harald/teepot
1
0
Fork 0
mirror of https://github.com/matter-labs/teepot.git synced 2025-07-21 15:13:56 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #29 from matter-labs/nix_container

Browse source 
chore: cleanup and nixify
This commit is contained in:
Harald Hoyer 2024-02-28 12:04:53 +01:00 committed by GitHub
commit 2721589dff
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
37 changed files with 902 additions and 659 deletions
Download patch file Download diff file Expand all files Collapse all files

51
.github/workflows/container.yml vendored
View file

@ -1,51 +0,0 @@
name: Container
on:
push:
branches: [ "main" ]
pull_request:
jobs:
push_to_registry:
permissions:
packages: write
contents: read
name: Build and push containers image to GitHub Packages
runs-on: ubuntu-latest
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.config.dockerfile }}
cancel-in-progress: true
strategy:
fail-fast: false
matrix:
config:
- { dockerfile: 'vault/Dockerfile', tag: 'vault:latest', repository: 'teepot-vault' }
- { dockerfile: 'bin/tee-vault-unseal/Dockerfile-azure', tag: 'tvu:latest', repository: 'teepot-tvu' }
- { dockerfile: 'bin/tee-vault-admin/Dockerfile-azure', tag: 'tva:latest', repository: 'teepot-tva' }
steps:
- name: Check out the repo
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up env
run: echo "repository_owner=${GITHUB_REPOSITORY_OWNER,,}" >>${GITHUB_ENV}
- name: Build and Push Container
uses: docker/build-push-action@v5
with:
file: ${{ matrix.config.dockerfile }}
tags: |
matterlabsrobot/${{ matrix.config.repository }}:latest
cache-from: type=gha
cache-to: type=gha,mode=max,ignore-error=true
push: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}

127
.github/workflows/nix.yml vendored
View file

@ -14,94 +14,129 @@ jobs:
check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
with:
extra_nix_config: |
access-tokens = github.com=${{ github.token }}
- run: nix flake check -L --show-trace --keep-going
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- uses: cachix/install-nix-action@v25
with:
extra_nix_config: |
access-tokens = github.com=${{ github.token }}
- uses: cachix/cachix-action@v14
with:
name: nixsgx
extraPullNames: vault-auth-tee
- run: nix flake check -L --show-trace --keep-going
fmt:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
with:
extra_nix_config: |
access-tokens = github.com=${{ github.token }}
- run: nix fmt
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- uses: cachix/install-nix-action@v25
with:
extra_nix_config: |
access-tokens = github.com=${{ github.token }}
- uses: cachix/cachix-action@v14
with:
name: nixsgx
extraPullNames: vault-auth-tee
- run: nix fmt
clippy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
with:
extra_nix_config: |
access-tokens = github.com=${{ github.token }}
# Cache any artifacts that aren't already cached at https://cache.nixos.org
- name: Enable magic Nix cache
uses: DeterminateSystems/magic-nix-cache-action@main
- name: Use nixsgx cache
run: |
nix-env -iA cachix -f https://cachix.org/api/v1/install
cachix use nixsgx
- name: cargo clippy
run: nix develop -L --ignore-environment -c cargo clippy --all --locked
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- uses: cachix/install-nix-action@v25
with:
extra_nix_config: |
access-tokens = github.com=${{ github.token }}
- uses: cachix/cachix-action@v14
with:
name: nixsgx
extraPullNames: vault-auth-tee
- name: Enable magic Nix cache
uses: DeterminateSystems/magic-nix-cache-action@main
- name: cargo clippy
run: nix develop -L --ignore-environment -c cargo clippy --all --locked
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
- uses: cachix/install-nix-action@v25
with:
extra_nix_config: |
access-tokens = github.com=${{ github.token }}
# Cache any artifacts that aren't already cached at https://cache.nixos.org
- uses: cachix/cachix-action@v14
with:
name: nixsgx
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
extraPullNames: vault-auth-tee
- name: Enable magic Nix cache
uses: DeterminateSystems/magic-nix-cache-action@main
- name: Use nixsgx cache
run: |
nix-env -iA cachix -f https://cachix.org/api/v1/install
cachix use nixsgx
- name: nix build
run: nix run nixpkgs#nixci
push_to_docker:
needs: build
if: ${{ github.event_name == 'push' }}
runs-on: ubuntu-latest
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.config.dockerfile }}
cancel-in-progress: true
strategy:
fail-fast: false
matrix:
config:
- { nixpackage: 'container-vault-sgx-azure', dockerfile: 'packages/container-vault-sgx-azure/Dockerfile', tag: 'vault:latest', repository: 'teepot-vault' }
- { nixpackage: 'container-vault-unseal-sgx-azure', dockerfile: 'packages/container-vault-unseal-sgx-azure/Dockerfile', tag: 'tvu:latest', repository: 'teepot-tvu' }
- { nixpackage: 'container-vault-admin-sgx-azure', dockerfile: 'packages/container-vault-admin-sgx-azure/Dockerfile', tag: 'tva:latest', repository: 'teepot-tva' }
- { nixpackage: 'container-verify-attestation' }
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
- uses: actions/checkout@v4
- uses: cachix/install-nix-action@v25
with:
extra_nix_config: |
access-tokens = github.com=${{ github.token }}
# Cache any artifacts that aren't already cached at https://cache.nixos.org
- uses: cachix/cachix-action@v14
with:
name: nixsgx
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
extraPullNames: vault-auth-tee
- name: Enable magic Nix cache
uses: DeterminateSystems/magic-nix-cache-action@main
- name: Use nixsgx cache
run: |
nix-env -iA cachix -f https://cachix.org/api/v1/install
cachix use nixsgx
- name: Log in to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Load and push
- name: Load and Push nix container
run: |
nix build -L .#container-verify-attestation
nix build -L .#${{ matrix.config.nixpackage }}
export IMAGE_TAG=$(docker load < result | grep -Po 'Loaded image.*: \K.*')
echo "Pushing image ${IMAGE_TAG} to Docker Hub"
echo "IMAGE_TAG=${IMAGE_TAG}" >> $GITHUB_ENV
docker tag "${IMAGE_TAG}" matterlabsrobot/"${IMAGE_TAG}"
docker push matterlabsrobot/"${IMAGE_TAG}"
docker tag matterlabsrobot/"${IMAGE_TAG}" matterlabsrobot/"${IMAGE_TAG%:*}:latest"
docker push matterlabsrobot/"${IMAGE_TAG%:*}:latest"
- name: Generate build ID for Flux Image Automation
if: ${{ matrix.config.dockerfile }}
id: buildid
run: |
sha=$(git rev-parse --short HEAD)
ts=$(date +%s%N | cut -b1-13)
echo "BUILD_ID=${sha}-${ts}" >> "$GITHUB_OUTPUT"
- name: Build and Push Container
if: ${{ matrix.config.dockerfile }}
uses: docker/build-push-action@v5
with:
file: ${{ matrix.config.dockerfile }}
tags: |
"matterlabsrobot/${{ matrix.config.repository }}:latest"
"matterlabsrobot/${{ matrix.config.repository }}:${{ steps.buildid.outputs.BUILD_ID }}"
push: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}

38
assets/Azure-DCAP-Client.patch
View file

@ -1,38 +0,0 @@
diff --git a/src/dcap_provider.cpp b/src/dcap_provider.cpp
index d23c250..34c4d9d 100644
--- a/src/dcap_provider.cpp
+++ b/src/dcap_provider.cpp
@@ -1333,7 +1333,7 @@ static std::string build_tcb_info_url(
tcb_info_url << base_url;
}
else
- tcb_info_url << get_base_url();
+ tcb_info_url << "https://api.trustedservices.intel.com/sgx/certification";
if (!version.empty())
{
@@ -1426,7 +1426,7 @@ static std::string build_enclave_id_url(
qe_id_url << base_url;
}
else
- qe_id_url << get_base_url();
+ qe_id_url << "https://api.trustedservices.intel.com/sgx/certification/";
// Select the correct issuer header name
if (!version.empty())
@@ -1521,6 +1521,7 @@ static quote3_error_t get_collateral(
"Successfully fetched %s from URL: '%s'.",
friendly_name.c_str(),
url.c_str());
+/*
std::string cache_control;
auto get_cache_header_operation = get_unescape_header(*curl_operation, headers::CACHE_CONTROL, &cache_control);
retval = convert_to_intel_error(get_cache_header_operation);
@@ -1534,6 +1535,7 @@ static quote3_error_t get_collateral(
local_cache_add(issuer_chain_cache_name, expiry, issuer_chain.size(), issuer_chain.c_str());
}
}
+*/
}
return retval;

4
assets/extract-sig.sh
View file

@ -1,8 +1,10 @@
#!/usr/bin/env bash
#
# SPDX-License-Identifier: Apache-2.0
# Copyright (c) 2024 Matter Labs
#
# This script is used to extract the signature of a gramine docker image.
#
# Usage: ./extract-sig.sh <image-name> <tee-name> <output-file>
# Example: ./extract-sig.sh tva tee-vault-admin

4
assets/replace-sig.sh
View file

@ -1,8 +1,10 @@
#!/usr/bin/env bash
#
# SPDX-License-Identifier: Apache-2.0
# Copyright (c) 2024 Matter Labs
#
# This script is used to replace the signature of a gramine docker image with a new one.
#
# Usage: ./replace-sig.sh <image> <new-signature-file> <old-signature-file>
# Example: ./replace-sig.sh tva tee-vault-admin.sig /app/tee-vault-admin.sig

1
assets/vault-auth-tee.sha256
View file

@ -1 +0,0 @@
7e417b65b9a4fa46dfcc72feb0f0c2e5fa4391c3f6b668cb2c5ba7174b95c43b

85
bin/tee-vault-admin/Dockerfile-azure
View file

@ -1,85 +0,0 @@
FROM docker.io/ubuntu:20.04 AS azuredcap
WORKDIR /build
ADD https://github.com/microsoft/Azure-DCAP-Client/archive/refs/tags/1.12.0.tar.gz ./Azure-DCAP-Client.tar.gz
RUN tar -xvf Azure-DCAP-Client.tar.gz
COPY assets/Azure-DCAP-Client.patch ./Azure-DCAP-Client.patch
RUN set -eux; \
apt-get update; \
apt-get install -y software-properties-common; \
add-apt-repository ppa:team-xbmc/ppa -y; \
apt-get update; \
apt-get install -y \
build-essential \
cmake \
libssl-dev \
libcurl4-openssl-dev \
pkg-config \
nlohmann-json3-dev \
wget \
dos2unix \
;
WORKDIR /build/Azure-DCAP-Client-1.12.0
RUN dos2unix src/dcap_provider.cpp && patch -p1 < ../Azure-DCAP-Client.patch
WORKDIR /build/Azure-DCAP-Client-1.12.0/src/Linux
RUN ./configure && make && make install
FROM docker.io/rust:1-bullseye AS buildtee
RUN curl -fsSLo /usr/share/keyrings/intel.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \
&& echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list \
&& apt-get update \
&& apt-get install -y --no-install-recommends \
build-essential \
cmake \
rsync \
pkg-config \
libssl-dev \
libcurl4-openssl-dev \
libprotobuf-dev \
protobuf-compiler \
clang \
libsgx-headers \
libsgx-dcap-quote-verify-dev
WORKDIR /opt/vault/plugins
WORKDIR /build
RUN --mount=type=bind,target=/data rsync --exclude='/.git' --filter="dir-merge,- .gitignore" --exclude "Dockerfile-*" --exclude 'tee-vault-admin.manifest.template' -av /data/ ./
RUN --mount=type=cache,target=/usr/local/cargo/registry --mount=type=cache,target=target \
RUSTFLAGS="-C target-cpu=icelake-server --cfg mio_unsupported_force_waker_pipe" \
cargo build --locked --target x86_64-unknown-linux-gnu --release -p tee-vault-admin --bin tee-vault-admin \
&& mv ./target/x86_64-unknown-linux-gnu/release/tee-vault-admin ./
FROM docker.io/gramineproject/gramine:v1.5
RUN curl -fsSLo /usr/share/keyrings/microsoft.asc https://packages.microsoft.com/keys/microsoft.asc \
&& echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.asc] https://packages.microsoft.com/ubuntu/20.04/prod focal main" > /etc/apt/sources.list.d/msprod.list \
&& apt-get update \
&& apt purge -y libsgx-dcap-default-qpl \
&& apt-get install -y az-dcap-client
RUN apt purge -y libsgx-ae-qve
# libsgx-urts
RUN rm -rf /var/lib/apt/lists/*
# So we only have to use one gramine template
RUN touch /etc/sgx_default_qcnl.conf
WORKDIR /app
COPY --from=buildtee /build/tee-vault-admin .
COPY ./bin/tee-vault-admin/tee-vault-admin.manifest.template .
COPY vault/enclave-key.pem .
# The original Azure library is still delivering expired collateral, so we have to use a patched version
COPY --from=azuredcap /usr/local/lib/libdcap_quoteprov.so /usr/lib/
RUN gramine-manifest -Darch_libdir=/lib/x86_64-linux-gnu -Dexecdir=/usr/bin -Dlog_level=warning tee-vault-admin.manifest.template tee-vault-admin.manifest \
&& gramine-sgx-sign --manifest tee-vault-admin.manifest --output tee-vault-admin.manifest.sgx --key enclave-key.pem \
&& rm enclave-key.pem
EXPOSE 8443
ENTRYPOINT ["/bin/sh", "-c"]
CMD [ "/restart_aesm.sh ; exec gramine-sgx tee-vault-admin" ]

66
bin/tee-vault-admin/tee-vault-admin.manifest.template
View file

@ -1,66 +0,0 @@
libos.entrypoint = "/app/tee-vault-admin"
[loader]
argv = [ "/app/tee-vault-admin" ]
entrypoint = "file:{{ gramine.libos }}"
env.LD_LIBRARY_PATH = "/lib:{{ arch_libdir }}:/usr{{ arch_libdir }}:/lib"
env.HOME = "/app"
env.MALLOC_ARENA_MAX = "1"
env.AZDCAP_DEBUG_LOG_LEVEL = "ignore"
env.AZDCAP_COLLATERAL_VERSION = "v4"
### Admin Config ###
env.PORT = { passthrough = true }
### VAULT attestation ###
env.VAULT_ADDR = { passthrough = true }
env.VAULT_SGX_MRENCLAVE = { passthrough = true }
env.VAULT_SGX_MRSIGNER = { passthrough = true }
env.VAULT_SGX_ALLOWED_TCB_LEVELS = { passthrough = true }
### DEBUG ###
env.RUST_BACKTRACE = "1"
env.RUST_LOG="info,tee_vault_admin=trace,teepot=trace,vault_tee_client=trace,tee_client=trace,awc=debug"
[fs]
root.uri = "file:/"
start_dir = "/app"
mounts = [
{ path = "{{ execdir }}", uri = "file:{{ execdir }}" },
{ path = "/lib", uri = "file:{{ gramine.runtimedir() }}" },
{ path = "{{ arch_libdir }}", uri = "file:{{ arch_libdir }}" },
{ path = "/etc", uri = "file:/etc" },
{ type = "tmpfs", path = "/var/tmp" },
{ type = "tmpfs", path = "/tmp" },
{ type = "tmpfs", path = "/app/.dcap-qcnl" },
{ type = "tmpfs", path = "/app/.az-dcap-client" },
{ path = "/lib/libdcap_quoteprov.so", uri = "file:/lib/libdcap_quoteprov.so" },
]
[sgx]
trusted_files = [
"file:/etc/ld.so.cache",
"file:/app/",
"file:{{ execdir }}/",
"file:{{ arch_libdir }}/",
"file:/usr/{{ arch_libdir }}/",
"file:{{ gramine.libos }}",
"file:{{ gramine.runtimedir() }}/",
"file:/usr/lib/ssl/openssl.cnf",
"file:/etc/ssl/",
"file:/etc/sgx_default_qcnl.conf",
"file:/lib/libdcap_quoteprov.so",
]
remote_attestation = "dcap"
max_threads = 64
edmm_enable = false
## max enclave size
enclave_size = "8G"
[sys]
enable_extra_runtime_domain_names_conf = true
enable_sigterm_injection = true
# possible tweak option, if problems with mio
# currently mio is compiled with `mio_unsupported_force_waker_pipe`
# insecure__allow_eventfd = true

92
bin/tee-vault-unseal/Dockerfile-azure
View file

@ -1,92 +0,0 @@
FROM ghcr.io/matter-labs/vault-auth-tee:latest AS vault-auth-tee
FROM docker.io/ubuntu:20.04 AS azuredcap
WORKDIR /build
ADD https://github.com/microsoft/Azure-DCAP-Client/archive/refs/tags/1.12.0.tar.gz ./Azure-DCAP-Client.tar.gz
RUN tar -xvf Azure-DCAP-Client.tar.gz
COPY assets/Azure-DCAP-Client.patch ./Azure-DCAP-Client.patch
RUN set -eux; \
apt-get update; \
apt-get install -y software-properties-common; \
add-apt-repository ppa:team-xbmc/ppa -y; \
apt-get update; \
apt-get install -y \
build-essential \
cmake \
libssl-dev \
libcurl4-openssl-dev \
pkg-config \
nlohmann-json3-dev \
wget \
dos2unix \
;
WORKDIR /build/Azure-DCAP-Client-1.12.0
RUN dos2unix src/dcap_provider.cpp && patch -p1 < ../Azure-DCAP-Client.patch
WORKDIR /build/Azure-DCAP-Client-1.12.0/src/Linux
RUN ./configure && make && make install
FROM docker.io/rust:1-bullseye AS buildtee
RUN curl -fsSLo /usr/share/keyrings/intel.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \
&& echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list \
&& apt-get update \
&& apt-get install -y --no-install-recommends \
build-essential \
cmake \
rsync \
pkg-config \
libssl-dev \
libcurl4-openssl-dev \
libprotobuf-dev \
protobuf-compiler \
clang \
libsgx-headers \
libsgx-dcap-quote-verify-dev
WORKDIR /opt/vault/plugins
COPY --from=vault-auth-tee /opt/vault/plugins/vault-auth-tee ./
WORKDIR /build
RUN --mount=type=bind,target=/data rsync --exclude='/.git' --filter="dir-merge,- .gitignore" --exclude "Dockerfile-*" --exclude 'tee-vault-unseal.manifest.template' -av /data/ ./
RUN sha256sum /opt/vault/plugins/vault-auth-tee | ( read a _ ; echo -n $a ) | tee assets/vault-auth-tee.sha256
RUN --mount=type=cache,target=/usr/local/cargo/registry --mount=type=cache,target=target \
RUSTFLAGS="-C target-cpu=icelake-server --cfg mio_unsupported_force_waker_pipe" \
cargo build --locked --target x86_64-unknown-linux-gnu --release -p tee-vault-unseal --bin tee-vault-unseal \
&& mv ./target/x86_64-unknown-linux-gnu/release/tee-vault-unseal ./
FROM docker.io/gramineproject/gramine:v1.5
RUN curl -fsSLo /usr/share/keyrings/microsoft.asc https://packages.microsoft.com/keys/microsoft.asc \
&& echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.asc] https://packages.microsoft.com/ubuntu/20.04/prod focal main" > /etc/apt/sources.list.d/msprod.list \
&& apt-get update \
&& apt purge -y libsgx-dcap-default-qpl \
&& apt-get install -y az-dcap-client
RUN apt purge -y libsgx-ae-qve
# libsgx-urts
RUN rm -rf /var/lib/apt/lists/*
# So we only have to use one gramine template
RUN touch /etc/sgx_default_qcnl.conf
WORKDIR /app
COPY --from=buildtee /build/tee-vault-unseal .
COPY ./bin/tee-vault-unseal/tee-vault-unseal.manifest.template .
COPY vault/enclave-key.pem .
RUN mkdir -p /opt/vault/tls && rm -rf /opt/vault/tls/*
# The original Azure library is still delivering expired collateral, so we have to use a patched version
COPY --from=azuredcap /usr/local/lib/libdcap_quoteprov.so /usr/lib/
RUN gramine-manifest -Darch_libdir=/lib/x86_64-linux-gnu -Dexecdir=/usr/bin -Dlog_level=warning tee-vault-unseal.manifest.template tee-vault-unseal.manifest \
&& gramine-sgx-sign --manifest tee-vault-unseal.manifest --output tee-vault-unseal.manifest.sgx --key enclave-key.pem \
&& rm enclave-key.pem
VOLUME /opt/vault/tls
EXPOSE 8443
ENTRYPOINT ["/bin/sh", "-c"]
CMD [ "/restart_aesm.sh ; exec gramine-sgx tee-vault-unseal" ]

62
bin/tee-vault-unseal/tee-vault-unseal.manifest.template
View file

@ -1,62 +0,0 @@
libos.entrypoint = "/app/tee-vault-unseal"
[loader]
argv = [ "/app/tee-vault-unseal" ]
entrypoint = "file:{{ gramine.libos }}"
env.LD_LIBRARY_PATH = "/lib:{{ arch_libdir }}:/usr{{ arch_libdir }}:/lib"
env.HOME = "/app"
env.MALLOC_ARENA_MAX = "1"
env.AZDCAP_DEBUG_LOG_LEVEL = "ignore"
env.AZDCAP_COLLATERAL_VERSION = "v4"
### Required configuration ###
env.ALLOWED_TCB_LEVELS = { passthrough = true }
env.VAULT_ADDR = { passthrough = true }
### DEBUG ###
env.RUST_BACKTRACE = "1"
env.RUST_LOG="info,tee_vault_unseal=trace,teepot=trace,awc=debug"
[fs]
root.uri = "file:/"
start_dir = "/app"
mounts = [
{ path = "{{ execdir }}", uri = "file:{{ execdir }}" },
{ path = "/lib", uri = "file:{{ gramine.runtimedir() }}" },
{ path = "{{ arch_libdir }}", uri = "file:{{ arch_libdir }}" },
{ path = "/etc", uri = "file:/etc" },
{ type = "tmpfs", path = "/var/tmp" },
{ type = "tmpfs", path = "/tmp" },
{ type = "tmpfs", path = "/app/.dcap-qcnl" },
{ type = "tmpfs", path = "/app/.az-dcap-client" },
{ type = "encrypted", path = "/opt/vault/tls", uri = "file:/opt/vault/tls", key_name = "_sgx_mrsigner" },
{ path = "/lib/libdcap_quoteprov.so", uri = "file:/lib/libdcap_quoteprov.so" },
]
[sgx]
trusted_files = [
"file:/etc/ld.so.cache",
"file:/app/",
"file:{{ execdir }}/",
"file:{{ arch_libdir }}/",
"file:/usr/{{ arch_libdir }}/",
"file:{{ gramine.libos }}",
"file:{{ gramine.runtimedir() }}/",
"file:/usr/lib/ssl/openssl.cnf",
"file:/etc/ssl/",
"file:/etc/sgx_default_qcnl.conf",
"file:/lib/libdcap_quoteprov.so",
]
remote_attestation = "dcap"
max_threads = 64
edmm_enable = false
## max enclave size
enclave_size = "2G"
[sys]
enable_extra_runtime_domain_names_conf = true
enable_sigterm_injection = true
# possible tweak option, if problems with mio
# currently mio is compiled with `mio_unsupported_force_waker_pipe`
# insecure__allow_eventfd = true

20
examples/README.md
View file

@ -8,9 +8,13 @@ $ docker compose up
```
## Build and Run on client machine
```bash
$ cd teepot
$ gpg --export username@example.com | base64 > gpgkey.pub
cd teepot
gpg --export username@example.com | base64 > gpgkey.pub
export GPG_TTY="$(tty)"
gpg-connect-agent updatestartuptty /bye
RUST_LOG=info cargo run -p vault-unseal -- --sgx-mrsigner c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d --sgx-allowed-tcb-levels SwHardeningNeeded --server https://20.172.154.218:8443 init --unseal-threshold 1 -u bin/tee-vault-admin/tests/data/gpgkey.pub --admin-threshold 1 -a bin/tee-vault-admin/tests/data/gpgkey.pub --admin-tee-mrenclave 21c8c1a4dbcce04798f5119eb47203084bc74e564a3c954d1a21172c656cb801
Finished dev [unoptimized + debuginfo] target(s) in 0.09s
Running `target/debug/vault-unseal --sgx-mrsigner c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d --sgx-allowed-tcb-levels SwHardeningNeeded --server 'https://20.172.154.218:8443' init --unseal-threshold 1 -u bin/tee-vault-admin/tests/data/gpgkey.pub --admin-threshold 1 -a bin/tee-vault-admin/tests/data/gpgkey.pub --admin-tee-mrenclave 21c8c1a4dbcce04798f5119eb47203084bc74e564a3c954d1a21172c656cb801`
@ -43,14 +47,17 @@ Vault is unsealed!
```
With `teepot-admin` being the name of the image running the tee-vault-admin service, the following commands can be used
to sign the admin tee:
```bash
(id=$(docker create tva); docker cp $id:/app/tee-vault-admin.sig ~/tee-vault-admin.sig; docker rm -v $id)
cargo run -p vault-admin -- create-sign-request ~/tee-vault-admin.sig > ~/sign_admin_tee.json
(id=$(docker create teepot-admin); docker cp $id:/app/tee-vault-admin.sig ~/tee-vault-admin.sig; docker rm -v $id)
cargo run -p vault-admin -- create-sign-request --tee-name admin ~/tee-vault-admin.sig > ~/sign_admin_tee.json
vim sign_admin_tee.json
gpg --local-user test@example.com --detach-sign --armor ~/sign_admin_tee.json
RUST_LOG=info cargo run -p vault-admin -- \
sign-tee \
--sgx-mrenclave 080c3210d5b6bcf47887101a554c117c21d80e75240bb70846c3e158a713ec65 \
--sgx-mrenclave c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d \
--sgx-allowed-tcb-levels SwHardeningNeeded \
--server https://127.0.0.1:8444 \
--out new_admin.sig \
@ -217,7 +224,8 @@ Next is to sign the admin tee with the vault-admin tool:
~/tee-vault-admin.json ~/tee-vault-admin.json.asc
```
Then replace `tee-vault-admin.sig` with `tee-vault-admin-new.sig` in the container image `matterlabsrobot/teepot-tva:latest` with this Dockerfile:
Then replace `tee-vault-admin.sig` with `tee-vault-admin-new.sig` in the container
image `matterlabsrobot/teepot-tva:latest` with this Dockerfile:
```Dockerfile
FROM matterlabsrobot/teepot-tva:latest

63
examples/docker-compose.yml
View file

@ -4,29 +4,30 @@ services:
tvu-1:
build:
context: .
dockerfile: bin/tee-vault-unseal/Dockerfile-azure
dockerfile: packages/container-vault-unseal-sgx-azure/Dockerfile
image: tee-vault-unseal
restart: "no"
ports:
- 8413:8443
- 8413
environment:
PORT: "8413"
VAULT_ADDR: "https://vault-1:8210"
VAULT_SGX_MRSIGNER: "c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d"
VAULT_SGX_ALLOWED_TCB_LEVELS: "SwHardeningNeeded"
ALLOWED_TCB_LEVELS: "SwHardeningNeeded"
privileged: true
init: true
volumes:
- /run/aesmd:/run/aesmd
- /dev/sgx_enclave:/dev/sgx_enclave
- shared-1:/opt/vault/tls
vault-1:
build:
context: .
dockerfile: vault/Dockerfile
dockerfile: packages/container-vault-sgx-azure/Dockerfile
image: vault
restart: "no"
ports:
- 8210:8210
# - 8211:8211
- 8210
environment:
VAULT_API_ADDR: "https://vault-1:8210"
VAULT_CLUSTER_ADDR: "https://vault-1:8211"
@ -36,29 +37,29 @@ services:
volumes:
- /run/aesmd:/run/aesmd
- /dev/sgx_enclave:/dev/sgx_enclave
- shared-1:/opt/vault/tls
- data-1:/opt/vault/data
tvu-2:
image: tee-vault-unseal
restart: "no"
ports:
- 8423:8443
- 8423
environment:
PORT: "8423"
VAULT_ADDR: "https://vault-2:8210"
VAULT_SGX_MRSIGNER: "c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d"
VAULT_SGX_ALLOWED_TCB_LEVELS: "SwHardeningNeeded"
ALLOWED_TCB_LEVELS: "SwHardeningNeeded"
privileged: true
init: true
volumes:
- /run/aesmd:/run/aesmd
- /dev/sgx_enclave:/dev/sgx_enclave
- shared-2:/opt/vault/tls
vault-2:
image: vault
restart: "no"
ports:
- 8220:8210
# - 8221:8211
environment:
VAULT_API_ADDR: "https://vault-2:8210"
VAULT_CLUSTER_ADDR: "https://vault-2:8211"
@ -68,29 +69,29 @@ services:
volumes:
- /run/aesmd:/run/aesmd
- /dev/sgx_enclave:/dev/sgx_enclave
- shared-2:/opt/vault/tls
- data-2:/opt/vault/data
tvu-3:
image: tee-vault-unseal
restart: "no"
ports:
- 8433:8443
- 8433
environment:
PORT: "8433"
VAULT_ADDR: "https://vault-3:8210"
VAULT_SGX_MRSIGNER: "c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d"
VAULT_SGX_ALLOWED_TCB_LEVELS: "SwHardeningNeeded"
ALLOWED_TCB_LEVELS: "SwHardeningNeeded"
privileged: true
init: true
volumes:
- /run/aesmd:/run/aesmd
- /dev/sgx_enclave:/dev/sgx_enclave
- shared-3:/opt/vault/tls
vault-3:
image: vault
restart: "no"
ports:
- 8230:8210
# - 8231:8211
environment:
VAULT_API_ADDR: "https://vault-3:8210"
VAULT_CLUSTER_ADDR: "https://vault-3:8211"
@ -100,17 +101,17 @@ services:
volumes:
- /run/aesmd:/run/aesmd
- /dev/sgx_enclave:/dev/sgx_enclave
- shared-3:/opt/vault/tls
- data-3:/opt/vault/data
admin:
build:
context: .
dockerfile: bin/tee-vault-admin/Dockerfile-azure
dockerfile: packages/container-vault-admin-sgx-azure/Dockerfile
restart: "no"
ports:
- 8444:8444
environment:
PORT: "8444"
VAULT_ADDR: "https://vault-1:8210"
VAULT_SGX_MRSIGNER: "c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d"
VAULT_SGX_ALLOWED_TCB_LEVELS: "SwHardeningNeeded"
@ -121,21 +122,21 @@ services:
- /run/aesmd:/run/aesmd
- /dev/sgx_enclave:/dev/sgx_enclave
stress:
build:
context: .
dockerfile: bin/tee-stress-client/Dockerfile-azure
restart: "no"
environment:
VAULT_ADDR: "https://vault-1:8210"
VAULT_SGX_MRSIGNER: "c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d"
VAULT_SGX_ALLOWED_TCB_LEVELS: "SwHardeningNeeded"
ALLOWED_TCB_LEVELS: "SwHardeningNeeded"
privileged: true
init: true
volumes:
- /run/aesmd:/run/aesmd
- /dev/sgx_enclave:/dev/sgx_enclave
# stress:
# build:
# context: .
# dockerfile: bin/tee-stress-client/Dockerfile-azure
# restart: "no"
# environment:
# VAULT_ADDR: "https://vault-1:8210"
# VAULT_SGX_MRSIGNER: "c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d"
# VAULT_SGX_ALLOWED_TCB_LEVELS: "SwHardeningNeeded"
# ALLOWED_TCB_LEVELS: "SwHardeningNeeded"
# privileged: true
# init: true
# volumes:
# - /run/aesmd:/run/aesmd
# - /dev/sgx_enclave:/dev/sgx_enclave
volumes:
shared-1:

228
flake.lock generated
View file

@ -32,6 +32,38 @@
"type": "github"
}
},
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1650374568,
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "b4a34015c698c7793d592d66adbab377907a2be8",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_4": {
"flake": false,
"locked": {
"lastModified": 1650374568,
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "b4a34015c698c7793d592d66adbab377907a2be8",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
@ -86,6 +118,42 @@
"type": "github"
}
},
"flake-utils-plus_3": {
"inputs": {
"flake-utils": "flake-utils_4"
},
"locked": {
"lastModified": 1696331477,
"narHash": "sha256-YkbRa/1wQWdWkVJ01JvV+75KIdM37UErqKgTf0L54Fk=",
"owner": "gytis-ivaskevicius",
"repo": "flake-utils-plus",
"rev": "bfc53579db89de750b25b0c5e7af299e0c06d7d3",
"type": "github"
},
"original": {
"owner": "gytis-ivaskevicius",
"repo": "flake-utils-plus",
"type": "github"
}
},
"flake-utils-plus_4": {
"inputs": {
"flake-utils": "flake-utils_5"
},
"locked": {
"lastModified": 1696331477,
"narHash": "sha256-YkbRa/1wQWdWkVJ01JvV+75KIdM37UErqKgTf0L54Fk=",
"owner": "gytis-ivaskevicius",
"repo": "flake-utils-plus",
"rev": "bfc53579db89de750b25b0c5e7af299e0c06d7d3",
"type": "github"
},
"original": {
"owner": "gytis-ivaskevicius",
"repo": "flake-utils-plus",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_2"
@ -122,19 +190,39 @@
"type": "github"
}
},
"nix-filter": {
"flake-utils_4": {
"inputs": {
"systems": "systems_4"
},
"locked": {
"lastModified": 1705332318,
"narHash": "sha256-kcw1yFeJe9N4PjQji9ZeX47jg0p9A0DuU4djKvg1a7I=",
"lastModified": 1694529238,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"owner": "numtide",
"repo": "nix-filter",
"rev": "3449dc925982ad46246cfc36469baf66e1b64f17",
"repo": "flake-utils",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "nix-filter",
"rev": "3449dc925982ad46246cfc36469baf66e1b64f17",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_5": {
"inputs": {
"systems": "systems_5"
},
"locked": {
"lastModified": 1694529238,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
@ -175,13 +263,35 @@
"type": "github"
}
},
"nixsgx-flake_2": {
"inputs": {
"nixpkgs": [
"vault-auth-tee-flake",
"nixpkgs"
],
"snowfall-lib": "snowfall-lib_3"
},
"locked": {
"lastModified": 1707314146,
"narHash": "sha256-NcqWVXkGBautT44YcQgZdVK1Vwqop1V8nDoPEzKr0uE=",
"owner": "matter-labs",
"repo": "nixsgx",
"rev": "e3bbd5415eb845c8857dd0963febcef71866cd4a",
"type": "github"
},
"original": {
"owner": "matter-labs",
"repo": "nixsgx",
"type": "github"
}
},
"root": {
"inputs": {
"nix-filter": "nix-filter",
"nixpkgs": "nixpkgs",
"nixsgx-flake": "nixsgx-flake",
"rust-overlay": "rust-overlay",
"snowfall-lib": "snowfall-lib_2"
"snowfall-lib": "snowfall-lib_2",
"vault-auth-tee-flake": "vault-auth-tee-flake"
}
},
"rust-overlay": {
@ -252,6 +362,54 @@
"type": "github"
}
},
"snowfall-lib_3": {
"inputs": {
"flake-compat": "flake-compat_3",
"flake-utils-plus": "flake-utils-plus_3",
"nixpkgs": [
"vault-auth-tee-flake",
"nixsgx-flake",
"nixpkgs"
]
},
"locked": {
"lastModified": 1696432959,
"narHash": "sha256-oJQZv2MYyJaVyVJY5IeevzqpGvMGKu5pZcCCJvb+xjc=",
"owner": "snowfallorg",
"repo": "lib",
"rev": "92803a029b5314d4436a8d9311d8707b71d9f0b6",
"type": "github"
},
"original": {
"owner": "snowfallorg",
"repo": "lib",
"type": "github"
}
},
"snowfall-lib_4": {
"inputs": {
"flake-compat": "flake-compat_4",
"flake-utils-plus": "flake-utils-plus_4",
"nixpkgs": [
"vault-auth-tee-flake",
"nixpkgs"
]
},
"locked": {
"lastModified": 1696432959,
"narHash": "sha256-oJQZv2MYyJaVyVJY5IeevzqpGvMGKu5pZcCCJvb+xjc=",
"owner": "snowfallorg",
"repo": "lib",
"rev": "92803a029b5314d4436a8d9311d8707b71d9f0b6",
"type": "github"
},
"original": {
"owner": "snowfallorg",
"repo": "lib",
"rev": "92803a029b5314d4436a8d9311d8707b71d9f0b6",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
@ -296,6 +454,58 @@
"repo": "default",
"type": "github"
}
},
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_5": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"vault-auth-tee-flake": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"nixsgx-flake": "nixsgx-flake_2",
"snowfall-lib": "snowfall-lib_4"
},
"locked": {
"lastModified": 1708593089,
"narHash": "sha256-HtRZmjLZEcwTRLbqxRIkilLL94OZccbe22UtNInhk4Y=",
"owner": "matter-labs",
"repo": "vault-auth-tee",
"rev": "0f9a672c9925e9de6888ca4b30bc4573c52c6899",
"type": "github"
},
"original": {
"owner": "matter-labs",
"repo": "vault-auth-tee",
"type": "github"
}
}
},
"root": "root",

6
flake.nix
View file

@ -9,6 +9,11 @@
inputs.nixpkgs.follows = "nixpkgs";
};
vault-auth-tee-flake = {
url = "github:matter-labs/vault-auth-tee";
inputs.nixpkgs.follows = "nixpkgs";
};
snowfall-lib = {
url = "github:snowfallorg/lib?rev=92803a029b5314d4436a8d9311d8707b71d9f0b6";
inputs.nixpkgs.follows = "nixpkgs";
@ -29,6 +34,7 @@
overlays = with inputs; [
nixsgx-flake.overlays.default
vault-auth-tee-flake.overlays.default
rust-overlay.overlays.default
];

25
packages/container-vault-admin-sgx-azure/Dockerfile Normal file
View file

@ -0,0 +1,25 @@
# SPDX-License-Identifier: Apache-2.0
# Copyright (c) 2024 Matter Labs
FROM teepot-vault-admin-sgx-azure:base
WORKDIR /app
COPY packages/container-vault-sgx-azure/test-enclave-key.pem /tmp/
RUN set -eux; \
gramine-manifest -Darch_libdir=/lib/x86_64-linux-gnu \
-Dentrypoint=$(readlink /bin/tee-vault-admin) \
-Dexecdir=/bin \
-Dlog_level=warning \
tee-vault-admin.manifest.toml tee-vault-admin.manifest; \
gramine-sgx-sign --manifest tee-vault-admin.manifest --output tee-vault-admin.manifest.sgx --key /tmp/test-enclave-key.pem; \
rm /tmp/test-enclave-key.pem
VOLUME /opt/vault/tls
EXPOSE 8443
ENTRYPOINT ["/bin/sh", "-c"]
ENV SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt
CMD [ "echo tee-vault-admin in SGX mode starting; restart-aesmd ; exec gramine-sgx tee-vault-admin" ]

52
packages/container-vault-admin-sgx-azure/default.nix Normal file
View file

@ -0,0 +1,52 @@
# SPDX-License-Identifier: Apache-2.0
# Copyright (c) 2024 Matter Labs
{ pkgs
, vat
, nixsgx
, curl
, teepot
, bash
, coreutils
, openssl
, vault
}:
let manifest = ./tee-vault-admin.manifest.toml;
in pkgs.dockerTools.buildLayeredImage {
name = "teepot-vault-admin-sgx-azure";
tag = "base";
config.Entrypoint = [ "/bin/sh" "-c" ];
contents = pkgs.buildEnv {
name = "image-root";
paths = with pkgs.dockerTools; with nixsgx; with teepot;[
bash
coreutils
openssl
vault
azure-dcap-client
curl
teepot.teepot.tee_vault_admin
gramine
restart-aesmd
sgx-dcap.quote_verify
sgx-psw
usrBinEnv
binSh
caCertificates
fakeNss
];
pathsToLink = [ "/bin" "/lib" "/etc" "/app" ];
postBuild = ''
mkdir -p $out/{app,etc}
cp ${manifest} $out/app/tee-vault-admin.manifest.toml
mkdir -p $out/var/run
mkdir -p $out/${nixsgx.sgx-psw.out}/aesm/
touch $out/etc/sgx_default_qcnl.conf
ln -s ${curl.out}/lib/libcurl.so $out/${nixsgx.sgx-psw.out}/aesm/
ln -s ${nixsgx.azure-dcap-client.out}/lib/libdcap_quoteprov.so $out/${nixsgx.sgx-psw.out}/aesm/libdcap_quoteprov.so.1
printf "precedence ::ffff:0:0/96 100\n" > $out/etc/gai.conf
'';
};
}

71
packages/container-vault-admin-sgx-azure/tee-vault-admin.manifest.toml Normal file
View file

@ -0,0 +1,71 @@
libos.entrypoint = "{{ entrypoint }}"
[loader]
argv = ["{{ entrypoint }}"]
entrypoint = "file:{{ gramine.libos }}"
[loader.env]
### Admin Config ###
PORT = { passthrough = true }
### VAULT attestation ###
VAULT_ADDR = { passthrough = true }
VAULT_SGX_MRENCLAVE = { passthrough = true }
VAULT_SGX_MRSIGNER = { passthrough = true }
VAULT_SGX_ALLOWED_TCB_LEVELS = { passthrough = true }
### DEBUG ###
RUST_BACKTRACE = "1"
RUST_LOG = "info,tee_vault_admin=trace,teepot=trace,vault_tee_client=trace,tee_client=trace,awc=debug"
### Enclave security ###
ALLOWED_TCB_LEVELS = "SwHardeningNeeded"
### Fixed values ###
LD_LIBRARY_PATH = "/lib"
SSL_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt"
PATH = "/bin"
HOME = "/app"
MALLOC_ARENA_MAX = "1"
AZDCAP_DEBUG_LOG_LEVEL = "ignore"
AZDCAP_COLLATERAL_VERSION = "v4"
[fs]
root.uri = "file:/"
start_dir = "/app"
mounts = [
{ path = "/lib", uri = "file:{{ gramine.runtimedir() }}" },
{ path = "{{ gramine.runtimedir() }}/libdcap_quoteprov.so", uri = "file:/lib/libdcap_quoteprov.so" },
{ type = "tmpfs", path = "/var/tmp" },
{ type = "tmpfs", path = "/tmp" },
{ type = "tmpfs", path = "/app/.dcap-qcnl" },
{ type = "tmpfs", path = "/app/.az-dcap-client" },
]
[sgx]
trusted_files = [
"file:/app/",
"file:/bin/",
"file:/etc/gai.conf",
"file:/etc/sgx_default_qcnl.conf",
"file:/etc/ssl/certs/ca-bundle.crt",
"file:/lib/",
"file:/lib/libdcap_quoteprov.so",
"file:/nix/",
"file:{{ gramine.libos }}",
"file:{{ gramine.runtimedir() }}/",
]
remote_attestation = "dcap"
max_threads = 64
edmm_enable = false
## max enclave size
enclave_size = "2G"
[sys]
enable_extra_runtime_domain_names_conf = true
enable_sigterm_injection = true
# possible tweak option, if problems with mio
# currently mio is compiled with `mio_unsupported_force_waker_pipe`
# insecure__allow_eventfd = true

25
packages/container-vault-sgx-azure/Dockerfile Normal file
View file

@ -0,0 +1,25 @@
# SPDX-License-Identifier: Apache-2.0
# Copyright (c) 2024 Matter Labs
FROM teepot-vault-sgx-azure:base
WORKDIR /opt/vault
COPY packages/container-vault-sgx-azure/test-enclave-key.pem /tmp/
RUN set -eux; \
gramine-manifest \
-Dtee_ratls_preexec=$(readlink /bin/tee-ratls-preexec) \
-Dvault_exec=$(readlink /bin/vault) \
-Darch_libdir=/lib/x86_64-linux-gnu \
-Dexecdir=/bin \
-Dlog_level=warning \
vault.manifest.toml vault.manifest; \
gramine-sgx-sign --manifest vault.manifest --output vault.manifest.sgx --key /tmp/test-enclave-key.pem; \
rm /tmp/test-enclave-key.pem
VOLUME /opt/vault/tls
VOLUME /opt/vault/data
ENTRYPOINT ["/bin/sh", "-c"]
ENV SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt
CMD [ "echo vault in SGX mode starting; restart-aesmd ; exec gramine-sgx vault" ]

53
packages/container-vault-sgx-azure/default.nix Normal file
View file

@ -0,0 +1,53 @@
# SPDX-License-Identifier: Apache-2.0
# Copyright (c) 2024 Matter Labs
{ pkgs
, vat
, nixsgx
, curl
, teepot
, bash
, coreutils
, openssl
, vault
}:
let manifest = ./vault.manifest.toml;
in pkgs.dockerTools.buildLayeredImage {
name = "teepot-vault-sgx-azure";
tag = "base";
config.Entrypoint = [ "/bin/sh" "-c" ];
contents = pkgs.buildEnv {
name = "image-root";
paths = with pkgs.dockerTools; with nixsgx;[
bash
coreutils
teepot.teepot.tee_ratls_preexec
vault
azure-dcap-client
curl
vat.vault-auth-tee
gramine
restart-aesmd
sgx-dcap.quote_verify
sgx-psw
usrBinEnv
binSh
caCertificates
fakeNss
teepot.container-vault-start-config
];
pathsToLink = [ "/bin" "/lib" "/etc" "/opt/vault" ];
postBuild = ''
mkdir -p $out/var/run
mkdir -p $out/${nixsgx.sgx-psw.out}/aesm/
mkdir -p $out/opt/vault/data $out/opt/vault/.cache $out/opt/vault/tls
ln -s ${curl.out}/lib/libcurl.so $out/${nixsgx.sgx-psw.out}/aesm/
ln -s ${nixsgx.azure-dcap-client.out}/lib/libdcap_quoteprov.so $out/${nixsgx.sgx-psw.out}/aesm/libdcap_quoteprov.so.1
mkdir -p $out/opt/vault/plugins
ln -s ${vat.vault-auth-tee}/bin/vault-auth-tee $out/opt/vault/plugins
cp ${manifest} $out/opt/vault/vault.manifest.toml
'';
};
}

0
vault/enclave-key.pem → packages/container-vault-sgx-azure/test-enclave-key.pem
View file

48
vault/vault.manifest.toml → packages/container-vault-sgx-azure/vault.manifest.toml
View file

@ -1,19 +1,30 @@
libos.entrypoint = "/bin/bash"
libos.entrypoint = "{{ tee_ratls_preexec }}"
[loader]
entrypoint = "file:{{ gramine.libos }}"
argv = ["bash", "/opt/vault/start.sh"]
argv = [
"{{ tee_ratls_preexec }}",
"--",
"{{ vault_exec }}",
"server",
"-config=/opt/vault/config.hcl",
"-log-level=trace",
]
# set a log level for gramine
log_level = "{{ log_level }}"
[loader.env]
LD_LIBRARY_PATH = "/lib:{{ arch_libdir }}:/usr{{ arch_libdir }}"
LD_LIBRARY_PATH = "/lib"
SSL_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt"
PATH = "{{ execdir }}"
HOME = "/opt/vault"
VAULT_CLUSTER_ADDR.passthrough = true
VAULT_API_ADDR.passthrough = true
VAULT_RAFT_NODE_ID.passthrough = true
DNS_NAMES = "vault-1,vault-2,vault-3"
# otherwise vault will lock a lot of unused EPC memory
VAULT_RAFT_INITIAL_MMAP_SIZE = "0"
@ -22,18 +33,16 @@ VAULT_RAFT_INITIAL_MMAP_SIZE = "0"
[fs]
root.uri = "file:/"
start_dir = "/root"
start_dir = "/opt/vault"
mounts = [
{ path = "{{ execdir }}", uri = "file:{{ execdir }}" },
{ path = "/lib", uri = "file:{{ gramine.runtimedir() }}" },
{ path = "{{ arch_libdir }}", uri = "file:{{ arch_libdir }}" },
{ path = "{{ gramine.runtimedir() }}/libdcap_quoteprov.so", uri = "file:/lib/libdcap_quoteprov.so" },
{ type = "tmpfs", path = "/var/tmp" },
{ type = "tmpfs", path = "/tmp" },
{ type = "tmpfs", path = "/app/.dcap-qcnl" },
{ type = "tmpfs", path = "/app/.az-dcap-client" },
{ path = "/lib/libdcap_quoteprov.so", uri = "file:/lib/libdcap_quoteprov.so" },
{ type = "tmpfs", path = "/opt/vault/tls" },
{ type = "tmpfs", path = "/opt/vault/.dcap-qcnl" },
{ type = "tmpfs", path = "/opt/vault/.az-dcap-client" },
{ type = "encrypted", path = "/opt/vault/.cache", uri = "file:/opt/vault/.cache", key_name = "_sgx_mrsigner" },
{ type = "encrypted", path = "/opt/vault/tls", uri = "file:/opt/vault/tls", key_name = "_sgx_mrsigner" },
{ type = "encrypted", path = "/opt/vault/data", uri = "file:/opt/vault/data", key_name = "_sgx_mrsigner" },
]
@ -46,20 +55,19 @@ nonpie_binary = true
remote_attestation = "dcap"
trusted_files = [
"file:/bin/bash",
"file:/bin/",
"file:/etc/gai.conf",
"file:/etc/ssl/certs/ca-bundle.crt",
"file:/lib/",
"file:/nix/",
"file:/opt/vault/plugins/",
"file:/opt/vault/config.hcl",
"file:/opt/vault/cacert.pem",
"file:/opt/vault/cakey.pem",
"file:{{ gramine.libos }}",
"file:{{ execdir }}/",
"file:{{ gramine.runtimedir() }}/",
"file:{{ arch_libdir }}/",
"file:/usr/{{ arch_libdir }}/",
"file:/usr/lib/ssl/openssl.cnf",
"file:/etc/ssl/",
"file:/lib/libdcap_quoteprov.so",
"file:/opt/vault/",
]
#file_check_policy = "allow_all_but_log"
[sys]
stack.size = "1M"
enable_extra_runtime_domain_names_conf = true

0
vault/cacert.pem → packages/container-vault-start-config/cacert.pem
View file

0
vault/cakey.pem → packages/container-vault-start-config/cakey.pem
View file

55
packages/container-vault-start-config/config.hcl Normal file
View file

@ -0,0 +1,55 @@
# Parameter needed because of slow plugin loading
# may be relaxed for faster machines
#http_read_header_timeout = 0
#http_read_timeout = 300
disable_mlock = true
ui = false
listener "tcp" {
address = "0.0.0.0:8210"
cluster_address = "0.0.0.0:8211"
tls_disable = false
tls_cert_file = "/opt/vault/tls/tls.crt"
tls_key_file = "/opt/vault/tls/tls.key"
tls_client_ca_file = "/opt/vault/cacert.pem"
}
storage "raft" {
path = "/opt/vault/data/"
# override vial env var VAULT_RAFT_NODE_ID
node_id = "vault-1"
# Parameter needed because of slow plugin loading
# may be relaxed for faster machines
# performance_multiplier = 200
#autopilot_reconcile_interval = "120s"
#autopilot_update_interval = "60s"
retry_join {
leader_api_addr = "https://vault-1:8210"
leader_ca_cert_file = "/opt/vault/cacert.pem"
leader_client_cert_file = "/opt/vault/tls/tls.crt"
leader_client_key_file = "/opt/vault/tls/tls.key"
}
retry_join {
leader_api_addr = "https://vault-2:8210"
leader_ca_cert_file = "/opt/vault/cacert.pem"
leader_client_cert_file = "/opt/vault/tls/tls.crt"
leader_client_key_file = "/opt/vault/tls/tls.key"
}
retry_join {
leader_api_addr = "https://vault-3:8210"
leader_ca_cert_file = "/opt/vault/cacert.pem"
leader_client_cert_file = "/opt/vault/tls/tls.crt"
leader_client_key_file = "/opt/vault/tls/tls.key"
}
}
# path of plugin binaries
plugin_directory = "/opt/vault/plugins"
# override via env var VAULT_API_ADDR
api_addr = "https://vault:8210"
# override via env var VAULT_CLUSTER_ADDR
cluster_addr = "https://vault:8211"

29
packages/container-vault-start-config/default.nix Normal file
View file

@ -0,0 +1,29 @@
# SPDX-License-Identifier: Apache-2.0
# Copyright (c) 2024 Matter Labs
# TODO: This derivation is a temporary workaround for
# creating a self-signed certificate for Vault and the unseal TEE.
# It will be replaced with real RA-TLS.
{ lib
, stdenv
}:
stdenv.mkDerivation rec {
name = "container-vault-start-config";
src = with lib.fileset; toSource {
root = ./.;
fileset = unions [
./cacert.pem
./cakey.pem
./config.hcl
];
};
phases = "installPhase";
postInstall = ''
mkdir -p $out/opt/vault
cp -r $src/* $out/opt/vault
mkdir -p $out/etc
printf "precedence ::ffff:0:0/96 100\n" > $out/etc/gai.conf
'';
}

25
packages/container-vault-unseal-sgx-azure/Dockerfile Normal file
View file

@ -0,0 +1,25 @@
# SPDX-License-Identifier: Apache-2.0
# Copyright (c) 2024 Matter Labs
FROM teepot-vault-unseal-sgx-azure:base
WORKDIR /app
COPY packages/container-vault-sgx-azure/test-enclave-key.pem /tmp/
RUN set -eux; \
gramine-manifest -Darch_libdir=/lib/x86_64-linux-gnu \
-Dentrypoint=$(readlink /bin/tee-vault-unseal) \
-Dvault_auth_tee_sha=1505ffe3ef0994de63206ccce1dec6715d55e72955960cb7314e4571811c4422 \
-Dvault_auth_tee_version=0.1.0+dev \
-Dexecdir=/bin \
-Dlog_level=warning \
tee-vault-unseal.manifest.toml tee-vault-unseal.manifest; \
gramine-sgx-sign --manifest tee-vault-unseal.manifest --output tee-vault-unseal.manifest.sgx --key /tmp/test-enclave-key.pem; \
rm /tmp/test-enclave-key.pem
EXPOSE 8443
ENTRYPOINT ["/bin/sh", "-c"]
ENV SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt
CMD [ "echo tee-vault-unseal in SGX mode starting; restart-aesmd ; exec gramine-sgx tee-vault-unseal" ]

54
packages/container-vault-unseal-sgx-azure/default.nix Normal file
View file

@ -0,0 +1,54 @@
# SPDX-License-Identifier: Apache-2.0
# Copyright (c) 2024 Matter Labs
{ pkgs
, vat
, nixsgx
, curl
, teepot
, bash
, coreutils
, openssl
, vault
}:
let manifest = ./tee-vault-unseal.manifest.toml;
in pkgs.dockerTools.buildLayeredImage {
name = "teepot-vault-unseal-sgx-azure";
tag = "base";
config.Entrypoint = [ "/bin/sh" "-c" ];
contents = pkgs.buildEnv {
name = "image-root";
paths = with pkgs.dockerTools; with nixsgx; with teepot;[
bash
coreutils
openssl
vault
azure-dcap-client
curl
vat.vault-auth-tee.sha
teepot.teepot.tee_vault_unseal
gramine
restart-aesmd
sgx-dcap.quote_verify
sgx-psw
usrBinEnv
binSh
caCertificates
fakeNss
];
pathsToLink = [ "/bin" "/lib" "/etc" "/share" "/app" ];
postBuild = ''
mkdir -p $out/{app,etc}
cp ${manifest} $out/app/tee-vault-unseal.manifest.toml
mkdir -p $out/var/run
mkdir -p $out/${nixsgx.sgx-psw.out}/aesm/
touch $out/etc/sgx_default_qcnl.conf
mkdir -p $out/opt/vault/.cache $out/opt/vault/tls
ln -s ${curl.out}/lib/libcurl.so $out/${nixsgx.sgx-psw.out}/aesm/
ln -s ${nixsgx.azure-dcap-client.out}/lib/libdcap_quoteprov.so $out/${nixsgx.sgx-psw.out}/aesm/libdcap_quoteprov.so.1
printf "precedence ::ffff:0:0/96 100\n" > $out/etc/gai.conf
'';
};
}

74
packages/container-vault-unseal-sgx-azure/tee-vault-unseal.manifest.toml Normal file
View file

@ -0,0 +1,74 @@
libos.entrypoint = "{{ entrypoint }}"
[loader]
argv = ["{{ entrypoint }}"]
entrypoint = "file:{{ gramine.libos }}"
[loader.env]
### Admin Config ###
PORT = { passthrough = true }
### VAULT attestation ###
VAULT_ADDR = { passthrough = true }
VAULT_SGX_MRENCLAVE = { passthrough = true }
VAULT_SGX_MRSIGNER = { passthrough = true }
VAULT_SGX_ALLOWED_TCB_LEVELS = { passthrough = true }
### DEBUG ###
RUST_BACKTRACE = "1"
RUST_LOG = "info,tee_vault_unseal=trace,teepot=trace,vault_tee_client=trace,tee_client=trace,awc=debug"
### Enclave security ###
ALLOWED_TCB_LEVELS = "SwHardeningNeeded"
### Fixed values ###
LD_LIBRARY_PATH = "/lib"
SSL_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt"
PATH = "/bin"
HOME = "/app"
MALLOC_ARENA_MAX = "1"
AZDCAP_DEBUG_LOG_LEVEL = "ignore"
AZDCAP_COLLATERAL_VERSION = "v4"
VAULT_AUTH_TEE_SHA256 = "{{ vault_auth_tee_sha }}"
VAULT_AUTH_TEE_VERSION = "{{ vault_auth_tee_version }}"
[fs]
root.uri = "file:/"
start_dir = "/app"
mounts = [
{ path = "/lib", uri = "file:{{ gramine.runtimedir() }}" },
{ path = "{{ gramine.runtimedir() }}/libdcap_quoteprov.so", uri = "file:/lib/libdcap_quoteprov.so" },
{ type = "tmpfs", path = "/var/tmp" },
{ type = "tmpfs", path = "/tmp" },
{ type = "tmpfs", path = "/app/.dcap-qcnl" },
{ type = "tmpfs", path = "/app/.az-dcap-client" },
]
[sgx]
trusted_files = [
"file:/app/",
"file:/bin/",
"file:/etc/gai.conf",
"file:/etc/sgx_default_qcnl.conf",
"file:/etc/ssl/certs/ca-bundle.crt",
"file:/lib/",
"file:/lib/libdcap_quoteprov.so",
"file:/nix/",
"file:{{ gramine.libos }}",
"file:{{ gramine.runtimedir() }}/",
]
remote_attestation = "dcap"
max_threads = 64
edmm_enable = false
## max enclave size
enclave_size = "2G"
[sys]
enable_extra_runtime_domain_names_conf = true
enable_sigterm_injection = true
# possible tweak option, if problems with mio
# currently mio is compiled with `mio_unsupported_force_waker_pipe`
# insecure__allow_eventfd = true

31
packages/container-vault-unseal/default.nix Normal file
View file

@ -0,0 +1,31 @@
# SPDX-License-Identifier: Apache-2.0
# Copyright (c) 2024 Matter Labs
{ lib
, dockerTools
, nixsgx
, teepot
, buildEnv
, curl
, ...
}:
dockerTools.buildLayeredImage {
name = "vault-unseal";
tag = "latest";
config.Entrypoint = [ "${teepot.teepot.vault_unseal}/bin/vault-unseal" ];
contents = buildEnv {
name = "image-root";
paths = with dockerTools; with nixsgx;[
azure-dcap-client
curl
sgx-dcap.quote_verify
usrBinEnv
binSh
caCertificates
fakeNss
teepot.teepot.vault_unseal
];
pathsToLink = [ "/bin" "/lib" "/etc" ];
};
}

4
packages/container-verify-attestation/default.nix
View file

@ -1,3 +1,5 @@
# SPDX-License-Identifier: Apache-2.0
# Copyright (c) 2024 Matter Labs
{ lib
, dockerTools
, teepot
@ -5,6 +7,8 @@
}:
dockerTools.buildImage {
name = "verify-attestation";
tag = "latest";
copyToRoot = [
teepot.teepot.verify_attestation
];

5
packages/teepot/default.nix
View file

@ -1,3 +1,5 @@
# SPDX-License-Identifier: Apache-2.0
# Copyright (c) 2024 Matter Labs
{ lib
, gccStdenv
, makeRustPlatform
@ -34,7 +36,6 @@ rustPlatform.buildRustPackage {
fileset = unions [
../../Cargo.lock
../../Cargo.toml
../../assets
../../bin
../../crates
../../rust-toolchain.toml
@ -42,6 +43,7 @@ rustPlatform.buildRustPackage {
../../tests
];
};
RUSTFLAGS = "--cfg mio_unsupported_force_waker_pipe";
cargoBuildFlags = "--all";
checkType = "debug";
@ -52,6 +54,7 @@ rustPlatform.buildRustPackage {
outputs = [
"out"
"tee_key_preexec"
"tee_ratls_preexec"
"tee_self_attestation_test"
"tee_stress_client"
"tee_vault_admin"

15
shells/teepot/default.nix
View file

@ -1,7 +1,16 @@
# SPDX-License-Identifier: Apache-2.0
# Copyright (c) 2024 Matter Labs
{ lib
, pkgs
, mkShell
, teepot
, dive
, taplo
, ...
}:
pkgs.mkShell {
inputsFrom = [ pkgs.teepot.teepot ];
mkShell {
inputsFrom = [ teepot.teepot ];
packages = [
dive
taplo
];
}

2
taplo.toml
View file

@ -1,3 +1,5 @@
exclude = [".direnv/**/*", "target/**/*", "vendor/**/*"]
[formatting]
reorder_keys = false
inline_table_expand = false

53
vault/Dockerfile
View file

@ -1,53 +0,0 @@
FROM docker.io/ubuntu:focal
RUN set -eux; \
apt-get update; \
apt-get install -y curl gpg;
RUN set -eux; \
curl -fsSLo /usr/share/keyrings/gramine-keyring.gpg https://packages.gramineproject.io/gramine-keyring.gpg; \
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/gramine-keyring.gpg] https://packages.gramineproject.io/ focal main" > /etc/apt/sources.list.d/gramine.list
RUN set -eux; \
curl -fsSLo /usr/share/keyrings/intel-sgx-deb.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key; \
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx-deb.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list
RUN set -eux; \
curl -fsSLo /usr/share/keyrings/microsoft.asc https://packages.microsoft.com/keys/microsoft.asc; \
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.asc] https://packages.microsoft.com/ubuntu/20.04/prod focal main" > /etc/apt/sources.list.d/msprod.list
# Install gramine
RUN set -eux; \
apt-get update; \
DEBIAN_FRONTEND=noninteractive apt-get install -y gramine \
libsgx-urts \
libsgx-enclave-common \
libsgx-dcap-quote-verify \
az-dcap-client \
psmisc \
;
RUN set -eux; \
curl -s -o - https://apt.releases.hashicorp.com/gpg | gpg --dearmor > /usr/share/keyrings/hashicorp-archive-keyring.gpg; \
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com focal main" > /etc/apt/sources.list.d/hashicorp.list; \
apt-get update; \
apt-get install -y --no-install-recommends vault libcap2-bin;
RUN rm -rf /var/lib/apt/lists/*
WORKDIR /opt/vault
COPY vault/vault.manifest.toml vault/config.hcl vault/vault-csr.conf vault/cakey.pem vault/cacert.pem vault/start.sh ./
RUN mkdir -p /opt/vault/data /opt/vault/.cache /opt/vault/tls && rm -rf /opt/vault/tls/*
COPY vault/enclave-key.pem /tmp/
RUN set -eux; \
find / -xdev -print0 | xargs -0 touch -r /usr/bin/vault || : ; \
gramine-manifest -Darch_libdir=/lib/x86_64-linux-gnu -Dexecdir=/usr/bin -Dlog_level=warning vault.manifest.toml vault.manifest; \
gramine-sgx-sign --manifest vault.manifest --output vault.manifest.sgx --key /tmp/enclave-key.pem; \
rm /tmp/enclave-key.pem
VOLUME /opt/vault/tls
VOLUME /opt/vault/data
ENTRYPOINT ["/bin/sh", "-c"]
CMD [ "/restart_aesm.sh ; exec gramine-sgx vault" ]

55
vault/config.hcl
View file

@ -1,55 +0,0 @@
# Parameter needed because of slow plugin loading
# may be relaxed for faster machines
#http_read_header_timeout = 0
#http_read_timeout = 300
disable_mlock = true
ui = false
listener "tcp" {
address = "0.0.0.0:8210"
cluster_address = "0.0.0.0:8211"
tls_disable = false
tls_cert_file = "/opt/vault/tls/tls.crt"
tls_key_file = "/opt/vault/tls/tls.key"
tls_client_ca_file = "/opt/vault/cacert.pem"
}
storage "raft" {
path = "/opt/vault/data/"
# override vial env var VAULT_RAFT_NODE_ID
node_id = "vault-1"
# Parameter needed because of slow plugin loading
# may be relaxed for faster machines
performance_multiplier = 200
#autopilot_reconcile_interval = "120s"
#autopilot_update_interval = "60s"
retry_join {
leader_api_addr = "https://vault-1:8210"
leader_ca_cert_file = "/opt/vault/cacert.pem"
leader_client_cert_file = "/opt/vault/tls/tls.crt"
leader_client_key_file = "/opt/vault/tls/tls.key"
}
retry_join {
leader_api_addr = "https://vault-2:8210"
leader_ca_cert_file = "/opt/vault/cacert.pem"
leader_client_cert_file = "/opt/vault/tls/tls.crt"
leader_client_key_file = "/opt/vault/tls/tls.key"
}
retry_join {
leader_api_addr = "https://vault-3:8210"
leader_ca_cert_file = "/opt/vault/cacert.pem"
leader_client_cert_file = "/opt/vault/tls/tls.crt"
leader_client_key_file = "/opt/vault/tls/tls.key"
}
}
# path of plugin binaries
plugin_directory = "/opt/vault/plugins"
# override via env var VAULT_API_ADDR
api_addr = "https://vault:8210"
# override via env var VAULT_CLUSTER_ADDR
cluster_addr = "https://vault:8211"

17
vault/start.sh
View file

@ -1,17 +0,0 @@
#!/bin/bash
set -e
if [ ! -f /opt/vault/tls/tls.ok ]; then
# Generate the TLS certificates
cd /opt/vault/tls
cp ../cacert.pem ../cakey.pem ../vault-csr.conf .
openssl req -new -newkey rsa:4096 -keyout tls.key -out vault.csr \
-config vault-csr.conf -extensions v3_req
openssl x509 -req -in vault.csr -days 365 -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
-out tls_single.crt -extensions v3_req -extfile vault-csr.conf
cat tls_single.crt cacert.pem >> tls.crt
echo ok > tls.ok
fi
cd /opt/vault
# Start the vault server
exec vault server -config=/opt/vault/config.hcl -log-level=trace

21
vault/vault-csr.conf
View file

@ -1,21 +0,0 @@
[req]
default_bits = 4096
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = kubelet_serving
req_extensions = v3_req
x509_extensions = v3_req
[ kubelet_serving ]
O = system:nodes
CN = system:node
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = 127.0.0.1
DNS.1 = vault-1
DNS.2 = vault-2
DNS.3 = vault-3