# tcas-cli

**Repository Path**: nanhu-lab/tcas-cli

## Basic Information

- **Project Name**: tcas-cli
- **Description**: No description available
- **Primary Language**: Unknown
- **License**: AGPL-3.0
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 1
- **Forks**: 3
- **Created**: 2024-07-30
- **Last Updated**: 2025-11-07

## Categories & Tags

**Categories**: Uncategorized
**Tags**: None

## README

# TCAS Client

## 0. Authentication

### 0.1 LoginToken

A LoginToken is needed when you want to manage policies or secrets, so you must log in with your username and password first:

```shell
./tcasctl login -u <url>
```

+ `-u`: optional, tcas's API URL, default is https://api.trustcluster.cc

Follow the prompts to enter your username and password to complete the login. When the login succeeds, the tcas config is generated automatically in `/.tcasctl/config.json`:

```json
{
  "configs": {
    "https://api.trustcluster.cc": {
      "APIEndpoint": "https://api.trustcluster.cc",
      "Role": "",
      "Token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MjYxMzQ4MjIsImlhdCI6MTcyNjEzMzkyMiwiaXNzIjoidGNhcyIsImp0aSI6ImYwNWI4MzI2LWRhYmEtNGVkZi04YzcwLTEzNWQ5MTRjMWRmNiIsIm5iZiI6MTcyNjEzMjkyMiwidXNlcklkIjoidXNlci05MWU1MmYwYi0zMzgxLTQzZTQtOGFiNi0yZmVjMzdhZTQ3OTYifQ.CvZ4De0l-So9rDRyn2O6TLORQB3gvePh31UpO7vr5CXXmFUdTAUB4C7qxSpLaSwKHRO019v9h_e-buXq-5RxtbIyDNVLKcxK38umSLdpwF5s-vM8Bp-brRf4kFyNPcR7OoHgSaolTcrQxY8aw-CYZj_-DD6KYmPzNMWLiR5VLS8",
      "API-KEY": "",
      "CaPath": "",
      "SkipVerify": false
    }
  }
}
```

### 0.2 API-KEY

An API-KEY is needed when you want to attest. The API-KEY can only be obtained by the policy user after login, so ask the policy user for the API-KEY and configure it as follows:

```shell
./tcasctl init -u <url>
```

+ `-u`: optional, tcas's API URL, default is https://api.trustcluster.cc

This generates a template config in `/.tcasctl/config.json`; you need to add the API-KEY to the config:

```json
{
  "configs": {
    "https://api.trustcluster.cc": {
      "APIEndpoint": "https://api.trustcluster.cc",
      "Role": "",
      "Token": "",
      "API-KEY": "kIjoidXNlci05MWU1MmYwYi0zM",
      "CaPath": "",
      "SkipVerify": false
    }
  }
}
```

Note that this file holds the login token and the API-KEY, so protect it like any other credential file, and keep `SkipVerify` at `false` so the client keeps checking the server's TLS certificate.

## 1. Policy manager

### 1.1 Set policy

```shell
./tcasctl policy set -u <url> -n <policy-name> -f <policy-file> -t <attestation-type>
```

+ `-u`: optional, tcas's API URL, default is https://api.trustcluster.cc
+ `-n`: must, the policy name
+ `-f`: must, the path of the policy file, in Rego format
+ `-t`: optional, the attestation type of the policy; supports trustnode or trustcluster, default is trustnode

Successful response:

```shell
set policy successful, policy id: cfaaab6d-7a25-436e-a8d9-6357a1e4cb33
```

### 1.2 Get policy list

```shell
./tcasctl policy list -u <url> -t <attestation-type>
```

+ `-u`: optional, tcas's API URL, default is https://api.trustcluster.cc
+ `-t`: optional, the attestation type of the policy; supports trustnode or trustcluster, default is trustnode

Successful response (the `policy_rego` field is the base64-encoded Rego source of the policy):

```json
{
  "policies": [
    {
      "no": 2,
      "policy_id": "9e434346-682d-4c13-917d-24883ce096d1",
      "policy_rego": "cGFja2FnZSB0cnVzdG5vZGUKCmltcG9ydCBmdXR1cmUua2V5d29yZHMuZXZlcnkKCmRlZmF1bHQgdHJ1c3Rfbm9kZSA6PSBmYWxzZQoKdHJ1c3Rfbm9kZSB7CglhbGxvd2VkX25vZGUoaW5wdXQudHJ1c3Rfbm9kZSkKfQoKYWxsb3dlZF9ub2RlKG5vZGUpIHsKCW5vZGUudGVlLnZpcnRjY2FfcmltID09ICJlYTIxY2NlMWJiODM2Y2E3OTc4NGFjMTFhMmZlMjg4YzY3MWU1ZjYyYzI4ODM3MThlZDhkYTU5OTQ3YWUyOGIxIgoJbm9kZS50ZWUudmlydGNjYV9yZW0wID0gIjM3YTRhMDRmZTRjYjIxYTgwYTgxNDE5ZWI0Zjc1OTJmNzI3MTA2OTcyN2ZiNWViODU5ZmQxYjUwMzE5YmZhZTQiCn0K",
      "policy_name": "test-vcca1",
      "attestation_type": "trust_node",
      "policy_hash": "822e3ca44a68bd28797d61d6428dff04691c1811093d3cd589febd2b00309842",
      "version": 1,
      "createTime": "2024-07-24T09:17:22.4220796Z",
      "updateTime": "2024-07-24T09:17:22.42208149Z"
    },
    {
      "no": 1,
      "policy_id": "4ed9690b-962f-4279-abdb-fdccecba6775",
      "policy_rego": "cGFja2FnZSB0cnVzdG5vZGUKCmltcG9ydCBmdXR1cmUua2V5d29yZHMuZXZlcnkKCmRlZmF1bHQgdHJ1c3Rfbm9kZSA6PSBmYWxzZQoKdHJ1c3Rfbm9kZSB7CglhbGxvd2VkX25vZGUoaW5wdXQudHJ1c3Rfbm9kZSkKfQoKYWxsb3dlZF9ub2RlKG5vZGUpIHsKCW5vZGUudGVlLnZpcnRjY2FfcmltID09ICJlYTIxY2NlMWJiODM2Y2E3OTc4NGFjMTFhMmZlMjg4YzY3MWU1ZjYyYzI4ODM3MThlZDhkYTU5OTQ3YWUyOGIxIgoJbm9kZS50ZWUudmlydGNjYV9yZW0wID0gIjM3YTRhMDRmZTRjYjIxYTgwYTgxNDE5ZWI0Zjc1OTJmNzI3MTA2OTcyN2ZiNWViODU5ZmQxYjUwMzE5YmZhZTQiCn0K",
      "policy_name": "test-vcca",
      "attestation_type": "trust_node",
      "policy_hash": "822e3ca44a68bd28797d61d6428dff04691c1811093d3cd589febd2b00309842",
      "version": 1,
      "createTime": "2024-07-24T09:17:11.51031935Z",
      "updateTime": "2024-07-24T09:17:11.5103208Z"
    }
  ]
}
```

### 1.3 Get the detail of a policy (unsupported now)

```shell
./tcasctl policy detail -u <url> -i <policy-id>
```

+ `-i`: must, the id of the policy

Successful response:

```json
{
  "no": 1,
  "policy_id": "4ed9690b-962f-4279-abdb-fdccecba6775",
  "policy_rego": "cGFja2FnZSB0cnVzdG5vZGUKCmltcG9ydCBmdXR1cmUua2V5d29yZHMuZXZlcnkKCmRlZmF1bHQgdHJ1c3Rfbm9kZSA6PSBmYWxzZQoKdHJ1c3Rfbm9kZSB7CglhbGxvd2VkX25vZGUoaW5wdXQudHJ1c3Rfbm9kZSkKfQoKYWxsb3dlZF9ub2RlKG5vZGUpIHsKCW5vZGUudGVlLnZpcnRjY2FfcmltID09ICJlYTIxY2NlMWJiODM2Y2E3OTc4NGFjMTFhMmZlMjg4YzY3MWU1ZjYyYzI4ODM3MThlZDhkYTU5OTQ3YWUyOGIxIgoJbm9kZS50ZWUudmlydGNjYV9yZW0wID0gIjM3YTRhMDRmZTRjYjIxYTgwYTgxNDE5ZWI0Zjc1OTJmNzI3MTA2OTcyN2ZiNWViODU5ZmQxYjUwMzE5YmZhZTQiCn0K",
  "policy_name": "test-vcca",
  "attestation_type": "trust_node",
  "policy_hash": "822e3ca44a68bd28797d61d6428dff04691c1811093d3cd589febd2b00309842",
  "version": 1,
  "createTime": "2024-07-24T09:17:11.51031935Z",
  "updateTime": "2024-07-24T09:17:11.5103208Z"
}
```

### 1.4 Delete policy

```shell
./tcasctl policy delete -u <url> -i <policy-id>
```

+ `-i`: must, the id of the policy

Successful response:

```shell
delete policy successful, the policy id is <policy-id>
```

## 2. Secret manager

### 2.1 Set secret

```shell
./tcasctl secret set -u <url> -n <secret-name> -f <secret-file>
```

+ `-f`: must, the path of the secret file; only JSON format is supported
+ `-n`: must, the unique name of the secret

Successful response:

```shell
set secret successful, secret id: <secret-id>
```

### 2.2 Update secret

```shell
./tcasctl secret update -u <url> -f <secret-file> -i <secret-id>
```

+ `-f`: must, the path of the new secret file; only JSON format is supported
+ `-i`: must, the id of the old secret

Successful response:

```shell
update secret successful, secret id: <secret-id>
```

### 2.3 Get the secret base info list

```shell
./tcasctl secret list -u <url>
```

Successful response:

```json
{
  "secrets": [
    {
      "id": "0d6f1080-dcf4-4961-8def-9fb1f98d6174",
      "name": "test-vcca",
      "createTime": "2024-07-24T08:41:06.62906502Z",
      "updateTime": "2024-07-24T08:41:06.62906712Z"
    }
  ]
}
```

### 2.4 Delete secret

```shell
./tcasctl secret delete -u <url> -i <secret-id>
```

+ `-i`: must, the id of the old secret

Successful response:

```shell
delete secret successful, secret id: <secret-id>
```

## 3. Attest

### 3.1 Get token

```shell
./tcasctl attest token -u <url> -t <tee-type> -d <userdata> -p <policy-ids> -v <trust-devices>
```

+ `-t`: must, the type of TEE; csv and virtcca are supported now
+ `-d`: optional, the base64-encoded userdata
+ `-p`: optional, the ids of the policies that must be matched
+ `-v`: optional, the trust devices

Example:

```shell
./tcasctl attest token -u http://127.0.0.1:8081 -t virtcca -d MTIzYWJj
```

Successful response:

```shell
<token>
```

### 3.2 Get secret

```shell
./tcasctl attest secret -u <url> -t <tee-type> -d <userdata> -p <policy-ids> -v <trust-devices> -s <secret-id> -o <output-dir>
```

+ `-t`: must, the type of TEE; csv and virtcca are supported now
+ `-s`: must, the id of the secret to be obtained
+ `-d`: optional, the base64-encoded userdata
+ `-p`: optional, the ids of the policies that must be matched
+ `-v`: optional, the trust devices
+ `-o`: optional, the output dir of the secret, default is ./tcas-secret

Successful response:

```shell
{"key":"123"}
```

### 3.3 Get cert

```shell
./tcasctl attest cert -u <url> -t <tee-type> -p <policy-ids> -v <trust-devices> -k <public-key-pem> -c <common-name> -e <expiration> -i <ip-addresses> -o <output-dir>
```

+ `-t`: must, the type of TEE; csv and virtcca are supported now
+ `-p`: optional, the ids of the policies that must be matched
+ `-v`: optional, the trust devices
+ `-k`: optional, an ECC P-256 public key in PEM format; if not present, a key pair is generated randomly
+ `-c`: must, the cert's common_name
+ `-e`: optional, the cert's expiration time, default: 10 years
+ `-i`: optional, the cert's IP address extensions
+ `-o`: optional, the output dir of the cert and keys, default: ./tcas-certs

Successful response:

```shell
get cert successful, the save in <output-dir>
```

## 4. Verify

### 4.1 Get root CA

```shell
./tcasctl ca -u <url> -o <output-path>
```

+ `-o`: optional, the save path of the CA cert

### 4.2 Verify token

```shell
./tcasctl verify token -t <token> -f <ca-cert-file>
```

+ `-t`: must, tcas's token
+ `-f`: optional, the path of the CA certificate; if not given, the token is verified online

Successful response:

```shell
verify token successful, the detail info of the token is as follow:
```

### 4.3 Verify cert

```shell
./tcasctl verify cert -u <url> -f <cert-file> -c <ca-cert-file>
```

+ `-f`: must, the path of the cert to be verified
+ `-c`: optional, the path of the CA certificate file; if not given, the CA certificate is obtained automatically

Successful response:

```shell
verify successful
```

## 5. Evidence

```shell
./tcasctl evidence -t tdx -r eyJ1c2VyIjoiamZmYW4ifQ==
```

+ `-t`: must, the type of TEE; csv, virtcca and tdx are supported now
+ `-r`: optional, the base64-encoded reportdata
+ `-o`: optional, the save path of the TEE report; by default it is saved in the current **tee-reports** directory
+ `-v`: optional, the trust devices

Successful response:

```shell
------------------evidence info start------------------
{
  "tee": "tdx",
  "tee_report": "",
  "parameter": null,
  "trust_devices": [],
  "runtime_data": "eyJ1c2VyIjoiamZmYW4ifQ==",
  "init_data": "",
  "event_log": ""
}
------------------evidence info end--------------------
The evidence successfully saved in: tee-reports/tdx-evidence.json
```

## Reference

+ https://github.com/edgelesssys/go-tdx-qpl/blob/main/tdx/tdx_linux.go
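An added example for section 1.2 (not code from the tcas-cli project): before relying on a policy returned by `policy list`, decode its base64 `policy_rego`, list the reference measurements it pins, confirm it is default-deny, and test which bytes `policy_hash` is the SHA-256 of. The README does not state what is hashed or which algorithm is used, so the SHA-256 assumption and both candidate inputs are assumptions of this example; the listing entry is constructed from the README's sample response.

```python
# Added example (not part of tcas-cli): audit the policies `tcasctl policy list` returns.
import base64
import hashlib
import re

# Constructed input: one entry copied from the README's `policy list` response.
POLICY_REGO_B64 = (
    "cGFja2FnZSB0cnVzdG5vZGUKCmltcG9ydCBmdXR1cmUua2V5d29yZHMuZXZlcnkK"
    "CmRlZmF1bHQgdHJ1c3Rfbm9kZSA6PSBmYWxzZQoKdHJ1c3Rfbm9kZSB7CglhbGxvd2VkX25vZGUoaW5wdXQudHJ1c3Rfbm9kZSkKfQoK"
    "YWxsb3dlZF9ub2RlKG5vZGUpIHsKCW5vZGUudGVlLnZpcnRjY2FfcmltID09ICJlYTIx"
    "Y2NlMWJiODM2Y2E3OTc4NGFjMTFhMmZlMjg4YzY3MWU1ZjYyYzI4ODM3MThlZDhkYTU5OTQ3YWUyOGIx"
    "IgoJbm9kZS50ZWUudmlydGNjYV9yZW0wID0gIjM3"
    "YTRhMDRmZTRjYjIxYTgwYTgxNDE5ZWI0Zjc1OTJmNzI3MTA2OTcyN2ZiNWViODU5ZmQxYjUwMzE5YmZhZTQiCn0K"
)
LISTING = {"policies": [{
    "policy_name": "test-vcca",
    "policy_rego": POLICY_REGO_B64,
    "policy_hash": "822e3ca44a68bd28797d61d6428dff04691c1811093d3cd589febd2b00309842",
}]}
# Rego comparisons of the form node.tee.<measurement> == "<64 hex chars>" (`=` also accepted).
MEASUREMENT_RE = re.compile(r'node\.tee\.(\w+)\s*==?\s*"([0-9a-f]{64})"')


def decode_policy(rego_b64):
    """Return the Rego source that tcas stores base64-encoded in `policy_rego`."""
    return base64.b64decode(rego_b64).decode("utf-8")


def hash_source(policy):
    """Which bytes `policy_hash` is the SHA-256 of: 'decoded', 'base64' or None."""
    # The README does not say what is hashed, so both candidates are tried
    # (assumption: SHA-256, because the value is 64 hex characters).
    raw = base64.b64decode(policy["policy_rego"])
    for label, data in (("decoded", raw), ("base64", policy["policy_rego"].encode())):
        if hashlib.sha256(data).hexdigest() == policy["policy_hash"]:
            return label
    return None


def audit(listing):
    """Per policy: name, whether it is default-deny, pinned measurements, hash source."""
    report = []
    for policy in listing["policies"]:
        rego = decode_policy(policy["policy_rego"])
        report.append({
            "policy_name": policy["policy_name"],
            "default_deny": "default trust_node := false" in rego,
            "measurements": dict(MEASUREMENT_RE.findall(rego)),
            "hash_source": hash_source(policy),
        })
    return report
```

A `hash_source` of `None` means neither candidate reproduces the server's `policy_hash`, so the value should be treated as an opaque server-side identifier rather than something the client has verified.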