Skip to content

LAS for Development

We explain how to start a Local Attestation Service (LAS) instance for development. LAS is need to perform a local attestation (i.e., this creates a quote that can be verified by CAS). Note that this LAS runs inside a debug enclave, i.e., do not use this LAS instance in production. For setting up a production mode LAS, send us an email.

For running LAS in a Kubernetes Cluster, please set up LAS with helm.

Pulling LAS Image

To start LAS, you first pull LAS to your local registry. To do so, please set the environment variable LAS to the image repository that we given you access to. The standard LAS image name is defined as follows:

export LAS=registry.scontain.com:5050/sconecuratedimages/services:las

Pull the image from Docker hub like this:

docker pull $LAS

If this fails, ensure that you are logged into docker (via docker login) and that we granted you access to that image.

Determining the SGX device

Depending on the platform, the SGX device is named /dev/isgx or /dev/sgx or /dev/sgx_enclave. To write generic software, you could use the bash function determine_sgx_device. It sets environment variable SGXDEVICE to the device that needs to be mounted.

Starting and Stopping LAS

The easiest way to start LAS is to use a simple Docker compose file. Please create a separate directory for that:

mkdir -p LAS
cd LAS

Create the following compose file:

determine_sgx_device
cat > docker-compose.yml <<EOF
version: '3.2'
services:
    las:
        image: registry.scontain.com:5050/sconecuratedimages/services:las
        devices:
          - "$SGXDEVICE:$SGXDEVICE"
        ports:
          - target: 18766
            published: 18766
            protocol: tcp
            mode: host
EOF

Now start LAS in the background as follows:

docker-compose up -d las

By executing

docker-compose logs las

you will see the output of LAS.

You can check if LAS is still running by executing:

docker-compose up -d las

This will result in an output like

las_las_1 is up-to-date

You can stop LAS by executing:

docker-compose stop

Troubleshooting

You might need to run the LAS container --privileged in case the user executing LAS is not member of group sgx_prv. Alternatively, you might need to pass device /dev/sgx_provision into the container.