SCONE CLI
We provide a CLI (Command Line Interface) to
- attest SCONE CAS, i.e., to ensure that we are connected to a CAS with an expected MrEnclave running inside an enclave.
- create a session, i.e., to upload a new session description.
- update a session, i.e., replace an existing session by a new session description.
- verify that a session matches a given session template. Prints the digest of the verified session on success.
Note that this CLI is implemented as a Rust crate that can be used to interact with CAS directly from programs linked with this library.
The default SCONE CLI is available for subscribers and can be run as follows: `docker run -it registry.scontain.com/sconecuratedimages/sconecli`.
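The four steps listed above as one script, added here as an example; it is not taken from the SCONE CLI page or from Scontain's own tooling. It assumes that `CAS_ADDR`, `CAS_KEY_HASH` and `CAS_MRENCLAVE` are values you obtained out of band (for instance from the CAS console and the CAS release notes), that `scone cas set-default` accepts the same address string that `attest` does, and that `./session.yml` is your own session description. None of the `only_for_testing-*` or `--accept-*` flags are used, so a CAS with an unclean TCB status fails attestation instead of being silently accepted. Keep in mind what the `attest` help says: pinning `--mrenclave` disables the default ISVSVN check, so the pinned measurement must be refreshed with every CAS release.

```shell
#!/bin/sh
# Added example (not from the SCONE CLI page): attest a CAS with a pinned
# identity, then upload and verify a session. Assumed inputs:
#   CAS_ADDR       CAS address (hypothetical default below)
#   CAS_KEY_HASH   expected CAS public key hash, obtained out of band
#   CAS_MRENCLAVE  expected CAS MRENCLAVE, obtained out of band
set -eu

CAS_ADDR="${CAS_ADDR:-cas.example.internal:8081}"   # hypothetical address
CAS_KEY_HASH="${CAS_KEY_HASH:-}"
CAS_MRENCLAVE="${CAS_MRENCLAVE:-}"

# Attest the CAS, pinning both its public key hash (-c) and its enclave
# measurement (--mrenclave), and make it the default CAS for later commands.
# No only_for_testing-* or accept-* flags: a CAS whose TCB status is not
# clean must fail attestation here rather than be silently accepted.
attest_cas() {
    [ -n "$CAS_KEY_HASH" ]  || { echo "CAS_KEY_HASH is not set" >&2; return 2; }
    [ -n "$CAS_MRENCLAVE" ] || { echo "CAS_MRENCLAVE is not set" >&2; return 2; }
    scone cas attest -c "$CAS_KEY_HASH" --mrenclave "$CAS_MRENCLAVE" "$CAS_ADDR"
    scone cas set-default "$CAS_ADDR"   # assumes set-default accepts the address
}

# deploy_session <create|update> <session-file> <session-name>
# Checks the file syntax, uploads it, then verifies that the session CAS
# now reports matches the file. create/update and verify each print the
# session hash; a mismatch means the active session is not what we sent.
deploy_session() {
    mode="$1"; file="$2"; name="$3"
    case "$mode" in
        create|update) ;;
        *) echo "mode must be create or update" >&2; return 2 ;;
    esac
    scone session check --name "$name" "$file"
    uploaded=$(scone session "$mode" --name "$name" "$file")
    verified=$(scone session verify --name "$name" "$file")
    if [ "$uploaded" != "$verified" ]; then
        echo "session hash mismatch: uploaded=$uploaded verified=$verified" >&2
        return 1
    fi
    echo "$verified"
}

# Usage against a real CAS (uncomment):
# attest_cas
# deploy_session create ./session.yml my-app-session
```

The hash comparison at the end is the part worth keeping even if you script this differently: `create`/`update` tell you what was uploaded, `verify` tells you what CAS actually activated, and only agreement between the two proves the policy in force is the one you reviewed.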
scone
scone 0.2.0
Your command line toolkit to interact with the scone infrastructure
USAGE:
scone [OPTIONS] <SUBCOMMAND>
FLAGS:
-h, --help
Prints help information
-V, --version
Prints version information
OPTIONS:
-c, --config <config>
Sets a custom config file [env: SCONE_CLI_CONFIG=] [default: ~/.cas/config.json]
SUBCOMMANDS:
binary-fs Collect directories and files to generate a binary fs source code file
cas Communication with CAS
cert Perform operations on X.509 certificates
fspf Create and modify file system protection files
help Prints this message or the help of the given subcommand(s)
help-markdown Generate markdown help pages on stdout
las Interact with the local attestation service (LAS)
self Manage this instance of the SCONE CLI
session Manage CAS sessions
scone self
scone self 0.2.0
Manage this instance of the SCONE CLI
USAGE:
scone self <SUBCOMMAND>
FLAGS:
-h, --help
Prints help information
-V, --version
Prints version information
SUBCOMMANDS:
help Prints this message or the help of the given subcommand(s)
show Show the certificate and public key hash
show-certificate Print only the certificate in PEM format
show-certificate-hash Print only the SHA-256 certificate hash. Using the certificate hash in session access
control policies is deprecated, as it does not allow authentication with renewed
certificates. Please use the key hash (show-key-hash) instead
show-key-hash Print only the public key hash
scone self show
scone self show 0.2.0
Show the certificate and public key hash
USAGE:
scone self show
FLAGS:
-h, --help
Prints help information
-V, --version
Prints version information
scone self show-certificate
scone self show-certificate 0.2.0
Print only the certificate in PEM format
USAGE:
scone self show-certificate
FLAGS:
-h, --help
Prints help information
-V, --version
Prints version information
scone self show-key-hash
scone self show-key-hash 0.2.0
Print only the public key hash
USAGE:
scone self show-key-hash
FLAGS:
-h, --help
Prints help information
-V, --version
Prints version information
scone self show-certificate-hash
scone self show-certificate-hash 0.2.0
Print only the SHA-256 certificate hash. Using the certificate hash in session access control policies is deprecated, as
it does not allow authentication with renewed certificates. Please use the key hash (show-key-hash) instead
USAGE:
scone self show-certificate-hash
FLAGS:
-h, --help
Prints help information
-V, --version
Prints version information
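The deprecation notice above says that a certificate hash stops matching once the CLI identity's certificate is renewed, whereas the public key hash keeps matching. The following script, added here as an example and not part of the SCONE page or the SCONE CLI, demonstrates exactly that with the `openssl` command line: one key pair, an "old" and a "renewed" self-signed certificate, and both hashes computed for each. It assumes SHA-256 over the DER-encoded certificate and over the DER-encoded SubjectPublicKeyInfo; the page does not state which encoding SCONE hashes, so compare with the output of `scone self show` before reusing these values in a policy.

```shell
#!/bin/sh
# Added example (not from the SCONE page): why a policy should pin the
# public-key hash rather than the certificate hash. One key, two
# self-signed certificates (an "old" and a "renewed" one): the certificate
# hash changes, the key hash does not.
# Assumption: SHA-256 over the DER certificate and over the DER
# SubjectPublicKeyInfo. The page does not state SCONE's exact encoding, so
# compare with `scone self show` before reusing these values in a policy.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SHA-256 of the DER-encoded certificate: changes on every re-issue
# (new serial, new validity, new signature) even when the key is unchanged.
cert_hash() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the DER-encoded SubjectPublicKeyInfo: stable as long as the
# identity keeps its key pair across renewals.
key_hash() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# issue_cert <key.pem> <out.pem> <days>: self-signed cert for an existing key.
issue_cert() {
    openssl req -x509 -new -key "$1" -out "$2" -days "$3" \
        -subj "/CN=scone-cli-identity" 2>/dev/null
}

# Returns 0 when renewal kept the key hash but changed the cert hash,
# i.e. a key-hash policy still admits the identity while a cert-hash
# policy would lock it out.
renewal_keeps_key_hash() {
    [ "$(key_hash "$1")" = "$(key_hash "$2")" ] &&
    [ "$(cert_hash "$1")" != "$(cert_hash "$2")" ]
}

openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$WORK/key.pem" 2>/dev/null
issue_cert "$WORK/key.pem" "$WORK/old.pem" 30
issue_cert "$WORK/key.pem" "$WORK/renewed.pem" 365

if renewal_keeps_key_hash "$WORK/old.pem" "$WORK/renewed.pem"; then
    echo "key hash  : $(key_hash "$WORK/renewed.pem") (unchanged by renewal)"
    echo "cert hash : $(cert_hash "$WORK/old.pem") -> $(cert_hash "$WORK/renewed.pem")"
fi
```

The flip side is the caveat a reviewer should raise: a key-hash policy keeps admitting an identity for as long as that key exists, so rotating the key pair (not just the certificate) is the only way to revoke it.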
scone fspf
scone fspf 0.2.0
Create and modify file system protection files
USAGE:
scone fspf <SUBCOMMAND>
FLAGS:
-h, --help
Prints help information
-V, --version
Prints version information
SUBCOMMANDS:
addf Add files (file protection data) to an existing fspf
addr Add a protection region to an existing fspf
create Create a new file system protection file
create-volume Create a new SCONE volume FSPF
encrypt Encrypt an existing fspf
help Prints this message or the help of the given subcommand(s)
show Show an existing fspf
scone fspf create
scone fspf create 0.2.0
Create a new file system protection file
USAGE:
scone fspf create <file> [version]
FLAGS:
-h, --help
Prints help information
-V, --version
Prints version information
ARGS:
<file>
Path to store the created fspf at
<version>
FSPF format version to use, optional: latest version will be used by default
scone fspf addr
scone fspf addr 0.2.0
Add a protection region to an existing fspf
USAGE:
scone fspf addr [OPTIONS] <file> <embedpoint> <--not-protected|--encrypted|--authenticated> <--kernel <source-dir>|--ephemeral>
FLAGS:
-a, --authenticated
The content of this region should be authenticated (but not encrypted)
-e, --encrypted
The content of this region should be encrypted
--ephemeral
The region's files are stored in volatile & untrusted memory
-h, --help
Prints help information
-n, --not-protected
The content of this region should NOT be protected
-V, --version
Prints version information
OPTIONS:
-c, --chunk-length <chunk-length>
In bytes. Files will be protected with chunks of this size; only valid for protected regions
-k, --key-length <key-length>
In bits. The file protection will use keys with this size; only valid for protected regions
--kernel <source-dir>
The region's files are stored in the kernel's filesystem
ARGS:
<file>
Location of the fspf
<embedpoint>
The location of the region in the protected file system
scone fspf addf
scone fspf addf 0.2.0
Add files (file protection data) to an existing fspf
USAGE:
scone fspf addf <file> <embedpoint> <source-dir> [encrypt-dir]
FLAGS:
-h, --help
Prints help information
-V, --version
Prints version information
ARGS:
<file>
Location of the fspf
<embedpoint>
Region the files should be added to
<source-dir>
Source directory files to take from
<encrypt-dir>
Target directory for encrypted files (needed for encrypted regions)
scone fspf encrypt
scone fspf encrypt 0.2.0
Encrypt an existing fspf
USAGE:
scone fspf encrypt <file>
FLAGS:
-h, --help
Prints help information
-V, --version
Prints version information
ARGS:
<file>
Location of the fspf
scone fspf show
scone fspf show 0.2.0
Show an existing fspf
USAGE:
scone fspf show [FLAGS] <file> [key]
FLAGS:
-h, --help
Prints help information
-t, --tag
Only print tag
-V, --version
Prints version information
ARGS:
<file>
Location of the fspf
<key>
Decryption key of the fspf
scone fspf create-volume
scone fspf create-volume 0.2.0
Create a new SCONE volume FSPF
This will prepare a directory (and its content) for secure data storage and exchange between SCONE enclaves/services in
a microservice application. A SCONE volume in the simplest approximation is a directory with a `volume.fspf` file. This
file contains the protection data for all data that is stored in the directory. The usage of SCONE volume must be
configured via a SCONE CAS session/policy.
USAGE:
scone fspf create-volume [FLAGS] [OPTIONS] <volume-path> <--encrypted|--authenticated> [output-path]
FLAGS:
-a, --authenticated
The content of this region should be authenticated (but not encrypted)
-e, --encrypted
The content of this region should be encrypted
Requires setting `output_path` argument to the location where the encrypted initial files are written to.
--envar-output
Print the key and tag message in environment defining format on stdout, such that the output can be directly
interpreted by a shell. This is useful if this command is used in a script.
Environment variable will be `VOLUME_KEY` and `VOLUME_TAG`. The output will look like this:
export VOLUME_KEY=55920e9398056f6cd83fc2354f9d29f9052df252c5d797a9500f905f42e9faae export VOLUME_TAG=61b958b220b19b8b74a76f74fc94282e
You can use it to set the variables with a command like: eval "`scone fspf create-volume ./volume-dir --authenticated --envar-output`"
-f, --force
Force creation even if existing files must be removed or overwritten
-h, --help
Prints help information
OPTIONS:
-c, --chunk-length <chunk-length>
In bytes. Files will be protected with chunks of this size
-k, --key-length <key-length>
In bits. The file protection will use keys with this size
-v, --version <version>
FSPF format version to use, optional: latest version will be used by default
ARGS:
<volume-path>
The path of a directory that should become the new SCONE volume
If the directory exists already its content will be the initial content of the new volume. Otherwise, a
directory with the `volume.fspf` will be created (as long as `output_path` is not specified).
<output-path>
Path where the output should be generated (necessary for encrypted volumes)
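The `--envar-output` flag above is meant to be fed to `eval`, which executes whatever the command printed; in a script that is fine only if the output is exactly the two assignments you expect. The following added example (not part of the SCONE page or the SCONE CLI) consumes that output without `eval`: it accepts only `VOLUME_KEY=` and `VOLUME_TAG=` assignments (with or without the `export` keyword, on one line or two), checks that the key is 64 hex characters and the tag 32, and rejects everything else. The sample input is the page's own example output, embedded as a constant so the script runs without the CLI.

```shell
#!/bin/sh
# Added example (not from the SCONE page): consume `--envar-output` without
# eval-ing arbitrary command output. Only the two documented assignments are
# accepted, their values must be hex of the documented lengths, and any other
# token is rejected. SAMPLE_OUTPUT is the page's own example, embedded here.
set -eu

SAMPLE_OUTPUT='export VOLUME_KEY=55920e9398056f6cd83fc2354f9d29f9052df252c5d797a9500f905f42e9faae
export VOLUME_TAG=61b958b220b19b8b74a76f74fc94282e'

# is_hex <len> <value>: 0 if <value> is exactly <len> lowercase hex characters.
is_hex() {
    case "$2" in *[!0-9a-f]*|'') return 1 ;; esac
    [ "${#2}" -eq "$1" ]
}

# parse_volume_envars: reads --envar-output text on stdin, prints "KEY TAG".
# Word-splits the whole input so that both "export A=.. export B=.." on one
# line and one export per line are handled; `export` itself is skipped.
parse_volume_envars() {
    key=''; tag=''
    set -f                  # no globbing while we split the output into words
    set -- $(cat)
    set +f
    for word in "$@"; do
        case "$word" in
            export) ;;
            VOLUME_KEY=*) [ -z "$key" ] || return 1; key="${word#VOLUME_KEY=}" ;;
            VOLUME_TAG=*) [ -z "$tag" ] || return 1; tag="${word#VOLUME_TAG=}" ;;
            *) echo "unexpected token in --envar-output: $word" >&2; return 1 ;;
        esac
    done
    is_hex 64 "$key" || { echo "VOLUME_KEY is not a 256-bit hex key" >&2; return 1; }
    is_hex 32 "$tag" || { echo "VOLUME_TAG is not a 128-bit hex tag" >&2; return 1; }
    echo "$key $tag"
}

# With the real CLI:
#   scone fspf create-volume ./volume-dir --authenticated --envar-output | parse_volume_envars
# Here the embedded sample stands in for the CLI.
if out=$(printf '%s\n' "$SAMPLE_OUTPUT" | parse_volume_envars); then
    VOLUME_KEY="${out%% *}"; VOLUME_TAG="${out##* }"
    echo "VOLUME_KEY=$VOLUME_KEY"
    echo "VOLUME_TAG=$VOLUME_TAG"
fi
```

Treat `VOLUME_KEY` as a secret once it is in a variable: it is what the CAS session needs to unlock the volume, so it belongs in the session file or a secret store, not in shell history or CI logs.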
scone cas
scone cas 0.2.0
Communication with CAS
USAGE:
scone cas <SUBCOMMAND>
FLAGS:
-h, --help
Prints help information
-V, --version
Prints version information
SUBCOMMANDS:
attest Attest a CAS instance
attest-audit-log Performs the same task as `verify-audit-log`, but additionally checks that the audit log
contains valid attestation reports according to the given attestation settings
help Prints this message or the help of the given subcommand(s)
list List attested CAS instances
provision Take ownership of a CAS and supply its initial server-side configuration
register-backup Register a backup CAS
register-upgrade Register an upgrade CAS
set-default Set default CAS - The default CAS is always used if no CAS is explicitly specified, e.g.
in the `session upload` command
show-certificate Show certificate chain of an attested CAS instance
show-identification Show identification information of an attested CAS that can be used to identify the
instance
start-upgrade Initiate a CAS upgrade with database key rollover
update-config Update a server-side CAS configuration
verify-audit-log Verify the authenticity and integrity of a signed CAS audit log. The origin CAS will be
contacted to detect a CAS rollback or log truncation. You must be the CAS owner in order
to fetch the necessary information. Verification information will be printed to stderr
scone cas list
scone cas list 0.2.0
List attested CAS instances
USAGE:
scone cas list
FLAGS:
-h, --help
Prints help information
-V, --version
Prints version information
scone cas attest
scone cas attest 0.2.0
Attest a CAS instance
USAGE:
scone cas attest [FLAGS] [OPTIONS] <address> [--] [_mrenclave]
FLAGS:
-C, --accept-configuration-needed
Accept CONFIGURATION NEEDED verification response (hyperthreading enabled, less secure)
--only_for_testing-debug
Allow CAS to run in debug mode, in which it CANNOT PROTECT SECRETS (only for testing purposes!) Only allowed
if CAS signer is ignored
-G, --accept-group-out-of-date
Accept GROUP OUT OF DATE verification response (TCB out-of-date, dangerous!)
-S, --accept-sw-hardening-needed
Accept SW HARDENING NEEDED verification response (less safe compilation options)
--allow-cas-owner-secret-access
Whether to trust the CAS even if its database encryption key was injected by the CAS owner, and not
generated securely within an enclave. If set, session secrets will be accessible to the CAS owner!
-h, --help
Prints help information
--only_for_testing-ignore-signer
Do not verify CAS software signature (MRSIGNER). This allows using a CAS signed with test keys. If set,
argument <mrenclave> becomes mandatory, unless --only_for_testing-trust-any was also set
--only_for_testing-trust-any
Trust ANY enclave measurement value, only allowed if CAS is in debug mode. With this option, `mrenclave` can
be omitted, but the attested enclave can run ANY software. This is obviously not secure!
-V, --version
Prints version information
OPTIONS:
-c <cas-key-hash>
Expected CAS public key hash
-s <cas-software-key-hash>
Expected CAS software public key hash
--isvprodid <isvprodid>
Verify the given Independent Software Vendor Product ID (ISVPRODID). Required when using a custom MRSIGNER
--isvsvn <isvsvn>
Verify that CAS has a given or greater Independent Software Vendor Security Version Number (ISVSVN).
Required when using a custom MRSIGNER
--mrenclave <mrenclave>...
An expected enclave measurement/MRENCLAVE of the CAS enclave (optional). The CAS software signature will
always be verified, regardless of this argument; but if set, the default CAS version (ISVSVN) check will be
disabled. If specified multiple times, attestation will succeed if any of the given measurements matches
--mrsigner <mrsigner>
Verify the CAS software signature using the given MRSIGNER instead of the default Scontain MRSIGNER.
Requires ISVPRODID and ISVSVN too
ARGS:
<address>
CAS address
<_mrenclave>
Expected enclave measurement/MRENCLAVE of the CAS enclave (optional). Deprecated, please use --mrenclave
instead
scone cas show-identification
scone cas show-identification 0.2.0
Show identification information of an attested CAS that can be used to identify the instance
USAGE:
scone cas show-identification [FLAGS] [cas]
FLAGS:
-C, --cas-certificate
PEM-encoded CAS X509 certificate
-c, --cas-key-hash
SHA256 Hash of CAS public key
-S, --cas-software-certificate
PEM-encoded CAS software X509 certificate
-s, --cas-software-key-hash
SHA256 Hash of CAS software public key
-T, --certificate-chain
Certificate chain of trust of PEM-encoded CAS and CAS software certificates [default]
-h, --help
Prints help information
-V, --version
Prints version information
ARGS:
<cas>
CAS of which to show the certificate chain, optional: default CAS if omitted
scone cas show-certificate
scone cas show-certificate 0.2.0
Show certificate chain of an attested CAS instance
USAGE:
scone cas show-certificate [cas]
FLAGS:
-h, --help
Prints help information
-V, --version
Prints version information
ARGS:
<cas>
CAS of which to show the certificate chain, optional: default CAS if omitted
scone cas set-default
scone cas set-default 0.2.0
Set default CAS - The default CAS is always used if no CAS is explicitly specified, e.g. in the `session upload` command
USAGE:
scone cas set-default <cas>
FLAGS:
-h, --help
Prints help information
-V, --version
Prints version information
ARGS:
<cas>
CAS to become the new default CAS
scone cas provision
scone cas provision 0.2.0
Take ownership of a CAS and supply its initial server-side configuration
USAGE:
scone cas provision [OPTIONS] <address> -c <cas-key-hash> --config-file <config-file> --token <token> <SUBCOMMAND>
FLAGS:
-h, --help
Prints help information
-V, --version
Prints version information
OPTIONS:
-c <cas-key-hash>
Expected CAS public key hash. Can be found in the CAS console
-s <cas-software-key-hash>
Expected CAS software public key hash (optional). Can be found in the CAS console
--config-file <config-file>
Path to the file containing the server-side CAS configuration (in TOML, JSON or YAML format)
--database-key <database-key>
Database key to encrypt the CAS database with. Must be a 64-character hexadecimal string. Allows CAS owner
to decrypt the database at will. This impacts security of the CAS and session secrets, and is therefore
discouraged. Database key injection will be refused by CAS binaries signed by Scontain
--identity <identity>
External identity file to use (optional). If omitted, the automatically generated CLI identity will be used.
An identity file must contain a PEM-encoded PKCS#8 private key followed by a X.509v3 certificate
--token <token>
Provisioning token (32-character hexadecimal string). Can be found in the CAS console
ARGS:
<address>
CAS address
SUBCOMMANDS:
help Prints this message or the help of the given subcommand(s)
only_for_testing-without-attestation Do not attest the CAS. With this command selected, NO verification of
the used CAS will be performed at all. This is obviously not secure!
with-attestation Attest the CAS instance during provisioning
scone cas provision with-attestation
scone cas provision with-attestation 0.2.0
Attest the CAS instance during provisioning
USAGE:
scone cas provision with-attestation [FLAGS] [OPTIONS] [--] [_mrenclave]
FLAGS:
-C, --accept-configuration-needed
Accept CONFIGURATION NEEDED verification response (hyperthreading enabled, less secure)
--only_for_testing-debug
Allow CAS to run in debug mode, in which it CANNOT PROTECT SECRETS (only for testing purposes!) Only allowed
if CAS signer is ignored
-G, --accept-group-out-of-date
Accept GROUP OUT OF DATE verification response (TCB out-of-date, dangerous!)
-S, --accept-sw-hardening-needed
Accept SW HARDENING NEEDED verification response (less safe compilation options)
-h, --help
Prints help information
--only_for_testing-ignore-signer
Do not verify CAS software signature (MRSIGNER). This allows using a CAS signed with test keys. If set,
argument <mrenclave> becomes mandatory, unless --only_for_testing-trust-any was also set
--only_for_testing-trust-any
Trust ANY enclave measurement value, only allowed if CAS is in debug mode. With this option, `mrenclave` can
be omitted, but the attested enclave can run ANY software. This is obviously not secure!
-V, --version
Prints version information
OPTIONS:
--isvprodid <isvprodid>
Verify the given Independent Software Vendor Product ID (ISVPRODID). Required when using a custom MRSIGNER
--isvsvn <isvsvn>
Verify that CAS has a given or greater Independent Software Vendor Security Version Number (ISVSVN).
Required when using a custom MRSIGNER
--mrenclave <mrenclave>...
An expected enclave measurement/MRENCLAVE of the CAS enclave (optional). The CAS software signature will
always be verified, regardless of this argument; but if set, the default CAS version (ISVSVN) check will be
disabled. If specified multiple times, attestation will succeed if any of the given measurements matches
--mrsigner <mrsigner>
Verify the CAS software signature using the given MRSIGNER instead of the default Scontain MRSIGNER.
Requires ISVPRODID and ISVSVN too
ARGS:
<_mrenclave>
Expected enclave measurement/MRENCLAVE of the CAS enclave (optional). Deprecated, please use --mrenclave
instead
scone cas provision only_for_testing-without-attestation
scone cas provision only_for_testing-without-attestation 0.2.0
Do not attest the CAS. With this command selected, NO verification of the used CAS will be performed at all. This is
obviously not secure!
USAGE:
scone cas provision only_for_testing-without-attestation
FLAGS:
-h, --help
Prints help information
-V, --version
Prints version information
scone cas update-config
scone cas update-config 0.2.0
Update a server-side CAS configuration
USAGE:
scone cas update-config [FLAGS] [OPTIONS] --config-file <config-file>
FLAGS:
--only_for_testing-disable-attestation-verification
Do not require the CAS to be attested. With this option set, NO verification of the used CAS will be
performed at all. This is obviously not secure!
-h, --help
Prints help information
-V, --version
Prints version information
OPTIONS:
-c, --cas <cas>
CAS to use (optional)
--config-file <config-file>
Path to the file containing the server-side CAS configuration (in TOML, JSON or YAML format)
--identity <identity>
External identity file to use (optional). If omitted, the automatically generated CLI identity will be used.
An identity file must contain a PEM-encoded PKCS#8 private key followed by a X.509v3 certificate
scone cas register-backup
scone cas register-backup 0.2.0
Register a backup CAS
USAGE:
scone cas register-backup [FLAGS] [OPTIONS] <backup-cas>
FLAGS:
--only_for_testing-disable-attestation-verification
Do not require the CAS to be attested. With this option set, NO verification of the used CAS will be
performed at all. This is obviously not secure!
-h, --help
Prints help information
-V, --version
Prints version information
OPTIONS:
-c, --cas <cas>
CAS to use (optional)
--identity <identity>
External identity file to use (optional). If omitted, the automatically generated CLI identity will be used.
An identity file must contain a PEM-encoded PKCS#8 private key followed by a X.509v3 certificate
ARGS:
<backup-cas>
The address of the backup CAS
scone cas register-upgrade
scone cas register-upgrade 0.2.0
Register an upgrade CAS
USAGE:
scone cas register-upgrade [FLAGS] [OPTIONS] <upgrade-cas>
FLAGS:
--only_for_testing-disable-attestation-verification
Do not require the CAS to be attested. With this option set, NO verification of the used CAS will be
performed at all. This is obviously not secure!
-h, --help
Prints help information
-V, --version
Prints version information
OPTIONS:
-c, --cas <cas>
CAS to use (optional)
--identity <identity>
External identity file to use (optional). If omitted, the automatically generated CLI identity will be used.
An identity file must contain a PEM-encoded PKCS#8 private key followed by a X.509v3 certificate
ARGS:
<upgrade-cas>
The address of the upgrade CAS
scone cas start-upgrade
scone cas start-upgrade 0.2.0
Initiate a CAS upgrade with database key rollover
USAGE:
scone cas start-upgrade [FLAGS] [OPTIONS]
FLAGS:
--only_for_testing-disable-attestation-verification
Do not require the CAS to be attested. With this option set, NO verification of the used CAS will be
performed at all. This is obviously not secure!
-h, --help
Prints help information
-V, --version
Prints version information
-y, --yes
Do not ask for confirmation
OPTIONS:
-c, --cas <cas>
CAS to use (optional)
--identity <identity>
External identity file to use (optional). If omitted, the automatically generated CLI identity will be used.
An identity file must contain a PEM-encoded PKCS#8 private key followed by a X.509v3 certificate
scone cas verify-audit-log
scone cas verify-audit-log 0.2.0
Verify the authenticity and integrity of a signed CAS audit log. The origin CAS will be contacted to detect a CAS
rollback or log truncation. You must be the CAS owner in order to fetch the necessary information. Verification
information will be printed to stderr.
The command may exit with one of the following exit codes (most severe first):
* 20 - Log authenticity/integrity violation - parsing error or signature verification failed
* 19 - The log does not originate from the selected CAS
* 18 - CAS rollback detected (excluding single failed & rolled back transactions)
* 17 - CAS rollback or missing/deleted log entries detected
* 16 - CAS rollback cannot be ruled out
* 15 - Log was truncated (older entries are missing)
* 14 - Log was truncated (recent entries are missing)
* 10 - At least one failed & rolled back transaction detected
* 0 - Log is fully correct
* other - Fatal error during verification
USAGE:
scone cas verify-audit-log [FLAGS] [OPTIONS] <log-file-path>
FLAGS:
-h, --help
Prints help information
-p, --print-log
Print the log content in human-readable format to stdout
-V, --version
Prints version information
OPTIONS:
--cas <cas>
URL of the CAS that the log file belongs to (optional, if omitted, the default CAS will be assumed)
-c, --cas-key-hash <cas-key-hash>
Expected CAS public key hash (optional). If omitted, a previously attested key will be used. Requires
setting option 'cas', too
--identity <identity>
External identity file to use (optional). If omitted, the automatically generated CLI identity will be used.
An identity file must contain a PEM-encoded PKCS#8 private key followed by a X.509v3 certificate
--last <last>
If the log was split: Predecessor signature of the first event of a previously verified succeeding log file.
If omitted, verification ensures that the most recent event logged by CAS is present
--predecessor <predecessor>
If the log was split: Signature of the last event of a previously verified preceding log file. If omitted,
verification ensures that the first event logged by CAS is present
ARGS:
<log-file-path>
Path to the audit log file
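A wrapper that acts on the exit codes listed for `verify-audit-log`, added here as an example (it is not part of the SCONE page or the SCONE CLI). The code-to-meaning mapping follows the list above; the ok/warn/alert buckets are this script's own policy and should be tuned per deployment. It assumes the command is run with the CAS owner's identity, as the help requires, and that the verification report on stderr is what you want to keep.

```shell
#!/bin/sh
# Added example (not from the SCONE page): a wrapper that turns the exit
# codes documented for `scone cas verify-audit-log` into an operator
# decision. The code-to-meaning mapping is the page's; the ok/warn/alert
# buckets are this script's own policy and should be tuned per deployment.
set -u

# audit_outcome <exit-code> -> ok | warn | alert | error
audit_outcome() {
    case "$1" in
        0)        echo ok ;;     # log is fully correct
        10)       echo warn ;;   # failed & rolled-back transaction(s): benign, but worth a look
        14|15)    echo alert ;;  # truncation: recent (14) or older (15) entries missing
        16|17|18) echo alert ;;  # rollback cannot be ruled out (16), rollback or missing entries (17), rollback detected (18)
        19)       echo alert ;;  # log was not produced by the selected CAS
        20)       echo alert ;;  # parse or signature failure: the log itself cannot be trusted
        *)        echo error ;;  # fatal error during verification: re-run, draw no conclusion
    esac
}

# check_audit_log <log-file> [extra verify-audit-log options...]
# Runs the verifier (which reports to stderr and must be run as the CAS
# owner), keeps its report, and fails for anything worse than "warn".
# Extra options such as --cas <url> or --predecessor/--last for split
# logs are passed through unchanged; stdout (used by --print-log) is dropped.
check_audit_log() {
    log="$1"; shift
    report=$(scone cas verify-audit-log "$@" "$log" 2>&1 1>/dev/null)
    rc=$?
    outcome=$(audit_outcome "$rc")
    printf '%s: exit=%s outcome=%s\n%s\n' "$log" "$rc" "$outcome" "$report" >&2
    case "$outcome" in
        ok|warn) return 0 ;;
        *)       return 1 ;;
    esac
}

# Usage: check_audit_log /var/backups/cas-audit.log --cas https://cas.example.internal:8081
```

Two things the policy deliberately does: a "fatal error" (any code outside the documented list) is not treated as a clean result, because the verifier could not reach a verdict; and code 20 ranks with the rollback codes, since a log whose signatures do not verify tells you nothing about the CAS either way.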
scone cas attest-audit-log
scone cas attest-audit-log 0.2.0
Performs the same task as `verify-audit-log`, but additionally checks that the audit log contains valid attestation
reports according to the given attestation settings
USAGE:
scone cas attest-audit-log [FLAGS] [OPTIONS] <log-file-path> [--] [_mrenclave]
FLAGS:
-C, --accept-configuration-needed
Accept CONFIGURATION NEEDED verification response (hyperthreading enabled, less secure)
--only_for_testing-debug
Allow CAS to run in debug mode, in which it CANNOT PROTECT SECRETS (only for testing purposes!) Only allowed
if CAS signer is ignored
-G, --accept-group-out-of-date
Accept GROUP OUT OF DATE verification response (TCB out-of-date, dangerous!)
-S, --accept-sw-hardening-needed
Accept SW HARDENING NEEDED verification response (less safe compilation options)
-h, --help
Prints help information
--only_for_testing-ignore-signer
Do not verify CAS software signature (MRSIGNER). This allows using a CAS signed with test keys. If set,
argument <mrenclave> becomes mandatory, unless --only_for_testing-trust-any was also set
-p, --print-log
Print the log content in human-readable format to stdout
--only_for_testing-trust-any
Trust ANY enclave measurement value, only allowed if CAS is in debug mode. With this option, `mrenclave` can
be omitted, but the attested enclave can run ANY software. This is obviously not secure!
-V, --version
Prints version information
OPTIONS:
--cas <cas>
URL of the CAS that the log file belongs to (optional, if omitted, the default CAS will be assumed)
-c, --cas-key-hash <cas-key-hash>
Expected CAS public key hash (optional). If omitted, a previously attested key will be used. Requires
setting option 'cas', too
--identity <identity>
External identity file to use (optional). If omitted, the automatically generated CLI identity will be used.
An identity file must contain a PEM-encoded PKCS#8 private key followed by a X.509v3 certificate
--isvprodid <isvprodid>
Verify the given Independent Software Vendor Product ID (ISVPRODID). Required when using a custom MRSIGNER
--isvsvn <isvsvn>
Verify that CAS has a given or greater Independent Software Vendor Security Version Number (ISVSVN).
Required when using a custom MRSIGNER
--last <last>
If the log was split: Predecessor signature of the first event of a previously verified succeeding log file.
If omitted, verification ensures that the most recent event logged by CAS is present
--mrenclave <mrenclave>...
An expected enclave measurement/MRENCLAVE of the CAS enclave (optional). The CAS software signature will
always be verified, regardless of this argument; but if set, the default CAS version (ISVSVN) check will be
disabled. If specified multiple times, attestation will succeed if any of the given measurements matches
--mrsigner <mrsigner>
Verify the CAS software signature using the given MRSIGNER instead of the default Scontain MRSIGNER.
Requires ISVPRODID and ISVSVN too
--predecessor <predecessor>
If the log was split: Signature of the last event of a previously verified preceding log file. If omitted,
verification ensures that the first event logged by CAS is present
ARGS:
<log-file-path>
Path to the audit log file
<_mrenclave>
Expected enclave measurement/MRENCLAVE of the CAS enclave (optional). Deprecated, please use --mrenclave
instead
scone session
scone session 0.2.0
Manage CAS sessions
USAGE:
scone session <SUBCOMMAND>
FLAGS:
-h, --help
Prints help information
-V, --version
Prints version information
SUBCOMMANDS:
check Check the syntax of the provided session file. Exits with a non-zero exit code on validation error
create Upload a new session to CAS. Prints the hash of the created session on success
help Prints this message or the help of the given subcommand(s)
read Load an active session from CAS and print it to stdout
update Update an existing session in CAS. Prints the hash of the updated session on success
verify Verify that a session active on CAS matches the given session. Prints the hash of the verified session
on success
scone session check
scone session check 0.2.0
Check the syntax of the provided session file. Exits with a non-zero exit code on validation error
USAGE:
scone session check [FLAGS] [OPTIONS] <file>
FLAGS:
-h, --help
Prints help information
--use-env
Use the environment variables for variable substitution
-V, --version
Prints version information
OPTIONS:
-n, --name <name>
Name of the session. Will replace the name stored in the file
-e <VAR=VALUE>...
Add or overwrite existing variables in the template
ARGS:
<file>
Path to the file containing the session description
scone session create
scone session create 0.2.0
Upload a new session to CAS. Prints the hash of the created session on success
USAGE:
scone session create [FLAGS] [OPTIONS] <file>
FLAGS:
--only_for_testing-disable-attestation-verification
Do not require the CAS to be attested. With this option set, NO verification of the used CAS will be
performed at all. This is obviously not secure!
-h, --help
Prints help information
--use-env
Use the environment variables for variable substitution
-V, --version
Prints version information
OPTIONS:
-c, --cas <cas>
CAS to use (optional)
--identity <identity>
External identity file to use (optional). If omitted, the automatically generated CLI identity will be used.
An identity file must contain a PEM-encoded PKCS#8 private key followed by a X.509v3 certificate
-n, --name <name>
Name of the session. Will replace the name stored in the file
-e <VAR=VALUE>...
Add or overwrite existing variables in the template
ARGS:
<file>
Path to the file containing the session description
scone session update
scone session update 0.2.0
Update an existing session in CAS. Prints the hash of the updated session on success
USAGE:
scone session update [FLAGS] [OPTIONS] <file>
FLAGS:
--only_for_testing-disable-attestation-verification
Do not require the CAS to be attested. With this option set, NO verification of the used CAS will be
performed at all. This is obviously not secure!
-h, --help
Prints help information
--use-env
Use the environment variables for variable substitution
-V, --version
Prints version information
OPTIONS:
-c, --cas <cas>
CAS to use (optional)
--identity <identity>
External identity file to use (optional). If omitted, the automatically generated CLI identity will be used.
An identity file must contain a PEM-encoded PKCS#8 private key followed by a X.509v3 certificate
-n, --name <name>
Name of the session. Will replace the name stored in the file
-e <VAR=VALUE>...
Add or overwrite existing variables in the template
ARGS:
<file>
Path to the file containing the session description
scone session verify
scone session verify 0.2.0
Verify that a session active on CAS matches the given session. Prints the hash of the verified session on success
USAGE:
scone session verify [FLAGS] [OPTIONS] <file>
FLAGS:
--only_for_testing-disable-attestation-verification
Do not require the CAS to be attested. With this option set, NO verification of the used CAS will be
performed at all. This is obviously not secure!
-h, --help
Prints help information
--use-env
Use the environment variables for variable substitution
-V, --version
Prints version information
OPTIONS:
-c, --cas <cas>
CAS to use (optional)
--identity <identity>
External identity file to use (optional). If omitted, the automatically generated CLI identity will be used.
An identity file must contain a PEM-encoded PKCS#8 private key followed by a X.509v3 certificate
-n, --name <name>
Name of the session. Will replace the name stored in the file
-e <VAR=VALUE>...
Add or overwrite existing variables in the template
ARGS:
<file>
Path to the file containing the session description
scone session read
scone session read 0.2.0
Load an active session from CAS and print it to stdout
USAGE:
scone session read [FLAGS] [OPTIONS] <name>
FLAGS:
--only_for_testing-disable-attestation-verification
Do not require the CAS to be attested. With this option set, NO verification of the used CAS will be
performed at all. This is obviously not secure!
-h, --help
Prints help information
-V, --version
Prints version information
OPTIONS:
-c, --cas <cas>
CAS to use (optional)
--identity <identity>
External identity file to use (optional). If omitted, the automatically generated CLI identity will be used.
An identity file must contain a PEM-encoded PKCS#8 private key followed by a X.509v3 certificate
ARGS:
<name>
The name of the session to get from CAS and print
scone las
scone las 0.2.0
Interact with the local attestation service (LAS)
USAGE:
scone las <SUBCOMMAND>
FLAGS:
-h, --help
Prints help information
-V, --version
Prints version information
SUBCOMMANDS:
help Prints this message or the help of the given subcommand(s)
scone-epid-trust-anchor Retrieve the EPID trust anchor of the SCONE QE (and verify it). Prints public key and
enclave measurement of the SCONE QE
scone las scone-epid-trust-anchor
scone las scone-epid-trust-anchor 0.2.0
Retrieve the EPID trust anchor of the SCONE QE (and verify it). Prints public key and enclave measurement of the SCONE
QE.
The information can only be verified, and thus trusted in a production environment, if IAS credentials (sp_id and
sp_key) are provided.
USAGE:
scone las scone-epid-trust-anchor [FLAGS] [OPTIONS]
FLAGS:
-C, --accept-configuration-needed
Accept CONFIGURATION NEEDED verification response (hyperthreading enabled, less secure)
--only_for_testing-debug
Allow LAS to run in debug mode, in which it CAN BE MANIPULATED AND SHOULDN'T BE TRUSTED (only for testing
purposes!)
-G, --accept-group-out-of-date
Accept GROUP OUT OF DATE verification response (TCB out-of-date, dangerous!)
-S, --accept-sw-hardening-needed
Accept SW HARDENING NEEDED verification response (less safe compilation options)
--dev-env
Whether the service provider ID is registered in the IAS debug environment
-h, --help
Prints help information
-l
The service provider ID's quote linkability setting
-V, --version
Prints version information
OPTIONS:
--las <las>
LAS to connect to. Default port will be added if no port is specified [default: localhost]
--sp-id <sp-id>
The service provider ID used to verify the EPID quote with Intel IAS [default:
00000000000000000000000000000000]
--sp-key <sp-key>
The service provider KEY used to authenticate to Intel IAS
scone cert
scone cert 0.2.0
Perform operations on X.509 certificates
USAGE:
scone cert <SUBCOMMAND>
FLAGS:
-h, --help
Prints help information
-V, --version
Prints version information
SUBCOMMANDS:
help Prints this message or the help of the given subcommand(s)
show-key-hash Print the hash of the certificate's public key
scone cert show-key-hash
scone cert show-key-hash 0.2.0
Print the hash of the certificate's public key
USAGE:
scone cert show-key-hash <file>
FLAGS:
-h, --help
Prints help information
-V, --version
Prints version information
ARGS:
<file>
Path to the file containing the PEM-encoded X.509 certificate
scone binary-fs
scone binary-fs 0.2.0
Collect directories and files to generate a binary fs source code file
USAGE:
scone binary-fs [FLAGS] [OPTIONS] <root> <output>
FLAGS:
-h, --help
Prints help information
-V, --version
Prints version information
-v, --verbose
OPTIONS:
-i, --include <include>...
ARGS:
<root>
<output>
scone help-markdown
scone help-markdown 0.2.0
Generate markdown help pages on stdout
USAGE:
scone help-markdown
FLAGS:
-h, --help
Prints help information
-V, --version
Prints version information