harald/teepot
1
0
Fork 0
mirror of https://github.com/matter-labs/teepot.git synced 2025-10-28 04:14:09 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

docs: update README.md

Browse source 
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
This commit is contained in:
Harald Hoyer 2024-03-11 12:35:14 +01:00
parent ee7c4ee177
commit 9dc5d8aab4
Signed by: harald
GPG key ID: F519A1143B3FBE32
1 changed files with 81 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

85
README.md
View file

@ -1,9 +1,11 @@
# teepot
Key Value store in a TEE with Remote Attestation for Authentication
## Introduction
This project is a key-value store that runs in a Trusted Execution Environment (TEE) and uses Remote Attestation for Authentication.
This project is a key-value store that runs in a Trusted Execution Environment (TEE) and uses Remote Attestation for
Authentication.
The key-value store is implemented using Hashicorp Vault running in an Intel SGX enclave via the Gramine runtime.
## Parts of this project
@ -13,7 +15,82 @@ The key-value store is implemented using Hashicorp Vault running in an Intel SGX
- `vault-unseal`: A client utility, that talks to `tee-vault-unseal` to unseal a vault.
- `tee-vault-admin`: An enclave that uses the Vault API to administer a vault as a proxy.
- `vault-admin`: A client utility, that talks to `tee-vault-admin` to administer a vault.
- `teepot-read` : A pre-exec utility that reads from the key-value store and passes the key-value pairs as environment variables to the enclave.
- `teepot-write` : A pre-exec utility that reads key-values from the environment variables and writes them to the key-value store.
- `teepot-read` : A pre-exec utility that reads from the key-value store and passes the key-value pairs as environment
variables to the enclave.
- `teepot-write` : A pre-exec utility that reads key-values from the environment variables and writes them to the
key-value store.
- `verify-attestation`: A client utility that verifies the attestation of an enclave.
- `tee-key-preexec`: A pre-exec utility that generates a p256 secret key and passes it as an environment variable to the enclave along with the attestation quote containing the hash of the public key.
- `tee-key-preexec`: A pre-exec utility that generates a p256 secret key and passes it as an environment variable to the
enclave along with the attestation quote containing the hash of the public key.
## Development
### Prerequisites
Install [nix](https://zero-to-nix.com/start/install).
In `~/.config/nix/nix.conf`
```ini
experimental-features = nix-command flakes
```
or on nixos in `/etc/nixos/configuration.nix` add the following lines:
```nix
{
nix = {
extraOptions = ''
experimental-features = nix-command flakes
'';
};
}
```
Optionally install cachix (to save build time) and use the nixsgx cache:
```shell
$ nix-env -iA cachix -f https://cachix.org/api/v1/install
$ cachix use nixsgx
```
### Develop
```shell
$ nix develop --impure
```
optionally create `.envrc` for `direnv` to automatically load the environment when entering the directory:
```shell
$ cat <<EOF > .envrc
use flake .#teepot
EOF
$ direnv allow
```
### Format for commit
```shell
$ nix run .#fmt
```
### Build as the CI would
```shell
$ nix run nixpgks#ci
```
### Build and test individual container
See the `packages` directory for the available packages.
```shell
$ nix build -L .#container-vault-sgx-azure
$ docker load -i result
$ docker build --progress plain --no-cache -f packages/container-vault-sgx-azure/Dockerfile -t vault-sgx-azure:latest .
[...]
#8 5.966 Measurement:
#8 5.966 96602d8ae60673b3c44b6198b4b5f728480b1f00e9d48e7d3979cf1cf075bb5d
[...]
```