AB#530 cli doc

Author: thomasten

cmd/ego/main.go

@@ -43,6 +43,14 @@ func main() {
 		}
 		// also print usage
 		fmt.Println()
+	case "run":
+		if len(args) > 0 {
+			os.Exit(cli.Run(args[0], args[1:]))
+		}
+	case "marblerun":
+		if len(args) == 1 {
+			os.Exit(cli.Marblerun(args[0]))
+		}
 	case "signerid":
 		if len(args) == 1 {
 			id, err := cli.Signerid(args[0])
@@ -61,14 +69,6 @@ func main() {
 			fmt.Println(id)
 			return
 		}
-	case "run":
-		if len(args) > 0 {
-			os.Exit(cli.Run(args[0], args[1:]))
-		}
-	case "marblerun":
-		if len(args) == 1 {
-			os.Exit(cli.Marblerun(args[0]))
-		}
 	case "env":
 		if len(args) > 0 {
 			os.Exit(cli.Env(args[0], args[1:]))
@@ -89,21 +89,20 @@ func help(cmd string) {
 
 	switch cmd {
 	case "sign":
-		s = `sign [executable|json]
+		s = `sign [executable | config.json]
 
 Sign an executable built with ego-go. Executables must be signed before they can be run in an enclave.
-There are 3 different ways of signing an executable:
 
-1. ego sign
-Searches in the current directory for enclave.json and signs the therein provided executable.
+This command can be used in different modes:
 
-2. ego sign <executable>
-Searches in the current directory for enclave.json.
-If no such file is found, create one with default parameters for the executable.
-Use enclave.json to sign the executable.
+ego sign <executable>
+  Generates a new key "private.pem" and a default configuration "enclave.json" in the current directory and signs the executable.
 
-3. ego sign <json>
-Reads json and signs the therein provided executable.`
+ego sign
+  Searches in the current directory for "enclave.json" and signs the therein provided executable.
+
+ego sign <config.json>
+  Signs an executable according to a given configuration.`
 
 	case "run":
 		s = `run <executable> [args...]
@@ -117,46 +116,46 @@ Set OE_SIMULATION=1 to run in simulation mode.`
 	case "marblerun":
 		s = `marblerun <executable>
 
-Run a signed executable as a Marblerun marble.
+Run a signed executable as a Marblerun Marble.
 Requires a running Marblerun Coordinator instance.
-Environment variables are only readable from within the enclave if they start with "EDG_".
-Environment variables will be extended/overwritten with the ones specified in the manifest.
+Environment variables are only readable from within the enclave if they start with "EDG_" and
+will be extended/overwritten with the ones specified in the manifest.
+
 Requires the following configuration environment variables:
-		- EDG_MARBLE_COORDINATOR_ADDR: The Coordinator address
-		- EDG_MARBLE_TYPE: The type of this marble (as specified in the manifest)
-		- EDG_MARBLE_DNS_NAMES: The alternative DNS names for this marble's TLS certificate
-		- EDG_MARBLE_UUID_FILE: The location where this marble will store its UUID
+  EDG_MARBLE_COORDINATOR_ADDR   The Coordinator address
+  EDG_MARBLE_TYPE               The type of this Marble (as specified in the manifest)
+  EDG_MARBLE_DNS_NAMES          The alternative DNS names for this Marble's TLS certificate
+  EDG_MARBLE_UUID_FILE          The location where this Marble will store its UUID
 
 Set OE_SIMULATION=1 to run in simulation mode.`
 
 	case "env":
 		s = `env ...
 
-Run a command within the ego environment. For example, run
+Run a command within the EGo environment. For example, run
 ` + me + ` env make
 to build a Go project that uses a Makefile.`
-	case "signerid":
-		s = `signerid <executable|keyfile>
 
-Print the signerID either from the executable or by reading the keyfile.
+	case "signerid":
+		s = `signerid <executable | key.pem>
 
-The keyfile needs to have the extension ".pem"`
+Print the SignerID either from a signed executable or by reading a keyfile.`
 
 	case "uniqueid":
-		s = `signerid <executable>
+		s = `uniqueid <executable>
 
-Print the uniqueID from the executable.`
+Print the UniqueID of a signed executable.`
 
 	default:
 		s = `<command> [arguments]
 
 Commands:
-  sign       Sign an executable built with ego-go.
-  run        Run a signed executable.
-  env        Run a command in the ego environment.
-  marblerun    Run a signed Marblerun marble.
-  signerid   Print the signerID of an executable.
-  uniqueid   Print the uniqueID of an executable.
+  sign        Sign an executable built with ego-go.
+  run         Run a signed executable in standalone mode.
+  marblerun   Run a signed executable as a Marblerun Marble.
+  signerid    Print the SignerID of a signed executable.
+  uniqueid    Print the UniqueID of a signed executable.
+  env         Run a command in the EGo environment.
 
 Use "` + me + ` help <command>" for more information about a command.`
 	}

doc/ego_cli.md

@@ -0,0 +1,127 @@
+# ego command reference
+`ego` is a tool for managing EGo enclaves.
+
+Usage:
+```
+ego <command> [arguments]
+```
+
+Commands:
+```
+sign        Sign an executable built with ego-go.
+run         Run a signed executable in standalone mode.
+marblerun   Run a signed executable as a Marblerun Marble.
+signerid    Print the SignerID of a signed executable.
+uniqueid    Print the UniqueID of a signed executable.
+env         Run a command in the EGo environment.
+```
+
+## sign
+Usage:
+```
+ego sign [executable | config.json]
+```
+Sign an executable built with ego-go. Executables must be signed before they can be run in an enclave.
+
+This command can be used in different modes:
+* `ego sign <executable>`\
+  Generates a new key `private.pem` and a default configuration `enclave.json` in the current directory and signs the executable.
+
+* `ego sign`\
+  Searches in the current directory for `enclave.json` and signs the therein provided executable.
+
+* `ego sign <config.json>`\
+  Signs an executable according to a given configuration.
+
+See [this section](#enclave-configuration-file) for more information on the configuration file.
+
+## run
+Usage:
+```
+ego run <executable> [args...]
+```
+Run a signed executable in an enclave. You can pass arbitrary arguments to the enclave.
+
+Environment variables are only readable from within the enclave if they start with "EDG_".
+
+You need an SGX-enabled machine to run an enclave. For development, you can also enable simulation mode by setting OE_SIMULATION=1, e.g.:
+```
+OE_SIMULATION=1 ego run helloworld
+```
+
+## marblerun
+Usage:
+```
+ego marblerun <executable>
+```
+Run a signed executable as a Marblerun Marble.
+Requires a running Marblerun Coordinator instance.
+
+Environment variables are only readable from within the enclave if they start with "EDG_" and will be extended/overwritten with the ones specified in the manifest.
+
+Requires the following configuration environment variables:
+* EDG_MARBLE_COORDINATOR_ADDR\
+  The Coordinator address
+* EDG_MARBLE_TYPE\
+  The type of this Marble (as specified in the manifest)
+* EDG_MARBLE_DNS_NAMES\
+  The alternative DNS names for this Marble's TLS certificate
+* EDG_MARBLE_UUID_FILE\
+  The location where this Marble will store its UUID
+
+Set OE_SIMULATION=1 to run in simulation mode.
+
+## signerid
+Usage:
+```
+ego signerid <executable | key.pem>
+```
+Print the SignerID either from a signed executable or by reading a keyfile.`
+
+## uniqueid
+Usage:
+```
+ego uniqueid <executable>
+```
+Print the UniqueID of a signed executable.
+
+## env
+Usage:
+```
+ego env ...
+```
+Run a command within the ego build environment. For example, run
+```
+ego env make
+```
+to build a Go project that uses a Makefile.
+
+## Enclave configuration file
+An enclave configuration is defined in JSON and applied when signing an executable.
+
+Here is an example configuration:
+```json
+{
+ "exe": "helloworld",
+ "key": "private.pem",
+ "debug": true,
+ "heapSize": 512,
+ "productID": 1,
+ "securityVersion": 1
+}
+```
+
+`exe` is the (relative or absolute) path to the executable that should be signed.
+
+`key` is the path to the private RSA key of the signer. When invoking `ego sign` and the key file does not exist, a key with the required parameters is automatically generated. You can also generate it yourself with:
+```
+openssl genrsa -out private.pem -3 3072
+```
+
+If `debug` is true, the enclave will be debuggable.
+
+`heapSize` specifies the heap size available to the enclave in MB. It should be at least 512 MB.
+
+A `productID` (SGX: ISVPRODID) is assigned by the developer and enables the attester to distinguish between different enclaves signed with the same key.
+
+The developer should increment the `securityVersion` (SGX: ISVSVN) whenever a security fix is made to the enclave code.

internal/cli/sign.go

@@ -24,15 +24,15 @@ type config struct {
 	Exe             string `json:"exe"`
 	Key             string `json:"key"`
 	Debug           bool   `json:"debug"`
-	Heapsize        int    `json:"heapsize"`
+	HeapSize        int    `json:"heapSize"`
 	ProductID       int    `json:"productID"`
 	SecurityVersion int    `json:"securityVersion"`
 }
 
-// Validate Exe, Key, Heapsize
+// Validate Exe, Key, HeapSize
 func (c *config) validate() error {
-	if c.Heapsize == 0 {
-		return fmt.Errorf("heapsize not set in config file")
+	if c.HeapSize == 0 {
+		return fmt.Errorf("heapSize not set in config file")
 	}
 	if c.Exe == "" {
 		return fmt.Errorf("exe not set in config file")
@@ -55,8 +55,8 @@ func (c *Cli) signWithJSON(conf *config) error {
 		cDebug = "Debug=0\n"
 	}
 
-	// calculate number of pages: Heapsize[MiB], pageSize is 4096B
-	heapPages := conf.Heapsize * 1024 * 1024 / 4096
+	// calculate number of pages: HeapSize[MiB], pageSize is 4096B
+	heapPages := conf.HeapSize * 1024 * 1024 / 4096
 	cNumHeapPages := "NumHeapPages=" + strconv.Itoa(heapPages) + "\n"
 
 	cStackPages := "NumStackPages=1024\n"
@@ -107,7 +107,7 @@ func (c *Cli) signExecutable(path string) error {
 		Exe:             path,
 		Key:             defaultPrivKeyFilename,
 		Debug:           true,
-		Heapsize:        512, //[MB]
+		HeapSize:        512, //[MB]
 		ProductID:       1,
 		SecurityVersion: 1,
 	}

samples/remote_attestation/enclave.json

@@ -2,7 +2,7 @@
     "exe": "server",
     "key": "private.pem",
     "debug": true,
-    "heapsize": 512,
+    "heapSize": 512,
     "productID": 1234,
     "securityVersion": 2
 }