feat: compat code for non x86_64-linux

- do not build packages, which require `x86_64-linux`
- use Phala `dcap-qvl` crate for remote attestation, if possible
- nix: exclude `nixsgx` on non `x86_64-linux` platforms

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>

crates/teepot-vault/Cargo.toml

@@ -17,14 +17,12 @@ clap.workspace = true
 const-oid.workspace = true
 futures-core = { version = "0.3.30", features = ["alloc"], default-features = false }
 hex.workspace = true
-intel-tee-quote-verification-rs.workspace = true
 pgp.workspace = true
 rustls.workspace = true
 serde.workspace = true
 serde_json.workspace = true
 serde_with.workspace = true
 sha2.workspace = true
-tdx-attest-rs.workspace = true
 teepot.workspace = true
 thiserror.workspace = true
 tracing.workspace = true

crates/teepot-vault/src/client/mod.rs

@@ -8,13 +8,15 @@
 
 pub mod vault;
 
-use crate::server::pki::{RaTlsCollateralExtension, RaTlsQuoteExtension};
+use crate::server::{
+    attestation::Collateral,
+    pki::{RaTlsCollateralExtension, RaTlsQuoteExtension},
+};
 use actix_web::http::header;
 use anyhow::Result;
 use awc::{Client, Connector};
 use clap::Args;
 use const_oid::AssociatedOid;
-use intel_tee_quote_verification_rs::Collateral;
 use rustls::{
     client::{
         danger::{HandshakeSignatureValid, ServerCertVerifier},
@@ -25,10 +27,9 @@ use rustls::{
 };
 use sha2::{Digest, Sha256};
 use std::{sync::Arc, time, time::Duration};
-pub use teepot::{
-    quote::tcblevel::{parse_tcb_levels, EnumSet, TcbLevel},
-    quote::{verify_quote_with_collateral, QuoteVerificationResult},
-    sgx::sgx_ql_qv_result_t,
+pub use teepot::quote::{
+    tcblevel::{parse_tcb_levels, EnumSet, TcbLevel},
+    verify_quote_with_collateral, QuoteVerificationResult,
 };
 use teepot::{quote::Report, sgx::Quote};
 use tracing::{debug, error, info, trace, warn};
@@ -194,7 +195,7 @@ impl TeeConnection {
 
                 let QuoteVerificationResult {
                     collateral_expired,
-                    result,
+                    result: tcblevel,
                     quote,
                     advisories,
                     earliest_expiration_date,
@@ -206,7 +207,7 @@ impl TeeConnection {
                     return Err(Error::General("TDX quote and not SGX quote".into()));
                 };
 
-                if collateral_expired || result != sgx_ql_qv_result_t::SGX_QL_QV_RESULT_OK {
+                if collateral_expired || tcblevel != TcbLevel::Ok {
                     if collateral_expired {
                         error!(
                             "Collateral is out of date! Expired {}",
@@ -218,7 +219,6 @@ impl TeeConnection {
                         )));
                     }
 
-                    let tcblevel = TcbLevel::from(result);
                     if self
                         .args
                         .sgx_allowed_tcb_levels

crates/teepot-vault/src/client/vault.rs

@@ -20,7 +20,6 @@ use awc::{
 };
 use bytes::Bytes;
 use futures_core::Stream;
-use intel_tee_quote_verification_rs::tee_qv_get_collateral;
 use rustls::ClientConfig;
 use serde_json::{json, Value};
 use std::{
@@ -28,13 +27,13 @@ use std::{
     sync::Arc,
     time,
 };
-use teepot::quote::error::QuoteContext;
+use teepot::quote::get_collateral;
 pub use teepot::{
     quote::{
         tcblevel::{parse_tcb_levels, EnumSet, TcbLevel},
         verify_quote_with_collateral, QuoteVerificationResult,
     },
-    sgx::{sgx_gramine_get_quote, sgx_ql_qv_result_t, Collateral},
+    sgx::{sgx_gramine_get_quote, Collateral},
 };
 use tracing::{debug, error, info, trace};
 
@@ -158,7 +157,7 @@ impl VaultConnection {
         info!("Getting attestation report");
         let attestation_url = AuthRequest::URL;
         let quote = sgx_gramine_get_quote(&self.key_hash).context("Failed to get own quote")?;
-        let collateral = tee_qv_get_collateral(&quote).context("Failed to get own collateral")?;
+        let collateral = get_collateral(&quote).context("Failed to get own collateral")?;
 
         let auth_req = AuthRequest {
             name: self.name.clone(),