harald/teepot
1
0
Fork 0
mirror of https://github.com/matter-labs/teepot.git synced 2025-07-22 07:24:48 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

chore: split-out vault code from teepot in teepot-vault

Browse source 
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
This commit is contained in:
Harald Hoyer 2025-02-18 13:37:34 +01:00
parent 63c16b1177
commit f8bd9e6a08
Signed by: harald
GPG key ID: F519A1143B3FBE32
61 changed files with 450 additions and 308 deletions
Download patch file Download diff file Expand all files Collapse all files

19
crates/teepot-vault/bin/tee-stress-client/Cargo.toml Normal file
View file

@ -0,0 +1,19 @@
[package]
name = "tee-stress-client"
publish = false
version.workspace = true
edition.workspace = true
authors.workspace = true
license.workspace = true
repository.workspace = true
[dependencies]
actix-web.workspace = true
anyhow.workspace = true
clap.workspace = true
serde.workspace = true
teepot.workspace = true
teepot-vault.workspace = true
tracing.workspace = true
tracing-log.workspace = true
tracing-subscriber.workspace = true

105
crates/teepot-vault/bin/tee-stress-client/src/main.rs Normal file
View file

@ -0,0 +1,105 @@
// SPDX-License-Identifier: Apache-2.0
// Copyright (c) 2024-2025 Matter Labs
//! Server to handle requests to the Vault TEE
#![deny(missing_docs)]
#![deny(clippy::all)]
use actix_web::rt::time::sleep;
use anyhow::{Context, Result};
use clap::Parser;
use serde::{Deserialize, Serialize};
use std::time::Duration;
use teepot::sgx::{parse_tcb_levels, EnumSet, TcbLevel};
use teepot_vault::{
client::vault::VaultConnection,
server::{
attestation::{get_quote_and_collateral, VaultAttestationArgs},
pki::make_self_signed_cert,
},
};
use tracing::{error, trace};
use tracing_log::LogTracer;
use tracing_subscriber::{fmt, prelude::*, EnvFilter, Registry};
#[derive(Parser, Debug)]
#[command(author, version, about, long_about = None)]
struct Arguments {
/// allowed TCB levels, comma separated
#[arg(long, value_parser = parse_tcb_levels, env = "ALLOWED_TCB_LEVELS", default_value = "Ok")]
my_sgx_allowed_tcb_levels: EnumSet<TcbLevel>,
#[clap(flatten)]
pub attestation: VaultAttestationArgs,
}
#[derive(Debug, Serialize, Deserialize)]
struct MySecret {
val: usize,
}
#[actix_web::main]
async fn main() -> Result<()> {
LogTracer::init().context("Failed to set logger")?;
let subscriber = Registry::default()
.with(EnvFilter::from_default_env())
.with(fmt::layer().with_writer(std::io::stderr));
tracing::subscriber::set_global_default(subscriber).unwrap();
let args = Arguments::parse();
let (report_data, _cert_chain, _priv_key) = make_self_signed_cert("CN=localhost", None)?;
if let Err(e) = get_quote_and_collateral(Some(args.my_sgx_allowed_tcb_levels), &report_data) {
error!("failed to get quote and collateral: {e:?}");
// don't return for now, we can still serve requests but we won't be able to attest
}
let mut vault_1 = args.attestation.clone();
let mut vault_2 = args.attestation.clone();
let mut vault_3 = args.attestation.clone();
vault_1.vault_addr = "https://vault-1:8210".to_string();
vault_2.vault_addr = "https://vault-2:8210".to_string();
vault_3.vault_addr = "https://vault-3:8210".to_string();
let servers = vec![vault_1.clone(), vault_2.clone(), vault_3.clone()];
let mut val: usize = 1;
loop {
let mut conns = Vec::new();
for server in &servers {
match VaultConnection::new(&server.into(), "stress".to_string()).await {
Ok(conn) => conns.push(conn),
Err(e) => {
error!("connecting to {}: {}", server.vault_addr, e);
continue;
}
}
}
if conns.is_empty() {
error!("no connections");
sleep(Duration::from_secs(1)).await;
continue;
}
let i = val % conns.len();
trace!("storing secret");
conns[i]
.store_secret(MySecret { val }, "val")
.await
.context("storing secret")?;
for conn in conns {
let got: MySecret = conn
.load_secret("val")
.await
.context("loading secret")?
.context("loading secret")?;
assert_eq!(got.val, val,);
}
val += 1;
sleep(Duration::from_secs(1)).await;
}
}

22
crates/teepot-vault/bin/tee-stress-client/src/stress.json Normal file
View file

@ -0,0 +1,22 @@
{
"last_digest": "",
"commands": [
{
"url": "/v1/sys/policies/acl/tee-stress",
"data": {
"policy": "path \"secret/data/tee/stress/*\" { capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\" ] }\n"
}
},
{
"url": "/v1/auth/tee/tees/stress",
"data": {
"lease": "1000",
"name": "stress",
"sgx_allowed_tcb_levels": "Ok,SwHardeningNeeded",
"sgx_mrsigner": "c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d",
"token_policies": "tee-stress",
"types": "sgx"
}
}
]
}

26
crates/teepot-vault/bin/tee-stress-client/src/stress.json.asc Normal file
View file

@ -0,0 +1,26 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEC0Pk344t4+guABNk9RmhFDs/vjIFAmUn5WkACgkQ9RmhFDs/
vjK5kw/8Dl1XuMOfJ+mxshaRH4JexPmB/+c4x5JnaYS6GGJaJ/eOp+hSFchxnwfI
OXRV3S+/kgaytfu5zVEepqyypX43LbV+eZ5s450xa3qI0fR/rd+LnJeJNqFoJVrZ
M+xTGpkBPvPB3340ebyti5k49I+uhgO8c5Cd1FpM00dWN0qUUJMsFuOKNueFURlC
Sk9HLDk63G2/ZDyBzT83vMpFUZbtJ46yJmS2++W1UfEt2GZvL6sc2wr7pwlb5EtF
wEgLtaIAy749h1Lzilw6RTWVC3ShQvaddIFIh+XagnrKmk2D0gha2XprbvBSkpYf
a/9tZKH/4U8wfONR3sJ83wlODwks6zdIibspk7868vY5Bm9Yr2N1cIIPGtnnypHE
xPZI9QXY/zUSnTXgs5JyEZkea8j29v135zhuGINFPVWOa+frGYTIN/zZ3sjdhZMt
+4rRL8SZbFbkCDc/zGdlJOcTygUbEJBiseNJ8GXgbWrXzY/WDZpxL1xdxjkPK4PA
xtKyaPlBP1B1RyHkZGYDq86t9DzX2H/gkqBHJpuSavcx/7/Q/b6KGYdf/QFxo7kY
S0jdVXRVem0ClxWtEVZU9Wu9QykcYQbj3AM7hk+9Khmq32w7b3bwOndYNAojwzP+
9UEVOAXv2K8LSBbq6RXott5KMKDwowOu4hQCNsDuvmBYkr1Sy5OJAcUEAAEIAC8W
IQSBoxLFnWedkw+p6LBtco8potur+AUCZSflbREcdGVzdEBleGFtcGxlLmNvbQAK
CRBtco8potur+LwPC/wOjT27sE4D/4Cadg58lXlRE2qoFdtc8vfs+ioxS7UxQX4m
ggY4P6lHq8u2TkY4jDe9FpA5S7LNGQJoQx2zrr3lGwonBwGkj4nRM60/uNSar+wd
Wknke8IUiv8E8MzITy+gKdFHwu95ZZh9IXefiQ4Fq8UQurELAfVA/sNk+1ovGzsO
/S4srkR4uejsAuk84PCA7dgNLYobcU/7SMH/ffgorqE6BOXwzfIy13c9TV5ZztWo
eK6R+wc92hza0ZvXVmB4i5NBe+aO7gSLe0QcJqHdaTpkcVhhhE+v8HdpF1JIgOH8
/336W/ZOp1q1K0hL2rNU2YX40MOaZZLoxjfXNmC/dAZPel5HJMwTLzM6Aqqk49sB
LHEPgHjefUWiHe2C31PGM0THM3fuA6i5OwypnZRI14WYVDlVa5KRmj/titcCt6aQ
+fbzK5lYIg4AhLl8rIns8+/yJnwTIw3Zy94H8Xwjq8tplk6nSUWm0GKjYqFquwUf
6PyKGVnqs2Cp0hFmD9o=
=AsWI
-----END PGP SIGNATURE-----

66
crates/teepot-vault/bin/tee-stress-client/tee-stress-client.manifest.template Normal file
View file

@ -0,0 +1,66 @@
libos.entrypoint = "/app/tee-stress-client"
[loader]
argv = [ "/app/tee-stress-client" ]
entrypoint = "file:{{ gramine.libos }}"
env.LD_LIBRARY_PATH = "/lib:{{ arch_libdir }}:/usr{{ arch_libdir }}:/lib"
env.HOME = "/app"
env.MALLOC_ARENA_MAX = "1"
env.AZDCAP_DEBUG_LOG_LEVEL = "ignore"
env.AZDCAP_COLLATERAL_VERSION = "v4"
### Admin Config ###
env.PORT = { passthrough = true }
### VAULT attestation ###
env.VAULT_ADDR = { passthrough = true }
env.VAULT_SGX_MRENCLAVE = { passthrough = true }
env.VAULT_SGX_MRSIGNER = { passthrough = true }
env.VAULT_SGX_ALLOWED_TCB_LEVELS = { passthrough = true }
### DEBUG ###
env.RUST_BACKTRACE = "1"
env.RUST_LOG="info"
[fs]
root.uri = "file:/"
start_dir = "/app"
mounts = [
{ path = "{{ execdir }}", uri = "file:{{ execdir }}" },
{ path = "/lib", uri = "file:{{ gramine.runtimedir() }}" },
{ path = "{{ arch_libdir }}", uri = "file:{{ arch_libdir }}" },
{ path = "/etc", uri = "file:/etc" },
{ type = "tmpfs", path = "/var/tmp" },
{ type = "tmpfs", path = "/tmp" },
{ type = "tmpfs", path = "/app/.dcap-qcnl" },
{ type = "tmpfs", path = "/app/.az-dcap-client" },
{ path = "/lib/libdcap_quoteprov.so", uri = "file:/lib/libdcap_quoteprov.so" },
]
[sgx]
trusted_files = [
"file:/etc/ld.so.cache",
"file:/app/",
"file:{{ execdir }}/",
"file:{{ arch_libdir }}/",
"file:/usr/{{ arch_libdir }}/",
"file:{{ gramine.libos }}",
"file:{{ gramine.runtimedir() }}/",
"file:/usr/lib/ssl/openssl.cnf",
"file:/etc/ssl/",
"file:/etc/sgx_default_qcnl.conf",
"file:/lib/libdcap_quoteprov.so",
]
remote_attestation = "dcap"
max_threads = 64
edmm_enable = false
## max enclave size
enclave_size = "8G"
[sys]
enable_extra_runtime_domain_names_conf = true
enable_sigterm_injection = true
# possible tweak option, if problems with mio
# currently mio is compiled with `mio_unsupported_force_waker_pipe`
# insecure__allow_eventfd = true