From ee7c4ee17790712db5f741ce16b39b8978bb52ff Mon Sep 17 00:00:00 2001 From: Harald Hoyer Date: Mon, 11 Mar 2024 12:34:32 +0100 Subject: [PATCH 1/2] feat: add `fmt` nix package ```shell $ nix run .#fmt ``` does all the automatic formatting the CI checks for. Signed-off-by: Harald Hoyer --- packages/fmt/default.nix | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 packages/fmt/default.nix diff --git a/packages/fmt/default.nix b/packages/fmt/default.nix new file mode 100644 index 0000000..8c05df1 --- /dev/null +++ b/packages/fmt/default.nix @@ -0,0 +1,28 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) 2024 Matter Labs +{ lib +, pkgs +, teepot +, ... +}: +pkgs.writeShellApplication { + name = "fmt-teepot"; + + runtimeInputs = with pkgs; + [ nixpkgs-fmt coreutils taplo ] + ++ teepot.teepot.nativeBuildInputs; + + text = '' + # .nix + echo "* Formatting nix files" + nixpkgs-fmt . + + # .toml + echo "* Formatting toml files" + taplo fmt + + # .rs + echo "* Formatting rust files" + cargo fmt + ''; +} From 9dc5d8aab420f38780d8eee8e62af8be3adce034 Mon Sep 17 00:00:00 2001 From: Harald Hoyer Date: Mon, 11 Mar 2024 12:35:14 +0100 Subject: [PATCH 2/2] docs: update README.md Signed-off-by: Harald Hoyer --- README.md | 85 ++++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 81 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 69688cc..6aad956 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,11 @@ # teepot + Key Value store in a TEE with Remote Attestation for Authentication ## Introduction -This project is a key-value store that runs in a Trusted Execution Environment (TEE) and uses Remote Attestation for Authentication. +This project is a key-value store that runs in a Trusted Execution Environment (TEE) and uses Remote Attestation for +Authentication. The key-value store is implemented using Hashicorp Vault running in an Intel SGX enclave via the Gramine runtime. ## Parts of this project 
@@ -13,7 +15,82 @@ The key-value store is implemented using Hashicorp Vault running in an Intel SGX - `vault-unseal`: A client utility, that talks to `tee-vault-unseal` to unseal a vault. - `tee-vault-admin`: An enclave that uses the Vault API to administer a vault as a proxy. - `vault-admin`: A client utility, that talks to `tee-vault-admin` to administer a vault. -- `teepot-read` : A pre-exec utility that reads from the key-value store and passes the key-value pairs as environment variables to the enclave. -- `teepot-write` : A pre-exec utility that reads key-values from the environment variables and writes them to the key-value store. +- `teepot-read` : A pre-exec utility that reads from the key-value store and passes the key-value pairs as environment + variables to the enclave. +- `teepot-write` : A pre-exec utility that reads key-values from the environment variables and writes them to the + key-value store. - `verify-attestation`: A client utility that verifies the attestation of an enclave. -- `tee-key-preexec`: A pre-exec utility that generates a p256 secret key and passes it as an environment variable to the enclave along with the attestation quote containing the hash of the public key. +- `tee-key-preexec`: A pre-exec utility that generates a p256 secret key and passes it as an environment variable to the + enclave along with the attestation quote containing the hash of the public key. + +## Development + +### Prerequisites + +Install [nix](https://zero-to-nix.com/start/install). 
+ +In `~/.config/nix/nix.conf` + +```ini +experimental-features = nix-command flakes +``` + +or on nixos in `/etc/nixos/configuration.nix` add the following lines: + +```nix +{ + nix = { + extraOptions = '' + experimental-features = nix-command flakes + ''; + }; +} +``` + +Optionally install cachix (to save build time) and use the nixsgx cache: + +```shell +$ nix-env -iA cachix -f https://cachix.org/api/v1/install +$ cachix use nixsgx +``` + +### Develop + +```shell +$ nix develop --impure +``` + +optionally create `.envrc` for `direnv` to automatically load the environment when entering the directory: + +```shell +$ cat < .envrc +use flake .#teepot +EOF +$ direnv allow +``` + +### Format for commit + +```shell +$ nix run .#fmt +``` + +### Build as the CI would + +```shell +$ nix run nixpgks#ci +``` + +### Build and test individual container + +See the `packages` directory for the available packages. + +```shell +$ nix build -L .#container-vault-sgx-azure +$ docker load -i result +$ docker build --progress plain --no-cache -f packages/container-vault-sgx-azure/Dockerfile -t vault-sgx-azure:latest . +[...] +#8 5.966 Measurement: +#8 5.966 96602d8ae60673b3c44b6198b4b5f728480b1f00e9d48e7d3979cf1cf075bb5d +[...] +```
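Review bot: in the `packages/fmt/default.nix` hunk, all three formatter invocations in `text` (`nixpkgs-fmt .`, `taplo fmt`, `cargo fmt`) act on the current working directory, so `nix run .#fmt` only formats the whole tree when it is started from the checkout root; either prepend `cd "$(git rev-parse --show-toplevel)"` to the script (and add `git` to `runtimeInputs`) or state the requirement in the commit message and README. It is also worth confirming that `teepot.teepot.nativeBuildInputs` actually carries `rustfmt` and not only `cargo`, since `cargo fmt` fails without it and nothing in the hunk pulls it in explicitly.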
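Review bot: in the first `README.md` hunk the new tagline reads "Key Value store" while the introduction directly below it says "key-value store"; use the hyphenated form in both places for consistency.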
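Review bot: in the second `README.md` hunk, the "Build as the CI would" section runs `nix run nixpgks#ci`, which has a typo (`nixpgks`) and, unlike `nix run .#fmt` in the section right above it, points at an external flake rather than this repository; if the `ci` package lives in this flake it should read `nix run .#ci`. The `direnv` snippet is also broken as shown: `$ cat < .envrc` redirects stdin from a file that does not exist yet and leaves `use flake .#teepot` and `EOF` to be executed as separate commands; it should be a heredoc, `cat <<EOF > .envrc`. Finally, the container build transcript ends with a concrete `Measurement:` value; since that value changes with every rebuild of the enclave, add a sentence saying it is sample output and not the reference measurement a verifier should compare against, so readers do not copy it into an attestation policy.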