CLI Proxy

Manual PCR Configurations

The PCR codes of the enclave validate that the host is running the expected base image of OBLV Deploy. These codes are agnostic of the application being hosted internally by OBLV Deploy but ensure that no malicious user has corrupted the base image.

From the CLI Proxy, you can choose whether to validate all of these or not. Toggling them off is useful if you are an enterprise client working with the Oblivious team to customise the internals of OBLV Deploy to align with a specific preferred pattern used in your organisation, or if you want to ensure a specific version of OBLV Deploy is being used.

Modifying PCRs can be Dangerous

If the PCRs being used do not align with an official version of OBLV Deploy, your data could be at risk. In practice, the enclave could be running any computation with any networking setup. Only modify these at your own risk.

Updating the PCR Codes to be Validated

To update a configuration file to use alternative PCR codes with the OBLV CLI, use the oblv configure sub-command. To update the PCR codes in the configuration file, set the following options to your preferred PCR values.

oblv configure --config config.yaml \
--pcr0 <PCR0 value> \
--pcr1 <PCR1 value> \
--pcr2 <PCR2 value>

You can choose to update one or all PCR codes in this way. Below is an example of how the oblv configure sub-command updates the configuration file:

Updating Configuration from the CLI Proxy
oblv configure --config config.yaml \
--pcr0 5a96f59d8b4a7cc0bcc90a6ef20a671f351aea8e6bc588c4860e4d44f726c90626868c60db937d5ea7f782303ecd7018 \
--pcr2 da05be0d1e3eef32c0c0e4ce67af55d086187b8c9eb9c13c1071bf60d596a9e79186fa7df7e8639846950e9b2bbd30d8 \
--pcr1 b21f25802be9a07230544bb05c752529b2d18f03a5b4dc9627de528b5f6bb05ab710077bee14fd69f7eb37708a7efce1
Resulting Configuration File
oblvVersion: 0.1.0
usePCRServer: false
enclave:
pcrs:
- PCR0:5a96f59d8b4a7cc0bcc90a6ef20a671f351aea8e6bc588c4860e4d44f726c90626868c60db937d5ea7f782303ecd7018
- PCR1:b21f25802be9a07230544bb05c752529b2d18f03a5b4dc9627de528b5f6bb05ab710077bee14fd69f7eb37708a7efce1
- PCR2:da05be0d1e3eef32c0c0e4ce67af55d086187b8c9eb9c13c1071bf60d596a9e79186fa7df7e8639846950e9b2bbd30d8
pcrCheck: true
pcrServer: ''
images:
nginx:1.25.3: sha256:c7a6ad68be85142c7fe1089e48faa1e7c7166a194caa9180ddea66345876b9d2
docker.io/fluent/fluent-bit:2.1.10: sha256:5766d881ddb1fdacd9c5b24c9f28371ae22d44faaf3f7a510e5e86e37fd6244f
oryd/oathkeeper:v0.38.6: sha256:80ac597442d75f8059e6ade47bb42b01bcebbc4f6d1a61237a4402547f6f5f82
public.ecr.aws/oblivious-ai/oblv-sample-fastapi:latest: sha256:5adb8754823ba1cc18308dac0d116a48019dc6afe2ea921e60ca0f7df98cf850
plugins:
fluentbit-logging:
- name: fluent-bit.yaml
digest: sha256:37e3c0aaa422c9245fe5a39b223f056f023e14dbc855ced8979ea066516148b1
auth-plugin:
- name: config.yaml
digest: sha256:88eabdcaac2ecd5fe2b59fe8b9a12277c43878db7cd468dfd1b0aeffcbfe0626
- name: rules.json
digest: sha256:619fac4987a4774763b61e45828b7606fdee09893e04d978dd2ef2a319d65ef7
creds:
authCreds:
clientId: ''
clientSecret: ''
url: ''
grantType: ''
scope: ''
maxRetries: 18
retryTimeout: 5
log:
logLevel: trace
maxSizeInMb: 5
retaintionPeriodInDays: 7
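
A check you can run after oblv configure to confirm that the file still pins the PCR values you expect and that pcrCheck is enabled. This is an added example, not part of the OBLV CLI or the original page: verify_pcr_pins, make_sample and expected.txt are hypothetical names, the 96-hex-character length is assumed from the sample values above, and the sample data is constructed.

```shell
#!/bin/sh
# Added example: audit the PCR pins in a config file written by `oblv configure`.
# verify_pcr_pins CONFIG EXPECTED
#   EXPECTED (hypothetical file) holds one "PCRn:<hex>" line per trusted value.
# Returns 0 only if pcrCheck is true and every expected PCR is pinned exactly
# once with the same value. Matching ignores indentation.
verify_pcr_pins() {
    cfg=$1; expected=$2; rc=0
    # With validation switched off, the pinned values are never compared.
    if ! grep -Eq '^[[:space:]]*pcrCheck:[[:space:]]*true[[:space:]]*$' "$cfg"; then
        echo "FAIL: pcrCheck is not true in $cfg" >&2; rc=1
    fi
    while IFS=: read -r name want; do
        [ -n "$name" ] || continue
        # Assumption: 96 lowercase hex characters, as in the page's sample values.
        if ! printf '%s' "$want" | grep -Eq '^[0-9a-f]{96}$'; then
            echo "FAIL: expected $name is malformed" >&2; rc=1; continue
        fi
        got=$(sed -n "s/^[[:space:]]*-[[:space:]]*$name:[[:space:]]*\([0-9a-fA-F]*\)[[:space:]]*$/\1/p" "$cfg" |
            tr 'A-F' 'a-f')
        if [ "$got" != "$want" ]; then
            echo "FAIL: $name pinned='${got:-<missing>}' expected='$want'" >&2; rc=1
        fi
    done < "$expected"
    return "$rc"
}

# Constructed sample data, laid out as the page renders the file.
# These are not real OBLV Deploy measurements.
make_sample() {
    dir=$1
    p0=$(printf '%096d' 0); p1=$(printf '%096d' 1); p2=$(printf '%096d' 2)
    printf 'enclave:\npcrs:\n- PCR0:%s\n- PCR1:%s\n- PCR2:%s\npcrCheck: true\n' \
        "$p0" "$p1" "$p2" > "$dir/config.yaml"
    printf 'PCR0:%s\nPCR1:%s\nPCR2:%s\n' "$p0" "$p1" "$p2" > "$dir/expected.txt"
}

tmp=$(mktemp -d)
make_sample "$tmp"
verify_pcr_pins "$tmp/config.yaml" "$tmp/expected.txt" && echo "PCR pins match"
```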