
LAS for Development and Production

We explain how to start a Local Attestation Service (LAS) instance for development or production if you do not use Kubernetes.

LAS performs the local attestation, i.e., it creates a quote that CAS can verify.

To deploy LAS in a Kubernetes Cluster, please use the SCONE Operator.

Pulling LAS Image

To start LAS, you first pull LAS to your local registry. To do so, please set the environment variable LAS to the image repository to which we have given you access. The standard LAS image name is defined as follows:

export LAS=registry.scontain.com/scone.cloud/las

Pull the image from the Scontain registry like this:

docker pull $LAS

If this fails, ensure that you are logged in to Docker (via docker login) and that we granted you access to that image.

Determining the SGX device

Depending on the platform, the SGX device is named /dev/sgx_enclave, /dev/sgx/sgx_enclave (legacy), /dev/isgx (legacy) or /dev/sgx (legacy). To write generic software, you could use the bash function determine_sgx_device. It sets the environment variable SGXDEVICE to the device that needs to be mounted.
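
The lookup described above can be written as follows. This is an added example, not SCONE's own determine_sgx_device; the names find_sgx_device and sgx_device_mapping and the optional ROOT prefix (used to exercise the lookup on a machine without SGX) are assumptions made for illustration.

```shell
# Added example: not the implementation of SCONE's determine_sgx_device.
# Candidate device paths in the order the page lists them (current name first,
# then the legacy names).
SGX_CANDIDATES="/dev/sgx_enclave /dev/sgx/sgx_enclave /dev/isgx /dev/sgx"

# find_sgx_device [ROOT]
# Sets and exports SGXDEVICE to the first candidate that exists.
# ROOT is a hypothetical prefix (default: empty) for testing against a fake
# /dev tree. Returns 1 and leaves SGXDEVICE unset if no device is found, so a
# caller never writes an empty "$SGXDEVICE:$SGXDEVICE" mapping.
find_sgx_device() {
    _root="${1:-}"
    unset SGXDEVICE
    for _dev in $SGX_CANDIDATES; do
        # A real SGX device node is a character device. /dev/sgx may also be
        # a directory (holding sgx_enclave), which must not match here.
        # Under a test ROOT, plain files stand in for device nodes.
        if [ -c "$_root$_dev" ] || { [ -n "$_root" ] && [ -f "$_root$_dev" ]; }; then
            SGXDEVICE="$_dev"
            export SGXDEVICE
            return 0
        fi
    done
    echo "no SGX device found (checked: $SGX_CANDIDATES)" >&2
    return 1
}

# sgx_device_mapping [ROOT]
# Prints the host:container mapping for the "devices" entry of a compose
# file, or fails without output if no device exists.
sgx_device_mapping() {
    find_sgx_device "${1:-}" || return 1
    printf '%s:%s\n' "$SGXDEVICE" "$SGXDEVICE"
}
```

Calling find_sgx_device and checking its exit status before generating a compose file avoids a device entry that expands to ":" on hosts without an SGX driver.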

Starting and Stopping LAS

The easiest way to start LAS is to use a simple Docker compose file. Please create a separate directory for that:

mkdir -p LAS
cd LAS

Create the following compose file:

determine_sgx_device
cat > docker-compose.yml <<EOF
version: '3.2'
services:
    las:
        image: $LAS
        devices:
          - "$SGXDEVICE:$SGXDEVICE"
        restart: on-failure
        ports:
          - target: 18766
            published: 18766
            protocol: tcp
            mode: host
EOF

Now start LAS in the background as follows:

docker-compose up -d las

To see the output of LAS, execute:

docker-compose logs las

You can check if LAS is still running by executing the following:

docker-compose up -d las

This will result in an output like

las_las_1 is up-to-date

You can stop LAS by executing the following:

docker-compose stop

Troubleshooting

You might need to run the LAS container with the --privileged flag if the user executing LAS is not a member of the group sgx_prv.