chore: cleanup and nixify

* create containers with nix * updated README.md * added SPDX license headers Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2025-07-21 07:03:56 +02:00 · 2024-02-27 12:04:31 +01:00 · 2024-02-27 12:04:31 +01:00 · 91f1612e0f
commit 91f1612e0f
parent c8082debc7
36 changed files with 900 additions and 659 deletions
--- a/examples/README.md
+++ b/examples/README.md
@ -8,9 +8,13 @@ $ docker compose up
 ```

 ## Build and Run on client machine
+
 ```bash
-$ cd teepot
-$ gpg --export username@example.com | base64 > gpgkey.pub
+❯ cd teepot
+❯ gpg --export username@example.com | base64 > gpgkey.pub
+❯ export GPG_TTY="$(tty)"
+❯ gpg-connect-agent updatestartuptty /bye
+
 ❯ RUST_LOG=info cargo run -p vault-unseal --  --sgx-mrsigner c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d     --sgx-allowed-tcb-levels SwHardeningNeeded      --server https://20.172.154.218:8443    init   --unseal-threshold 1 -u bin/tee-vault-admin/tests/data/gpgkey.pub  --admin-threshold 1 -a  bin/tee-vault-admin/tests/data/gpgkey.pub --admin-tee-mrenclave 21c8c1a4dbcce04798f5119eb47203084bc74e564a3c954d1a21172c656cb801
    Finished dev [unoptimized + debuginfo] target(s) in 0.09s
     Running `target/debug/vault-unseal --sgx-mrsigner c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d --sgx-allowed-tcb-levels SwHardeningNeeded --server 'https://20.172.154.218:8443' init --unseal-threshold 1 -u bin/tee-vault-admin/tests/data/gpgkey.pub --admin-threshold 1 -a bin/tee-vault-admin/tests/data/gpgkey.pub --admin-tee-mrenclave 21c8c1a4dbcce04798f5119eb47203084bc74e564a3c954d1a21172c656cb801`
@ -43,14 +47,17 @@ Vault is unsealed!

 ```

+With `teepot-admin` being the name of the image running the tee-vault-admin service, the following commands can be used
+to sign the admin tee:
+
 ```bash
-❯ (id=$(docker create tva); docker cp $id:/app/tee-vault-admin.sig ~/tee-vault-admin.sig; docker rm -v $id)
-❯ cargo run -p vault-admin -- create-sign-request ~/tee-vault-admin.sig > ~/sign_admin_tee.json
+❯ (id=$(docker create teepot-admin); docker cp $id:/app/tee-vault-admin.sig ~/tee-vault-admin.sig; docker rm -v $id)
+❯ cargo run -p vault-admin -- create-sign-request --tee-name admin ~/tee-vault-admin.sig > ~/sign_admin_tee.json
 ❯ vim sign_admin_tee.json
 ❯ gpg --local-user test@example.com --detach-sign --armor ~/sign_admin_tee.json
 ❯ RUST_LOG=info cargo run -p vault-admin -- \
  sign-tee \
-  --sgx-mrenclave 080c3210d5b6bcf47887101a554c117c21d80e75240bb70846c3e158a713ec65 \
+  --sgx-mrenclave c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d \
  --sgx-allowed-tcb-levels SwHardeningNeeded \
  --server https://127.0.0.1:8444 \
  --out new_admin.sig \
@ -217,7 +224,8 @@ Next is to sign the admin tee with the vault-admin tool:
  ~/tee-vault-admin.json ~/tee-vault-admin.json.asc
 ```

-Then replace `tee-vault-admin.sig` with `tee-vault-admin-new.sig` in the container image `matterlabsrobot/teepot-tva:latest` with this Dockerfile:
+Then replace `tee-vault-admin.sig` with `tee-vault-admin-new.sig` in the container
+image `matterlabsrobot/teepot-tva:latest` with this Dockerfile:

 ```Dockerfile
 FROM matterlabsrobot/teepot-tva:latest
--- a/examples/docker-compose.yml
+++ b/examples/docker-compose.yml
@ -4,29 +4,30 @@ services:
  tvu-1:
    build:
      context: .
-      dockerfile: bin/tee-vault-unseal/Dockerfile-azure
+      dockerfile: packages/container-vault-unseal-sgx-azure/Dockerfile
    image: tee-vault-unseal
    restart: "no"
    ports:
-      - 8413:8443
+      - 8413
    environment:
+      PORT: "8413"
      VAULT_ADDR: "https://vault-1:8210"
+      VAULT_SGX_MRSIGNER: "c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d"
+      VAULT_SGX_ALLOWED_TCB_LEVELS: "SwHardeningNeeded"
      ALLOWED_TCB_LEVELS: "SwHardeningNeeded"
    privileged: true
    init: true
    volumes:
      - /run/aesmd:/run/aesmd
      - /dev/sgx_enclave:/dev/sgx_enclave
-      - shared-1:/opt/vault/tls
  vault-1:
    build:
      context: .
-      dockerfile: vault/Dockerfile
+      dockerfile: packages/container-vault-sgx-azure/Dockerfile
    image: vault
    restart: "no"
    ports:
-      - 8210:8210
-#      - 8211:8211
+      - 8210
    environment:
      VAULT_API_ADDR: "https://vault-1:8210"
      VAULT_CLUSTER_ADDR: "https://vault-1:8211"
@ -36,29 +37,29 @@ services:
    volumes:
      - /run/aesmd:/run/aesmd
      - /dev/sgx_enclave:/dev/sgx_enclave
-      - shared-1:/opt/vault/tls
      - data-1:/opt/vault/data

  tvu-2:
    image: tee-vault-unseal
    restart: "no"
    ports:
-      - 8423:8443
+      - 8423
    environment:
+      PORT: "8423"
      VAULT_ADDR: "https://vault-2:8210"
+      VAULT_SGX_MRSIGNER: "c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d"
+      VAULT_SGX_ALLOWED_TCB_LEVELS: "SwHardeningNeeded"
      ALLOWED_TCB_LEVELS: "SwHardeningNeeded"
    privileged: true
    init: true
    volumes:
      - /run/aesmd:/run/aesmd
      - /dev/sgx_enclave:/dev/sgx_enclave
-      - shared-2:/opt/vault/tls
  vault-2:
    image: vault
    restart: "no"
    ports:
      - 8220:8210
-#      - 8221:8211
    environment:
      VAULT_API_ADDR: "https://vault-2:8210"
      VAULT_CLUSTER_ADDR: "https://vault-2:8211"
@ -68,29 +69,29 @@ services:
    volumes:
      - /run/aesmd:/run/aesmd
      - /dev/sgx_enclave:/dev/sgx_enclave
-      - shared-2:/opt/vault/tls
      - data-2:/opt/vault/data

  tvu-3:
    image: tee-vault-unseal
    restart: "no"
    ports:
-      - 8433:8443
+      - 8433
    environment:
+      PORT: "8433"
      VAULT_ADDR: "https://vault-3:8210"
+      VAULT_SGX_MRSIGNER: "c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d"
+      VAULT_SGX_ALLOWED_TCB_LEVELS: "SwHardeningNeeded"
      ALLOWED_TCB_LEVELS: "SwHardeningNeeded"
    privileged: true
    init: true
    volumes:
      - /run/aesmd:/run/aesmd
      - /dev/sgx_enclave:/dev/sgx_enclave
-      - shared-3:/opt/vault/tls
  vault-3:
    image: vault
    restart: "no"
    ports:
      - 8230:8210
-#      - 8231:8211
    environment:
      VAULT_API_ADDR: "https://vault-3:8210"
      VAULT_CLUSTER_ADDR: "https://vault-3:8211"
@ -100,17 +101,17 @@ services:
    volumes:
      - /run/aesmd:/run/aesmd
      - /dev/sgx_enclave:/dev/sgx_enclave
-      - shared-3:/opt/vault/tls
      - data-3:/opt/vault/data

  admin:
    build:
      context: .
-      dockerfile: bin/tee-vault-admin/Dockerfile-azure
+      dockerfile: packages/container-vault-admin-sgx-azure/Dockerfile
    restart: "no"
    ports:
      - 8444:8444
    environment:
+      PORT: "8444"
      VAULT_ADDR: "https://vault-1:8210"
      VAULT_SGX_MRSIGNER: "c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d"
      VAULT_SGX_ALLOWED_TCB_LEVELS: "SwHardeningNeeded"
@ -121,21 +122,21 @@ services:
      - /run/aesmd:/run/aesmd
      - /dev/sgx_enclave:/dev/sgx_enclave

-  stress:
-    build:
-      context: .
-      dockerfile: bin/tee-stress-client/Dockerfile-azure
-    restart: "no"
-    environment:
-      VAULT_ADDR: "https://vault-1:8210"
-      VAULT_SGX_MRSIGNER: "c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d"
-      VAULT_SGX_ALLOWED_TCB_LEVELS: "SwHardeningNeeded"
-      ALLOWED_TCB_LEVELS: "SwHardeningNeeded"
-    privileged: true
-    init: true
-    volumes:
-      - /run/aesmd:/run/aesmd
-      - /dev/sgx_enclave:/dev/sgx_enclave
+#  stress:
+#    build:
+#      context: .
+#      dockerfile: bin/tee-stress-client/Dockerfile-azure
+#    restart: "no"
+#    environment:
+#      VAULT_ADDR: "https://vault-1:8210"
+#      VAULT_SGX_MRSIGNER: "c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d"
+#      VAULT_SGX_ALLOWED_TCB_LEVELS: "SwHardeningNeeded"
+#      ALLOWED_TCB_LEVELS: "SwHardeningNeeded"
+#    privileged: true
+#    init: true
+#    volumes:
+#      - /run/aesmd:/run/aesmd
+#      - /dev/sgx_enclave:/dev/sgx_enclave

 volumes:
  shared-1: