MSE Home CLI is designed to start an MSE application on your own SGX hardware without using all the MSE cloud infrastructure.
The subcommands and how they are chained to deploy your own application are explained below.
Two actors are required:
- The code provider (who can also consume the result of the MSE application)
- The SGX operator (who also owns the data to run against the MSE application)
$ pip install -r requirements.txt
$ pip install -U .
The test suite needs a PCCS endpoint and an enclave signer key:
$ export TEST_PCCS_URL="https://pccs.staging.mse.cosmian.com"
$ export TEST_SIGNER_KEY="/opt/cosmian-internal/cosmian-signer-key.pem"
$ pytest
To list the available subcommands:
$ msehome -h
Note: if you set the environment variable MSE_BACKTRACE to the value full, a Python stack trace is printed when an error occurs.
The workflow is described below step by step, with the actor performing each step indicated.
User: the code provider
$ msehome scaffold example
User: the code provider
$ msehome test-dev --project example/
User: the code provider
$ msehome package --project example/ \
--output workspace/code_provider
The generated package can now be sent to the SGX operator.
User: the SGX operator
$ msehome spawn --host myapp.fr \
--port 7777 \
--size 4096 \
--package workspace/code_provider/package_mse_src_1683276327723953661.tar \
--output workspace/sgx_operator/ \
app_name
At this point the evidence has been collected automatically from the enclave and the microservice is up.
This evidence is what allows the code provider to verify the trustworthiness of the running application.
The file workspace/sgx_operator/evidence.json can now be shared with the other participants.
User: the code provider
Trustworthiness is established from several pieces of information taken together:
- the full code package (tarball)
- the arguments used to spawn the microservice
- the evidence captured from the running microservice
Verify the enclave information against the package and the evidence file produced by spawn:
$ msehome verify --package workspace/code_provider/package_mse_src_1683276327723953661.tar \
--evidence workspace/sgx_operator/evidence.json \
--output /tmp
If the verification succeeds, you get the RA-TLS certificate (written to a file named ratls.pem) and you can now seal the code key to share it with the SGX operator. If it fails, do not seal anything: the secrets must only ever be sealed to a certificate that verification has tied to the expected code.
User: the code provider
$ msehome seal --secrets example/secrets_to_seal.json --cert /tmp/ratls.pem --output workspace/code_provider/
User: the SGX operator
$ msehome run --sealed-secrets workspace/code_provider/secrets_to_seal.json.sealed \
app_name
User: the SGX operator
$ msehome test --test workspace/sgx_operator/tests/ \
--config workspace/sgx_operator/mse.toml \
app_name
User: the code provider
Assume the SGX operator fetches the result as follows, on the port passed to spawn and with the RA-TLS certificate as the only trusted CA: curl https://localhost:7777/result --cacert /tmp/ratls.pem > result.enc
Then the code provider can decrypt the result as follows:
$ msehome decrypt --key key.txt \
--output workspace/code_provider/result.plain \
result.enc
$ cat workspace/code_provider/result.plain
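The steps above, chained into one script so the two actors' commands run in order and each actor's step refuses to proceed when the artifact it needs from the other side is missing. This is an added example, not part of the MSE Home project: the directory names, HOST/PORT, APP_NAME and the verify output directory (workspace/code_provider/verify instead of /tmp) are assumptions taken from the walkthrough, and both actors run on the same machine here purely for illustration; in practice they run on separate hosts and exchange only the package tarball, evidence.json, ratls.pem and the sealed secrets. Because msehome package names the tarball with a timestamp, the script locates the newest package instead of hard-coding its name.

```shell
#!/bin/sh
# Added example (not MSE Home project code): chain the msehome subcommands.
# Assumed layout: workspace/code_provider for the code provider,
# workspace/sgx_operator for the SGX operator, app name "app_name".
set -eu

PROJECT_DIR="${PROJECT_DIR:-example}"
CP_DIR="${CP_DIR:-workspace/code_provider}"   # code provider's working dir
OP_DIR="${OP_DIR:-workspace/sgx_operator}"    # SGX operator's working dir
APP_NAME="${APP_NAME:-app_name}"
HOST="${HOST:-myapp.fr}"
PORT="${PORT:-7777}"
ENCLAVE_SIZE="${ENCLAVE_SIZE:-4096}"

# "msehome package" writes package_mse_src_<timestamp>.tar, so a script cannot
# hard-code the name: return the tarball with the largest numeric suffix.
latest_package() {
    dir="$1"; best=""; best_ts=-1
    for f in "$dir"/package_mse_src_*.tar; do
        [ -e "$f" ] || continue
        ts="${f##*_}"; ts="${ts%.tar}"
        case "$ts" in *[!0-9]*) continue ;; esac   # skip non-numeric suffixes
        if [ "$ts" -gt "$best_ts" ]; then best_ts="$ts"; best="$f"; fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# Stop the flow when an artifact the next actor depends on is missing or empty.
require_file() {
    [ -s "$1" ] || { echo "missing or empty artifact: $1 ($2)" >&2; return 1; }
}

code_provider_build() {
    [ -d "$PROJECT_DIR" ] || msehome scaffold "$PROJECT_DIR"
    msehome test-dev --project "$PROJECT_DIR/"
    mkdir -p "$CP_DIR"
    msehome package --project "$PROJECT_DIR/" --output "$CP_DIR"
}

sgx_operator_spawn() {   # $1 = package tarball received from the code provider
    mkdir -p "$OP_DIR"
    msehome spawn --host "$HOST" --port "$PORT" --size "$ENCLAVE_SIZE" \
        --package "$1" --output "$OP_DIR/" "$APP_NAME"
    require_file "$OP_DIR/evidence.json" "spawn should have collected the evidence"
}

code_provider_verify_and_seal() {   # $1 = package, $2 = evidence.json from the operator
    out="$CP_DIR/verify"
    mkdir -p "$out"
    # verify ties the tarball and the evidence together; ratls.pem only exists
    # on success, so the seal step cannot run against an unverified enclave.
    msehome verify --package "$1" --evidence "$2" --output "$out"
    require_file "$out/ratls.pem" "verify should have written the RA-TLS certificate"
    msehome seal --secrets "$PROJECT_DIR/secrets_to_seal.json" \
        --cert "$out/ratls.pem" --output "$CP_DIR/"
    require_file "$CP_DIR/secrets_to_seal.json.sealed" "seal should have written the sealed secrets"
}

sgx_operator_run_and_test() {   # $1 = sealed secrets received from the code provider
    msehome run --sealed-secrets "$1" "$APP_NAME"
    msehome test --test "$OP_DIR/tests/" --config "$OP_DIR/mse.toml" "$APP_NAME"
}

run_flow() {
    code_provider_build
    pkg="$(latest_package "$CP_DIR")"
    sgx_operator_spawn "$pkg"
    code_provider_verify_and_seal "$pkg" "$OP_DIR/evidence.json"
    sgx_operator_run_and_test "$CP_DIR/secrets_to_seal.json.sealed"
    echo "$APP_NAME is up on $HOST:$PORT; fetch results with --cacert $CP_DIR/verify/ratls.pem"
}

# The flow only runs when explicitly asked for, so the file can also be
# sourced for its helpers: sh deploy_flow.sh run
if [ "${1:-}" = "run" ]; then run_flow; fi
```

Run it with `sh deploy_flow.sh run` on a machine where msehome and the SGX hardware are available; each `require_file` check makes a failed step stop the chain before any secret is sealed or shared.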
User: the SGX operator
You can stop (and optionally remove) the Docker container as follows:
$ msehome stop [--remove] <app_name>
You can restart a container that was stopped but not removed as follows:
$ msehome restart <app_name>
You can get the logs of the MSE container as follows:
$ msehome logs <app_name>
You can get the status of the MSE container as follows:
$ msehome status <app_name>
You can list the running MSE containers as follows:
$ msehome list