feat: use nixsgx nix function to create containers

It refactors the way the SGX containers are built. This removes all `Dockerfile` and gramine manifest files. It also enables a single recipe for azure and non-azure variants. Additionally the `teepot-crate.nix` is now the inherited recipe to build the rust `teepot` crate. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2025-07-21 15:13:56 +02:00 · 2024-06-03 16:46:21 +02:00 · 2024-06-03 16:46:21 +02:00 · d0c5950c0e
commit d0c5950c0e
parent 93e3e73d56
30 changed files with 337 additions and 897 deletions
--- a/bin/tee-self-attestation-test/README.md
+++ b/bin/tee-self-attestation-test/README.md
@ -1,12 +1,20 @@
 # self-attestation-test

+Optionally build and load the containers (remove the `matterlabsrobot/` repo from the commands below then)
+
+```bash
+$ nix build -L .#container-verify-attestation-sgx && docker load -i result
+$ nix build -L .#container-self-attestation-test-sgx-dcap && docker load -i result
+$ nix build -L .#container-self-attestation-test-sgx-azure && docker load -i result
+```
+
 ## Azure DCAP

 ```bash
-❯ docker run -i --init --rm --privileged  --device /dev/sgx_enclave --net host \
+❯ docker run -i --init --rm --privileged --device /dev/sgx_enclave \
    matterlabsrobot/teepot-self-attestation-test-sgx-azure:latest \
    | base64 -d --ignore-garbage \
-    | docker run -i --init --rm --net host matterlabsrobot/verify-attestation-sgx-azure:latest
+    | docker run -i --rm matterlabsrobot/verify-attestation-sgx:latest

 aesm_service: warning: Turn to daemon. Use "--no-daemon" option to execute in foreground.
 Gramine is starting. Parsing TOML manifest file, this may take some time...
@ -15,46 +23,34 @@ Quote verification result: SwHardeningNeeded: Software hardening is needed
 	Info: Advisory ID: INTEL-SA-00615
 Quote verified successfully: SwHardeningNeeded: Software hardening is needed
 mrsigner: c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d
-mrenclave: 23267adf8144a195ede71425c50529ac8fd1aa896fe91786c28406854f246ab9
+mrenclave: 31a0d51ee410ed6db18ebfb181ba0b2fa0d2062a38d6b955b73b3e9cfb8336bd
 reportdata: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
 ```

-## PCCS DCAP
-
-Install iptables rules to forward traffic to 127.0.0.1:8081 to the PCCS server.
+## Normal DCAP

 ```bash
-❯ sudo sysctl -w net.ipv4.conf.all.route_localnet=1
-❯ sudo iptables -t nat -A OUTPUT -p tcp --dport 8081 -j DNAT --to-destination 192.168.122.1:8081
-❯ sudo iptables -t nat -A POSTROUTING -j MASQUERADE
-```
-
-```bash
-❯ docker run -i --init --rm --privileged --device /dev/sgx_enclave --net host \
+❯ docker run -i --init --rm --privileged --device /dev/sgx_enclave \
    matterlabsrobot/teepot-self-attestation-test-sgx-dcap:latest \
    | base64 -d --ignore-garbage \
-    | docker run -i --init --rm --net host \
-    -v /etc/sgx_default_qcnl.conf:/etc/sgx_default_qcnl.conf \
-    matterlabsrobot/verify-attestation-sgx-dcap:latest
+    | docker run -i --rm matterlabsrobot/verify-attestation-sgx:latest

 aesm_service: warning: Turn to daemon. Use "--no-daemon" option to execute in foreground.
 Gramine is starting. Parsing TOML manifest file, this may take some time...
 Verifying quote (4730 bytes)...
 Quote verified successfully: Ok
 mrsigner: c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d
-mrenclave: 10cfeee8e2a65c31795104d041647415c01dc3ae4b004e05e26107f6ede82677
+mrenclave: 7ffe70789261a51769f50e129bfafb2aafe91a4e17c3f0d52839006777c652f6
 reportdata: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
 ```

 On an outdated machine, this might look like this:

 ```bash
-❯ docker run -i --init --rm --privileged --device /dev/sgx_enclave --net host \
+❯ docker run -i --init --rm --privileged --device /dev/sgx_enclave \
                matterlabsrobot/teepot-self-attestation-test-sgx-dcap:latest \
                | base64 -d --ignore-garbage \
-                | docker run -i --init --rm --net host \
-                -v /etc/sgx_default_qcnl.conf:/etc/sgx_default_qcnl.conf \
-                matterlabsrobot/verify-attestation-sgx-dcap:latest
+                | docker run -i --rm matterlabsrobot/verify-attestation-sgx:latest

 aesm_service: warning: Turn to daemon. Use "--no-daemon" option to execute in foreground.
 Gramine is starting. Parsing TOML manifest file, this may take some time...
@ -69,6 +65,6 @@ Quote verification result: OutOfDate: Firmware needs to be updated
 	Info: Advisory ID: INTEL-SA-00615
 Quote verified successfully: OutOfDate: Firmware needs to be updated
 mrsigner: c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d
-mrenclave: 10cfeee8e2a65c31795104d041647415c01dc3ae4b004e05e26107f6ede82677
+mrenclave: 7ffe70789261a51769f50e129bfafb2aafe91a4e17c3f0d52839006777c652f6
 reportdata: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
 ```