gramine-ratls – RA-TLS wrapper¶
Synopsis¶
gramine-ratls [OPTIONS] <CERTFILE> <KEYFILE> [–] [COMMAND ARGS …]
Description¶
gramine-ratls generates X.509 certificate and matching private key
using RA-TLS library. It saves those as files (by default PEM encoded, but see
option -D) under paths given as first two CLI arguments. If further
arguments are passed, those are interpreted as a command that is then
executed using execvp().
This tool is intended to be the “pre-main” executable that runs inside Gramine before the actual application; therefore it must be specified as the entrypoint in the Gramine manifest file. It cannot be used by itself.
This tool is intended to launch standalone TLS (HTTPS) servers which require cert and key passed as files. For a real-world example of its usage with an Nginx web server, see https://github.com/gramineproject/gramine/tree/master/CI-Examples/ra-tls-nginx.
Options¶
-
-D¶ Write the certificate and key in DER format.
-
-P¶ Write the certificate and key in PEM format. This is the default, but can be used to override
-D.
-
-h¶ Show help and exit.
Example¶
The below manifest will first run gramine-ratls and then write the contents of a certificate file to standard output using the cat utility:
loader.entrypoint = "file:{{ gramine.libos }}"
loader.argv = [
"gramine-ratls", "/tmp/crt.der", "/tmp/key.der",
"cat", "/tmp/crt.der",
]
libos.entrypoint = "/gramine-ratls"
loader.env.LD_LIBRARY_PATH = "/lib"
fs.mounts = [
{ path = "/gramine-ratls", uri = "file:/usr/bin/gramine-ratls" },
{ path = "/lib", uri = "file:{{ gramine.runtimedir() }}" },
{ path = "/bin/cat", uri = "file:/bin/cat" },
{ path = "/tmp", type = "tmpfs" },
]
sgx.remote_attestation = "dcap"
sgx.debug = true
sgx.trusted_files = [
"file:{{ gramine.libos }}",
"file:/usr/bin/gramine-ratls",
"file:{{ gramine.runtimedir() }}/",
"file:/bin/cat",
]