LAS for Development
We explain how to start a Local Attestation Service (LAS) instance for development. LAS is needed to perform a local attestation (i.e., it creates a quote that can be verified by CAS). Note that this LAS runs inside a debug enclave, so do not use this LAS instance in production. For setting up a production mode LAS, send us an email.
For running LAS in a Kubernetes Cluster, please set up LAS with helm.
Pulling LAS Image
To start LAS, you first pull the LAS image to your local registry. To do so, please set the environment variable LAS to the image repository that we have given you access to. The standard LAS image name is defined as follows:
export LAS=registry.scontain.com:5050/sconecuratedimages/services:las
Pull the image from Docker hub like this:
docker pull $LAS
If this fails, ensure that you are logged into docker (via docker login) and that we granted you access to that image.
Determining the SGX device
Depending on the platform, the SGX device is named /dev/isgx or /dev/sgx or /dev/sgx_enclave. To write generic software, you could use the bash function determine_sgx_device. It sets environment variable SGXDEVICE to the device that needs to be mounted.
Starting and Stopping LAS
The easiest way to start LAS is to use a simple Docker compose file. Please create a separate directory for that:
mkdir -p LAS
cd LAS
Create the following compose file:
determine_sgx_device
cat > docker-compose.yml <<EOF
version: '3.2'
services:
    las:
        image: registry.scontain.com:5050/sconecuratedimages/services:las
        devices:
          - "$SGXDEVICE:$SGXDEVICE"
        ports:
          - target: 18766
            published: 18766
            protocol: tcp
            mode: host
EOF
Now start LAS in the background as follows:
docker-compose up -d las
By executing
docker-compose logs las
you will see the output of LAS.
You can check if LAS is still running by executing:
docker-compose up -d las
This will result in an output like
las_las_1 is up-to-date
You can stop LAS by executing:
docker-compose stop
Troubleshooting
You might need to run the LAS container --privileged in case the user executing LAS is not a member of group sgx_prv. Alternatively, you might need to pass device /dev/sgx_provision into the container.
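
The device selection from "Determining the SGX device" and the group and provisioning-device checks from this section can be run as one preflight step before the compose file is written. The following is an added example, not SCONE's own determine_sgx_device: it is a stand-in with the same name that fails when no device exists, so the compose file never ends up with an empty device mapping. The probe order, the sgx_preflight function, and the SGX_DEV_ROOT prefix (used only to test against a fake /dev tree) are assumptions.

```shell
# Added example: stand-in for determine_sgx_device plus a preflight check.
# Not SCONE's implementation. SGX_DEV_ROOT is a hypothetical prefix that is
# empty in normal use and points at a fake /dev tree in tests.

determine_sgx_device() {
    unset SGXDEVICE
    # Device names are the three listed on this page; the order is an assumption.
    for candidate in /dev/sgx_enclave /dev/sgx /dev/isgx; do
        if [ -e "${SGX_DEV_ROOT:-}$candidate" ]; then
            SGXDEVICE="$candidate"
            export SGXDEVICE
            return 0
        fi
    done
    echo "no SGX device found (tried /dev/sgx_enclave, /dev/sgx, /dev/isgx)" >&2
    return 1
}

sgx_preflight() {
    # 1 = no device: do not generate docker-compose.yml in this case.
    determine_sgx_device || return 1

    dev="${SGX_DEV_ROOT:-}$SGXDEVICE"
    # 2 = device present but the current user cannot open it read/write.
    if [ ! -r "$dev" ] || [ ! -w "$dev" ]; then
        echo "$SGXDEVICE exists but is not readable and writable for $(id -un)" >&2
        return 2
    fi

    # Troubleshooting hint: a provisioning device exists, but the user
    # is not in group sgx_prv.
    if [ -e "${SGX_DEV_ROOT:-}/dev/sgx_provision" ] &&
       ! id -nG | tr ' ' '\n' | grep -qx sgx_prv; then
        echo "note: not in group sgx_prv; pass /dev/sgx_provision into the container or use --privileged" >&2
    fi
    return 0
}
```

Calling sgx_preflight || exit 1 in place of the bare determine_sgx_device line keeps the heredoc from running when SGXDEVICE would be empty.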