Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								99037ceb6c 
								
							 
						 
						
							
							
								
								feat(tee-key-preexec): add test container for tee-key-preexec  
							
							... 
							
							
							
							Signed-off-by: Harald Hoyer <harald@matterlabs.dev> 
							
						 
						
							2025-01-15 15:48:21 +01:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								dc1e756ec6 
								
							 
						 
						
							
							
								
								feat(tdx): add nix build for TDX google VMs  
							
							... 
							
							
							
							Signed-off-by: Harald Hoyer <harald@matterlabs.dev> 
							
						 
						
							2025-01-14 14:50:43 +01:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								5d32396966 
								
							 
						 
						
							
							
								
								feat: add tdx-extend, sha384-extend and rtmr-calc  
							
							... 
							
							
							
							This enables pre-calculating the TDX rtmr[1,2,3] values for an attested boot process.
Signed-off-by: Harald Hoyer <harald@matterlabs.dev> 
							
						 
						
							2024-12-20 13:27:55 +01:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								4610475fae 
								
							 
						 
						
							
							
								
								feat: add TDX support  
							
							... 
							
							
							
							Signed-off-by: Harald Hoyer <harald@matterlabs.dev> 
							
						 
						
							2024-12-20 10:54:24 +01:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								b066cdd15a 
								
							 
						 
						
							
							
								
								fix: update build process for teepot package  
							
							... 
							
							
							
							- Fix output format for propagated-user-env-packages.
- Remove empty bin directory after binaries are moved. 
							
						 
						
							2024-12-20 09:31:00 +01:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								83d57bf354 
								
							 
						 
						
							
							
								
								chore: update Rust toolchain to version 1.83  
							
							... 
							
							
							
							- Upgraded the Rust version in rust-toolchain.toml to 1.83.
- Ensures compatibility and access to the latest features and fixes.
Signed-off-by: Harald Hoyer <harald@matterlabs.dev> 
							
						 
						
							2024-12-20 09:29:43 +01:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								488dcfcdca 
								
							 
						 
						
							
							
								
								chore: add extra startup information to unseal and admin enclaves  
							
							... 
							
							
							
							This eases testing and debugging.
Signed-off-by: Harald Hoyer <harald@matterlabs.dev> 
							
						 
						
							2024-09-04 09:47:20 +02:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								d88f79d239 
								
							 
						 
						
							
							
								
								chore: rename nixsgxLib.mkSGXContainer to pkgs.lib.tee.sgxGramineContainer  
							
							... 
							
							
							
							Signed-off-by: Harald Hoyer <harald@matterlabs.dev> 
							
						 
						
							2024-09-03 13:24:20 +02:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Patryk Bęza 
								
							 
						 
						
							
							
								
								
							
							
							
								
							
							
								5e4b8901b0 
								
							 
						 
						
							
							
								
								feat(verify-attestation): RPC attestation and batch signature verification binary  
							
							... 
							
							
							
							This is another variant of the binary tool for verifying attestation and
the signature of a given batch. Unlike the existing tool, this variant
does not require you to provide two separate files—one for the
attestation and one for the signature. Instead, it automatically fetches
both from the RPC node.
Unfortunately, after discussing with @popzxc, we found that there is no way
to reuse the RPC client because our published crates on crates.io are
outdated and do not include the recently merged TEE-specific code
changes. To be fixed in the future. 
							
						 
						
							2024-08-30 12:14:55 +02:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								8d3f378392 
								
							 
						 
						
							
							
								
								fix(container-vault-sgx-azure): remove insecure eventfd setting  
							
							... 
							
							
							
							Removed the sys.insecure__allow_eventfd setting, because gramine
has a secure eventfd implementation since
[v1.7](https://github.com/gramineproject/gramine/releases/tag/v1.7 ). 
							
						 
						
							2024-08-29 10:58:46 +02:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								33fe7f17fa 
								
							 
						 
						
							
							
								
								fix(vault): maybe fix netpollBreak issues  
							
							... 
							
							
							
							- Updated the flake.lock for nixsgx dependency with new revision to get a patched gramine
  https://github.com/matter-labs/nixsgx/pull/54 
- Enabled `sys.insecure__allow_eventfd` to support recent golang changes in the `netpoll` implementation 
							
						 
						
							2024-08-08 14:51:04 +02:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								2d1d68210b 
								
							 
						 
						
							
							
								
								fix(container-vault-sgx-azure): increase max file descriptors for vault  
							
							... 
							
							
							
							Signed-off-by: Harald Hoyer <harald@matterlabs.dev> 
							
						 
						
							2024-08-08 11:06:56 +02:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								c92cb4e0b1 
								
							 
						 
						
							
							
								
								fix: increase performance_multiplier  
							
							... 
							
							
							
							Signed-off-by: Harald Hoyer <harald@matterlabs.dev> 
							
						 
						
							2024-08-07 16:43:30 +02:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								6be0ac561e 
								
							 
						 
						
							
							
								
								fix: use performance_multiplier  
							
							... 
							
							
							
							The vault instances lose the raft leader status, while loading
the `vault-auth-tee` plugin, because the gramine enviroment slows
down the `execve` significantly.
Using `performance_multiplier` relaxes the timeouts for the raft protocol.
see also: https://github.com/hashicorp/vault/issues/28009 
Signed-off-by: Harald Hoyer <harald@matterlabs.dev> 
							
						 
						
							2024-08-07 15:54:22 +02:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								36449980c2 
								
							 
						 
						
							
							
								
								fix(teepot-vault-unseal-sgx): pass CA_CERT_FILE  
							
							... 
							
							
							
							Although the file was included, it was not in the standard location.
Passing the absolute path fixes the issue.
The CA file is needed for the raft join command.
Signed-off-by: Harald Hoyer <harald@matterlabs.dev> 
							
						 
						
							2024-08-07 14:34:25 +02:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								97a1654c59 
								
							 
						 
						
							
							
								
								chore: turn off debug again  
							
							... 
							
							
							
							The increase of `max_threads` and `stack.size` did the trick.
Signed-off-by: Harald Hoyer <harald@matterlabs.dev> 
							
						 
						
							2024-08-07 12:22:17 +02:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								0de5447580 
								
							 
						 
						
							
							
								
								chore: tweak vault parameters for slow plugin loading  
							
							... 
							
							
							
							Signed-off-by: Harald Hoyer <harald@matterlabs.dev> 
							
						 
						
							2024-08-07 10:12:36 +02:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								a0a08d2ce7 
								
							 
						 
						
							
							
								
								chore: debug vault with gramine debug  
							
							... 
							
							
							
							Signed-off-by: Harald Hoyer <harald@matterlabs.dev> 
							
						 
						
							2024-08-06 16:34:36 +02:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								cd108a5d9f 
								
							 
						 
						
							
							
								
								chore: debug vault with gramine trace  
							
							... 
							
							
							
							Signed-off-by: Harald Hoyer <harald@matterlabs.dev> 
							
						 
						
							2024-08-06 15:12:12 +02:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								840730d598 
								
							 
						 
						
							
							
								
								chore: debug vault with gramine warning  
							
							... 
							
							
							
							Signed-off-by: Harald Hoyer <harald@matterlabs.dev> 
							
						 
						
							2024-08-06 12:57:48 +02:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Patryk Bęza 
								
							 
						 
						
							
							
								
								
							
							
							
								
							
							
								51c1e72a03 
								
							 
						 
						
							
							
								
								Use Docker's entrypoint instead of command  
							
							
							
						 
						
							2024-07-11 17:49:37 +02:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Patryk Bęza 
								
							 
						 
						
							
							
								
								
							
							
							
								
							
							
								78447ea307 
								
							 
						 
						
							
							
								
								Unify verify-attestation-sgx and verify-attestation  
							
							... 
							
							
							
							Rationale: too much copy-paste 
							
						 
						
							2024-07-11 17:13:11 +02:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Patryk Bęza 
								
							 
						 
						
							
							
								
								
							
							
							
								
							
							
								f90088be76 
								
							 
						 
						
							
							
								
								SGX attestation & batch signature verification tool  
							
							
							
						 
						
							2024-07-10 14:47:07 +02:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									otani 
								
							 
						 
						
							
							
								
								
							
							
							
								
							
							
								ace415a43e 
								
							 
						 
						
							
							
								
								fix: dns for vault nodes  
							
							
							
						 
						
							2024-07-09 16:39:04 +03:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								ae01290bcc 
								
							 
						 
						
							
							
								
								chore: change dns names for the vault cluster  
							
							... 
							
							
							
							Signed-off-by: Harald Hoyer <harald@matterlabs.dev> 
							
						 
						
							2024-07-09 11:11:10 +02:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								fd6fe49be7 
								
							 
						 
						
							
							
								
								fix(container-vault-unseal-sgx-azure): correct VAULT_AUTH_TEE_SHA256_FILE  
							
							... 
							
							
							
							use the correct environment variable name... sigh
Signed-off-by: Harald Hoyer <harald@matterlabs.dev> 
							
						 
						
							2024-07-03 12:08:49 +02:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								f1b8a48a6a 
								
							 
						 
						
							
							
								
								fix: update the common cacert and include it in the unseal container  
							
							... 
							
							
							
							The previous cacert expired. A new one was created and also included in the unseal container.
The path to access the cacert was fixed in the unseal app and made configurable via an environment variable. 
							
						 
						
							2024-07-03 11:26:29 +02:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								160d133383 
								
							 
						 
						
							
							
								
								fix: hardcode VAULT_AUTH_TEE_VERSION in vault manifest  
							
							... 
							
							
							
							Signed-off-by: Harald Hoyer <harald@matterlabs.dev> 
							
						 
						
							2024-07-03 09:21:25 +02:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								fc3fe37f81 
								
							 
						 
						
							
							
								
								fix: sgx.nonpie_binary option is deprecated  
							
							... 
							
							
							
							see https://github.com/gramineproject/gramine/pull/1187 
Signed-off-by: Harald Hoyer <harald@matterlabs.dev> 
							
						 
						
							2024-07-02 13:14:38 +02:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								943ef8c878 
								
							 
						 
						
							
							
								
								feat: use nixsgxLib.mkSGXContainer  
							
							... 
							
							
							
							Signed-off-by: Harald Hoyer <harald@matterlabs.dev> 
							
						 
						
							2024-07-01 17:25:00 +02:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								43a7931a40 
								
							 
						 
						
							
							
								
								fix(container-vault-unseal): remove azure config  
							
							... 
							
							
							
							Not needed anymore. Stuff can be gathered via the default qpl
Signed-off-by: Harald Hoyer <harald@matterlabs.dev> 
							
						 
						
							2024-06-12 13:32:51 +02:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								9c01b0a281 
								
							 
						 
						
							
							
								
								feat: add container-vault-admin  
							
							... 
							
							
							
							Signed-off-by: Harald Hoyer <harald@matterlabs.dev> 
							
						 
						
							2024-06-12 13:32:34 +02:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								de06acbef9 
								
							 
						 
						
							
							
								
								fix: don't tag the nix produced container with latest  
							
							... 
							
							
							
							leave it to the github workflow on push to main
Signed-off-by: Harald Hoyer <harald@matterlabs.dev> 
							
						 
						
							2024-06-12 13:21:44 +02:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								d0c5950c0e 
								
							 
						 
						
							
							
								
								feat: use nixsgx nix function to create containers  
							
							... 
							
							
							
							It refactors the way the SGX containers are built.
This removes all `Dockerfile` and gramine manifest files.
It also enables a single recipe for azure and non-azure variants.
Additionally the `teepot-crate.nix` is now the inherited recipe to
build the rust `teepot` crate.
Signed-off-by: Harald Hoyer <harald@matterlabs.dev> 
							
						 
						
							2024-06-10 16:32:02 +02:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								284393bf76 
								
							 
						 
						
							
							
								
								fix: only restart aesmd if aesm.socket is not readable  
							
							... 
							
							
							
							Signed-off-by: Harald Hoyer <harald@matterlabs.dev> 
							
						 
						
							2024-05-21 13:41:08 +02:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								5fd8df4c2e 
								
							 
						 
						
							
							
								
								fix(deps): use craneLib.removeReferencesToVendoredSources  
							
							... 
							
							
							
							to reduce the dependencies pulled in.
Signed-off-by: Harald Hoyer <harald@matterlabs.dev> 
							
						 
						
							2024-04-09 09:08:07 +02:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								ee7c4ee177 
								
							 
						 
						
							
							
								
								feat: add fmt nix package  
							
							... 
							
							
							
							```shell
$ nix run .#fmt
```
does all the automatic formatting the CI checks for.
Signed-off-by: Harald Hoyer <harald@matterlabs.dev> 
							
						 
						
							2024-03-11 12:39:02 +01:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								0654bacdb5 
								
							 
						 
						
							
							
								
								ci: use crane flake to build with nix  
							
							... 
							
							
							
							This enables to add cargo `fmt`, `clippy` and `deny` to nix, using cached results.
Move the `teepot` crate to the `crates` subdir to make the life easier for
the `crane` flake.
Signed-off-by: Harald Hoyer <harald@matterlabs.dev> 
							
						 
						
							2024-03-11 10:01:59 +01:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								9680e32e82 
								
							 
						 
						
							
							
								
								fix: cleanup the nix packages  
							
							... 
							
							
							
							`curl` and `openssl` have to be specified with `.out`
Signed-off-by: Harald Hoyer <harald@matterlabs.dev> 
							
						 
						
							2024-03-08 14:19:31 +01:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								97420df006 
								
							 
						 
						
							
							
								
								feat: attestation test on azure and default dcap  
							
							... 
							
							
							
							```
❯ docker run -i --rm --privileged  --device /dev/sgx_enclave --net host \
  matterlabsrobot/teepot-self-attestation-test-sgx-azure:latest \
  | base64 -d --ignore-garbage \
  | docker run -i --rm --net host matterlabsrobot/verify-attestation-sgx-azure:latest
```
Signed-off-by: Harald Hoyer <harald@matterlabs.dev> 
							
						 
						
							2024-03-07 16:05:27 +01:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								91f1612e0f 
								
							 
						 
						
							
							
								
								chore: cleanup and nixify  
							
							... 
							
							
							
							* create containers with nix
* updated README.md
* added SPDX license headers
Signed-off-by: Harald Hoyer <harald@matterlabs.dev> 
							
						 
						
							2024-02-28 11:09:34 +01:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								bf2e4a1b8e 
								
							 
						 
						
							
							
								
								chore(nix): replace nix-filter with lib.fileset  
							
							... 
							
							
							
							Signed-off-by: Harald Hoyer <harald@matterlabs.dev> 
							
						 
						
							2024-02-15 11:23:22 +01:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								d8110f3720 
								
							 
						 
						
							
							
								
								feat: build and push container-verify-attestation  
							
							... 
							
							
							
							Signed-off-by: Harald Hoyer <harald@matterlabs.dev> 
							
						 
						
							2024-02-14 16:01:59 +01:00 
							
								 
							
							
								 
							
						 
					 
				
					
						
							
								
								
									Harald Hoyer 
								
							 
						 
						
							
							
								
								
									
										
									
								
							
							
							
								
							
							
								30539e068f 
								
							 
						 
						
							
							
								
								feat: use snowfall flake for nix  
							
							... 
							
							
							
							to make packages reusable by other flakes
Signed-off-by: Harald Hoyer <harald@matterlabs.dev> 
							
						 
						
							2024-02-14 11:39:39 +01:00