see-sock-serv, see-stdioe-serv, see-stdioesock-serv, see-stdoe-serv

see-sock-serv -p <PUBL-NAME> | -o <KEYID> | -M <MACHINE>.sar
see-stdoe-serv -p <PUBL-NAME> | -o <KEYID> | -M <MACHINE>.sar
see-stdioe-serv -p <PUBL-NAME> | -o <KEYID> | -M <MACHINE>.sar
see-stdioesock-serv -p <PUBL-NAME> | -o <KEYID> | -M <MACHINE>.sar

The see-*-serv utilities provide standard I/O and socket connections for SEE machines built with the glibc architecture. Select the utility that matches your SEE machine: running a host-side utility that offers more provisions than the SEE machine was linked against causes the SEE machine to abort.

  • see-sock-serv, for SEE machines that require only sockets.

  • see-stdoe-serv, for SEE machines that require only standard output and error streams.

  • see-stdioe-serv, for SEE machines that require standard input, output, and error streams.
    If you are using an nShield Connect, you must set the --no-feature-check option when running the see-stdoe-serv utility.

  • see-stdioesock-serv, for SEE machines that require sockets in addition to standard input, output, and error streams.

Each utility can:

  • Load the SAR file for the SEE machine

  • Load the mandatory userdata file

  • Provide a selection of socket and I/O streams

SEE machines that require the standard I/O streams or INET domain sockets must be serviced by one of the host-side utilities described here. Without an appropriate host-side utility, SEE machine operations that need any of these streams block until the corresponding service becomes available.

All the see-*-serv host-side utilities take the same arguments.

The options, grouped by purpose, are:

Loading the SEE machine

-e, --encryptionkey=IDENT

The SEE machine is encrypted with key IDENT.

-s, --sighash=HASH

The SEE machine is signed with the key whose hash is HASH. Use this option together with the -e option, and only if you have the dynamic SEE feature.

-M, --machine=<MACHINE>.sar

Specifies a SEE machine file (packed as a SAR). If you do not specify this option, the SEE machine must have been loaded previously by, for example, running loadmache.

Starting the SEE world

--userdata-raw <USERDATA.bin>

An unpacked userdata file to be passed to the SEE machine.
The utility internally wraps the raw file in an unsigned SAR file.

--userdata-sar <USERDATA>.sar

The userdata file (packed as a SAR) to be passed to the SEE machine.

-V, --userdata-vuln

Starts the SEE world, passing the remaining arguments (which should include an argv[0] for the world) in userdata to vulnerability.o.

Pre-started SEE world

-o, --object-id=<NAME>

The KeyID of the started SEE machine.
By default, a decimal value is expected. Use 0x notation for hexadecimal values.

-p, --published-object=<NAME>

The PublishedObject name to use for publishing the KeyID of the started SEE machine.

Tracing

--trace

Polls the Security World's trace buffer. The contents are printed to stderr in dark red.
If the configuration of the Security World requires it, you must supply authorization to poll the trace buffer when specifying this option. The see-*-serv host-side utility prompts you for authorization if it is required.

--plain-trace

Functions like the --trace option to poll the Security World's trace buffer, but the output from --plain-trace is not surrounded by terminal escape codes.

HSM options

-f, --no-feature-check

Suppresses the default check, performed by the see-*-serv host-side utilities before loading a SEE machine, that the HSM specified by the -m, --module=<MODULE> option has the HasSEE flag and the GeneralSEE feature.
If you are using a network-attached HSM (an nShield Connect), you must set the --no-feature-check option when running the see-stdoe-serv utility.

--job-prefix <PREFIX>

This option is for debugging. For the host-side utilities that provide a single service (that is, see-sock-serv, see-stdoe-serv, and see-stdioe-serv), specifying this option forces the service to use the job prefix specified by <PREFIX>.

-m, --module=<MODULE>

The HSM onto which the SEE machine is to be loaded.
Use enquiry to get information about the HSM.

-r, --restrict

Permits only userdata and machine-image files from the nc-seemachines or custom-seemachines subdirectories of the /opt/nfast (Linux) or %NFAST_HOME% (Windows) directory to be loaded. Specify this option, for extra security, whenever userdata is loaded automatically by a privileged account.

Help options

-h, --help

Displays help for the utility.

-u, --usage

Displays a brief usage summary for the utility.

-v, --version

Displays the version number of the Security World Software that deploys the utility.
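The utility-selection rule stated at the top of this page and the directory confinement described for -r, --restrict, shown as an added shell wrapper that is not part of the nShield tooling; it assumes POSIX sh with GNU readlink -f, an NFAST_HOME variable defaulting to /opt/nfast, and the provision names sock/stdoe/stdioe/stdioesock as hypothetical inputs. It prints the command line it would run rather than invoking the utility, so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example (not nShield's own code): a pre-flight wrapper around the
# see-*-serv utilities. It picks the utility that matches the provisions the
# SEE machine was linked against, and applies the confinement described for
# -r/--restrict (files must live under nc-seemachines or custom-seemachines)
# before building the command line. Assumes POSIX sh with GNU `readlink -f`;
# NFAST_HOME defaults to /opt/nfast. The command is printed, not executed.

# Map the provisions a SEE machine needs to the matching host-side utility.
# A utility offering more provisions than the machine expects aborts it.
see_serv_for() {
  case "$1" in
    sock)       echo see-sock-serv ;;
    stdoe)      echo see-stdoe-serv ;;
    stdioe)     echo see-stdioe-serv ;;
    stdioesock) echo see-stdioesock-serv ;;
    *)          return 1 ;;
  esac
}

# Succeed only if FILE exists and, after resolving symlinks and "..",
# lies inside ROOT/nc-seemachines/ or ROOT/custom-seemachines/.
see_path_allowed() {
  root=$(readlink -f "$1") || return 1
  file=$(readlink -f "$2") || return 1
  [ -f "$file" ] || return 1
  case "$file" in
    "$root/nc-seemachines/"*|"$root/custom-seemachines/"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: see_serv_cmd PROVISIONS MACHINE.sar USERDATA.sar [MODULE] [connect]
# Prints the see-*-serv command line, or fails with 1 (unknown provisions)
# or 2 (a file outside the restricted directories).
see_serv_cmd() {
  util=$(see_serv_for "$1") || return 1
  root=${NFAST_HOME:-/opt/nfast}
  see_path_allowed "$root" "$2" || return 2
  see_path_allowed "$root" "$3" || return 2
  extra=""
  # A network-attached HSM (nShield Connect) needs the feature check
  # switched off when the utility is see-stdoe-serv.
  if [ "${5:-}" = connect ] && [ "$util" = see-stdoe-serv ]; then
    extra=" --no-feature-check"
  fi
  printf '%s -m %s -r%s -M %s --userdata-sar %s\n' \
    "$util" "${4:-1}" "$extra" "$2" "$3"
}
```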

Error output from SEE machine with SEElib architecture

You cannot use the see-*-serv host-side utilities to load SEE machines built with the SEElib architecture. If you try to do so, the utility returns a message similar to the following:

FATAL: SeeHostCallProvision_Init (prefix `nC/HC/sock/INET ') failed:
SeeHostcallProvisionFailed

This is expected behavior: the host-side utility sends SEEJobs that the SEE machine cannot understand or to which it cannot respond correctly.

You can use the loadmache command-line utility to manually load SEE machines built with the SEElib architecture.