chore(deps): update crates and nix flakes

- Updated multiple Rust dependencies, including `opentelemetry`, `const-oid`, and `webpki-roots` for enhanced features and bug fixes.
- Upgraded `nixpkgs` and `crane` in the nix flake configuration.
- Removed unused dependencies and introduced missing dependencies for improved build integrity.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
Harald Hoyer 2025-05-30 14:35:17 +02:00
parent 37e7f7f8e2
commit 716c782e6f
Signed by: harald
GPG key ID: F519A1143B3FBE32
16 changed files with 947 additions and 792 deletions


@ -16,8 +16,9 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- uses: cachix/install-nix-action@v30 - uses: cachix/install-nix-action@v31
with: with:
install_url: https://releases.nixos.org/nix/nix-2.28.3/install
extra_nix_config: | extra_nix_config: |
access-tokens = github.com=${{ github.token }} access-tokens = github.com=${{ github.token }}
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= tee-pot:SS6HcrpG87S1M6HZGPsfo7d1xJccCGev7/tXc5+I4jg= trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= tee-pot:SS6HcrpG87S1M6HZGPsfo7d1xJccCGev7/tXc5+I4jg=
@ -37,8 +38,9 @@ jobs:
runs-on: [matterlabs-default-infra-runners] runs-on: [matterlabs-default-infra-runners]
steps: steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- uses: cachix/install-nix-action@v30 - uses: cachix/install-nix-action@v31
with: with:
install_url: https://releases.nixos.org/nix/nix-2.28.3/install
extra_nix_config: | extra_nix_config: |
access-tokens = github.com=${{ github.token }} access-tokens = github.com=${{ github.token }}
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= tee-pot:SS6HcrpG87S1M6HZGPsfo7d1xJccCGev7/tXc5+I4jg= trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= tee-pot:SS6HcrpG87S1M6HZGPsfo7d1xJccCGev7/tXc5+I4jg=
@ -76,8 +78,9 @@ jobs:
- { nixpackage: 'container-tdx-test' } - { nixpackage: 'container-tdx-test' }
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: cachix/install-nix-action@v30 - uses: cachix/install-nix-action@v31
with: with:
install_url: https://releases.nixos.org/nix/nix-2.28.3/install
extra_nix_config: | extra_nix_config: |
access-tokens = github.com=${{ github.token }} access-tokens = github.com=${{ github.token }}
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= tee-pot:SS6HcrpG87S1M6HZGPsfo7d1xJccCGev7/tXc5+I4jg= trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= tee-pot:SS6HcrpG87S1M6HZGPsfo7d1xJccCGev7/tXc5+I4jg=
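Review bot: `- uses: cachix/install-nix-action@v31` still references a mutable tag, while the `actions/checkout` step two lines above is pinned to a full commit SHA with the tag kept as a comment; a moved or compromised tag would silently change the installer that then runs with `github.token` access. Since the commit already touches this line, pin it the same way: `- uses: cachix/install-nix-action@<full-commit-sha-for-v31> # v31`. The same applies to the two later hunks in this file (the `matterlabs-default-infra-runners` and `container-tdx-test` jobs). If a bot such as Dependabot or Renovate keeps these pins current, a SHA pin fits that workflow too.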

1615
Cargo.lock generated



@ -27,7 +27,7 @@ bytemuck = { version = "1.15.0", features = ["derive", "min_const_generics", "ex
bytes = "1" bytes = "1"
clap = { version = "4.5", features = ["std", "derive", "env", "error-context", "help", "usage", "wrap_help"], default-features = false } clap = { version = "4.5", features = ["std", "derive", "env", "error-context", "help", "usage", "wrap_help"], default-features = false }
config = { version = "0.15.8", default-features = false, features = ["yaml", "json", "toml", "async"] } config = { version = "0.15.8", default-features = false, features = ["yaml", "json", "toml", "async"] }
const-oid = { version = "0.9", default-features = false } const-oid = { version = "0.9.6", default-features = false }
enumset = { version = "1.1", features = ["serde"] } enumset = { version = "1.1", features = ["serde"] }
getrandom = { version = "0.3.1", features = ["std"] } getrandom = { version = "0.3.1", features = ["std"] }
gpt = "4.0.0" gpt = "4.0.0"
@ -35,19 +35,19 @@ hex = { version = "0.4.3", features = ["std"], default-features = false }
intel-dcap-api = { path = "crates/intel-dcap-api" } intel-dcap-api = { path = "crates/intel-dcap-api" }
num-integer = "0.1.46" num-integer = "0.1.46"
num-traits = "0.2.18" num-traits = "0.2.18"
opentelemetry = { version = "0.28.0", features = ["default", "logs"] } opentelemetry = { version = "0.30", features = ["default", "logs"] }
opentelemetry-appender-tracing = { version = "0.28.1", features = ["experimental_metadata_attributes", "log"] } opentelemetry-appender-tracing = { version = "0.30", features = ["experimental_metadata_attributes", "log"] }
opentelemetry-otlp = { version = "0.28.0", features = ["grpc-tonic", "logs"] } opentelemetry-otlp = { version = "0.30", features = ["grpc-tonic", "logs"] }
opentelemetry-semantic-conventions = { version = "0.28.0", features = ["semconv_experimental"] } opentelemetry-semantic-conventions = { version = "0.30", features = ["semconv_experimental"] }
opentelemetry_sdk = { version = "0.28.0", features = ["tokio", "rt-tokio"] } opentelemetry_sdk = { version = "0.30", features = ["tokio", "rt-tokio"] }
p256 = "0.13.2" p256 = "0.13.2"
pe-sign = "0.1.10" pe-sign = "0.1.10"
pgp = "0.15" pgp = { version = "0.16", default-features = false }
pkcs8 = { version = "0.10" } pkcs8 = { version = "0.10" }
reqwest = { version = "0.12", features = ["json"] } reqwest = { version = "0.12", features = ["json"] }
rsa = { version = "0.9.6", features = ["sha2", "pem"] } rsa = { version = "0.9.6", features = ["sha2", "pem"] }
rustls = { version = "0.23.20", default-features = false, features = ["std", "logging", "tls12", "ring"] } rustls = { version = "0.23.20", default-features = false, features = ["std", "logging", "tls12", "ring"] }
secp256k1 = { version = "0.30", features = ["rand", "global-context"] } secp256k1 = { version = "0.31", features = ["rand", "global-context"] }
serde = { version = "1", features = ["derive", "rc"] } serde = { version = "1", features = ["derive", "rc"] }
serde_json = "1" serde_json = "1"
serde_with = { version = "3.8", features = ["base64", "hex"] } serde_with = { version = "3.8", features = ["base64", "hex"] }
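Review bot: `pgp = { version = "0.16", default-features = false }` turns off the crate's default feature set, which is the only entry in this hunk that changes more than a version number, and nothing in the file or the commit message says which default feature was unwanted or what the crate is expected to still provide. A one-line comment would save the next upgrade from re-enabling it by accident, e.g. `# default features disabled: <reason, e.g. unneeded backend/dependency>`. The other entries (`const-oid`, `opentelemetry*`, `secp256k1`) are plain bumps and need nothing.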


@ -7,7 +7,7 @@ use pesign::PE;
use sha2::{Digest, Sha384}; use sha2::{Digest, Sha384};
use std::{ use std::{
fmt::{Display, Formatter}, fmt::{Display, Formatter},
io::{Error, ErrorKind, Read, Seek, SeekFrom}, io::{Error, Read, Seek, SeekFrom},
path::PathBuf, path::PathBuf,
}; };
use teepot::{ use teepot::{
@ -125,7 +125,7 @@ fn main() -> Result<()> {
let pstart = header let pstart = header
.part_start .part_start
.checked_mul(lb_size.as_u64()) .checked_mul(lb_size.as_u64())
.ok_or_else(|| Error::new(ErrorKind::Other, "partition overflow - start offset"))?; .ok_or_else(|| Error::other("partition overflow - start offset"))?;
let _ = device.seek(SeekFrom::Start(pstart))?; let _ = device.seek(SeekFrom::Start(pstart))?;
assert_eq!(header.part_size, 128); assert_eq!(header.part_size, 128);


@ -27,10 +27,9 @@ fn main_with_error() -> Result<()> {
use anyhow::Context; use anyhow::Context;
use secp256k1::{rand, Secp256k1}; use secp256k1::{rand, Secp256k1};
use std::{os::unix::process::CommandExt, process::Command}; use std::{os::unix::process::CommandExt, process::Command};
use teepot::tdx::rtmr::TdxRtmrEvent;
use teepot::{ use teepot::{
ethereum::public_key_to_ethereum_address, prover::reportdata::ReportDataV1, ethereum::public_key_to_ethereum_address, prover::reportdata::ReportDataV1,
quote::get_quote, quote::get_quote, tdx::rtmr::TdxRtmrEvent,
}; };
use tracing_log::LogTracer; use tracing_log::LogTracer;
use tracing_subscriber::{fmt, prelude::*, EnvFilter, Registry}; use tracing_subscriber::{fmt, prelude::*, EnvFilter, Registry};
@ -45,7 +44,7 @@ fn main_with_error() -> Result<()> {
tracing::subscriber::set_global_default(subscriber).context("Failed to set logger")?; tracing::subscriber::set_global_default(subscriber).context("Failed to set logger")?;
let args = Args::parse(); let args = Args::parse();
let mut rng = rand::thread_rng(); let mut rng = rand::rng();
let secp = Secp256k1::new(); let secp = Secp256k1::new();
let (signing_key, verifying_key) = secp.generate_keypair(&mut rng); let (signing_key, verifying_key) = secp.generate_keypair(&mut rng);
let ethereum_address = public_key_to_ethereum_address(&verifying_key); let ethereum_address = public_key_to_ethereum_address(&verifying_key);


@ -12,7 +12,7 @@ bytes.workspace = true
clap.workspace = true clap.workspace = true
enumset.workspace = true enumset.workspace = true
hex.workspace = true hex.workspace = true
jsonrpsee-types = "0.24" jsonrpsee-types = "0.25.1"
reqwest.workspace = true reqwest.workspace = true
secp256k1.workspace = true secp256k1.workspace = true
serde.workspace = true serde.workspace = true


@ -59,7 +59,7 @@ impl SignatureVerifier {
let signature = Signature::from_compact(signature) let signature = Signature::from_compact(signature)
.map_err(|e| error::Error::signature_verification(e.to_string()))?; .map_err(|e| error::Error::signature_verification(e.to_string()))?;
let root_hash_msg = Message::from_digest(root_hash.0); let root_hash_msg = Message::from_digest(root_hash.0);
Ok(signature.verify(&root_hash_msg, &report.pubkey).is_ok()) Ok(signature.verify(root_hash_msg, &report.pubkey).is_ok())
} }
/// Verify a V1 report /// Verify a V1 report
@ -139,7 +139,7 @@ impl SignatureVerifier {
continue; continue;
}; };
let Ok(public) = SECP256K1.recover_ecdsa(message, &rec_sig) else { let Ok(public) = SECP256K1.recover_ecdsa(*message, &rec_sig) else {
continue; continue;
}; };


@ -11,8 +11,7 @@ use crate::{
}; };
use percent_encoding::percent_decode_str; use percent_encoding::percent_decode_str;
use reqwest::{RequestBuilder, Response, StatusCode}; use reqwest::{RequestBuilder, Response, StatusCode};
use std::io; use std::{io, time::Duration};
use std::time::Duration;
use tokio::time::sleep; use tokio::time::sleep;
impl ApiClient { impl ApiClient {
@ -154,8 +153,7 @@ impl ApiClient {
resource_description: &str, resource_description: &str,
) -> Result<(), IntelApiError> { ) -> Result<(), IntelApiError> {
let builder_clone = request_builder.try_clone().ok_or_else(|| { let builder_clone = request_builder.try_clone().ok_or_else(|| {
IntelApiError::Io(io::Error::new( IntelApiError::Io(io::Error::other(
io::ErrorKind::Other,
"Failed to clone request builder for status check", "Failed to clone request builder for status check",
)) ))
})?; })?;
@ -241,8 +239,7 @@ impl ApiClient {
loop { loop {
// Clone the request builder for retry attempts // Clone the request builder for retry attempts
let builder = request_builder.try_clone().ok_or_else(|| { let builder = request_builder.try_clone().ok_or_else(|| {
IntelApiError::Io(io::Error::new( IntelApiError::Io(io::Error::other(
io::ErrorKind::Other,
"Failed to clone request builder for retry", "Failed to clone request builder for retry",
)) ))
})?; })?;


@ -26,7 +26,7 @@ sha2.workspace = true
teepot.workspace = true teepot.workspace = true
thiserror.workspace = true thiserror.workspace = true
tracing.workspace = true tracing.workspace = true
webpki-roots = "0.26.1" webpki-roots = "1.0.0"
x509-cert.workspace = true x509-cert.workspace = true
[dev-dependencies] [dev-dependencies]


@ -3,7 +3,10 @@
use anyhow::{anyhow, bail, Context, Result}; use anyhow::{anyhow, bail, Context, Result};
use clap::{Args, Parser, Subcommand}; use clap::{Args, Parser, Subcommand};
use pgp::{types::PublicKeyTrait, Deserializable, SignedPublicKey}; use pgp::{
composed::{Deserializable, SignedPublicKey},
types::KeyDetails,
};
use serde_json::Value; use serde_json::Value;
use std::{ use std::{
default::Default, default::Default,


@ -1,14 +1,18 @@
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
// Copyright (c) 2023-2024 Matter Labs // Copyright (c) 2023-2025 Matter Labs
//! Signature checking utilities //! Signature checking utilities
use crate::json::secrets::AdminConfig; use crate::{
use crate::server::{HttpResponseError, Status as _}; json::secrets::AdminConfig,
server::{HttpResponseError, Status as _},
};
use actix_web::http::StatusCode; use actix_web::http::StatusCode;
use anyhow::{anyhow, bail, Context, Result}; use anyhow::{anyhow, bail, Context, Result};
use pgp::types::PublicKeyTrait; use pgp::{
use pgp::{Deserializable, SignedPublicKey, StandaloneSignature}; composed::{Deserializable, SignedPublicKey, StandaloneSignature},
types::PublicKeyTrait,
};
use tracing::debug; use tracing::debug;
/// Verify a pgp signature for some message given some public keys /// Verify a pgp signature for some message given some public keys
@ -91,7 +95,7 @@ impl VerifySig for AdminConfig {
mod tests { mod tests {
use super::verify_sig; use super::verify_sig;
use base64::{engine::general_purpose, Engine as _}; use base64::{engine::general_purpose, Engine as _};
use pgp::{Deserializable, SignedPublicKey}; use pgp::composed::{Deserializable, SignedPublicKey};
const TEST_DATA: &str = include_str!("../../tests/data/test.json"); const TEST_DATA: &str = include_str!("../../tests/data/test.json");


@ -17,7 +17,7 @@ pub fn recover_signer(sig: &[u8; 65], root_hash: &Message) -> Result<[u8; 20]> {
&sig[0..64], &sig[0..64],
RecoveryId::try_from(i32::from(sig[64]) - 27)?, RecoveryId::try_from(i32::from(sig[64]) - 27)?,
)?; )?;
let public = SECP256K1.recover_ecdsa(root_hash, &sig)?; let public = SECP256K1.recover_ecdsa(*root_hash, &sig)?;
Ok(public_key_to_ethereum_address(&public)) Ok(public_key_to_ethereum_address(&public))
} }
@ -42,7 +42,7 @@ mod tests {
/// Signs the message in Ethereum-compatible format for on-chain verification. /// Signs the message in Ethereum-compatible format for on-chain verification.
fn sign_message(sec: &SecretKey, message: Message) -> Result<[u8; 65]> { fn sign_message(sec: &SecretKey, message: Message) -> Result<[u8; 65]> {
let s = SECP256K1.sign_ecdsa_recoverable(&message, sec); let s = SECP256K1.sign_ecdsa_recoverable(message, sec);
let (rec_id, data) = s.serialize_compact(); let (rec_id, data) = s.serialize_compact();
let mut signature = [0u8; 65]; let mut signature = [0u8; 65];


@ -33,6 +33,7 @@ allow = [
"OpenSSL", "OpenSSL",
"CC0-1.0", "CC0-1.0",
"Zlib", "Zlib",
"CDLA-Permissive-2.0",
] ]
confidence-threshold = 0.8 confidence-threshold = 0.8
exceptions = [] exceptions = []

37
flake.lock generated

@ -2,16 +2,16 @@
"nodes": { "nodes": {
"crane": { "crane": {
"locked": { "locked": {
"lastModified": 1731974531, "lastModified": 1745454774,
"narHash": "sha256-z7hiGBWsbWwSnu5UMmYyfHEehlSmfB8sCA8iH4nmxm8=", "narHash": "sha256-oLvmxOnsEKGtwczxp/CwhrfmQUG2ym24OMWowcoRhH8=",
"owner": "ipetkov", "owner": "ipetkov",
"repo": "crane", "repo": "crane",
"rev": "8ff9c457d60951bdd37a05ae903423de7ff55c6e", "rev": "efd36682371678e2b6da3f108fdb5c613b3ec598",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "ipetkov", "owner": "ipetkov",
"ref": "8ff9c457d60951bdd37a05ae903423de7ff55c6e", "ref": "efd36682371678e2b6da3f108fdb5c613b3ec598",
"repo": "crane", "repo": "crane",
"type": "github" "type": "github"
} }
@ -156,6 +156,22 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-25-05": {
"locked": {
"lastModified": 1748437600,
"narHash": "sha256-hYKMs3ilp09anGO7xzfGs3JqEgUqFMnZ8GMAqI6/k04=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "7282cb574e0607e65224d33be8241eae7cfe0979",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-25.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1717281328, "lastModified": 1717281328,
@ -217,6 +233,7 @@
"nixsgx-flake", "nixsgx-flake",
"nixpkgs" "nixpkgs"
], ],
"nixpkgs-25-05": "nixpkgs-25-05",
"nixsgx-flake": "nixsgx-flake", "nixsgx-flake": "nixsgx-flake",
"rust-overlay": "rust-overlay", "rust-overlay": "rust-overlay",
"snowfall-lib": [ "snowfall-lib": [
@ -234,11 +251,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1743993291, "lastModified": 1748572605,
"narHash": "sha256-u8GHvduU1gCtoFXvTS/wGjH1ouv5S/GRGq6MAT+sG/k=", "narHash": "sha256-k0nhPtkVDQkVJckRw6fGIeeDBktJf1BH0i8T48o7zkk=",
"owner": "oxalica", "owner": "oxalica",
"repo": "rust-overlay", "repo": "rust-overlay",
"rev": "0cb3c8979c65dc6a5812dfe67499a8c7b8b4325b", "rev": "405ef13a5b80a0a4d4fc87c83554423d80e5f929",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -350,11 +367,11 @@
"nixsgx-flake": "nixsgx-flake_2" "nixsgx-flake": "nixsgx-flake_2"
}, },
"locked": { "locked": {
"lastModified": 1719832445, "lastModified": 1747897304,
"narHash": "sha256-Dnueq3A1sf8zT+bY6CcuaxPvX4AK7B6Sveqb8YfoY8o=", "narHash": "sha256-8O9ry5FaD1fkRqvHV5hPtsg5G+Z0RX6MRkazn5bmK50=",
"owner": "matter-labs", "owner": "matter-labs",
"repo": "vault-auth-tee", "repo": "vault-auth-tee",
"rev": "2b53a4387fc8ecfb7826acd93d4895e7e810677d", "rev": "dc802364964d9fe01b2e164e3fb3005bcdf91272",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -7,6 +7,7 @@
}; };
inputs = { inputs = {
nixpkgs-25-05.url = "github:nixos/nixpkgs/nixos-25.05";
nixsgx-flake.url = "github:matter-labs/nixsgx"; nixsgx-flake.url = "github:matter-labs/nixsgx";
nixpkgs.follows = "nixsgx-flake/nixpkgs"; nixpkgs.follows = "nixsgx-flake/nixpkgs";
snowfall-lib.follows = "nixsgx-flake/snowfall-lib"; snowfall-lib.follows = "nixsgx-flake/snowfall-lib";
@ -21,7 +22,7 @@
inputs.nixpkgs.follows = "nixsgx-flake/nixpkgs"; inputs.nixpkgs.follows = "nixsgx-flake/nixpkgs";
}; };
crane.url = "github:ipetkov/crane?ref=8ff9c457d60951bdd37a05ae903423de7ff55c6e"; # v0.19.3 crane.url = "github:ipetkov/crane?ref=efd36682371678e2b6da3f108fdb5c613b3ec598"; # v0.20.3
}; };
outputs = inputs: outputs = inputs:
@ -39,6 +40,11 @@
nixsgx-flake.overlays.default nixsgx-flake.overlays.default
vault-auth-tee-flake.overlays.default vault-auth-tee-flake.overlays.default
rust-overlay.overlays.default rust-overlay.overlays.default
(next: prev: {
# need recent cargo-deny understanding the 2024 edition
inherit (inputs.nixpkgs-25-05.legacyPackages.${prev.system})
cargo-deny;
})
]; ];
alias = { alias = {
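Review bot: The new overlay in the `-39,6 +40,11` hunk pulls `cargo-deny` from a second, separately locked nixpkgs (`nixpkgs-25-05`), and the comment `# need recent cargo-deny understanding the 2024 edition` explains why but not when it can go away, so the extra input will likely outlive its reason. Make the exit condition explicit: `# TODO: drop this overlay and the nixpkgs-25-05 input once nixsgx-flake/nixpkgs ships a cargo-deny that understands edition 2024`. Note also that `nixpkgs-25-05` follows a branch ref (`nixos-25.05`) rather than a commit like `crane`, so its version is defined only by `flake.lock`; that is fine as long as the lock stays committed, which it is here.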


@ -1,3 +1,3 @@
[toolchain] [toolchain]
channel = "1.86" channel = "1.87"
components = ["rustfmt", "clippy", "rust-src"] components = ["rustfmt", "clippy", "rust-src"]