|
2 | 2 |
|
3 | 3 | TEE verification and management CLI for [PrivateClaw](https://privateclaw.dev) CVMs. |
4 | 4 |
|
| 5 | +PrivateClaw runs your inference workloads inside fully encrypted confidential VMs. This CLI lets you cryptographically confirm that a CVM really is a genuine TEE — and inspect its state. |
| 6 | + |
| 7 | +For background on TEEs and remote attestation, see [confidential.ai/docs](https://confidential.ai/docs). |
| 8 | + |
5 | 9 | ## Install |
6 | 10 |
|
7 | 11 | ```bash |
8 | | -curl -fsSL https://github.com/lunal-dev/privateclaw-cli/releases/download/v1.0.0/install.sh | bash |
| 12 | +curl -fsSL https://github.com/lunal-dev/privateclaw-cli/releases/latest/download/install.sh | bash |
9 | 13 | ``` |
10 | 14 |
|
11 | 15 | This installs two binaries to `/usr/local/bin/`: |
12 | | -- `privateclaw` — shell script CLI with `verify`, `attest`, and `assign` subcommands |
13 | | -- `attestation-cli` — pre-built binary from [attestation-rs](https://github.com/lunal-dev/attestation-rs) for cryptographic TEE attestation |
| 16 | + |
| 17 | +- `privateclaw` — the CLI shell script (this repo) |
| 18 | +- `attestation-cli` — pre-built binary from [lunal-dev/attestation-rs](https://github.com/lunal-dev/attestation-rs) that performs the cryptographic SEV-SNP and TPM attestation |
14 | 19 |
|
15 | 20 | ## Commands |
16 | 21 |
|
| 22 | +``` |
| 23 | +privateclaw <command> [flags] |
| 24 | +``` |
| 25 | + |
| 26 | +| Command | Description | |
| 27 | +|---|---| |
| 28 | +| `verify [-v\|--verbose]` | Run the full 5-check TEE verification | |
| 29 | +| `info` | Print component versions, hostname, gateway IP, install date | |
| 30 | +| `attest` | Generate attestation evidence (boot-time; run by cloud-init) | |
| 31 | +| `assign` | Apply user configuration from IMDS (internal; run by systemd) | |
| 32 | + |
17 | 33 | ### `privateclaw verify` |
18 | 34 |
|
19 | | -User-facing command. Cryptographically verifies your CVM is running in a genuine TEE: |
| 35 | +User-facing command. Runs five checks and prints a pass/fail summary: |
20 | 36 |
|
21 | | -1. **TEE Attestation** — validates AMD SEV-SNP attestation evidence via `attestation-cli`, confirms SSH host key is bound to the TEE |
22 | | -2. **Inference Provider** — shows configured Lunal inference endpoint |
23 | | -3. **External Access Lockout** — audits SSH authorized keys and firewall |
| 37 | +1. **SEV-SNP Hardware** — requests a fresh AMD SEV-SNP attestation report bound to the current SSH host key hash and validates the full cert chain via `attestation-cli`. |
| 38 | +2. **TPM Attestation** — validates the vTPM quote and AK cert chain. |
| 39 | +3. **Host Key Binding** — confirms the live SSH host key matches the key baked into the attestation evidence (so MITM is impossible). |
| 40 | +4. **Inference Provider** — shows the configured Lunal inference endpoint. |
| 41 | +5. **External Access Lockout** — audits `authorized_keys`, firewall rules, and cloud-provider access paths (waagent / VM extensions) to confirm no operator backdoor. |
| 42 | + |
| 43 | +Add `-v` / `--verbose` for full cert-chain, VCEK, and endpoint diagnostics. |
| 44 | + |
| 45 | +### `privateclaw info` |
| 46 | + |
| 47 | +Prints a compact status block — useful for bug reports and quick sanity checks: |
| 48 | + |
| 49 | +``` |
| 50 | +privateclaw: v1.5.7 |
| 51 | +attestation-cli: v0.4.1 |
| 52 | +openclaw: <version> |
| 53 | +Hostname: <fqdn> |
| 54 | +Gateway IP: <gateway> |
| 55 | +Installed: <date> |
| 56 | +``` |
24 | 57 |
|
25 | 58 | ### `privateclaw attest` |
26 | 59 |
|
27 | | -Boot-time command (called by cloud-init). Generates attestation evidence binding the SSH host key to the TEE hardware. |
| 60 | +Boot-time command invoked by cloud-init. Generates SEV-SNP + TPM attestation evidence binding the SSH host key to the TEE hardware and writes it to `/etc/privateclaw/evidence.json`. |
28 | 61 |
|
29 | 62 | ### `privateclaw assign` |
30 | 63 |
|
31 | | -Internal command (called by systemd timer). Polls Azure IMDS for user configuration and applies it. |
| 64 | +Internal command invoked by a systemd timer. Polls Azure IMDS for user configuration (SSH keys, inference endpoint) and applies it to the CVM. |
32 | 65 |
|
33 | | -## Independent Verification |
| 66 | +## Independent verification |
34 | 67 |
|
35 | | -You can verify a CVM's attestation evidence from any machine: |
| 68 | +You can verify a CVM's attestation evidence from any machine — you don't need to trust this CLI: |
36 | 69 |
|
37 | 70 | ```bash |
38 | | -# Copy evidence from CVM |
| 71 | +# Copy evidence off the CVM |
39 | 72 | scp user@cvm:/etc/privateclaw/evidence.json . |
40 | 73 |
|
41 | | -# Verify locally (install attestation-cli first) |
| 74 | +# Verify locally with attestation-cli |
42 | 75 | attestation-cli verify -e evidence.json --expected-report-data <host_key_hash_hex> |
43 | 76 | ``` |
44 | 77 |
|
45 | 78 | ## Auditing |
46 | 79 |
|
47 | | -This repo contains everything that runs on your CVM. The `privateclaw` script is a single shell file — read it directly to see exactly what it does. |
| 80 | +Everything that runs on your CVM lives in this repo. `privateclaw` is a single bash script — read it top to bottom to see exactly what it does. The only binary dependency is [`attestation-cli`](https://github.com/lunal-dev/attestation-rs), which is also open source. |
| 81 | + |
| 82 | +## License |
48 | 83 |
|
49 | | -The only binary dependency is [`attestation-cli`](https://github.com/lunal-dev/attestation-rs), which is also open source. |
| 84 | +[MIT](./LICENSE) |
0 commit comments