feat: initial commit

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>

bin/verify-attestation/Cargo.toml

@@ -0,0 +1,13 @@
+[package]
+name = "verify-attestation"
+version.workspace = true
+edition.workspace = true
+authors.workspace = true
+license.workspace = true
+repository.workspace = true
+
+[dependencies]
+anyhow.workspace = true
+hex.workspace = true
+intel-tee-quote-verification-rs.workspace = true
+teepot.workspace = true

bin/verify-attestation/Dockerfile

@@ -0,0 +1,46 @@
+FROM docker.io/rust:1-bullseye AS buildtee
+RUN curl -fsSLo /usr/share/keyrings/intel.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \
+    && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list \
+    && apt-get update \
+    && apt-get install -y --no-install-recommends \
+        build-essential \
+        cmake \
+        rsync \
+        pkg-config \
+        libssl-dev \
+        libcurl4-openssl-dev \
+        libprotobuf-dev \
+        protobuf-compiler \
+        clang \
+        libsgx-headers \
+        libsgx-dcap-quote-verify-dev
+
+WORKDIR /opt/vault/plugins
+
+WORKDIR /build
+RUN --mount=type=bind,target=/data rsync --exclude='/.git' --filter="dir-merge,- .gitignore" --exclude "Dockerfile-*" --exclude 'tee-vault-admin.manifest.template' -av /data/ ./
+RUN --mount=type=cache,target=/usr/local/cargo/registry --mount=type=cache,target=target \
+    RUSTFLAGS="-C target-cpu=icelake-server --cfg mio_unsupported_force_waker_pipe" \
+    cargo build --locked --target x86_64-unknown-linux-gnu --release -p verify-attestation --bin verify-attestation \
+    && mv ./target/x86_64-unknown-linux-gnu/release/verify-attestation ./
+
+FROM docker.io/ubuntu:20.04
+
+RUN apt-get update \
+    && apt-get install -y curl
+
+RUN curl -fsSLo /usr/share/keyrings/intel.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \
+    && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list \
+    && apt-get update \
+    && apt-get install -y --no-install-recommends \
+        libsgx-dcap-default-qpl \
+        libsgx-urts \
+        libsgx-enclave-common \
+        libsgx-dcap-quote-verify
+RUN apt purge -y libsgx-ae-qve
+RUN rm -rf /var/lib/apt/lists/*
+
+COPY --from=buildtee /build/verify-attestation /bin/verify-attestation
+
+ENTRYPOINT ["/bin/sh", "-c"]
+CMD [ "verify-attestation" ]

bin/verify-attestation/src/main.rs

@@ -0,0 +1,58 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (c) 2023 Matter Labs
+
+//! Simple TEE attestation verification test
+
+#![deny(missing_docs)]
+#![deny(clippy::all)]
+
+use anyhow::{bail, Context, Result};
+use std::io::Read;
+use std::time::UNIX_EPOCH;
+use teepot::client::TcbLevel;
+use teepot::sgx::{tee_qv_get_collateral, verify_quote_with_collateral, QuoteVerificationResult};
+
+fn main() -> Result<()> {
+    // read myquote from stdin
+    let mut myquote = Vec::new();
+    std::io::stdin()
+        .read_to_end(&mut myquote)
+        .context("Failed to read quote from stdin")?;
+
+    let collateral = tee_qv_get_collateral(&myquote).context("Failed to get collateral")?;
+
+    let unix_time: i64 = std::time::SystemTime::now()
+        .duration_since(UNIX_EPOCH)
+        .unwrap()
+        .as_secs() as _;
+
+    let QuoteVerificationResult {
+        collateral_expired,
+        result,
+
+        quote,
+        advisories,
+        ..
+    } = verify_quote_with_collateral(&myquote, Some(&collateral), unix_time.saturating_add(60))
+        .context("Failed to verify quote with collateral")?;
+
+    if collateral_expired {
+        bail!("Freshly fetched collateral expired");
+    }
+
+    let tcblevel = TcbLevel::from(result);
+    if tcblevel != TcbLevel::Ok {
+        println!("Quote verification result: {}", tcblevel);
+    }
+
+    for advisory in advisories {
+        println!("\tInfo: Advisory ID: {advisory}");
+    }
+
+    println!("Quote verified successfully: {}", tcblevel);
+    println!("mrsigner: {}", hex::encode(quote.report_body.mrsigner));
+    println!("mrenclave: {}", hex::encode(quote.report_body.mrenclave));
+    println!("reportdata: {}", hex::encode(quote.report_body.reportdata));
+
+    Ok(())
+}