chore(deps): update crates and nix flakes

- Updated multiple Rust dependencies, including `opentelemetry`, `const-oid`, and `webpki-roots` for enhanced features and bug fixes.
- Upgraded `nixpkgs` and `crane` in the nix flake configuration.
- Removed unused dependencies and introduced missing dependencies for improved build integrity.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
This commit is contained in:
Harald Hoyer 2025-05-30 14:35:17 +02:00
parent 37e7f7f8e2
commit 716c782e6f
Signed by: harald
GPG key ID: F519A1143B3FBE32
16 changed files with 947 additions and 792 deletions


@ -16,8 +16,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- uses: cachix/install-nix-action@v30
- uses: cachix/install-nix-action@v31
with:
install_url: https://releases.nixos.org/nix/nix-2.28.3/install
extra_nix_config: |
access-tokens = github.com=${{ github.token }}
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= tee-pot:SS6HcrpG87S1M6HZGPsfo7d1xJccCGev7/tXc5+I4jg=
@ -37,8 +38,9 @@ jobs:
runs-on: [matterlabs-default-infra-runners]
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- uses: cachix/install-nix-action@v30
- uses: cachix/install-nix-action@v31
with:
install_url: https://releases.nixos.org/nix/nix-2.28.3/install
extra_nix_config: |
access-tokens = github.com=${{ github.token }}
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= tee-pot:SS6HcrpG87S1M6HZGPsfo7d1xJccCGev7/tXc5+I4jg=
@ -76,8 +78,9 @@ jobs:
- { nixpackage: 'container-tdx-test' }
steps:
- uses: actions/checkout@v4
- uses: cachix/install-nix-action@v30
- uses: cachix/install-nix-action@v31
with:
install_url: https://releases.nixos.org/nix/nix-2.28.3/install
extra_nix_config: |
access-tokens = github.com=${{ github.token }}
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= tee-pot:SS6HcrpG87S1M6HZGPsfo7d1xJccCGev7/tXc5+I4jg=
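Review bot: `cachix/install-nix-action@v31` in the `uses:` lines of all three jobs is still pinned to a mutable tag, whereas `actions/checkout` in the first two jobs is pinned to a full commit SHA with the version in a trailing comment. This action installs the Nix binary and is handed `${{ github.token }}` through `access-tokens`, so a moved or compromised tag changes the code that runs with that token; pin it the same way, `- uses: cachix/install-nix-action@<commit-sha> # v31`, and bring the third job's `actions/checkout@v4` in line with the other two while here. The explicit `install_url` for nix-2.28.3 is a good addition because it decouples the Nix version from the action's default, but it does not pin the action itself.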

1615
Cargo.lock generated



@ -27,7 +27,7 @@ bytemuck = { version = "1.15.0", features = ["derive", "min_const_generics", "ex
bytes = "1"
clap = { version = "4.5", features = ["std", "derive", "env", "error-context", "help", "usage", "wrap_help"], default-features = false }
config = { version = "0.15.8", default-features = false, features = ["yaml", "json", "toml", "async"] }
const-oid = { version = "0.9", default-features = false }
const-oid = { version = "0.9.6", default-features = false }
enumset = { version = "1.1", features = ["serde"] }
getrandom = { version = "0.3.1", features = ["std"] }
gpt = "4.0.0"
@ -35,19 +35,19 @@ hex = { version = "0.4.3", features = ["std"], default-features = false }
intel-dcap-api = { path = "crates/intel-dcap-api" }
num-integer = "0.1.46"
num-traits = "0.2.18"
opentelemetry = { version = "0.28.0", features = ["default", "logs"] }
opentelemetry-appender-tracing = { version = "0.28.1", features = ["experimental_metadata_attributes", "log"] }
opentelemetry-otlp = { version = "0.28.0", features = ["grpc-tonic", "logs"] }
opentelemetry-semantic-conventions = { version = "0.28.0", features = ["semconv_experimental"] }
opentelemetry_sdk = { version = "0.28.0", features = ["tokio", "rt-tokio"] }
opentelemetry = { version = "0.30", features = ["default", "logs"] }
opentelemetry-appender-tracing = { version = "0.30", features = ["experimental_metadata_attributes", "log"] }
opentelemetry-otlp = { version = "0.30", features = ["grpc-tonic", "logs"] }
opentelemetry-semantic-conventions = { version = "0.30", features = ["semconv_experimental"] }
opentelemetry_sdk = { version = "0.30", features = ["tokio", "rt-tokio"] }
p256 = "0.13.2"
pe-sign = "0.1.10"
pgp = "0.15"
pgp = { version = "0.16", default-features = false }
pkcs8 = { version = "0.10" }
reqwest = { version = "0.12", features = ["json"] }
rsa = { version = "0.9.6", features = ["sha2", "pem"] }
rustls = { version = "0.23.20", default-features = false, features = ["std", "logging", "tls12", "ring"] }
secp256k1 = { version = "0.30", features = ["rand", "global-context"] }
secp256k1 = { version = "0.31", features = ["rand", "global-context"] }
serde = { version = "1", features = ["derive", "rc"] }
serde_json = "1"
serde_with = { version = "3.8", features = ["base64", "hex"] }
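Review bot: `pgp = { version = "0.16", default-features = false }` turns off the crate's default features on the same line as the major bump, which is a behavioural change rather than a version bump, and the manifest does not say which features the signature-verification code still needs. I cannot tell from here what pgp 0.16's default features gate, so confirm that key parsing and signature verification in the two files that now import `pgp::composed` still pass under the trimmed feature set (the `sign_check` tests that load `TEST_DATA` are the natural check). If any feature is required, list it explicitly in a `features = [...]` array so the dependency is self-describing, as the `rsa` and `rustls` lines in this hunk already do.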


@ -7,7 +7,7 @@ use pesign::PE;
use sha2::{Digest, Sha384};
use std::{
fmt::{Display, Formatter},
io::{Error, ErrorKind, Read, Seek, SeekFrom},
io::{Error, Read, Seek, SeekFrom},
path::PathBuf,
};
use teepot::{
@ -125,7 +125,7 @@ fn main() -> Result<()> {
let pstart = header
.part_start
.checked_mul(lb_size.as_u64())
.ok_or_else(|| Error::new(ErrorKind::Other, "partition overflow - start offset"))?;
.ok_or_else(|| Error::other("partition overflow - start offset"))?;
let _ = device.seek(SeekFrom::Start(pstart))?;
assert_eq!(header.part_size, 128);


@ -27,10 +27,9 @@ fn main_with_error() -> Result<()> {
use anyhow::Context;
use secp256k1::{rand, Secp256k1};
use std::{os::unix::process::CommandExt, process::Command};
use teepot::tdx::rtmr::TdxRtmrEvent;
use teepot::{
ethereum::public_key_to_ethereum_address, prover::reportdata::ReportDataV1,
quote::get_quote,
quote::get_quote, tdx::rtmr::TdxRtmrEvent,
};
use tracing_log::LogTracer;
use tracing_subscriber::{fmt, prelude::*, EnvFilter, Registry};
@ -45,7 +44,7 @@ fn main_with_error() -> Result<()> {
tracing::subscriber::set_global_default(subscriber).context("Failed to set logger")?;
let args = Args::parse();
let mut rng = rand::thread_rng();
let mut rng = rand::rng();
let secp = Secp256k1::new();
let (signing_key, verifying_key) = secp.generate_keypair(&mut rng);
let ethereum_address = public_key_to_ethereum_address(&verifying_key);


@ -12,7 +12,7 @@ bytes.workspace = true
clap.workspace = true
enumset.workspace = true
hex.workspace = true
jsonrpsee-types = "0.24"
jsonrpsee-types = "0.25.1"
reqwest.workspace = true
secp256k1.workspace = true
serde.workspace = true


@ -59,7 +59,7 @@ impl SignatureVerifier {
let signature = Signature::from_compact(signature)
.map_err(|e| error::Error::signature_verification(e.to_string()))?;
let root_hash_msg = Message::from_digest(root_hash.0);
Ok(signature.verify(&root_hash_msg, &report.pubkey).is_ok())
Ok(signature.verify(root_hash_msg, &report.pubkey).is_ok())
}
/// Verify a V1 report
@ -139,7 +139,7 @@ impl SignatureVerifier {
continue;
};
let Ok(public) = SECP256K1.recover_ecdsa(message, &rec_sig) else {
let Ok(public) = SECP256K1.recover_ecdsa(*message, &rec_sig) else {
continue;
};


@ -11,8 +11,7 @@ use crate::{
};
use percent_encoding::percent_decode_str;
use reqwest::{RequestBuilder, Response, StatusCode};
use std::io;
use std::time::Duration;
use std::{io, time::Duration};
use tokio::time::sleep;
impl ApiClient {
@ -154,8 +153,7 @@ impl ApiClient {
resource_description: &str,
) -> Result<(), IntelApiError> {
let builder_clone = request_builder.try_clone().ok_or_else(|| {
IntelApiError::Io(io::Error::new(
io::ErrorKind::Other,
IntelApiError::Io(io::Error::other(
"Failed to clone request builder for status check",
))
})?;
@ -241,8 +239,7 @@ impl ApiClient {
loop {
// Clone the request builder for retry attempts
let builder = request_builder.try_clone().ok_or_else(|| {
IntelApiError::Io(io::Error::new(
io::ErrorKind::Other,
IntelApiError::Io(io::Error::other(
"Failed to clone request builder for retry",
))
})?;


@ -26,7 +26,7 @@ sha2.workspace = true
teepot.workspace = true
thiserror.workspace = true
tracing.workspace = true
webpki-roots = "0.26.1"
webpki-roots = "1.0.0"
x509-cert.workspace = true
[dev-dependencies]


@ -3,7 +3,10 @@
use anyhow::{anyhow, bail, Context, Result};
use clap::{Args, Parser, Subcommand};
use pgp::{types::PublicKeyTrait, Deserializable, SignedPublicKey};
use pgp::{
composed::{Deserializable, SignedPublicKey},
types::KeyDetails,
};
use serde_json::Value;
use std::{
default::Default,


@ -1,14 +1,18 @@
// SPDX-License-Identifier: Apache-2.0
// Copyright (c) 2023-2024 Matter Labs
// Copyright (c) 2023-2025 Matter Labs
//! Signature checking utilities
use crate::json::secrets::AdminConfig;
use crate::server::{HttpResponseError, Status as _};
use crate::{
json::secrets::AdminConfig,
server::{HttpResponseError, Status as _},
};
use actix_web::http::StatusCode;
use anyhow::{anyhow, bail, Context, Result};
use pgp::types::PublicKeyTrait;
use pgp::{Deserializable, SignedPublicKey, StandaloneSignature};
use pgp::{
composed::{Deserializable, SignedPublicKey, StandaloneSignature},
types::PublicKeyTrait,
};
use tracing::debug;
/// Verify a pgp signature for some message given some public keys
@ -91,7 +95,7 @@ impl VerifySig for AdminConfig {
mod tests {
use super::verify_sig;
use base64::{engine::general_purpose, Engine as _};
use pgp::{Deserializable, SignedPublicKey};
use pgp::composed::{Deserializable, SignedPublicKey};
const TEST_DATA: &str = include_str!("../../tests/data/test.json");


@ -17,7 +17,7 @@ pub fn recover_signer(sig: &[u8; 65], root_hash: &Message) -> Result<[u8; 20]> {
&sig[0..64],
RecoveryId::try_from(i32::from(sig[64]) - 27)?,
)?;
let public = SECP256K1.recover_ecdsa(root_hash, &sig)?;
let public = SECP256K1.recover_ecdsa(*root_hash, &sig)?;
Ok(public_key_to_ethereum_address(&public))
}
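Review bot: `recover_signer` now writes `*root_hash` to satisfy `recover_ecdsa`, which takes `Message` by value in the new secp256k1 API (the deref compiles only because `Message` is `Copy`), while `sign_message` in the same file's tests already takes `message: Message` by value; taking `root_hash: Message` in `recover_signer` too would drop the deref and make the two signatures consistent. `recover_signer` is `pub`, so that is a crate API change and every caller must move with it; keeping the deref is acceptable if that churn is not wanted now. The same `*message` deref appears in `SignatureVerifier` in the report-verification hunk, where the binding's origin lies outside the hunk, so the same trade-off applies there only if that value is owned rather than borrowed from an iterator.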
@ -42,7 +42,7 @@ mod tests {
/// Signs the message in Ethereum-compatible format for on-chain verification.
fn sign_message(sec: &SecretKey, message: Message) -> Result<[u8; 65]> {
let s = SECP256K1.sign_ecdsa_recoverable(&message, sec);
let s = SECP256K1.sign_ecdsa_recoverable(message, sec);
let (rec_id, data) = s.serialize_compact();
let mut signature = [0u8; 65];


@ -33,6 +33,7 @@ allow = [
"OpenSSL",
"CC0-1.0",
"Zlib",
"CDLA-Permissive-2.0",
]
confidence-threshold = 0.8
exceptions = []
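Review bot: the new `"CDLA-Permissive-2.0"` entry in `allow` widens the license policy without recording which dependency needs it; neither the list nor the commit message names the crate. A short trailing comment, `"CDLA-Permissive-2.0", # required by <crate name> as of <version>`, lets the next audit confirm the allowance is still needed and drop it when that crate goes away. The `webpki-roots` bump to 1.0.0 in this commit is presumably the trigger, but verify that against the `cargo deny check licenses` output before writing the name down.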

37
flake.lock generated

@ -2,16 +2,16 @@
"nodes": {
"crane": {
"locked": {
"lastModified": 1731974531,
"narHash": "sha256-z7hiGBWsbWwSnu5UMmYyfHEehlSmfB8sCA8iH4nmxm8=",
"lastModified": 1745454774,
"narHash": "sha256-oLvmxOnsEKGtwczxp/CwhrfmQUG2ym24OMWowcoRhH8=",
"owner": "ipetkov",
"repo": "crane",
"rev": "8ff9c457d60951bdd37a05ae903423de7ff55c6e",
"rev": "efd36682371678e2b6da3f108fdb5c613b3ec598",
"type": "github"
},
"original": {
"owner": "ipetkov",
"ref": "8ff9c457d60951bdd37a05ae903423de7ff55c6e",
"ref": "efd36682371678e2b6da3f108fdb5c613b3ec598",
"repo": "crane",
"type": "github"
}
@ -156,6 +156,22 @@
"type": "github"
}
},
"nixpkgs-25-05": {
"locked": {
"lastModified": 1748437600,
"narHash": "sha256-hYKMs3ilp09anGO7xzfGs3JqEgUqFMnZ8GMAqI6/k04=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "7282cb574e0607e65224d33be8241eae7cfe0979",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-25.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1717281328,
@ -217,6 +233,7 @@
"nixsgx-flake",
"nixpkgs"
],
"nixpkgs-25-05": "nixpkgs-25-05",
"nixsgx-flake": "nixsgx-flake",
"rust-overlay": "rust-overlay",
"snowfall-lib": [
@ -234,11 +251,11 @@
]
},
"locked": {
"lastModified": 1743993291,
"narHash": "sha256-u8GHvduU1gCtoFXvTS/wGjH1ouv5S/GRGq6MAT+sG/k=",
"lastModified": 1748572605,
"narHash": "sha256-k0nhPtkVDQkVJckRw6fGIeeDBktJf1BH0i8T48o7zkk=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "0cb3c8979c65dc6a5812dfe67499a8c7b8b4325b",
"rev": "405ef13a5b80a0a4d4fc87c83554423d80e5f929",
"type": "github"
},
"original": {
@ -350,11 +367,11 @@
"nixsgx-flake": "nixsgx-flake_2"
},
"locked": {
"lastModified": 1719832445,
"narHash": "sha256-Dnueq3A1sf8zT+bY6CcuaxPvX4AK7B6Sveqb8YfoY8o=",
"lastModified": 1747897304,
"narHash": "sha256-8O9ry5FaD1fkRqvHV5hPtsg5G+Z0RX6MRkazn5bmK50=",
"owner": "matter-labs",
"repo": "vault-auth-tee",
"rev": "2b53a4387fc8ecfb7826acd93d4895e7e810677d",
"rev": "dc802364964d9fe01b2e164e3fb3005bcdf91272",
"type": "github"
},
"original": {


@ -7,6 +7,7 @@
};
inputs = {
nixpkgs-25-05.url = "github:nixos/nixpkgs/nixos-25.05";
nixsgx-flake.url = "github:matter-labs/nixsgx";
nixpkgs.follows = "nixsgx-flake/nixpkgs";
snowfall-lib.follows = "nixsgx-flake/snowfall-lib";
@ -21,7 +22,7 @@
inputs.nixpkgs.follows = "nixsgx-flake/nixpkgs";
};
crane.url = "github:ipetkov/crane?ref=8ff9c457d60951bdd37a05ae903423de7ff55c6e"; # v0.19.3
crane.url = "github:ipetkov/crane?ref=efd36682371678e2b6da3f108fdb5c613b3ec598"; # v0.20.3
};
outputs = inputs:
@ -39,6 +40,11 @@
nixsgx-flake.overlays.default
vault-auth-tee-flake.overlays.default
rust-overlay.overlays.default
(next: prev: {
# need recent cargo-deny understanding the 2024 edition
inherit (inputs.nixpkgs-25-05.legacyPackages.${prev.system})
cargo-deny;
})
];
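Review bot: the overlay comment `# need recent cargo-deny understanding the 2024 edition` says why the override exists but not that `nixpkgs-25-05` is used for nothing else, so a later reader cannot tell when the extra input can be dropped. Suggest extending it to `# cargo-deny from nixpkgs-25-05 only: the main nixpkgs (followed from nixsgx-flake) ships one that does not understand edition 2024; drop this input once that catches up`. Note also that `nixpkgs-25-05.url` tracks the branch ref `nixos-25.05` and is pinned only through flake.lock, unlike `crane`, which pins a commit in the url itself with the version in a comment; that is fine as long as `nix flake update` is expected to move it.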
alias = {


@ -1,3 +1,3 @@
[toolchain]
channel = "1.86"
channel = "1.87"
components = ["rustfmt", "clippy", "rust-src"]