be attested. With this option set, NO verification of the used CAS will be
            performed at all. This is obviously not secure!
    -h, --help                                                 
            Prints help information

    -V, --version                                              
            Prints version information


OPTIONS:
    -c, --cas <cas>              
            CAS to use (optional)

        --identity <identity>    
            External identity file to use (optional). If omitted, the automatically generated CLI identity will be used.
            An identity file must contain a PEM-encoded PKCS#8 private key followed by a X.509v3 certificate

ARGS:
    <backup-cas>    
            The address of the backup CAS

scone session

scone session 0.2.0
Manage CAS sessions

USAGE:
    scone session <SUBCOMMAND>

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information


SUBCOMMANDS:
    check     Check the syntax of the provided session file. Exits with a non-zero exit code on validation error
    create    Upload a new session to CAS. Prints the hash of the created session on success
    help      Prints this message or the help of the given subcommand(s)
    read      Load an active session from CAS and print it to stdout
    update    Update an existing session in CAS. Prints the hash of the updated session on success
    verify    Verify that a session active on CAS matches the given session. Prints the hash of the verified session
              on success

scone session check

scone session check 0.2.0
Check the syntax of the provided session file. Exits with a non-zero exit code on validation error

USAGE:
    scone session check [FLAGS] [OPTIONS] <file>

FLAGS:
    -h, --help       
            Prints help information

        --use-env    
            Use the environment variables for variable substitution

    -V, --version    
            Prints version information


OPTIONS:
    -n, --name <name>        
            Name of the session. Will replace the name stored in the file

    -e <VAR=VALUE>...        
            Add or overwrite existing variables in the template


ARGS:
    <file>    
            Path to the file containing the session description

scone session create

scone session create 0.2.0
Upload a new session to CAS. Prints the hash of the created session on success

USAGE:
    scone session create [FLAGS] [OPTIONS] <file>

FLAGS:
        --only_for_testing-disable-attestation-verification
            Do not require the CAS to be attested. With this option set, NO verification of the used CAS will be
            performed at all. This is obviously not secure!
    -h, --help                                                 
            Prints help information

        --use-env                                              
            Use the environment variables for variable substitution

    -V, --version                                              
            Prints version information


OPTIONS:
    -c, --cas <cas>              
            CAS to use (optional)

        --identity <identity>    
            External identity file to use (optional). If omitted, the automatically generated CLI identity will be used.
            An identity file must contain a PEM-encoded PKCS#8 private key followed by a X.509v3 certificate
    -n, --name <name>            
            Name of the session. Will replace the name stored in the file

    -e <VAR=VALUE>...            
            Add or overwrite existing variables in the template


ARGS:
    <file>    
            Path to the file containing the session description

scone session update

scone session update 0.2.0
Update an existing session in CAS. Prints the hash of the updated session on success

USAGE:
    scone session update [FLAGS] [OPTIONS] <file>

FLAGS:
        --only_for_testing-disable-attestation-verification
            Do not require the CAS to be attested. With this option set, NO verification of the used CAS will be
            performed at all. This is obviously not secure!
    -h, --help                                                 
            Prints help information

        --use-env                                              
            Use the environment variables for variable substitution

    -V, --version                                              
            Prints version information


OPTIONS:
    -c, --cas <cas>              
            CAS to use (optional)

        --identity <identity>    
            External identity file to use (optional). If omitted, the automatically generated CLI identity will be used.
            An identity file must contain a PEM-encoded PKCS#8 private key followed by a X.509v3 certificate
    -n, --name <name>            
            Name of the session. Will replace the name stored in the file

    -e <VAR=VALUE>...            
            Add or overwrite existing variables in the template


ARGS:
    <file>    
            Path to the file containing the session description

scone session verify

scone session verify 0.2.0
Verify that a session active on CAS matches the given session. Prints the hash of the verified session on success

USAGE:
    scone session verify [FLAGS] [OPTIONS] <file>

FLAGS:
        --only_for_testing-disable-attestation-verification
            Do not require the CAS to be attested. With this option set, NO verification of the used CAS will be
            performed at all. This is obviously not secure!
    -h, --help                                                 
            Prints help information

        --use-env                                              
            Use the environment variables for variable substitution

    -V, --version                                              
            Prints version information


OPTIONS:
    -c, --cas <cas>              
            CAS to use (optional)

        --identity <identity>    
            External identity file to use (optional). If omitted, the automatically generated CLI identity will be used.
            An identity file must contain a PEM-encoded PKCS#8 private key followed by a X.509v3 certificate
    -n, --name <name>            
            Name of the session. Will replace the name stored in the file

    -e <VAR=VALUE>...            
            Add or overwrite existing variables in the template


ARGS:
    <file>    
            Path to the file containing the session description

scone session read

scone session read 0.2.0
Load an active session from CAS and print it to stdout

USAGE:
    scone session read [FLAGS] [OPTIONS] <name>

FLAGS:
        --only_for_testing-disable-attestation-verification
            Do not require the CAS to be attested. With this option set, NO verification of the used CAS will be
            performed at all. This is obviously not secure!
    -h, --help                                                 
            Prints help information

    -V, --version                                              
            Prints version information


OPTIONS:
    -c, --cas <cas>              
            CAS to use (optional)

        --identity <identity>    
            External identity file to use (optional). If omitted, the automatically generated CLI identity will be used.
            An identity file must contain a PEM-encoded PKCS#8 private key followed by a X.509v3 certificate

ARGS:
    <name>    
            The name of the session to get from CAS and print

scone las

scone las 0.2.0
Interact with the local attestation service (LAS)

USAGE:
    scone las <SUBCOMMAND>

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information


SUBCOMMANDS:
    help                       Prints this message or the help of the given subcommand(s)
    scone-epid-trust-anchor    Retrieve the EPID trust anchor of the SCONE QE (and verify it). Prints public key and
                               enclave measurement of the SCONE QE

scone las scone-epid-trust-anchor

scone las scone-epid-trust-anchor 0.2.0
Retrieve the EPID trust anchor of the SCONE QE (and verify it). Prints public key and enclave measurement of the SCONE
QE.

The information can only be verified, and thus trusted in a production environment, if IAS credentials (sp_id and
sp_key) are provided.

USAGE:
    scone las scone-epid-trust-anchor [FLAGS] [OPTIONS]

FLAGS:
    -C, --accept-configuration-needed    
            Accept CONFIGURATION NEEDED verification response (hyperthreading enabled, less secure)

        --only_for_testing-debug         
            Allow LAS to run in debug mode, in which it CAN BE MANIPULATED AND SHOULDN'T BE TRUSTED (only for testing
            purposes!)
    -G, --accept-group-out-of-date       
            Accept GROUP OUT OF DATE verification response (TCB out-of-date, dangerous!)

        --dev-env                        
            Whether the service provider ID is registered in the IAS debug environment

    -h, --help                           
            Prints help information

    -l                                   
            The service provider ID's quote linkability setting

    -V, --version                        
            Prints version information


OPTIONS:
        --las <las>          
            LAS to connect to. Default port will be added if no port is specified [default: localhost]

        --sp-id <sp-id>      
            The service provider ID used to verify the EPID quote with Intel IAS [default:
            00000000000000000000000000000000]
        --sp-key <sp-key>    
            The service provider KEY used to authenticate to Intel IAS

scone cert

scone cert 0.2.0
Perform operations on X.509 certificates

USAGE:
    scone cert <SUBCOMMAND>

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information


SUBCOMMANDS:
    help             Prints this message or the help of the given subcommand(s)
    show-key-hash    Print the hash of the certificate's public key

scone cert show-key-hash

scone cert show-key-hash 0.2.0
Print the hash of the certificate's public key

USAGE:
    scone cert show-key-hash <file>

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information


ARGS:
    <file>    
            Path to the file containing the PEM-encoded X.509 certificate

scone help-markdown

scone help-markdown 0.2.0
Generate markdown help pages on stdout

USAGE:
    scone help-markdown

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information