SCONE CLI

We provide a CLI (Command Line Interface) to

  • attest SCONE CAS, i.e., to ensure that we are connected to a CAS with an expected MrEnclave running inside an enclave.
  • create a session, i.e., to upload a new session description.
  • update a session, i.e., replace an existing session by a new session description.
  • verify that a session matches a given session template. Prints the digest of the verified session on success.

Note that this CLI is implemented on top of a Rust crate; programs linked against that crate can use it to interact with CAS directly.

scone CLI

The program scone uploads policy templates to a CAS, communicates with CAS, and creates file system protection files. It is a CLI (command line interface) program with the following subcommands and flags:

$ scone --help

Scone 0.2.0
Your command line toolkit to interact with the scone infrastructure

USAGE:
    scone [OPTIONS] <SUBCOMMAND>

FLAGS:
    -h, --help       Prints help information
    -V, --version    Prints version information

OPTIONS:
    -c, --config <config> Sets a custom config file 
                          [env: SCONE_CLI_CONFIG=]  [default: ~/.cas/config.json]

SUBCOMMANDS:
    cas        Communication with CAS 
    fspf       Create and modify file system protection files 
    help       Prints this message or the help of the given subcommand(s)
    self       Manage this instance of the SCONE CLI
    session    Manage CAS sessions

In the context of SCONE CAS, we use the subcommands cas to attest a SCONE CAS and session to create and upload a session description.

Attesting CAS

We can attest a SCONE CAS with the CLI command scone cas, executed on a trusted host.

Tip

If the host from which you need to attest CAS is itself not trusted, use the underlying Rust crate and attest CAS from within an enclave.

$ scone cas --help

scone-cas 0.2.0
Communication with CAS 

USAGE:
    scone cas <SUBCOMMAND>

FLAGS:
    -h, --help       Prints help information
    -V, --version    Prints version information

SUBCOMMANDS:
    attest              Attest a CAS instance
    help                Prints this message or the help of the given subcommand(s)
    list                List attested CAS instances
    set-default         Set default CAS - The default CAS is always used if no CAS is explicitly specified, e.g. in
                        the session uploaded command
    show-certificate    Show the certificate chain of an attested CAS

scone cas implements the following commands:

  • attest CASADDR PORT MRENCLAVE: attests a SCONE CAS at address CASADDR:PORT with the expected MRENCLAVE. The CLI stores the necessary information about every newly attested CAS in the configuration file. The first attested CAS becomes the default CAS, and every further interaction is performed with it unless another CAS is explicitly specified.
USAGE:
    rust-cli cas attest [FLAGS] <address> <mrenclave>

FLAGS:
    -C                                Accept CONFIGURATION NEEDED verification response (hyperthreading enabled, less secure)
        --only_for_testing-debug      Allow CAS to run in debug mode, in which it CAN NOT PROTECT SECRETS (only for testing purposes!)
    -G                                Accept GROUP OUT OF DATE verification response (TCB out-of-date, dangerous!)
    -h, --help                        Prints help information
        --only_for_testing-trust-any  Trust ANY enclave measurement value, only allowed if CAS is in debug mode. With this option `mrenclave` can be omitted, but the attested enclave can run ANY software. This is obviously not secure!
    -V, --version                     Prints version information

ARGS:
    <address>      CAS address
    <mrenclave>    Expected enclave measurement/mrenclave of the CAS enclave
  • set-default CASADDR: Sets a new default SCONE CAS. The CASADDR must have previously been attested.
USAGE:
    rust-cli cas set-default <cas>

FLAGS:
    -h, --help       Prints help information
    -V, --version    Prints version information

ARGS:
    <cas>    CAS to become the new default CAS

Create/Update Session Description

To create or update a session description, use scone session.

$ scone session --help

scone-session 0.2.0
Manage CAS sessions

USAGE:
    scone session <SUBCOMMAND>

FLAGS:
    -h, --help       Prints help information
    -V, --version    Prints version information

SUBCOMMANDS:
    check     Check the syntax of the provided session file
    create    Upload a new session to CAS
    help      Prints this message or the help of the given subcommand(s)
    read      Load a session from CAS and print it to stdout
    update    Update an existing session in CAS
    verify    Verify a session was correctly uploaded to CAS

Create a session

One can create sessions with the help of a session template. Variables in the template are replaced either by values passed explicitly via the -e flag (see below) or by environment variables that are already defined (--use-env). Explicit -e replacements always take priority over --use-env replacements. The session name can be set with the -n flag.

Syntax

USAGE:
    rust-cli session create [FLAGS] [OPTIONS] <file>

FLAGS:
    -h, --help       Prints help information
        --use-env    Use the environment variables for variable substitution
    -V, --version    Prints version information

OPTIONS:
    -c, --cas <cas>          CAS to use (optional)
    -n, --name <name>        Name of the session. Will replace the name stored in the file
    -e <VAR=VALUE>...        Add or overwrite existing variables in the template

ARGS:
    <file>    Path to the file containing the session description

Example

scone session create -n my_new_session --use-env -e "MRENCLAVE_SERVICE=$MRENCLAVE_SERVICE" session_template.yml

Verify a session

When exporting secrets, we need to verify that the session to which we export a secret matches a given session template.

If a session can be updated, we typically want to limit the export to a given digest. Hence, when verifying a session, the CLI prints the digest of the verified session on success.

USAGE:
    rust-cli session verify [FLAGS] [OPTIONS] <file>

FLAGS:
    -h, --help       Prints help information
        --use-env    Use the environment variables for variable substitution
    -V, --version    Prints version information

OPTIONS:
    -c, --cas <cas>          CAS to use (optional)
    -n, --name <name>        Name of the session. Will replace the name stored in the file
    -e <VAR=VALUE>...        Add or overwrite existing variables in the template

ARGS:
    <file>    Path to the file containing the session description
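The attest, set-default, create and verify steps described on this page, combined into one shell wrapper. This is an added example, not part of SCONE's own tooling. It assumes the scone binary is on PATH (or named in SCONE_BIN); by default it runs in a dry-run mode that prints each command instead of executing it, so it can be read and exercised without a CAS. The hostname, measurement values and template file name in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example: a POSIX sh wrapper around the scone CLI workflow on this page.
# Not SCONE's own code. Assumptions: `scone` is on PATH (override with SCONE_BIN);
# DRY_RUN=1 (the default here) prints each command instead of running it.
set -eu

SCONE_BIN="${SCONE_BIN:-scone}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# An MRENCLAVE is a SHA-256 measurement, written as exactly 64 hex characters.
# Rejecting anything else keeps a truncated or mistyped value from ever being
# handed to `scone cas attest` as the expected measurement.
validate_mrenclave() {
  case "$1" in
    *[!0-9a-fA-F]*) return 1 ;;
  esac
  [ "${#1}" -eq 64 ]
}

# attest_cas ADDRESS MRENCLAVE
# Deliberately offers no way to pass -C, -G or the --only_for_testing-* flags:
# accepting an out-of-date TCB, a debug-mode CAS or any measurement is not
# something a production workflow should be able to do by accident.
attest_cas() {
  if ! validate_mrenclave "$2"; then
    printf 'refusing to attest %s: "%s" is not a 64-hex MRENCLAVE\n' "$1" "$2" >&2
    return 2
  fi
  run "$SCONE_BIN" cas attest "$1" "$2"
}

# set_default_cas ADDRESS: only meaningful for a CAS that attest_cas already accepted.
set_default_cas() {
  run "$SCONE_BIN" cas set-default "$1"
}

# session_cmd SUBCOMMAND NAME TEMPLATE [VAR=VALUE...]
# Turns each VAR=VALUE into its own `-e VAR=VALUE` argument, so values containing
# spaces survive intact, and puts the template file last as the usage requires.
session_cmd() {
  _sub=$1; _name=$2; _tmpl=$3; shift 3
  _n=$#
  for _kv in "$@"; do
    set -- "$@" -e "$_kv"
  done
  shift "$_n"
  run "$SCONE_BIN" session "$_sub" -n "$_name" "$@" "$_tmpl"
}

# Explicit -e values are used instead of --use-env so the substituted measurement
# is exactly the one this script was given, not whatever is in the caller's environment.
create_session() { session_cmd create "$@"; }

# On success `scone session verify` prints the digest of the verified session;
# the caller captures it to pin the export of secrets to that exact session content.
verify_session() { session_cmd verify "$@"; }

# Demo with constructed placeholder values (hostname, measurements, template name).
if [ "${SCONE_DEMO:-0}" = "1" ]; then
  MR_CAS=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
  MR_SVC=fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
  attest_cas cas.example.internal "$MR_CAS"
  set_default_cas cas.example.internal
  create_session my_new_session session_template.yml "MRENCLAVE_SERVICE=$MR_SVC"
  digest=$(verify_session my_new_session session_template.yml "MRENCLAVE_SERVICE=$MR_SVC")
  printf 'verified session digest: %s\n' "$digest"
fi
```

Run it with SCONE_DEMO=1 to see the four commands it would issue; set DRY_RUN=0 to execute them against a real CAS. The wrapper's two design points are that the weakening flags from the attest help text are simply not reachable through it, and that template variables always arrive through explicit -e arguments, which the page states take priority over --use-env.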