For a more detailed description, please visit https://sconedocs.github.io/print-arg-env/.
The name of the SGX device has changed over time. These days, the SGX driver is part of the Linux kernel. The device is ...
source determine_sgx_device.shRun the cross-compiler in a docker container:
docker run $MOUNT_SGXDEVICE --platform linux/amd64 --network=host -it -v `pwd`:/work registry.scontain.com/sconecuratedimages/crosscompilers bashThe next steps are executed inside the container.
We assume that we do not have access to an SGX device and hence, we run in simulation mode.
Sessions can include environment variables like $SESSION in the following policy:
name: $SESSION
version: 0.3.10
# Disable attestation in case we do not have
# access to SGX or a LAS, see
# https://sconedocs.github.io/CAS_session_lang_0_3/#disabling-attestation
attestation:
mode: node
services:
- name: scone-print-arg-env
command: ./scone-print-arg-env arg1 arg2 arg3
environment:
SCONE_MODE: auto
env1: running
env2: in
env3: enclave
pwd: /The SCONE CLI can replace these environment variables with values that are passed as arguments to the SCONE CLI or that are defined in the environment of the SCONE CLI:
export SESSION=secure-arguments-example-sim-mode-$RANDOM-$RANDOM
export SCONE_CAS_ADDR=scone-cas.cf
scone cas attest $SCONE_CAS_ADDR --only_for_testing-debug --only_for_testing-ignore-signer --only_for_testing-trust-any --accept-configuration-needed --accept-sw-hardening-needed --accept-group-out-of-dateWe can create a new policy with the command scone session create. The available flags for creating a policy can be printed via flag --help:
scone session create --helpWe can set the name of the policy in three different ways:
--name $POLICY_NAMEoverwrites the policy name with the value of the environment variablePOLICY_NAME-e SESSION=$SESSION_NAMEoverwrites the policy name with the value of the environment variableSESSION_NAME--use-envuses the value of the environment variableSESSIONto set the policy name.
Note that if none of the above options is used, the session creation will fail with the error:
Caused by: Parsing session from session template file 'session.yaml' failed
Caused by: name: Value for variable $SESSION is missing at line 3 column 7
This will also be the case if we replace the policy name with flag --name since the environment variables are first replaced before the CLI overwrites the policy name with option --name.
When defining both --use-env and -e SESSION=$SESSION_NAME, option -e has priority over the environment variables imported via --use-env.
Execute:
scone session create session.yamlWe can now execute the program as follows:
SCONE_CONFIG_ID=$SESSION/scone-print-arg-env ./scone-print-arg-envWe create now a new namespace:
export SCONE_CAS_ADDR=scone-cas.cf
export NAMESPACE="otp-example-$RANDOM-$RANDOM-$RANDOM-$RANDOM"
export NAMESPACE_PREDECESSOR="~"
export NAMESPACE_PREDECESSOR=$(scone session create --use-env namespace.yaml)
echo NAMESPACE=$NAMESPACE
echo The SESSION HASH of $NAMESPACE is $NAMESPACE_PREDECESSOR
scone session read $NAMESPACEWe create now a new OTP secret:
export OTP_POLICY_PREDECESSOR="~"
# create policy $NAMESPACE/otp_policy
export OTP_POLICY_PREDECESSOR=$(scone session create --use-env otp_policy.yaml)
echo The SESSION HASH of $NAMESPACE/otp_policy is $OTP_POLICY_PREDECESSOR
scone session read $NAMESPACE/otp_policy
unset SCONE_SERVICE_ACCESS_TOKEN
SCONE_CONFIG_ID=$NAMESPACE/otp_policy/print-otp-secret ./scone-print-arg-envexport ACCESS_TOKEN_POLICY_PREDECESSOR="~"
export ACCESS_TOKEN_POLICY_PREDECESSOR=$(scone session create --use-env access_token_policy.yaml)
echo The SESSION HASH of $NAMESPACE/access_token_policy is $ACCESS_TOKEN_POLICY_PREDECESSOR
scone session read $NAMESPACE/access_token_policy
export OTP=12345
SCONE_CONFIG_ID=$NAMESPACE/access_token_policy/print_access_token@${OTP} ./print-access-token
export OTP= # provide current OTP
export SCONE_SERVICE_ACCESS_TOKEN=$(SCONE_CONFIG_ID=$NAMESPACE/access_token_policy/print_access_token@${OTP} ./print-access-token)
echo $SCONE_SERVICE_ACCESS_TOKENWe create now a new namespace:
export NESTED_NAMESPACE_PREDECESSOR="~"
export NESTED_NAMESPACE_PREDECESSOR=$(scone session create --use-env nested_namespace.yaml)
echo The SESSION HASH of $NAMESPACE/nested-namespace is $NESTED_NAMESPACE_PREDECESSOR
scone session read $NAMESPACE/nested-namespaceexport NESTED_ACCESS_TOKEN_POLICY_PREDECESSOR="~"
export NESTED_ACCESS_TOKEN_POLICY_PREDECESSOR=$(scone session create --use-env nested_access_token_policy.yaml)
echo The SESSION HASH of $NAMESPACE/nested-namespace/access_token_policy is $NESTED_ACCESS_TOKEN_POLICY_PREDECESSOR
scone session read $NAMESPACE/nested-namespace/access_token_policy
export OTP= # provide current OTP
SCONE_CONFIG_ID=$NAMESPACE/nested-namespace/access_token_policy/print_access_token@${OTP} ./print-access-tokenexport ACCESS_POLICY_PREDECESSOR="~"
export ACCESS_POLICY_PREDECESSOR=$(scone session create --use-env access_policy.yaml)
echo The SESSION HASH of $NAMESPACE/access_policy is $ACCESS_POLICY_PREDECESSOR
scone session read $NAMESPACE/access_policyexport HOST_ARGUMENTS_POLICY_PREDECESSOR="~"
export HOST_ARGUMENTS_POLICY_PREDECESSOR=$(scone session create --use-env host_arguments_policy.yaml)
echo The SESSION HASH of $NAMESPACE/host_arguments_policy is $HOST_ARGUMENTS_POLICY_PREDECESSOR
scone session read $NAMESPACE/host_arguments_policy
export OTP=
SCONE_CONFIG_ID=$NAMESPACE/host_arguments_policy/scone-print-arg-env@$OTP ./scone-print-arg-env first last 1234567