LAS for Development and Production
We explain how to start a Local Attestation Service (LAS) instance for development or production if you do not use Kubernetes.
LAS performs the local attestation, i.e., this creates a quote that CAS can verify.
To deploy LAS in a Kubernetes Cluster, please use the SCONE Operator.
Pulling LAS Image
To start LAS, you first pull LAS to your local registry. To do so, please set the environment variable LAS to the image repository to which we have given you access. The standard LAS image name is defined as follows:
export LAS=registry.scontain.com/scone.cloud/las
Pull the image from the Scontain registry like this:
docker pull $LAS
If this fails, ensure that you are logged into docker (via docker login) and that we
granted you access to that image.
Determining the SGX device
Depending on the platform, the SGX device is named /dev/sgx_enclave, /dev/sgx/sgx_enclave (legacy), /dev/isgx (legacy) or /dev/sgx (legacy). To write generic
software, you could use the bash function determine_sgx_device. It sets the environment variable SGXDEVICE to the device that needs to be mounted.
Starting and Stopping LAS
The easiest way to start LAS is to use a simple Docker compose file. Please create a separate directory for that:
mkdir -p LAS
cd LAS
Create the following compose file:
determine_sgx_device
cat > docker-compose.yml <<EOF
version: '3.2'
services:
las:
image: $LAS
devices:
- "$SGXDEVICE:$SGXDEVICE"
restart: on-failure
ports:
- target: 18766
published: 18766
protocol: tcp
mode: host
EOF
Now start LAS in the background as follows:
docker-compose up -d las
By executing
docker-compose logs las
You will see the output of LAS.
You can check if LAS is still running by executing the following:
docker-compose up -d las
This will result in an output like
las_las_1 is up-to-date
You can stop LAS by executing the following:
docker-compose stop
Troubleshooting
You might need to run the LAS container --privileged if the user executing LAS is not a member of group sgx_prv.