A CAS instance can be shared by multiple users. Since policy names must be unique per CAS instance, conflicts can occur when creating sessions: another user might already have created a session with that name. The standard way to address such name collisions is to introduce namespaces.
We are working on extending CAS to provide namespaces, i.e., a scope for session names. Whoever has created a namespace controls which session names can be created in this namespace.
Until the support is in place, we suggest a simple cooperative approach for namespaces. The prefix of a name until the first ~ is the namespace. We create a namespace $NS by creating a session with name
We use the creation of namespaces to introduce some basic concepts: We show how to attest CAS and how to create a session with the help of the SCONE CLI.
To attest CAS, we need to know the expected MRENCLAVE of the CAS. One way to determine it is to download the CAS image and determine MRENCLAVE (by setting SCONE_HASH=1). However, one might not always have access to the image, and one would still have to check that the image was not modified.
Here we use an alternative way to determine the MRENCLAVE of CAS and other images. We maintain a signed list of MrEnclaves on https://sconedocs.github.io/txt/mrenclaves.txt. One can download the list, check the signature and, if the signature is ok, use the MRENCLAVE of the image we want to use.
Creating a session
We need a session description first. The session could look like this:

    name: $NS
    access_policy:
      read:
        - CREATOR
      update:
        - CREATOR

We can upload this session with the command:

    scone session create policy.yml

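Because the ~ convention is cooperative and nothing enforces it until CAS supports namespaces, a client-side check before upload helps avoid creating a session in someone else's namespace. The shell functions below are an added example, not part of the SCONE CLI or of the create_namespace repository; the function names and the treatment of a name without ~ as the namespace's own session are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for the cooperative "~" namespace convention.

# Print the namespace of a session name: the prefix up to the first "~".
# Assumption: a name without "~" is the namespace's own session.
session_namespace() {
    printf '%s\n' "$1" | cut -d'~' -f1
}

# Read the top-level "name:" value from a session file (hypothetical helper;
# handles only the single-line form shown on this page, quoted or unquoted).
policy_session_name() {
    sed -n 's/^name:[[:space:]]*//p' "$1" | head -n 1 \
        | tr -d "\"'" | sed 's/[[:space:]]*$//'
}

# Succeed only if session name $1 lies inside namespace $2.
# Rejects empty values and names such as "MyNamespaceX~app" that merely
# share a string prefix with the namespace.
name_in_namespace() {
    name=$1 ns=$2
    [ -n "$name" ] && [ -n "$ns" ] || return 1
    case $ns in *"~"*) return 1 ;; esac   # a namespace cannot contain "~"
    [ "$(session_namespace "$name")" = "$ns" ]
}

# Refuse to continue if the session in file $1 is outside namespace $2.
check_policy() {
    file=$1 ns=$2
    name=$(policy_session_name "$file")
    if name_in_namespace "$name" "$ns"; then
        echo "ok: '$name' is in namespace '$ns'"
    else
        echo "refusing: '$name' is not in namespace '$ns'" >&2
        return 1
    fi
}

# Usage: check_policy policy.yml "$NS" && scone session create policy.yml
```

The check runs on the final session file, after any variable such as $NS has been substituted into it.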
Setting up the container to create a namespace

    export CLI_IMAGE="sconecuratedimages/sconecli"
    determine_sgx_device # see https://sconedocs.github.io/sgxinstall/
    docker run $SGXDEVICE -it --rm $CLI_IMAGE bash
    apk add --no-cache git openssl gnupg curl # add some missing packages

In the CLI image, we first clone

    git clone https://github.com/scontain/create_namespace.git
    export SCONE_CAS_ADDR="4-2-1.scone-cas.cf"
    export NS="MyNamespace"
    cd create_namespace
    ./create_namespace --debug --namespace=$NS --cas=$SCONE_CAS_ADDR