	Merge pull request #116 from matter-labs/container-refactor
feat: use nixsgx nix function to create containers
						commit
						7332842dad
					
				
					 30 changed files with 337 additions and 897 deletions
				
			
		
							
								
								
									
								.github/workflows/nix.yml
									
										
									
									
							|  | @ -65,8 +65,7 @@ jobs: | |||
|           - { nixpackage: 'container-vault-admin-sgx-azure', dockerfile: 'packages/container-vault-admin-sgx-azure/Dockerfile', repository: 'teepot-tva' } | ||||
|           - { nixpackage: 'container-self-attestation-test-sgx-dcap', dockerfile: 'packages/container-self-attestation-test-sgx-dcap/Dockerfile', repository: 'teepot-self-attestation-test-sgx-dcap' } | ||||
|           - { nixpackage: 'container-self-attestation-test-sgx-azure', dockerfile: 'packages/container-self-attestation-test-sgx-azure/Dockerfile', repository: 'teepot-self-attestation-test-sgx-azure' } | ||||
|           - { nixpackage: 'container-verify-attestation-sgx-dcap' } | ||||
|           - { nixpackage: 'container-verify-attestation-sgx-azure' } | ||||
|           - { nixpackage: 'container-verify-attestation-sgx' } | ||||
|     steps: | ||||
|       - uses: actions/checkout@v4 | ||||
|       - uses: cachix/install-nix-action@v27 | ||||
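Review bot: The two matrix rows for `container-self-attestation-test-sgx-dcap` and `container-self-attestation-test-sgx-azure` still carry `dockerfile: packages/container-self-attestation-test-sgx-*/Dockerfile`, but this same commit deletes both of those Dockerfiles (the `-1,23 +0,0` and `-1,25 +0,0` sections further down). If a later step of the job builds or pushes from that key, those rows will fail on a missing path; if the key is now unused because images come from `nix build`, drop it so the matrix does not advertise files that no longer exist. The job's `steps` continue past this hunk, so how `dockerfile` is consumed cannot be confirmed from here. Suggested rows: `- { nixpackage: 'container-self-attestation-test-sgx-dcap', repository: 'teepot-self-attestation-test-sgx-dcap' }` and the matching azure row.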
|  |  | |||
							
								
								
									
								README.md
									
										
									
									
									
								
							
							
						
						
									
							|  | @ -78,19 +78,26 @@ $ nix run .#fmt | |||
| ### Build as the CI would | ||||
| 
 | ||||
| ```shell | ||||
| $ nix run nixpgks#ci | ||||
| $ nix run github:nixos/nixpkgs/nixos-23.11#nixci | ||||
| ``` | ||||
| 
 | ||||
| ### Build and test individual container | ||||
| 
 | ||||
| See the `packages` directory for the available packages. | ||||
| See the `packages` directory for the available packages and containers. | ||||
| 
 | ||||
| ```shell | ||||
| $ nix build -L .#container-vault-sgx-azure | ||||
| $ docker load -i result | ||||
| $ docker build --progress plain --no-cache -f packages/container-vault-sgx-azure/Dockerfile -t vault-sgx-azure:latest  . | ||||
| [...] | ||||
| #8 5.966 Measurement: | ||||
| #8 5.966     96602d8ae60673b3c44b6198b4b5f728480b1f00e9d48e7d3979cf1cf075bb5d | ||||
| #8 5.966     45b9f90fc2562e66516f40c83adc30007c88427d8d9fa7a35718f4cbdeac3efd | ||||
| [...] | ||||
| $ docker load -i result | ||||
| $ docker run -v $(pwd):/mnt -i --init --rm teepot-vault-sgx-azure:latest "cp teepot-vault-sgx-azure.sig /mnt" | ||||
| $ nix shell github:matter-labs/nixsgx#gramine -c gramine-sgx-sigstruct-view teepot-vault-sgx-azure.sig | ||||
| Attributes: | ||||
|     mr_signer: c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d | ||||
|     mr_enclave: 45b9f90fc2562e66516f40c83adc30007c88427d8d9fa7a35718f4cbdeac3efd | ||||
|     isv_prod_id: 0 | ||||
|     isv_svn: 0 | ||||
|     debug_enclave: False | ||||
| ``` | ||||
|  |  | |||
|  | @ -1,12 +1,20 @@ | |||
| # self-attestation-test | ||||
| 
 | ||||
| Optionally build and load the containers (remove the `matterlabsrobot/` repo from the commands below then) | ||||
| 
 | ||||
| ```bash | ||||
| $ nix build -L .#container-verify-attestation-sgx && docker load -i result | ||||
| $ nix build -L .#container-self-attestation-test-sgx-dcap && docker load -i result | ||||
| $ nix build -L .#container-self-attestation-test-sgx-azure && docker load -i result | ||||
| ``` | ||||
| 
 | ||||
| ## Azure DCAP | ||||
| 
 | ||||
| ```bash | ||||
| ❯ docker run -i --init --rm --privileged  --device /dev/sgx_enclave --net host \ | ||||
| ❯ docker run -i --init --rm --privileged --device /dev/sgx_enclave \ | ||||
|     matterlabsrobot/teepot-self-attestation-test-sgx-azure:latest \ | ||||
|     | base64 -d --ignore-garbage \ | ||||
|     | docker run -i --init --rm --net host matterlabsrobot/verify-attestation-sgx-azure:latest | ||||
|     | docker run -i --rm matterlabsrobot/verify-attestation-sgx:latest | ||||
| 
 | ||||
| aesm_service: warning: Turn to daemon. Use "--no-daemon" option to execute in foreground. | ||||
| Gramine is starting. Parsing TOML manifest file, this may take some time... | ||||
|  | @ -15,46 +23,34 @@ Quote verification result: SwHardeningNeeded: Software hardening is needed | |||
| 	Info: Advisory ID: INTEL-SA-00615 | ||||
| Quote verified successfully: SwHardeningNeeded: Software hardening is needed | ||||
| mrsigner: c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d | ||||
| mrenclave: 23267adf8144a195ede71425c50529ac8fd1aa896fe91786c28406854f246ab9 | ||||
| mrenclave: 31a0d51ee410ed6db18ebfb181ba0b2fa0d2062a38d6b955b73b3e9cfb8336bd | ||||
| reportdata: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | ||||
| ``` | ||||
| 
 | ||||
| ## PCCS DCAP | ||||
| 
 | ||||
| Install iptables rules to forward traffic to 127.0.0.1:8081 to the PCCS server. | ||||
| ## Normal DCAP | ||||
| 
 | ||||
| ```bash | ||||
| ❯ sudo sysctl -w net.ipv4.conf.all.route_localnet=1 | ||||
| ❯ sudo iptables -t nat -A OUTPUT -p tcp --dport 8081 -j DNAT --to-destination 192.168.122.1:8081 | ||||
| ❯ sudo iptables -t nat -A POSTROUTING -j MASQUERADE | ||||
| ``` | ||||
| 
 | ||||
| ```bash | ||||
| ❯ docker run -i --init --rm --privileged --device /dev/sgx_enclave --net host \ | ||||
| ❯ docker run -i --init --rm --privileged --device /dev/sgx_enclave \ | ||||
|     matterlabsrobot/teepot-self-attestation-test-sgx-dcap:latest \ | ||||
|     | base64 -d --ignore-garbage \ | ||||
|     | docker run -i --init --rm --net host \ | ||||
|     -v /etc/sgx_default_qcnl.conf:/etc/sgx_default_qcnl.conf \ | ||||
|     matterlabsrobot/verify-attestation-sgx-dcap:latest | ||||
|     | docker run -i --rm matterlabsrobot/verify-attestation-sgx:latest | ||||
| 
 | ||||
| aesm_service: warning: Turn to daemon. Use "--no-daemon" option to execute in foreground. | ||||
| Gramine is starting. Parsing TOML manifest file, this may take some time... | ||||
| Verifying quote (4730 bytes)... | ||||
| Quote verified successfully: Ok | ||||
| mrsigner: c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d | ||||
| mrenclave: 10cfeee8e2a65c31795104d041647415c01dc3ae4b004e05e26107f6ede82677 | ||||
| mrenclave: 7ffe70789261a51769f50e129bfafb2aafe91a4e17c3f0d52839006777c652f6 | ||||
| reportdata: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | ||||
| ``` | ||||
| 
 | ||||
| On an outdated machine, this might look like this: | ||||
| 
 | ||||
| ```bash | ||||
| ❯ docker run -i --init --rm --privileged --device /dev/sgx_enclave --net host \ | ||||
| ❯ docker run -i --init --rm --privileged --device /dev/sgx_enclave \ | ||||
|                 matterlabsrobot/teepot-self-attestation-test-sgx-dcap:latest \ | ||||
|                 | base64 -d --ignore-garbage \ | ||||
|                 | docker run -i --init --rm --net host \ | ||||
|                 -v /etc/sgx_default_qcnl.conf:/etc/sgx_default_qcnl.conf \ | ||||
|                 matterlabsrobot/verify-attestation-sgx-dcap:latest | ||||
|                 | docker run -i --rm matterlabsrobot/verify-attestation-sgx:latest | ||||
| 
 | ||||
| aesm_service: warning: Turn to daemon. Use "--no-daemon" option to execute in foreground. | ||||
| Gramine is starting. Parsing TOML manifest file, this may take some time... | ||||
|  | @ -69,6 +65,6 @@ Quote verification result: OutOfDate: Firmware needs to be updated | |||
| 	Info: Advisory ID: INTEL-SA-00615 | ||||
| Quote verified successfully: OutOfDate: Firmware needs to be updated | ||||
| mrsigner: c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d | ||||
| mrenclave: 10cfeee8e2a65c31795104d041647415c01dc3ae4b004e05e26107f6ede82677 | ||||
| mrenclave: 7ffe70789261a51769f50e129bfafb2aafe91a4e17c3f0d52839006777c652f6 | ||||
| reportdata: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | ||||
| ``` | ||||
|  |  | |||
|  | @ -2,10 +2,7 @@ | |||
| # ❯ docker compose -f examples/docker-compose.yml --project-directory $PWD up | ||||
| services: | ||||
|   tvu-1: | ||||
|     build: | ||||
|       context: . | ||||
|       dockerfile: packages/container-vault-unseal-sgx-azure/Dockerfile | ||||
|     image: tee-vault-unseal | ||||
|     image: teepot-vault-unseal-sgx-azure | ||||
|     restart: "no" | ||||
|     ports: | ||||
|       - 8413 | ||||
|  | @ -21,10 +18,7 @@ services: | |||
|       - /run/aesmd:/run/aesmd | ||||
|       - /dev/sgx_enclave:/dev/sgx_enclave | ||||
|   vault-1: | ||||
|     build: | ||||
|       context: . | ||||
|       dockerfile: packages/container-vault-sgx-azure/Dockerfile | ||||
|     image: vault | ||||
|     image: teepot-vault-sgx-azure | ||||
|     restart: "no" | ||||
|     ports: | ||||
|       - 8210 | ||||
|  | @ -40,7 +34,7 @@ services: | |||
|       - data-1:/opt/vault/data | ||||
| 
 | ||||
|   tvu-2: | ||||
|     image: tee-vault-unseal | ||||
|     image: teepot-vault-unseal-sgx-azure | ||||
|     restart: "no" | ||||
|     ports: | ||||
|       - 8423 | ||||
|  | @ -56,7 +50,7 @@ services: | |||
|       - /run/aesmd:/run/aesmd | ||||
|       - /dev/sgx_enclave:/dev/sgx_enclave | ||||
|   vault-2: | ||||
|     image: vault | ||||
|     image: teepot-vault-sgx-azure | ||||
|     restart: "no" | ||||
|     ports: | ||||
|       - 8220:8210 | ||||
|  | @ -72,7 +66,7 @@ services: | |||
|       - data-2:/opt/vault/data | ||||
| 
 | ||||
|   tvu-3: | ||||
|     image: tee-vault-unseal | ||||
|     image: teepot-vault-unseal-sgx-azure | ||||
|     restart: "no" | ||||
|     ports: | ||||
|       - 8433 | ||||
|  | @ -88,7 +82,7 @@ services: | |||
|       - /run/aesmd:/run/aesmd | ||||
|       - /dev/sgx_enclave:/dev/sgx_enclave | ||||
|   vault-3: | ||||
|     image: vault | ||||
|     image: teepot-vault-sgx-azure | ||||
|     restart: "no" | ||||
|     ports: | ||||
|       - 8230:8210 | ||||
|  | @ -104,9 +98,7 @@ services: | |||
|       - data-3:/opt/vault/data | ||||
| 
 | ||||
|   admin: | ||||
|     build: | ||||
|       context: . | ||||
|       dockerfile: packages/container-vault-admin-sgx-azure/Dockerfile | ||||
|     image: teepot-vault-admin-sgx-azure | ||||
|     restart: "no" | ||||
|     ports: | ||||
|       - 8444:8444 | ||||
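Review bot: With the `build:` stanzas removed, `image: teepot-vault-sgx-azure`, `teepot-vault-unseal-sgx-azure` and `teepot-vault-admin-sgx-azure` are bare, tag-less names; if the images have not been loaded locally first, `docker compose up` resolves them against the default registry (`docker.io/library/<name>:latest`) and would pull whatever is published under that name instead of the locally built enclave image. The header comment at the top of the file only documents the `docker compose` invocation and not the load step that now has to precede it. Suggest adding `# ❯ nix build -L .#container-vault-sgx-azure && docker load -i result` (and the unseal/admin equivalents) above the compose command, writing the tag explicitly as `image: teepot-vault-sgx-azure:latest`, and setting `pull_policy: never` on each of these services so compose fails closed rather than pulling. The services' volume and environment stanzas lie outside the visible hunks.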
|  |  | |||
							
								
								
									
								flake.lock
									
										
									
							|  | @ -76,34 +76,36 @@ | |||
|         "flake-utils": "flake-utils" | ||||
|       }, | ||||
|       "locked": { | ||||
|         "lastModified": 1696331477, | ||||
|         "narHash": "sha256-YkbRa/1wQWdWkVJ01JvV+75KIdM37UErqKgTf0L54Fk=", | ||||
|         "lastModified": 1715533576, | ||||
|         "narHash": "sha256-fT4ppWeCJ0uR300EH3i7kmgRZnAVxrH+XtK09jQWihk=", | ||||
|         "owner": "gytis-ivaskevicius", | ||||
|         "repo": "flake-utils-plus", | ||||
|         "rev": "bfc53579db89de750b25b0c5e7af299e0c06d7d3", | ||||
|         "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f", | ||||
|         "type": "github" | ||||
|       }, | ||||
|       "original": { | ||||
|         "owner": "gytis-ivaskevicius", | ||||
|         "repo": "flake-utils-plus", | ||||
|         "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f", | ||||
|         "type": "github" | ||||
|       } | ||||
|     }, | ||||
|     "flake-utils-plus_2": { | ||||
|       "inputs": { | ||||
|         "flake-utils": "flake-utils_3" | ||||
|         "flake-utils": "flake-utils_4" | ||||
|       }, | ||||
|       "locked": { | ||||
|         "lastModified": 1696331477, | ||||
|         "narHash": "sha256-YkbRa/1wQWdWkVJ01JvV+75KIdM37UErqKgTf0L54Fk=", | ||||
|         "lastModified": 1715533576, | ||||
|         "narHash": "sha256-fT4ppWeCJ0uR300EH3i7kmgRZnAVxrH+XtK09jQWihk=", | ||||
|         "owner": "gytis-ivaskevicius", | ||||
|         "repo": "flake-utils-plus", | ||||
|         "rev": "bfc53579db89de750b25b0c5e7af299e0c06d7d3", | ||||
|         "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f", | ||||
|         "type": "github" | ||||
|       }, | ||||
|       "original": { | ||||
|         "owner": "gytis-ivaskevicius", | ||||
|         "repo": "flake-utils-plus", | ||||
|         "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f", | ||||
|         "type": "github" | ||||
|       } | ||||
|     }, | ||||
|  | @ -129,6 +131,24 @@ | |||
|       "inputs": { | ||||
|         "systems": "systems_3" | ||||
|       }, | ||||
|       "locked": { | ||||
|         "lastModified": 1710146030, | ||||
|         "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", | ||||
|         "owner": "numtide", | ||||
|         "repo": "flake-utils", | ||||
|         "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", | ||||
|         "type": "github" | ||||
|       }, | ||||
|       "original": { | ||||
|         "owner": "numtide", | ||||
|         "repo": "flake-utils", | ||||
|         "type": "github" | ||||
|       } | ||||
|     }, | ||||
|     "flake-utils_4": { | ||||
|       "inputs": { | ||||
|         "systems": "systems_4" | ||||
|       }, | ||||
|       "locked": { | ||||
|         "lastModified": 1694529238, | ||||
|         "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", | ||||
|  | @ -145,32 +165,32 @@ | |||
|     }, | ||||
|     "nixpkgs": { | ||||
|       "locked": { | ||||
|         "lastModified": 1710283656, | ||||
|         "narHash": "sha256-nI+AOy4uK6jLGBi9nsbHjL1EdSIzoo8oa+9oeVhbyFc=", | ||||
|         "lastModified": 1717281328, | ||||
|         "narHash": "sha256-evZPzpf59oNcDUXxh2GHcxHkTEG4fjae2ytWP85jXRo=", | ||||
|         "owner": "nixos", | ||||
|         "repo": "nixpkgs", | ||||
|         "rev": "51063ed4f2343a59fdeebb279bb81d87d453942b", | ||||
|         "rev": "b3b2b28c1daa04fe2ae47c21bb76fd226eac4ca1", | ||||
|         "type": "github" | ||||
|       }, | ||||
|       "original": { | ||||
|         "owner": "nixos", | ||||
|         "ref": "nixos-23.11", | ||||
|         "ref": "nixos-24.05", | ||||
|         "repo": "nixpkgs", | ||||
|         "type": "github" | ||||
|       } | ||||
|     }, | ||||
|     "nixpkgs_2": { | ||||
|       "locked": { | ||||
|         "lastModified": 1710283656, | ||||
|         "narHash": "sha256-nI+AOy4uK6jLGBi9nsbHjL1EdSIzoo8oa+9oeVhbyFc=", | ||||
|         "lastModified": 1717281328, | ||||
|         "narHash": "sha256-evZPzpf59oNcDUXxh2GHcxHkTEG4fjae2ytWP85jXRo=", | ||||
|         "owner": "nixos", | ||||
|         "repo": "nixpkgs", | ||||
|         "rev": "51063ed4f2343a59fdeebb279bb81d87d453942b", | ||||
|         "rev": "b3b2b28c1daa04fe2ae47c21bb76fd226eac4ca1", | ||||
|         "type": "github" | ||||
|       }, | ||||
|       "original": { | ||||
|         "owner": "nixos", | ||||
|         "ref": "nixos-23.11", | ||||
|         "ref": "nixos-24.05", | ||||
|         "repo": "nixpkgs", | ||||
|         "type": "github" | ||||
|       } | ||||
|  | @ -181,11 +201,11 @@ | |||
|         "snowfall-lib": "snowfall-lib" | ||||
|       }, | ||||
|       "locked": { | ||||
|         "lastModified": 1716280284, | ||||
|         "narHash": "sha256-rofvtPgaYEW01OnKsD3DJv2B2j9QovRTWbw8h5lGjkE=", | ||||
|         "lastModified": 1717758565, | ||||
|         "narHash": "sha256-yscuZ3ixjwTkqS6ew5cB3Uvy9e807szRlMoPSyQuRJM=", | ||||
|         "owner": "matter-labs", | ||||
|         "repo": "nixsgx", | ||||
|         "rev": "7151f63b1549b65633503f505df1e2a0b5ee844f", | ||||
|         "rev": "49a1ae79d92ccb6ed7cabfe5c5042b1399e3cd3e", | ||||
|         "type": "github" | ||||
|       }, | ||||
|       "original": { | ||||
|  | @ -200,11 +220,11 @@ | |||
|         "snowfall-lib": "snowfall-lib_2" | ||||
|       }, | ||||
|       "locked": { | ||||
|         "lastModified": 1716280284, | ||||
|         "narHash": "sha256-rofvtPgaYEW01OnKsD3DJv2B2j9QovRTWbw8h5lGjkE=", | ||||
|         "lastModified": 1717758565, | ||||
|         "narHash": "sha256-yscuZ3ixjwTkqS6ew5cB3Uvy9e807szRlMoPSyQuRJM=", | ||||
|         "owner": "matter-labs", | ||||
|         "repo": "nixsgx", | ||||
|         "rev": "7151f63b1549b65633503f505df1e2a0b5ee844f", | ||||
|         "rev": "49a1ae79d92ccb6ed7cabfe5c5042b1399e3cd3e", | ||||
|         "type": "github" | ||||
|       }, | ||||
|       "original": { | ||||
|  | @ -261,11 +281,11 @@ | |||
|         ] | ||||
|       }, | ||||
|       "locked": { | ||||
|         "lastModified": 1696432959, | ||||
|         "narHash": "sha256-oJQZv2MYyJaVyVJY5IeevzqpGvMGKu5pZcCCJvb+xjc=", | ||||
|         "lastModified": 1716675292, | ||||
|         "narHash": "sha256-7TFvVE4HR/b65/0AAhewYHEJzUXxIEJn82ow5bCkrDo=", | ||||
|         "owner": "snowfallorg", | ||||
|         "repo": "lib", | ||||
|         "rev": "92803a029b5314d4436a8d9311d8707b71d9f0b6", | ||||
|         "rev": "5d6e9f235735393c28e1145bec919610b172a20f", | ||||
|         "type": "github" | ||||
|       }, | ||||
|       "original": { | ||||
|  | @ -285,11 +305,11 @@ | |||
|         ] | ||||
|       }, | ||||
|       "locked": { | ||||
|         "lastModified": 1696432959, | ||||
|         "narHash": "sha256-oJQZv2MYyJaVyVJY5IeevzqpGvMGKu5pZcCCJvb+xjc=", | ||||
|         "lastModified": 1716675292, | ||||
|         "narHash": "sha256-7TFvVE4HR/b65/0AAhewYHEJzUXxIEJn82ow5bCkrDo=", | ||||
|         "owner": "snowfallorg", | ||||
|         "repo": "lib", | ||||
|         "rev": "92803a029b5314d4436a8d9311d8707b71d9f0b6", | ||||
|         "rev": "5d6e9f235735393c28e1145bec919610b172a20f", | ||||
|         "type": "github" | ||||
|       }, | ||||
|       "original": { | ||||
|  | @ -343,25 +363,36 @@ | |||
|         "type": "github" | ||||
|       } | ||||
|     }, | ||||
|     "systems_4": { | ||||
|       "locked": { | ||||
|         "lastModified": 1681028828, | ||||
|         "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", | ||||
|         "owner": "nix-systems", | ||||
|         "repo": "default", | ||||
|         "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", | ||||
|         "type": "github" | ||||
|       }, | ||||
|       "original": { | ||||
|         "owner": "nix-systems", | ||||
|         "repo": "default", | ||||
|         "type": "github" | ||||
|       } | ||||
|     }, | ||||
|     "vault-auth-tee-flake": { | ||||
|       "inputs": { | ||||
|         "flake-utils": "flake-utils_3", | ||||
|         "nixpkgs": [ | ||||
|           "nixsgx-flake", | ||||
|           "nixpkgs" | ||||
|         ], | ||||
|         "nixsgx-flake": "nixsgx-flake_2", | ||||
|         "snowfall-lib": [ | ||||
|           "vault-auth-tee-flake", | ||||
|           "nixsgx-flake", | ||||
|           "snowfall-lib" | ||||
|         ] | ||||
|         "nixsgx-flake": "nixsgx-flake_2" | ||||
|       }, | ||||
|       "locked": { | ||||
|         "lastModified": 1716286642, | ||||
|         "narHash": "sha256-luHp8EhKU8ZEcOj/OLGKzOGLej5+xriebNW+unR4DDc=", | ||||
|         "lastModified": 1718012107, | ||||
|         "narHash": "sha256-uKiUBaEOj9f3NCn6oTw5VqoZJxsTXSoAn2IWVB/LSS0=", | ||||
|         "owner": "matter-labs", | ||||
|         "repo": "vault-auth-tee", | ||||
|         "rev": "752cdb65bd5658814b3d1a91d7e9f15ee8d5cae6", | ||||
|         "rev": "b10204436bc2fbad74c5716bd265fad74acc197c", | ||||
|         "type": "github" | ||||
|       }, | ||||
|       "original": { | ||||
|  |  | |||
							
								
								
									
								flake.nix
									
										
									
									
									
								
							
							
						
						
									
							|  | @ -24,22 +24,29 @@ | |||
|     }; | ||||
| 
 | ||||
|     crane = { | ||||
|       url = "github:ipetkov/crane"; | ||||
|       url = "github:ipetkov/crane?tag=v0.17.3"; | ||||
|       inputs.nixpkgs.follows = "nixsgx-flake/nixpkgs"; | ||||
|     }; | ||||
|   }; | ||||
| 
 | ||||
|   outputs = inputs: | ||||
|     let src = ./.; in | ||||
|     inputs.snowfall-lib.mkFlake { | ||||
|       inherit inputs; | ||||
|       src = ./.; | ||||
|       inherit src; | ||||
| 
 | ||||
|       package-namespace = "teepot"; | ||||
|       snowfall.namespace = "teepot"; | ||||
| 
 | ||||
|       channels-config = { | ||||
|         allowUnfree = true; | ||||
|       }; | ||||
| 
 | ||||
|       overlays = with inputs; [ | ||||
|         nixsgx-flake.overlays.default | ||||
|         vault-auth-tee-flake.overlays.default | ||||
|         rust-overlay.overlays.default | ||||
|         # somehow the original `src` is not available anymore | ||||
|         (final: prev: { teepotCrate = prev.pkgs.callPackage ./teepot-crate.nix { inherit inputs; inherit src; }; }) | ||||
|       ]; | ||||
| 
 | ||||
|       alias = { | ||||
|  | @ -62,7 +69,6 @@ | |||
|           inherit | ||||
|             (channels.nixpkgs.teepot) cargoDeny; | ||||
|         }; | ||||
| 
 | ||||
|       }; | ||||
|     }; | ||||
| } | ||||
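Review bot: `url = "github:ipetkov/crane?tag=v0.17.3"` pins the input to a git tag, and tags are movable refs; the locked commit in flake.lock is what actually protects the build, so a `nix flake update` would silently follow a re-pointed tag (the crane entry of flake.lock is not in this page, so the currently locked rev cannot be checked here). Prefer pinning by content, `url = "github:ipetkov/crane?rev=<commit-sha>";`, or at least add a comment stating that the tag is only a hint and the lock is authoritative. The overlay comment `# somehow the original \`src\` is not available anymore` describes a symptom rather than a cause; if the reason is that snowfall-lib's package loader does not pass the flake root to `callPackage`, say so (`# snowfall-lib does not hand the flake's src to callPackage; thread it through this overlay for teepot-crate.nix`), otherwise leave a TODO to find out. `allowUnfree = true` also appears to be introduced in this hunk without naming the unfree package that needs it; a one-line comment would help anyone auditing what ends up inside the enclave images.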
|  |  | |||
|  | @ -1,19 +1,6 @@ | |||
| # SPDX-License-Identifier: Apache-2.0 | ||||
| # Copyright (c) 2024 Matter Labs | ||||
| { lib | ||||
| , inputs | ||||
| , makeRustPlatform | ||||
| , nixsgx | ||||
| , pkg-config | ||||
| , rust-bin | ||||
| , pkgs | ||||
| , callPackage | ||||
| , ... | ||||
| }@args: | ||||
| let | ||||
|   teepotCrate = import ../teepot/teepot.nix args; | ||||
| in | ||||
| teepotCrate.craneLib.cargoClippy ( | ||||
| { teepotCrate }: teepotCrate.craneLib.cargoClippy ( | ||||
|   teepotCrate.commonArgs // { | ||||
|     pname = "teepot"; | ||||
|     inherit (teepotCrate) cargoArtifacts NIX_OUTPATH_USED_AS_RANDOM_SEED; | ||||
|  |  | |||
|  | @ -1,19 +1,6 @@ | |||
| # SPDX-License-Identifier: Apache-2.0 | ||||
| # Copyright (c) 2024 Matter Labs | ||||
| { lib | ||||
| , inputs | ||||
| , makeRustPlatform | ||||
| , nixsgx | ||||
| , pkg-config | ||||
| , rust-bin | ||||
| , pkgs | ||||
| , callPackage | ||||
| , ... | ||||
| }@args: | ||||
| let | ||||
|   teepotCrate = import ../teepot/teepot.nix args; | ||||
| in | ||||
| teepotCrate.craneLib.cargoDeny ( | ||||
| { teepotCrate }: teepotCrate.craneLib.cargoDeny ( | ||||
|   teepotCrate.commonArgs // { | ||||
|     pname = "teepot"; | ||||
|   } | ||||
|  |  | |||
|  | @ -1,19 +1,6 @@ | |||
| # SPDX-License-Identifier: Apache-2.0 | ||||
| # Copyright (c) 2024 Matter Labs | ||||
| { lib | ||||
| , inputs | ||||
| , makeRustPlatform | ||||
| , nixsgx | ||||
| , pkg-config | ||||
| , rust-bin | ||||
| , pkgs | ||||
| , callPackage | ||||
| , ... | ||||
| }@args: | ||||
| let | ||||
|   teepotCrate = import ../teepot/teepot.nix args; | ||||
| in | ||||
| teepotCrate.craneLib.cargoFmt ( | ||||
| { teepotCrate }: teepotCrate.craneLib.cargoFmt ( | ||||
|   teepotCrate.commonArgs // { | ||||
|     pname = "teepot"; | ||||
|   } | ||||
|  |  | |||
|  | @ -1,23 +0,0 @@ | |||
| # SPDX-License-Identifier: Apache-2.0 | ||||
| # Copyright (c) 2024 Matter Labs | ||||
| 
 | ||||
| FROM teepot-self-attestation-test-sgx-azure:base | ||||
| 
 | ||||
| WORKDIR /app | ||||
| 
 | ||||
| COPY packages/container-vault-sgx-azure/test-enclave-key.pem /tmp/ | ||||
| 
 | ||||
| RUN set -eux; \ | ||||
|     gramine-manifest -Darch_libdir=/lib/x86_64-linux-gnu \ | ||||
|       -Dentrypoint=$(readlink /bin/tee-self-attestation-test) \ | ||||
|       -Dexecdir=/bin \ | ||||
|       -Dlog_level=error \ | ||||
|       tee-self-attestation-test.manifest.toml tee-self-attestation-test.manifest; \ | ||||
|     gramine-sgx-sign --manifest tee-self-attestation-test.manifest --output tee-self-attestation-test.manifest.sgx --key /tmp/test-enclave-key.pem; \ | ||||
|     rm /tmp/test-enclave-key.pem | ||||
| 
 | ||||
| EXPOSE 8443 | ||||
| 
 | ||||
| ENTRYPOINT ["/bin/sh", "-c"] | ||||
| ENV SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt | ||||
| CMD [ "[[ -r /var/run/aesmd/aesm.socket ]] || restart-aesmd >&2; exec gramine-sgx tee-self-attestation-test" ] | ||||
|  | @ -1,50 +1,35 @@ | |||
| # SPDX-License-Identifier: Apache-2.0 | ||||
| # Copyright (c) 2024 Matter Labs | ||||
| { pkgs | ||||
| , nixsgx | ||||
| , curl | ||||
| { lib | ||||
| , pkgs | ||||
| , inputs | ||||
| , teepot | ||||
| , bash | ||||
| , coreutils | ||||
| , openssl | ||||
| , nixsgx | ||||
| , container-name ? "teepot-self-attestation-test-sgx-azure" | ||||
| , tag ? "latest" | ||||
| , isAzure ? true | ||||
| }: | ||||
| let manifest = ./tee-self-attestation-test.manifest.toml; | ||||
| in pkgs.dockerTools.buildLayeredImage { | ||||
|   name = "teepot-self-attestation-test-sgx-azure"; | ||||
|   tag = "base"; | ||||
| pkgs.callPackage inputs.nixsgx-flake.lib.mkSGXContainer { | ||||
|   name = container-name; | ||||
|   inherit tag; | ||||
| 
 | ||||
|   config.Entrypoint = [ "/bin/sh" "-c" ]; | ||||
|   packages = [ teepot.teepot.tee_self_attestation_test ]; | ||||
|   entrypoint = "${teepot.teepot.tee_self_attestation_test}/bin/tee-self-attestation-test"; | ||||
| 
 | ||||
|   contents = pkgs.buildEnv { | ||||
|     name = "image-root"; | ||||
|   inherit isAzure; | ||||
| 
 | ||||
|     paths = with pkgs.dockerTools; with nixsgx;[ | ||||
|       bash | ||||
|       coreutils | ||||
|       openssl.out | ||||
|       azure-dcap-client | ||||
|       curl.out | ||||
|       teepot.teepot.tee_self_attestation_test | ||||
|       gramine | ||||
|       restart-aesmd | ||||
|       sgx-dcap.quote_verify | ||||
|       sgx-psw | ||||
|       usrBinEnv | ||||
|       binSh | ||||
|       caCertificates | ||||
|       fakeNss | ||||
|     ]; | ||||
|     pathsToLink = [ "/bin" "/lib" "/etc" "/share" "/app" ]; | ||||
|     postBuild = '' | ||||
|       mkdir -p $out/{app,etc} | ||||
|       cp ${manifest} $out/app/tee-self-attestation-test.manifest.toml | ||||
|       mkdir -p $out/var/run | ||||
|       mkdir -p $out/${nixsgx.sgx-psw.out}/aesm/ | ||||
|       touch $out/etc/sgx_default_qcnl.conf | ||||
|       mkdir -p $out/opt/vault/.cache $out/opt/vault/tls | ||||
|       ln -s ${curl.out}/lib/libcurl.so $out/${nixsgx.sgx-psw.out}/aesm/ | ||||
|       ln -s ${nixsgx.azure-dcap-client.out}/lib/libdcap_quoteprov.so $out/${nixsgx.sgx-psw.out}/aesm/libdcap_quoteprov.so.1 | ||||
|       printf "precedence ::ffff:0:0/96  100\n" > $out/etc/gai.conf | ||||
|     ''; | ||||
|   manifest = { | ||||
|     loader = { | ||||
|       log_level = "error"; | ||||
|       env = { | ||||
|         RUST_BACKTRACE = "1"; | ||||
|         RUST_LOG = "warning"; | ||||
|       }; | ||||
|     }; | ||||
|     sgx = { | ||||
|       edmm_enable = false; | ||||
|       enclave_size = "2G"; | ||||
|       max_threads = 64; | ||||
|     }; | ||||
|   }; | ||||
| } | ||||
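Review bot: The `manifest` attrset handed to `mkSGXContainer` sets only `loader.log_level`, two `RUST_*` env vars and three `sgx` sizing knobs, whereas the Gramine manifest this commit deletes (`tee-self-attestation-test.manifest.toml`) also fixed `sgx.remote_attestation = "dcap"`, an explicit `sgx.trusted_files` list, tmpfs mounts for `/tmp`, `/var/tmp`, `/app/.dcap-qcnl` and `/app/.az-dcap-client`, `AZDCAP_COLLATERAL_VERSION = "v4"`, `SSL_CERT_FILE`, and `sys.enable_sigterm_injection`. Whether `inputs.nixsgx-flake.lib.mkSGXContainer` supplies equivalent defaults, and how `isAzure` switches the quote-provider library, is not visible on this page, so the measured enclave TCB now depends on a helper reviewed elsewhere. Add a comment above `manifest = {` recording which settings are inherited and which were dropped on purpose, e.g. `# Overrides only: trusted_files, remote_attestation = "dcap", the DCAP cache tmpfs mounts and the AZDCAP env are provided by mkSGXContainer (see nixsgx)`, after checking that against the helper, and restate here anything it does not set. The enclave signing step (`gramine-sgx-sign --key test-enclave-key.pem` in the deleted Dockerfile) is likewise no longer visible in this package; note where the signing key now comes from, since the `mr_signer` quoted in the README is derived from it.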
|  |  | |||
|  | @ -1,56 +0,0 @@ | |||
| libos.entrypoint = "{{ entrypoint }}" | ||||
| 
 | ||||
| [loader] | ||||
| argv = ["{{ entrypoint }}"] | ||||
| entrypoint = "file:{{ gramine.libos }}" | ||||
| log_level = "{{ log_level }}" | ||||
| 
 | ||||
| [loader.env] | ||||
| ### DEBUG ### | ||||
| RUST_BACKTRACE = "1" | ||||
| RUST_LOG = "warning" | ||||
| 
 | ||||
| ### Fixed values ### | ||||
| LD_LIBRARY_PATH = "{{ gramine.runtimedir() }}:/lib" | ||||
| SSL_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt" | ||||
| PATH = "/bin" | ||||
| HOME = "/app" | ||||
| 
 | ||||
| MALLOC_ARENA_MAX = "1" | ||||
| AZDCAP_DEBUG_LOG_LEVEL = "ignore" | ||||
| AZDCAP_COLLATERAL_VERSION = "v4" | ||||
| 
 | ||||
| [fs] | ||||
| root.uri = "file:/" | ||||
| start_dir = "/app" | ||||
| mounts = [ | ||||
|   { type = "tmpfs", path = "/var/tmp" }, | ||||
|   { type = "tmpfs", path = "/tmp" }, | ||||
|   { type = "tmpfs", path = "/app/.dcap-qcnl" }, | ||||
|   { type = "tmpfs", path = "/app/.az-dcap-client" }, | ||||
| ] | ||||
| 
 | ||||
| [sgx] | ||||
| trusted_files = [ | ||||
|   "file:/app/", | ||||
|   "file:/bin/", | ||||
|   "file:/etc/gai.conf", | ||||
|   "file:/etc/ssl/certs/ca-bundle.crt", | ||||
|   "file:/lib/", | ||||
|   "file:/nix/", | ||||
|   "file:{{ gramine.libos }}", | ||||
|   "file:{{ gramine.runtimedir() }}/", | ||||
| ] | ||||
| remote_attestation = "dcap" | ||||
| max_threads = 64 | ||||
| edmm_enable = false | ||||
| ## max enclave size | ||||
| enclave_size = "2G" | ||||
| 
 | ||||
| [sys] | ||||
| enable_extra_runtime_domain_names_conf = true | ||||
| enable_sigterm_injection = true | ||||
| 
 | ||||
| # possible tweak option, if problems with mio | ||||
| # currently mio is compiled with `mio_unsupported_force_waker_pipe` | ||||
| # insecure__allow_eventfd = true | ||||
|  | @ -1,25 +0,0 @@ | |||
| # SPDX-License-Identifier: Apache-2.0 | ||||
| # Copyright (c) 2024 Matter Labs | ||||
| 
 | ||||
| FROM teepot-self-attestation-test-sgx-dcap:base | ||||
| 
 | ||||
| WORKDIR /app | ||||
| 
 | ||||
| COPY packages/container-vault-sgx-azure/test-enclave-key.pem /tmp/ | ||||
| COPY assets/sgx_default_qcnl.conf.json /etc/sgx_default_qcnl.conf | ||||
| 
 | ||||
| RUN set -eux; \ | ||||
|     touch -r /nix/store /etc/sgx_default_qcnl.conf; \ | ||||
|     gramine-manifest -Darch_libdir=/lib/x86_64-linux-gnu \ | ||||
|       -Dentrypoint=$(readlink /bin/tee-self-attestation-test) \ | ||||
|       -Dexecdir=/bin \ | ||||
|       -Dlog_level=error \ | ||||
|       tee-self-attestation-test.manifest.toml tee-self-attestation-test.manifest; \ | ||||
|     gramine-sgx-sign --manifest tee-self-attestation-test.manifest --output tee-self-attestation-test.manifest.sgx --key /tmp/test-enclave-key.pem; \ | ||||
|     rm /tmp/test-enclave-key.pem | ||||
| 
 | ||||
| EXPOSE 8443 | ||||
| 
 | ||||
| ENTRYPOINT ["/bin/sh", "-c"] | ||||
| ENV SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt | ||||
| CMD [ "[[ -r /var/run/aesmd/aesm.socket ]] || restart-aesmd >&2; exec gramine-sgx tee-self-attestation-test" ] | ||||
|  | @ -1,48 +1,7 @@ | |||
| # SPDX-License-Identifier: Apache-2.0 | ||||
| # Copyright (c) 2024 Matter Labs | ||||
| { pkgs | ||||
| , nixsgx | ||||
| , curl | ||||
| , teepot | ||||
| , bash | ||||
| , coreutils | ||||
| , openssl | ||||
| }: | ||||
| let manifest = ./tee-self-attestation-test.manifest.toml; | ||||
| in pkgs.dockerTools.buildLayeredImage { | ||||
|   name = "teepot-self-attestation-test-sgx-dcap"; | ||||
|   tag = "base"; | ||||
| 
 | ||||
|   config.Entrypoint = [ "/bin/sh" "-c" ]; | ||||
| 
 | ||||
|   contents = pkgs.buildEnv { | ||||
|     name = "image-root"; | ||||
| 
 | ||||
|     paths = with pkgs.dockerTools; with nixsgx;[ | ||||
|       bash | ||||
|       coreutils | ||||
|       openssl.out | ||||
|       curl.out | ||||
|       teepot.teepot.tee_self_attestation_test | ||||
|       gramine | ||||
|       restart-aesmd | ||||
|       sgx-dcap.quote_verify | ||||
|       sgx-dcap.default_qpl | ||||
|       sgx-psw | ||||
|       usrBinEnv | ||||
|       binSh | ||||
|       caCertificates | ||||
|       fakeNss | ||||
|     ]; | ||||
|     pathsToLink = [ "/bin" "/lib" "/etc" "/share" "/app" ]; | ||||
|     postBuild = '' | ||||
|       mkdir -p $out/{app,etc} | ||||
|       mkdir -p $out/app/{.dcap-qcnl,.az-dcap-client} | ||||
|       mkdir -p $out/var/run | ||||
|       mkdir -p $out/${nixsgx.sgx-psw.out}/aesm/ | ||||
|       ln -s ${curl.out}/lib/libcurl.so $out/${nixsgx.sgx-psw.out}/aesm/ | ||||
|       cp ${manifest} $out/app/tee-self-attestation-test.manifest.toml | ||||
|       printf "precedence ::ffff:0:0/96  100\n" > $out/etc/gai.conf | ||||
|     ''; | ||||
|   }; | ||||
| { teepot }: | ||||
| teepot.container-self-attestation-test-sgx-azure.override { | ||||
|   container-name = "teepot-self-attestation-test-sgx-dcap"; | ||||
|   isAzure = false; | ||||
| } | ||||
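Review bot: The `isAzure = false` in this override only has an effect if `container-self-attestation-test-sgx-azure/default.nix` forwards its `isAzure` argument to `mkSGXContainer`, and the sibling azure files in this PR (vault-admin, vault, vault-unseal) all declare `isAzure ? true` but then pass the literal `isAzure = true;`, so if the self-attestation azure file follows the same pattern this DCAP image is silently built with the Azure quote-provider setup. That file is not in this chunk, so please confirm it uses `inherit isAzure;`. The removed DCAP variant also shipped `sgx-dcap.default_qpl` and trusted `/etc/sgx_default_qcnl.conf`; that now has to come from `mkSGXContainer` for the non-Azure case, which is worth stating here, e.g. `# isAzure = false: mkSGXContainer must supply the default QPL and sgx_default_qcnl.conf in place of azure-dcap-client`.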
|  |  | |||
|  | @ -1,57 +0,0 @@ | |||
| libos.entrypoint = "{{ entrypoint }}" | ||||
| 
 | ||||
| [loader] | ||||
| argv = ["{{ entrypoint }}"] | ||||
| entrypoint = "file:{{ gramine.libos }}" | ||||
| log_level = "{{ log_level }}" | ||||
| 
 | ||||
| [loader.env] | ||||
| ### DEBUG ### | ||||
| RUST_BACKTRACE = "1" | ||||
| RUST_LOG = "warning" | ||||
| 
 | ||||
| ### Fixed values ### | ||||
| LD_LIBRARY_PATH = "{{ gramine.runtimedir() }}:/lib" | ||||
| SSL_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt" | ||||
| PATH = "/bin" | ||||
| HOME = "/app" | ||||
| 
 | ||||
| MALLOC_ARENA_MAX = "1" | ||||
| AZDCAP_DEBUG_LOG_LEVEL = "ignore" | ||||
| AZDCAP_COLLATERAL_VERSION = "v4" | ||||
| 
 | ||||
| [fs] | ||||
| root.uri = "file:/" | ||||
| start_dir = "/app" | ||||
| mounts = [ | ||||
|   { type = "tmpfs", path = "/var/tmp" }, | ||||
|   { type = "tmpfs", path = "/tmp" }, | ||||
|   { type = "tmpfs", path = "/app/.dcap-qcnl" }, | ||||
|   { type = "tmpfs", path = "/app/.az-dcap-client" }, | ||||
| ] | ||||
| 
 | ||||
| [sgx] | ||||
| trusted_files = [ | ||||
|   "file:/app/", | ||||
|   "file:/bin/", | ||||
|   "file:/etc/gai.conf", | ||||
|   "file:/etc/sgx_default_qcnl.conf", | ||||
|   "file:/etc/ssl/certs/ca-bundle.crt", | ||||
|   "file:/lib/", | ||||
|   "file:/nix/", | ||||
|   "file:{{ gramine.libos }}", | ||||
|   "file:{{ gramine.runtimedir() }}/", | ||||
| ] | ||||
| remote_attestation = "dcap" | ||||
| max_threads = 64 | ||||
| edmm_enable = false | ||||
| ## max enclave size | ||||
| enclave_size = "2G" | ||||
| 
 | ||||
| [sys] | ||||
| enable_extra_runtime_domain_names_conf = true | ||||
| enable_sigterm_injection = true | ||||
| 
 | ||||
| # possible tweak option, if problems with mio | ||||
| # currently mio is compiled with `mio_unsupported_force_waker_pipe` | ||||
| # insecure__allow_eventfd = true | ||||
|  | @ -1,25 +0,0 @@ | |||
| # SPDX-License-Identifier: Apache-2.0 | ||||
| # Copyright (c) 2024 Matter Labs | ||||
| 
 | ||||
| FROM teepot-vault-admin-sgx-azure:base | ||||
| 
 | ||||
| WORKDIR /app | ||||
| 
 | ||||
| COPY packages/container-vault-sgx-azure/test-enclave-key.pem /tmp/ | ||||
| 
 | ||||
| RUN set -eux; \ | ||||
|     gramine-manifest -Darch_libdir=/lib/x86_64-linux-gnu \ | ||||
|       -Dentrypoint=$(readlink /bin/tee-vault-admin) \ | ||||
|       -Dexecdir=/bin \ | ||||
|       -Dlog_level=warning \ | ||||
|       tee-vault-admin.manifest.toml tee-vault-admin.manifest; \ | ||||
|     gramine-sgx-sign --manifest tee-vault-admin.manifest --output tee-vault-admin.manifest.sgx --key /tmp/test-enclave-key.pem; \ | ||||
|     rm /tmp/test-enclave-key.pem | ||||
| 
 | ||||
| VOLUME /opt/vault/tls | ||||
| 
 | ||||
| EXPOSE 8443 | ||||
| 
 | ||||
| ENTRYPOINT ["/bin/sh", "-c"] | ||||
| ENV SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt | ||||
| CMD [ "echo tee-vault-admin in SGX mode starting; [[ -r /var/run/aesmd/aesm.socket ]] || restart-aesmd ; exec gramine-sgx tee-vault-admin" ] | ||||
|  | @ -1,49 +1,53 @@ | |||
| # SPDX-License-Identifier: Apache-2.0 | ||||
| # Copyright (c) 2024 Matter Labs | ||||
| { pkgs | ||||
| , nixsgx | ||||
| , curl | ||||
| { lib | ||||
| , pkgs | ||||
| , inputs | ||||
| , teepot | ||||
| , bash | ||||
| , coreutils | ||||
| , openssl | ||||
| , nixsgx | ||||
| , container-name ? "teepot-vault-admin-sgx-azure" | ||||
| , tag ? "latest" | ||||
| , isAzure ? true | ||||
| }: | ||||
| let manifest = ./tee-vault-admin.manifest.toml; | ||||
| in pkgs.dockerTools.buildLayeredImage { | ||||
|   name = "teepot-vault-admin-sgx-azure"; | ||||
|   tag = "base"; | ||||
| pkgs.callPackage inputs.nixsgx-flake.lib.mkSGXContainer { | ||||
|   name = container-name; | ||||
|   inherit tag; | ||||
| 
 | ||||
|   config.Entrypoint = [ "/bin/sh" "-c" ]; | ||||
|   packages = [ teepot.teepot.tee_vault_admin ]; | ||||
|   entrypoint = "${teepot.teepot.tee_vault_admin}/bin/tee-vault-admin"; | ||||
| 
 | ||||
|   contents = pkgs.buildEnv { | ||||
|     name = "image-root"; | ||||
|   isAzure = true; | ||||
| 
 | ||||
|     paths = with pkgs.dockerTools; with nixsgx;[ | ||||
|       bash | ||||
|       coreutils | ||||
|       openssl.out | ||||
|       azure-dcap-client | ||||
|       curl.out | ||||
|       teepot.teepot.tee_vault_admin | ||||
|       gramine | ||||
|       restart-aesmd | ||||
|       sgx-dcap.quote_verify | ||||
|       sgx-psw | ||||
|       usrBinEnv | ||||
|       binSh | ||||
|       caCertificates | ||||
|       fakeNss | ||||
|     ]; | ||||
|     pathsToLink = [ "/bin" "/lib" "/etc" "/app" ]; | ||||
|     postBuild = '' | ||||
|       mkdir -p $out/{app,etc} | ||||
|       cp ${manifest} $out/app/tee-vault-admin.manifest.toml | ||||
|       mkdir -p $out/var/run | ||||
|       mkdir -p $out/${nixsgx.sgx-psw.out}/aesm/ | ||||
|       touch $out/etc/sgx_default_qcnl.conf | ||||
|       ln -s ${curl.out}/lib/libcurl.so $out/${nixsgx.sgx-psw.out}/aesm/ | ||||
|       ln -s ${nixsgx.azure-dcap-client.out}/lib/libdcap_quoteprov.so $out/${nixsgx.sgx-psw.out}/aesm/libdcap_quoteprov.so.1 | ||||
|       printf "precedence ::ffff:0:0/96  100\n" > $out/etc/gai.conf | ||||
|     ''; | ||||
|   manifest = { | ||||
|     loader = { | ||||
|       log_level = "error"; | ||||
|       env = { | ||||
|         ### Admin Config ### | ||||
|         PORT.passthrough = true; | ||||
| 
 | ||||
|         ### VAULT attestation ### | ||||
|         VAULT_ADDR.passthrough = true; | ||||
|         VAULT_SGX_MRENCLAVE.passthrough = true; | ||||
|         VAULT_SGX_MRSIGNER.passthrough = true; | ||||
|         VAULT_SGX_ALLOWED_TCB_LEVELS.passthrough = true; | ||||
| 
 | ||||
|         ### DEBUG ### | ||||
|         RUST_BACKTRACE = "1"; | ||||
|         RUST_LOG = "info,tee_vault_admin=trace,teepot=trace,vault_tee_client=trace,tee_client=trace,awc=debug"; | ||||
| 
 | ||||
|         ### Enclave security ### | ||||
|         ALLOWED_TCB_LEVELS = "SwHardeningNeeded"; | ||||
|       }; | ||||
|     }; | ||||
| 
 | ||||
|     sgx = { | ||||
|       edmm_enable = false; | ||||
|       enclave_size = "2G"; | ||||
|       max_threads = 64; | ||||
|     }; | ||||
| 
 | ||||
|     # possible tweak option, if problems with mio | ||||
|     # currently mio is compiled with `mio_unsupported_force_waker_pipe` | ||||
|     # sys.insecure__allow_eventfd = true | ||||
|   }; | ||||
| } | ||||
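Review bot: The new `isAzure ? true` parameter is dead: the attribute set handed to `mkSGXContainer` hard-codes `isAzure = true;` instead of `inherit isAzure;`, so an `.override { isAzure = false; }` (the pattern the DCAP variants in this PR rely on) changes nothing and still produces an Azure-attested image. Change that line to `inherit isAzure;`; `lib` is likewise accepted but unused. The removed manifest also set `MALLOC_ARENA_MAX`, the `AZDCAP_*` variables, the `/lib` runtime mount and `remote_attestation = "dcap"`; those are presumably provided by `mkSGXContainer` now, but that dependence deserves a one-line comment above `manifest = {` so the next reader does not think they were dropped.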
|  |  | |||
|  | @ -1,71 +0,0 @@ | |||
| libos.entrypoint = "{{ entrypoint }}" | ||||
| 
 | ||||
| [loader] | ||||
| argv = ["{{ entrypoint }}"] | ||||
| entrypoint = "file:{{ gramine.libos }}" | ||||
| 
 | ||||
| [loader.env] | ||||
| ### Admin Config ### | ||||
| PORT = { passthrough = true } | ||||
| 
 | ||||
| ### VAULT attestation ### | ||||
| VAULT_ADDR = { passthrough = true } | ||||
| VAULT_SGX_MRENCLAVE = { passthrough = true } | ||||
| VAULT_SGX_MRSIGNER = { passthrough = true } | ||||
| VAULT_SGX_ALLOWED_TCB_LEVELS = { passthrough = true } | ||||
| 
 | ||||
| ### DEBUG ### | ||||
| RUST_BACKTRACE = "1" | ||||
| RUST_LOG = "info,tee_vault_admin=trace,teepot=trace,vault_tee_client=trace,tee_client=trace,awc=debug" | ||||
| 
 | ||||
| ### Enclave security ### | ||||
| ALLOWED_TCB_LEVELS = "SwHardeningNeeded" | ||||
| 
 | ||||
| ### Fixed values ### | ||||
| LD_LIBRARY_PATH = "/lib" | ||||
| SSL_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt" | ||||
| PATH = "/bin" | ||||
| HOME = "/app" | ||||
| 
 | ||||
| MALLOC_ARENA_MAX = "1" | ||||
| AZDCAP_DEBUG_LOG_LEVEL = "ignore" | ||||
| AZDCAP_COLLATERAL_VERSION = "v4" | ||||
| 
 | ||||
| [fs] | ||||
| root.uri = "file:/" | ||||
| start_dir = "/app" | ||||
| mounts = [ | ||||
|   { path = "/lib", uri = "file:{{ gramine.runtimedir() }}" }, | ||||
|   { path = "{{ gramine.runtimedir() }}/libdcap_quoteprov.so", uri = "file:/lib/libdcap_quoteprov.so" }, | ||||
|   { type = "tmpfs", path = "/var/tmp" }, | ||||
|   { type = "tmpfs", path = "/tmp" }, | ||||
|   { type = "tmpfs", path = "/app/.dcap-qcnl" }, | ||||
|   { type = "tmpfs", path = "/app/.az-dcap-client" }, | ||||
| ] | ||||
| 
 | ||||
| [sgx] | ||||
| trusted_files = [ | ||||
|   "file:/app/", | ||||
|   "file:/bin/", | ||||
|   "file:/etc/gai.conf", | ||||
|   "file:/etc/sgx_default_qcnl.conf", | ||||
|   "file:/etc/ssl/certs/ca-bundle.crt", | ||||
|   "file:/lib/", | ||||
|   "file:/lib/libdcap_quoteprov.so", | ||||
|   "file:/nix/", | ||||
|   "file:{{ gramine.libos }}", | ||||
|   "file:{{ gramine.runtimedir() }}/", | ||||
| ] | ||||
| remote_attestation = "dcap" | ||||
| max_threads = 64 | ||||
| edmm_enable = false | ||||
| ## max enclave size | ||||
| enclave_size = "2G" | ||||
| 
 | ||||
| [sys] | ||||
| enable_extra_runtime_domain_names_conf = true | ||||
| enable_sigterm_injection = true | ||||
| 
 | ||||
| # possible tweak option, if problems with mio | ||||
| # currently mio is compiled with `mio_unsupported_force_waker_pipe` | ||||
| # insecure__allow_eventfd = true | ||||
|  | @ -1,25 +0,0 @@ | |||
| # SPDX-License-Identifier: Apache-2.0 | ||||
| # Copyright (c) 2024 Matter Labs | ||||
| 
 | ||||
| FROM teepot-vault-sgx-azure:base | ||||
| 
 | ||||
| WORKDIR /opt/vault | ||||
| 
 | ||||
| COPY packages/container-vault-sgx-azure/test-enclave-key.pem /tmp/ | ||||
| RUN set -eux; \ | ||||
|     gramine-manifest \ | ||||
|       -Dtee_ratls_preexec=$(readlink /bin/tee-ratls-preexec) \ | ||||
|       -Dvault_exec=$(readlink /bin/vault) \ | ||||
|       -Darch_libdir=/lib/x86_64-linux-gnu \ | ||||
|       -Dexecdir=/bin \ | ||||
|       -Dlog_level=warning \ | ||||
|       vault.manifest.toml vault.manifest; \ | ||||
|     gramine-sgx-sign --manifest vault.manifest --output vault.manifest.sgx --key /tmp/test-enclave-key.pem; \ | ||||
|     rm /tmp/test-enclave-key.pem | ||||
| 
 | ||||
| VOLUME /opt/vault/tls | ||||
| VOLUME /opt/vault/data | ||||
| 
 | ||||
| ENTRYPOINT ["/bin/sh", "-c"] | ||||
| ENV SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt | ||||
| CMD [ "echo vault in SGX mode starting; [[ -r /var/run/aesmd/aesm.socket ]] || restart-aesmd ; exec gramine-sgx vault" ] | ||||
|  | @ -1,54 +1,92 @@ | |||
| # SPDX-License-Identifier: Apache-2.0 | ||||
| # Copyright (c) 2024 Matter Labs | ||||
| { pkgs | ||||
| , vat | ||||
| , nixsgx | ||||
| , curl | ||||
| { lib | ||||
| , pkgs | ||||
| , inputs | ||||
| , teepot | ||||
| , bash | ||||
| , coreutils | ||||
| , openssl | ||||
| , nixsgx | ||||
| , vat | ||||
| , vault | ||||
| , container-name ? "teepot-vault-sgx-azure" | ||||
| , tag ? "latest" | ||||
| , isAzure ? true | ||||
| }: | ||||
| let manifest = ./vault.manifest.toml; | ||||
| in pkgs.dockerTools.buildLayeredImage { | ||||
|   name = "teepot-vault-sgx-azure"; | ||||
|   tag = "base"; | ||||
| let | ||||
|   entrypoint = "${teepot.teepot.tee_ratls_preexec}/bin/tee-ratls-preexec"; | ||||
|   appDir = "/opt/vault"; | ||||
| in | ||||
| pkgs.callPackage inputs.nixsgx-flake.lib.mkSGXContainer { | ||||
|   name = container-name; | ||||
|   inherit tag; | ||||
|   inherit appDir; | ||||
| 
 | ||||
|   config.Entrypoint = [ "/bin/sh" "-c" ]; | ||||
|   packages = [ | ||||
|     teepot.teepot.tee_ratls_preexec | ||||
|     vault | ||||
|     vat.vault-auth-tee | ||||
|     teepot.container-vault-start-config | ||||
|   ]; | ||||
|   inherit entrypoint; | ||||
| 
 | ||||
|   contents = pkgs.buildEnv { | ||||
|     name = "image-root"; | ||||
|   isAzure = true; | ||||
| 
 | ||||
|     paths = with pkgs.dockerTools; with nixsgx;[ | ||||
|       bash | ||||
|       coreutils | ||||
|       teepot.teepot.tee_ratls_preexec | ||||
|       vault | ||||
|       azure-dcap-client | ||||
|       openssl.out | ||||
|       curl.out | ||||
|       vat.vault-auth-tee | ||||
|       gramine | ||||
|       restart-aesmd | ||||
|       sgx-dcap.quote_verify | ||||
|       sgx-psw | ||||
|       usrBinEnv | ||||
|       binSh | ||||
|       caCertificates | ||||
|       fakeNss | ||||
|       teepot.container-vault-start-config | ||||
|   extraPostBuild = '' | ||||
|     mkdir -p $out/${appDir}/{data,.cache,tls,plugins} | ||||
|     ln -s ${vat.vault-auth-tee}/bin/vault-auth-tee $out/opt/vault/plugins | ||||
|   ''; | ||||
| 
 | ||||
|   manifest = { | ||||
|     loader = { | ||||
|       argv = [ | ||||
|         entrypoint | ||||
|         "--" | ||||
|         "${vault}/bin/vault" | ||||
|         "server" | ||||
|         "-config=/opt/vault/config.hcl" | ||||
|         "-log-level=trace" | ||||
|       ]; | ||||
|       log_level = "error"; | ||||
|       env = { | ||||
|         VAULT_CLUSTER_ADDR.passthrough = true; | ||||
|         VAULT_API_ADDR.passthrough = true; | ||||
|         VAULT_RAFT_NODE_ID.passthrough = true; | ||||
| 
 | ||||
|         DNS_NAMES = "vault-1,vault-2,vault-3"; | ||||
| 
 | ||||
|         # otherwise vault will lock a lot of unused EPC memory | ||||
|         VAULT_RAFT_INITIAL_MMAP_SIZE = "0"; | ||||
| 
 | ||||
|         # possible tweak option, if problems with raft | ||||
|         # VAULT_RAFT_DISABLE_MAP_POPULATE = "true" | ||||
|       }; | ||||
|     }; | ||||
| 
 | ||||
|     fs.mounts = [ | ||||
|       { type = "tmpfs"; path = "/opt/vault/tls"; } | ||||
|       { type = "encrypted"; path = "/opt/vault/.cache"; uri = "file:/opt/vault/.cache"; key_name = "_sgx_mrsigner"; } | ||||
|       { type = "encrypted"; path = "/opt/vault/data"; uri = "file:/opt/vault/data"; key_name = "_sgx_mrsigner"; } | ||||
|     ]; | ||||
|     pathsToLink = [ "/bin" "/lib" "/etc" "/opt/vault" ]; | ||||
|     postBuild = '' | ||||
|       mkdir -p $out/var/run | ||||
|       mkdir -p $out/${nixsgx.sgx-psw.out}/aesm/ | ||||
|       mkdir -p $out/opt/vault/data $out/opt/vault/.cache $out/opt/vault/tls | ||||
|       ln -s ${curl.out}/lib/libcurl.so $out/${nixsgx.sgx-psw.out}/aesm/ | ||||
|       ln -s ${nixsgx.azure-dcap-client.out}/lib/libdcap_quoteprov.so $out/${nixsgx.sgx-psw.out}/aesm/libdcap_quoteprov.so.1 | ||||
|       mkdir -p $out/opt/vault/plugins | ||||
|       ln -s ${vat.vault-auth-tee}/bin/vault-auth-tee $out/opt/vault/plugins | ||||
|       cp ${manifest} $out/opt/vault/vault.manifest.toml | ||||
|     ''; | ||||
| 
 | ||||
|     sgx = { | ||||
|       debug = false; | ||||
|       edmm_enable = false; | ||||
|       enclave_size = "8G"; | ||||
|       max_threads = 64; | ||||
|       nonpie_binary = true; | ||||
| 
 | ||||
|       trusted_files = [ | ||||
|         "file:/opt/vault/plugins/" | ||||
|         "file:/opt/vault/config.hcl" | ||||
|         "file:/opt/vault/cacert.pem" | ||||
|         "file:/opt/vault/cakey.pem" | ||||
|       ]; | ||||
| 
 | ||||
|     }; | ||||
| 
 | ||||
|     sys.stack.size = "1M"; | ||||
|     # vault needs flock | ||||
|     sys.experimental__enable_flock = true; | ||||
|   }; | ||||
| } | ||||
| 
 | ||||
| 
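Review bot: Same dead knob as the other containers in this PR: `isAzure ? true` is declared at the top but `isAzure = true;` is passed literally, so `inherit isAzure;` is needed before any `.override` can switch this to plain DCAP. Separately, the removed manifest mounted `/opt/vault/.dcap-qcnl` and `/opt/vault/.az-dcap-client` as tmpfs, while the new `fs.mounts` only covers `tls`, `.cache` and `data`; unless `mkSGXContainer` derives those mounts from `appDir`, the quote-provider caches under `HOME` will either be refused by Gramine or written in the clear to the host-visible filesystem. `extraPostBuild` also mixes `${appDir}` and a literal `/opt/vault` on consecutive lines; use `ln -s ${vat.vault-auth-tee}/bin/vault-auth-tee $out/${appDir}/plugins` so the two cannot drift apart.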
 | ||||
|  |  | |||
|  | @ -1,39 +0,0 @@ | |||
| -----BEGIN RSA PRIVATE KEY----- | ||||
| MIIG5AIBAAKCAYEAwDrEJDyGnIGv/xWF4/MQtVEshpft/xGECSdjuHOU87nwCWon | ||||
| hirmOyggPPU772tobmaqRhAMHn0NwvRyFCQcSwTIjd0e/cfwH/QtEd/fp4yaw/z7 | ||||
| FZmesTm+wjaobnRfPwrNHAfM8U2EQPXp1yYyjUqPVEXb/7ivdR+u7qnb0o6oNfzA | ||||
| ibRF6H+Fozj5FwepfbQ1DTauTEwdjywD+/21W+Ru5qF7SQVHYwf9OuyD4yZBm9os | ||||
| 0Aqnk1nO6ZUSJfrL1gd10LoblnPUjNxwQtWhxIPyeKRYwmVpoaYL45U+6iNOkBiL | ||||
| PyGJDC+lq+AS8YtwzPOt3pUUpFh/XZyxSHla3Q8qPAikjcv1DvTiK+NVEVXoFrbs | ||||
| /uG6Ii9BSRbZ3NQH1bOLtdkW7W6GPGCMr/KuXEvIQaOpDb27/DEtvCh3T/9vrKsO | ||||
| etpTI0an6NZ1oshZ3X2TxZ9nNxh9zMvPswXBdy9O9/WybAN6a1PvIb3v66bxJW6T | ||||
| Pu87/q0DKzeMM20pAgEDAoIBgQCAJy1tfa8TAR//Y66X92B44MhZup6qC61bb5fQ | ||||
| TQ330Uqw8W+ux0QncBV9+NKfnPBJmcbZYAgUU16B+EwNbWgyAzBek2n+hUq/+B4L | ||||
| 6pUaXbyCqKdju78g0SnWzxr0TZTUsd4Sr932M62Ao/E6GXcI3F+Ng+f/0HT4v8n0 | ||||
| cT03CcV5UysGeC6a/65s0KYPWnD+eCNeJHQy3WkKHVf9U849QvSZwPzbWNpCBVN8 | ||||
| na1CGYESkXM1XG+3kTSbuLbD/Ia8KvGsaOeVORvhXr04kD9qW2ioaisSAcXELHY7 | ||||
| qFcktM1cYnDJn1/LcCH6tUlnJdGIKWYlbBcmJvhT2FqpULg5IPldNiu9ybh5yQY9 | ||||
| HB0pnzg6Ldcb/aunyjdwXgcaPgdkOOpnqRYGq6yrmWk6WsnNMK/QFmgxadbfOU0i | ||||
| xjSrSYVItugHwOrH2eH842jBP2wbe1UJCOrKNytzZ3mBcb0RJbbFYjV0QzdPeVTN | ||||
| Y9ermQTt29tJVrd+Emzo8CK4+gMCgcEA4sXchskGNcoChkDpAqie0W2YLm2XDyPY | ||||
| CoiA+OVLc5lDd995Vqe2kCIC8VMMGIHhxG3NIqxrfxpH5LvqDczphyH6dlWl/O2M | ||||
| CrS/67NjCTm6935ADeR0qndYdMm5XyfYEjl5qESoq4oNq4Pg/0/P1Q/mhN8GQiKb | ||||
| qYAIHE/28dw1tsF6Kl7oqALpBXLQ/iRuFqJmrSPgQ32c5bEQUBD3F7HZq8T7V+O2 | ||||
| 7/jH8A1A2XddnddIe6fTqboFsghcPAHrAoHBANkBLsdTugDUKDSNa2tUo9ONPU2X | ||||
| gRg+6PDa2ZEzcL961w2laLoKwsrlb8J9GL5Q1LxHx4PGhmwDwvscPzyzXQA7ubnh | ||||
| vPQv1E2SmOSFxkmtWMfz6kcAw/wIlavAFdZPJK0ksnIWzTfi9Y92jdkar9Ny2gSj | ||||
| BoF8XgPbMeuvMV008gjXOETaCk986+gOh4LEyZ2iLYruJsRIH7n/iSDKLsXE4yQd | ||||
| ZuW68IQlJ/2a65DKDCLNgdVFVRfXWhvG++H0OwKBwQCXLpMEhgQj3AGu1fCscGng | ||||
| 87rJnmS0wpAHBatQmNz3u4JP6lDkb88KwVdLjLK7AUEtnojByEeqEYVDJ/FeiJuv | ||||
| a/xO48P987KxzdVHzOyw0SdPqYAJQvhxpOWjMSY/b+Vhe6ZwLcXHsV5yV+tU39/j | ||||
| X+8DP1mBbGfGVVq9iqShPXkkgPwcP0XFV0YDoeCpbZ65wZnIwpWCU73udgrgC09l | ||||
| ITvH2KeP7SSf+y/1Xis7pOkT5Nr9Go0b0VkhWugoAUcCgcEAkKt0hOJ8AI1wIwjy | ||||
| R43CjQjTiQ+rZX9F9ec7tiJLKlHks8ObJrHXMe5Kgai7KYs4fYUvrS8ESAKB/L1/ | ||||
| fczoqtJ70UEoosqNiQxl7a6EMR47L/fxhKstUrBjx9Vj5DTDHhh29rneJUH5Ck8J | ||||
| O2cf4kyRWGyvAP2UApIhR8og6M32sI962JFcNP3ymrRaVy3bvmweXJ7Egtq/0VUG | ||||
| FdwfLoNCGBOZ7nygWBjFU7ydCzFdbIkBONjjZTo8EoSn6/gnAoHBAJ/XSbhoVzkI | ||||
| CgW7gXSp+qKMhtbR2QawL3006KfQbK/sdcJ0Cyd4IfHXswrFQKV4BrL4tOxay1PT | ||||
| HoQZW5+pLTbZjz3d0tDU9WpSd6FNovoxB6lUA3ymD4ay8Zysy3FflNqOSO6XkwKq | ||||
| 0GApQ6pIiDTst+LpnfgvQBDAnJXK3Hik2wDgXThXEofUoMDcGNsQ+NbdackR7/yL | ||||
| 8ep5ZLAhczGi4XE471ut48CHtxKq0eGde/lHx0Origk9PPbsNoH2XA== | ||||
| -----END RSA PRIVATE KEY----- | ||||
|  | @ -1,77 +0,0 @@ | |||
| libos.entrypoint = "{{ tee_ratls_preexec }}" | ||||
| 
 | ||||
| [loader] | ||||
| entrypoint = "file:{{ gramine.libos }}" | ||||
| argv = [ | ||||
|   "{{ tee_ratls_preexec }}", | ||||
|   "--", | ||||
|   "{{ vault_exec }}", | ||||
|   "server", | ||||
|   "-config=/opt/vault/config.hcl", | ||||
|   "-log-level=trace", | ||||
| ] | ||||
| # set a log level for gramine | ||||
| log_level = "{{ log_level }}" | ||||
| 
 | ||||
| [loader.env] | ||||
| LD_LIBRARY_PATH = "/lib" | ||||
| SSL_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt" | ||||
| PATH = "{{ execdir }}" | ||||
| HOME = "/opt/vault" | ||||
| 
 | ||||
| VAULT_CLUSTER_ADDR.passthrough = true | ||||
| VAULT_API_ADDR.passthrough = true | ||||
| VAULT_RAFT_NODE_ID.passthrough = true | ||||
| 
 | ||||
| DNS_NAMES = "vault-1,vault-2,vault-3" | ||||
| 
 | ||||
| # otherwise vault will lock a lot of unused EPC memory | ||||
| VAULT_RAFT_INITIAL_MMAP_SIZE = "0" | ||||
| 
 | ||||
| # possible tweak option, if problems with raft | ||||
| # VAULT_RAFT_DISABLE_MAP_POPULATE = "true" | ||||
| 
 | ||||
| [fs] | ||||
| root.uri = "file:/" | ||||
| start_dir = "/opt/vault" | ||||
| mounts = [ | ||||
|   { path = "/lib", uri = "file:{{ gramine.runtimedir() }}" }, | ||||
|   { path = "{{ gramine.runtimedir() }}/libdcap_quoteprov.so", uri = "file:/lib/libdcap_quoteprov.so" }, | ||||
|   { type = "tmpfs", path = "/var/tmp" }, | ||||
|   { type = "tmpfs", path = "/tmp" }, | ||||
|   { type = "tmpfs", path = "/opt/vault/tls" }, | ||||
|   { type = "tmpfs", path = "/opt/vault/.dcap-qcnl" }, | ||||
|   { type = "tmpfs", path = "/opt/vault/.az-dcap-client" }, | ||||
|   { type = "encrypted", path = "/opt/vault/.cache", uri = "file:/opt/vault/.cache", key_name = "_sgx_mrsigner" }, | ||||
|   { type = "encrypted", path = "/opt/vault/data", uri = "file:/opt/vault/data", key_name = "_sgx_mrsigner" }, | ||||
| ] | ||||
| 
 | ||||
| [sgx] | ||||
| debug = false | ||||
| edmm_enable = false | ||||
| enclave_size = "8G" | ||||
| max_threads = 64 | ||||
| nonpie_binary = true | ||||
| remote_attestation = "dcap" | ||||
| 
 | ||||
| trusted_files = [ | ||||
|   "file:/bin/", | ||||
|   "file:/etc/gai.conf", | ||||
|   "file:/etc/ssl/certs/ca-bundle.crt", | ||||
|   "file:/lib/", | ||||
|   "file:/nix/", | ||||
|   "file:/opt/vault/plugins/", | ||||
|   "file:/opt/vault/config.hcl", | ||||
|   "file:/opt/vault/cacert.pem", | ||||
|   "file:/opt/vault/cakey.pem", | ||||
|   "file:{{ gramine.libos }}", | ||||
|   "file:{{ gramine.runtimedir() }}/", | ||||
| ] | ||||
| 
 | ||||
| [sys] | ||||
| stack.size = "1M" | ||||
| enable_extra_runtime_domain_names_conf = true | ||||
| enable_sigterm_injection = true | ||||
| 
 | ||||
| # vault needs flock | ||||
| experimental__enable_flock = true | ||||
|  | @ -19,8 +19,5 @@ stdenv.mkDerivation { | |||
|   postInstall = '' | ||||
|     mkdir -p $out/opt/vault | ||||
|     cp -r $src/* $out/opt/vault | ||||
| 
 | ||||
|     mkdir -p $out/etc | ||||
|     printf "precedence ::ffff:0:0/96  100\n" > $out/etc/gai.conf | ||||
|   ''; | ||||
| } | ||||
|  |  | |||
|  | @ -1,25 +0,0 @@ | |||
| # SPDX-License-Identifier: Apache-2.0 | ||||
| # Copyright (c) 2024 Matter Labs | ||||
| 
 | ||||
| FROM teepot-vault-unseal-sgx-azure:base | ||||
| 
 | ||||
| WORKDIR /app | ||||
| 
 | ||||
| COPY packages/container-vault-sgx-azure/test-enclave-key.pem /tmp/ | ||||
| 
 | ||||
| RUN set -eux; \ | ||||
|     gramine-manifest -Darch_libdir=/lib/x86_64-linux-gnu \ | ||||
|       -Dentrypoint=$(readlink /bin/tee-vault-unseal) \ | ||||
|       -Dvault_auth_tee_sha=1505ffe3ef0994de63206ccce1dec6715d55e72955960cb7314e4571811c4422 \ | ||||
|       -Dvault_auth_tee_version=0.1.0+dev \ | ||||
|       -Dexecdir=/bin \ | ||||
|       -Dlog_level=warning \ | ||||
|       tee-vault-unseal.manifest.toml tee-vault-unseal.manifest; \ | ||||
|     gramine-sgx-sign --manifest tee-vault-unseal.manifest --output tee-vault-unseal.manifest.sgx --key /tmp/test-enclave-key.pem; \ | ||||
|     rm /tmp/test-enclave-key.pem | ||||
| 
 | ||||
| EXPOSE 8443 | ||||
| 
 | ||||
| ENTRYPOINT ["/bin/sh", "-c"] | ||||
| ENV SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt | ||||
| CMD [ "echo tee-vault-unseal in SGX mode starting; [[ -r /var/run/aesmd/aesm.socket ]] || restart-aesmd ; exec gramine-sgx tee-vault-unseal" ] | ||||
|  | @ -1,52 +1,59 @@ | |||
| # SPDX-License-Identifier: Apache-2.0 | ||||
| # Copyright (c) 2024 Matter Labs | ||||
| { pkgs | ||||
| , vat | ||||
| , nixsgx | ||||
| , curl | ||||
| { lib | ||||
| , pkgs | ||||
| , inputs | ||||
| , teepot | ||||
| , bash | ||||
| , coreutils | ||||
| , openssl | ||||
| , nixsgx | ||||
| , vat | ||||
| , container-name ? "teepot-vault-unseal-sgx-azure" | ||||
| , tag ? "latest" | ||||
| , isAzure ? true | ||||
| }: | ||||
| let manifest = ./tee-vault-unseal.manifest.toml; | ||||
| in pkgs.dockerTools.buildLayeredImage { | ||||
|   name = "teepot-vault-unseal-sgx-azure"; | ||||
|   tag = "base"; | ||||
| pkgs.callPackage inputs.nixsgx-flake.lib.mkSGXContainer { | ||||
|   name = container-name; | ||||
|   inherit tag; | ||||
| 
 | ||||
|   config.Entrypoint = [ "/bin/sh" "-c" ]; | ||||
|   packages = [ | ||||
|     vat.vault-auth-tee.sha | ||||
|     teepot.teepot.tee_vault_unseal | ||||
|   ]; | ||||
|   entrypoint = "${teepot.teepot.tee_vault_unseal}/bin/tee-vault-unseal"; | ||||
| 
 | ||||
|   contents = pkgs.buildEnv { | ||||
|     name = "image-root"; | ||||
|   isAzure = true; | ||||
| 
 | ||||
|     paths = with pkgs.dockerTools; with nixsgx;[ | ||||
|       bash | ||||
|       coreutils | ||||
|       openssl.out | ||||
|       azure-dcap-client | ||||
|       curl.out | ||||
|       vat.vault-auth-tee.sha | ||||
|       teepot.teepot.tee_vault_unseal | ||||
|       gramine | ||||
|       restart-aesmd | ||||
|       sgx-dcap.quote_verify | ||||
|       sgx-psw | ||||
|       usrBinEnv | ||||
|       binSh | ||||
|       caCertificates | ||||
|       fakeNss | ||||
|     ]; | ||||
|     pathsToLink = [ "/bin" "/lib" "/etc" "/share" "/app" ]; | ||||
|     postBuild = '' | ||||
|       mkdir -p $out/{app,etc} | ||||
|       cp ${manifest} $out/app/tee-vault-unseal.manifest.toml | ||||
|       mkdir -p $out/var/run | ||||
|       mkdir -p $out/${nixsgx.sgx-psw.out}/aesm/ | ||||
|       touch $out/etc/sgx_default_qcnl.conf | ||||
|       mkdir -p $out/opt/vault/.cache $out/opt/vault/tls | ||||
|       ln -s ${curl.out}/lib/libcurl.so $out/${nixsgx.sgx-psw.out}/aesm/ | ||||
|       ln -s ${nixsgx.azure-dcap-client.out}/lib/libdcap_quoteprov.so $out/${nixsgx.sgx-psw.out}/aesm/libdcap_quoteprov.so.1 | ||||
|       printf "precedence ::ffff:0:0/96  100\n" > $out/etc/gai.conf | ||||
|     ''; | ||||
|   manifest = { | ||||
|     loader = { | ||||
|       log_level = "error"; | ||||
|       env = { | ||||
|         ### Admin Config ### | ||||
|         PORT.passthrough = true; | ||||
| 
 | ||||
|         ### VAULT attestation ### | ||||
|         VAULT_ADDR.passthrough = true; | ||||
|         VAULT_SGX_MRENCLAVE.passthrough = true; | ||||
|         VAULT_SGX_MRSIGNER.passthrough = true; | ||||
|         VAULT_SGX_ALLOWED_TCB_LEVELS.passthrough = true; | ||||
| 
 | ||||
|         ### DEBUG ### | ||||
|         RUST_BACKTRACE = "1"; | ||||
|         RUST_LOG = "info,tee_vault_unseal=trace,teepot=trace,vault_tee_client=trace,tee_client=trace,awc=debug"; | ||||
| 
 | ||||
|         ### Enclave security ### | ||||
|         ALLOWED_TCB_LEVELS = "SwHardeningNeeded"; | ||||
| 
 | ||||
|         VAULT_AUTH_TEE_SHA256 = "${vat.vault-auth-tee.sha}/share/vault-auth-tee.sha256"; | ||||
|       }; | ||||
|     }; | ||||
| 
 | ||||
|     sgx = { | ||||
|       edmm_enable = false; | ||||
|       enclave_size = "2G"; | ||||
|       max_threads = 64; | ||||
|     }; | ||||
| 
 | ||||
|     # possible tweak option, if problems with mio | ||||
|     # currently mio is compiled with `mio_unsupported_force_waker_pipe` | ||||
|     # sys.insecure__allow_eventfd = true | ||||
|   }; | ||||
| } | ||||
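Review bot: `VAULT_AUTH_TEE_SHA256` changes meaning here: the removed Dockerfile/manifest passed the plugin's hex digest itself (`-Dvault_auth_tee_sha=1505ffe3…`), whereas this sets it to a Nix store path, `${vat.vault-auth-tee.sha}/share/vault-auth-tee.sha256`. Unless tee-vault-unseal was changed in the same PR to read the digest from a file (not visible in this chunk), the plugin-integrity check in the unsealer will compare against the wrong string. If reading from a file is intended, that store path must stay covered by `trusted_files` (the old manifest had `file:/nix/`), and `VAULT_AUTH_TEE_VERSION`, which the old manifest also exported, is now gone without replacement. As in the sibling containers, `isAzure ? true` is declared but `isAzure = true;` is hard-coded; use `inherit isAzure;`.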
|  |  | |||
|  | @ -1,74 +0,0 @@ | |||
| libos.entrypoint = "{{ entrypoint }}" | ||||
| 
 | ||||
| [loader] | ||||
| argv = ["{{ entrypoint }}"] | ||||
| entrypoint = "file:{{ gramine.libos }}" | ||||
| 
 | ||||
| [loader.env] | ||||
| ### Admin Config ### | ||||
| PORT = { passthrough = true } | ||||
| 
 | ||||
| ### VAULT attestation ### | ||||
| VAULT_ADDR = { passthrough = true } | ||||
| VAULT_SGX_MRENCLAVE = { passthrough = true } | ||||
| VAULT_SGX_MRSIGNER = { passthrough = true } | ||||
| VAULT_SGX_ALLOWED_TCB_LEVELS = { passthrough = true } | ||||
| 
 | ||||
| ### DEBUG ### | ||||
| RUST_BACKTRACE = "1" | ||||
| RUST_LOG = "info,tee_vault_unseal=trace,teepot=trace,vault_tee_client=trace,tee_client=trace,awc=debug" | ||||
| 
 | ||||
| ### Enclave security ### | ||||
| ALLOWED_TCB_LEVELS = "SwHardeningNeeded" | ||||
| 
 | ||||
| ### Fixed values ### | ||||
| LD_LIBRARY_PATH = "/lib" | ||||
| SSL_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt" | ||||
| PATH = "/bin" | ||||
| HOME = "/app" | ||||
| 
 | ||||
| MALLOC_ARENA_MAX = "1" | ||||
| AZDCAP_DEBUG_LOG_LEVEL = "ignore" | ||||
| AZDCAP_COLLATERAL_VERSION = "v4" | ||||
| 
 | ||||
| VAULT_AUTH_TEE_SHA256 = "{{ vault_auth_tee_sha }}" | ||||
| VAULT_AUTH_TEE_VERSION = "{{ vault_auth_tee_version }}" | ||||
| 
 | ||||
| [fs] | ||||
| root.uri = "file:/" | ||||
| start_dir = "/app" | ||||
| mounts = [ | ||||
|   { path = "/lib", uri = "file:{{ gramine.runtimedir() }}" }, | ||||
|   { path = "{{ gramine.runtimedir() }}/libdcap_quoteprov.so", uri = "file:/lib/libdcap_quoteprov.so" }, | ||||
|   { type = "tmpfs", path = "/var/tmp" }, | ||||
|   { type = "tmpfs", path = "/tmp" }, | ||||
|   { type = "tmpfs", path = "/app/.dcap-qcnl" }, | ||||
|   { type = "tmpfs", path = "/app/.az-dcap-client" }, | ||||
| ] | ||||
| 
 | ||||
| [sgx] | ||||
| trusted_files = [ | ||||
|   "file:/app/", | ||||
|   "file:/bin/", | ||||
|   "file:/etc/gai.conf", | ||||
|   "file:/etc/sgx_default_qcnl.conf", | ||||
|   "file:/etc/ssl/certs/ca-bundle.crt", | ||||
|   "file:/lib/", | ||||
|   "file:/lib/libdcap_quoteprov.so", | ||||
|   "file:/nix/", | ||||
|   "file:{{ gramine.libos }}", | ||||
|   "file:{{ gramine.runtimedir() }}/", | ||||
| ] | ||||
| remote_attestation = "dcap" | ||||
| max_threads = 64 | ||||
| edmm_enable = false | ||||
| ## max enclave size | ||||
| enclave_size = "2G" | ||||
| 
 | ||||
| [sys] | ||||
| enable_extra_runtime_domain_names_conf = true | ||||
| enable_sigterm_injection = true | ||||
| 
 | ||||
| # possible tweak option, if problems with mio | ||||
| # currently mio is compiled with `mio_unsupported_force_waker_pipe` | ||||
| # insecure__allow_eventfd = true | ||||
|  | @ -1,36 +0,0 @@ | |||
| # SPDX-License-Identifier: Apache-2.0 | ||||
| # Copyright (c) 2024 Matter Labs | ||||
| { dockerTools | ||||
| , buildEnv | ||||
| , teepot | ||||
| , openssl | ||||
| , curl | ||||
| , nixsgx | ||||
| }: | ||||
| dockerTools.buildLayeredImage { | ||||
|   name = "verify-attestation-sgx-azure"; | ||||
|   tag = "latest"; | ||||
| 
 | ||||
|   config.Cmd = [ "${teepot.teepot.verify_attestation}/bin/verify-attestation" ]; | ||||
|   config.Env = [ | ||||
|     "LD_LIBRARY_PATH=/lib" | ||||
|     "AZDCAP_DEBUG_LOG_LEVEL=ignore" | ||||
|     "AZDCAP_COLLATERAL_VERSION=v4" | ||||
|   ]; | ||||
|   contents = buildEnv { | ||||
|     name = "image-root"; | ||||
| 
 | ||||
|     paths = with dockerTools; with nixsgx;[ | ||||
|       openssl.out | ||||
|       curl.out | ||||
|       azure-dcap-client | ||||
|       sgx-dcap.quote_verify | ||||
|       teepot.teepot.verify_attestation | ||||
|       usrBinEnv | ||||
|       binSh | ||||
|       caCertificates | ||||
|       fakeNss | ||||
|     ]; | ||||
|     pathsToLink = [ "/bin" "/lib" "/etc" "/share" ]; | ||||
|   }; | ||||
| } | ||||
|  | @ -8,7 +8,7 @@ | |||
| , nixsgx | ||||
| }: | ||||
| dockerTools.buildLayeredImage { | ||||
|   name = "verify-attestation-sgx-dcap"; | ||||
|   name = "verify-attestation-sgx"; | ||||
|   tag = "latest"; | ||||
| 
 | ||||
|   config.Cmd = [ "${teepot.teepot.verify_attestation}/bin/verify-attestation" ]; | ||||
|  | @ -1,18 +1,6 @@ | |||
| # SPDX-License-Identifier: Apache-2.0 | ||||
| # Copyright (c) 2024 Matter Labs | ||||
| { lib | ||||
| , inputs | ||||
| , makeRustPlatform | ||||
| , nixsgx | ||||
| , pkg-config | ||||
| , rust-bin | ||||
| , pkgs | ||||
| , ... | ||||
| }@args: | ||||
| let | ||||
|   teepotCrate = import ./teepot.nix args; | ||||
| in | ||||
| teepotCrate.craneLib.buildPackage ( | ||||
| { teepotCrate }: teepotCrate.craneLib.buildPackage ( | ||||
|   teepotCrate.commonArgs // { | ||||
|     pname = "teepot"; | ||||
|     inherit (teepotCrate) cargoArtifacts | ||||
|  |  | |||
|  | @ -7,10 +7,11 @@ | |||
| , pkg-config | ||||
| , rust-bin | ||||
| , pkgs | ||||
| , src | ||||
| , ... | ||||
| }: | ||||
| let | ||||
|   rustVersion = rust-bin.fromRustupToolchainFile ../../rust-toolchain.toml; | ||||
|   rustVersion = rust-bin.fromRustupToolchainFile ./rust-toolchain.toml; | ||||
|   rustPlatform = makeRustPlatform { | ||||
|     cargo = rustVersion; | ||||
|     rustc = rustVersion; | ||||
|  | @ -29,16 +30,18 @@ let | |||
|     ]; | ||||
| 
 | ||||
|     strictDeps = true; | ||||
| 
 | ||||
| 
 | ||||
|     src = with lib.fileset; toSource { | ||||
|       root = ../../.; | ||||
|       root = src; | ||||
|       fileset = unions [ | ||||
|         ../../Cargo.lock | ||||
|         ../../Cargo.toml | ||||
|         ../../bin | ||||
|         ../../crates | ||||
|         ../../rust-toolchain.toml | ||||
|         ../../deny.toml | ||||
|         ../../taplo.toml | ||||
|         ./Cargo.lock | ||||
|         ./Cargo.toml | ||||
|         ./bin | ||||
|         ./crates | ||||
|         ./rust-toolchain.toml | ||||
|         ./deny.toml | ||||
|         ./taplo.toml | ||||
|       ]; | ||||
|     }; | ||||
| 
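Review bot: `root = src;` combined with file-relative fileset members (`./Cargo.lock`, `./bin`, `./crates`, …) only evaluates when `src` is exactly the directory this file lives in, because `lib.fileset.toSource` requires every fileset path to lie under `root`; a caller passing any other `src` (a filtered or fetched tree) gets an evaluation error rather than a narrowed source. Either derive the members from `src` as well (`src + /Cargo.lock`, …) or document the constraint, e.g. `# src must be the repository root that contains this file; fileset members are resolved relative to it`. The derivation arguments this `src` belongs to continue outside the hunk.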
 | ||||
	 Harald Hoyer
						Harald Hoyer