# Blocky Attestation Service Setup

The Blocky Attestation Service (Blocky AS) is available both as a command-line
interface (CLI) and as a REST API. The installation and configuration
instructions below apply to the Blocky AS CLI.
If you want to use use the Blocky AS REST API directly, contact us
at [info@blocky.rocks](mailto:info@blocky.rocks).

## Installation

To use the Blocky AS CLI you need to install its executable, `bky-as`, and its
configuration file, `config.toml`.
You may complete this process using our installation script, or by manually
downloading the executable and the configuration file.

### Using the installation script

To install the Blocky AS CLI, run the following command:


```bash
curl -s https://raw.githubusercontent.com/blocky/attestation-service-demo/refs/tags/v0.1.0-beta.4/install.sh | bash
```

The installation script will check your system architecture, operating system,
and download the appropriate Blocky AS CLI executable as `bky-as`. If you
prefer, you can move `bky-as` to another location in your `$PATH`.

The installation script will also download a configuration file called
`config.toml`. The `bky-as` command will look for it in the current directory,
`./configs`, `$HOME/.config/bky/bky-as` or you can specify the location using
the `--config` command line argument to `bky-as`.

The installation script overwrites `config.toml` in the current directory.
Once you go through the [Configuration](#configuration) process to customize
`config.toml`, you may want to move it to a different directory.

### Manual installation

To install the Blocky AS CLI manually:

1. Go to the
[Blocky Attestation Service v0.1.0-beta.4](https://github.com/blocky/attestation-service-demo/releases/tag/v0.1.0-beta.4)
release page.
2. You will see a list of pre-build CLI executables:

Identify the executable that's compatible with your system,
download as `bky-as`, place it in your `$PATH`, and give it executable
permissions.
3. After clicking on the latest release, you will also see

Download the `config.toml` file and place it in the same directory as the
`bky-as` executable, in `./configs`, or in `$HOME/.config/bky/bky-as`.
You can also specify the location of the configuration file using the
`--config` command line argument to `bky-as`.


### Testing the installation

To test the installation of `bky-as` and see available commands, run:


```bash
bky-as --help
```

### Additional Dependencies

Several examples in this documentation rely on the `jq` command
to parse JSON output of `bky-as`. If you don't have `jq` installed already,
you set it up using your package manager or from the
[`jq` website](https://jqlang.github.io/jq/).

## Configuration

The starting `config.toml` uses `local-server` as the host, which
directs `bky-as` to start a local server that does **NOT** run in a TEE.
As a result, the attestations produced by a local server are not suitable
for production use.

To use Blocky AS in production, contact
[info@blocky.rocks](mailto:info@blocky.rocks) for:

- The URL of a production Blocky AS server running inside a TEE. You will need
to set it as the `host` value in `config.toml`.
- A developer token for accessing the Blocky AS server. You will
need to set it as the `auth_token` value in `config.toml`.
- A measurement of the source code running on the TEE.
You will need to add it to the `acceptable_measurements` values in
`config.toml`.
This setting allows you to define what version of the Blocky AS code you
trust. Please consult the [Enclave Measurements](#enclave-measurements)
section for more information.
The default `config.toml` includes `acceptable_measurements` entries for
attestations created by a Blocky Attestation Service server running on your
local machine and for one running in a TEE enclave in debug mode. In
production, you may want to disallow these by commenting them out.


After you set these values in `config.toml`, you'll be able to obtain
attestations that anyone can verify without trusting you or Blocky.

## Enclave Measurements

The foundation of the Blocky AS security model relies on two axioms:

1. Blocky AS service runs inside a TEE
2. The TEE runs a specific version of the Blocky AS service


The current version of Blocky AS runs
on [AWS Nitro Enclaves](https://aws.amazon.com/ec2/nitro/nitro-enclaves/). You
can read more about The Security Design of the AWS Nitro System, including AWS
Nitro
Enclaves [here](https://docs.aws.amazon.com/pdfs/whitepapers/latest/security-design-of-aws-nitro-system/security-design-of-aws-nitro-system.pdf).
Specifically, we rely on the correctness of AWS Nitro Enclaves implementation
and on the ability of AWS to retain the control over the private key used by the
AWS Nitro Enclaves hardware security module to
sign
[enclave attestations](/attestation-service/v0.1.0-beta.4/concepts#attestations-in-the-blocky-attestation-service).
Future versions of Blocky AS will support multiple TEE hosting options,
including [AMD SEV](https://www.amd.com/en/developer/sev.html)
and [Intel TDX](https://www.intel.com/content/www/us/en/developer/tools/trust-domain-extensions/overview.html)
architectures.

An [enclave attestation](/attestation-service/v0.1.0-beta.4/concepts#attestations-in-the-blocky-attestation-service)
attests not only the application public key, but also the enclave image, which,
can be used to represent the source code, build process, and runtime environment
of the application.

In the near future, we will make the source code of Blocky AS available for
inspection, which will allow you to build your own enclave image and compare
its measurement to the one attested by the enclave. For now, we provide the
measurement to enter into your `config.toml` file.
code produces the attestations you receive.