harald/teepot
1
0
Fork 0
mirror of https://github.com/matter-labs/teepot.git synced 2025-07-21 15:13:56 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
503 commits 23 branches 61 tags 2.2 MiB
Commit graph

503 commits

This branch
This branch
All branches
Author SHA1 Message Date
Harald Hoyer
2c326f83bd
Merge pull request #207 from matter-labs/container-tag 
chore: tag container with git tag
 2024-09-17 15:09:02 +02:00
Harald Hoyer
e7b743b213
chore: tag container with git tag 
Allow all tags and tag the matterlabsrobot container with it.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-09-17 14:48:49 +02:00
Harald Hoyer
3b7041b459
Merge pull request #206 from matter-labs/cargo-release 
chore: Release
 2024-09-16 17:38:14 +02:00
Harald Hoyer
77818cffef
chore: Release 2024-09-16 17:01:14 +02:00
Harald Hoyer
2b6e68e269
Merge pull request #205 from matter-labs/cargo-release 
chore: prepare release tags
 2024-09-16 16:39:51 +02:00
Harald Hoyer
7743c1321a
chore: prepare release tags 
* set `publish = false` for multiple Cargo.toml files
* cargo update
* fix taplo.toml
* sort `workspace.dependencies`
* add `cargo-release` to nix shell

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-09-16 16:14:26 +02:00
Harald Hoyer
108ef8cc07
Merge pull request #198 from matter-labs/patrick/attestation-acceptance-params 
feat(verify-era-proof-attestation): added continuous mode with attestation policies
 2024-09-16 12:04:42 +02:00
Patryk Bęza
4fcaaa7398
feat(verify-era-proof-attestation): continuous mode with attestation policies 
This PR introduces TEE Prover continuous mode with attestation policies.

Attestation policies are a set of criteria that determine whether an SGX
attestation should be considered valid or invalid. In practice, this
means checking against a specified set of mrsigners, mrenclaves, and TCB
levels. If the attestation’s mrenclave/mrsigner/TCB levels matches those
in the provided --sgx-mrenclaves/--sgx-mrsigners/--sgx-allowed-tcb-levels,
we treat the attestation as successfully verified. Otherwise, the
attestation is considered invalid.

The --continuous mode for the TEE Prover allows it to run continuously,
verifying new batches exposed by the node's RPC API in real-time.

To try it out, run the following commands:

    $ nix build -L .#container-verify-era-proof-attestation-sgx
    $ export IMAGE_TAG=$(docker load -i result | grep -Po 'Loaded image.*: \K.*')
    $ docker run  -i --init --rm $IMAGE_TAG --continuous 11505 --rpc https://sepolia.era.zksync.dev --sgx-allowed-tcb-levels Ok,SwHardeningNeeded --log-level debug
    $ docker run  -i --init --rm $IMAGE_TAG --batch 11509 --rpc https://sepolia.era.zksync.dev --sgx-allowed-tcb-levels Ok,SwHardeningNeeded --log-level debug
 2024-09-13 19:34:37 +02:00
Harald Hoyer
dd2a0304be
Merge pull request #199 from matter-labs/devshell_env 
chore(nix): set shell environment for openssl
 2024-09-11 15:31:50 +02:00
Harald Hoyer
d37d8c4845
chore(nix): set shell environment for openssl 
The shellHook statement has been added to export OPENSSL_NO_VENDOR as 1.
This should prevent building the vendored version of openssl.
 2024-09-11 10:35:32 +02:00
Harald Hoyer
e13bf353e0
Merge pull request #197 from matter-labs/extracmd 
chore: add extra startup information to unseal and admin enclaves
 2024-09-04 10:00:07 +02:00
Harald Hoyer
488dcfcdca
chore: add extra startup information to unseal and admin enclaves 
This eases testing and debugging.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-09-04 09:47:20 +02:00
Harald Hoyer
537521f0ee
Merge pull request #184 from matter-labs/renovate/trufflesecurity-trufflehog-3.x 
chore(deps): update trufflesecurity/trufflehog action to v3.81.10
 2024-09-03 15:24:37 +02:00
renovate[bot]
5162acd666
chore(deps): update trufflesecurity/trufflehog action to v3.81.10 2024-09-03 13:17:07 +00:00
Harald Hoyer
3b9735499c
Merge pull request #195 from matter-labs/cargo-update 
chore: cargo and flake update
 2024-09-03 15:15:46 +02:00
Harald Hoyer
301f91d269
Merge branch 'main' into cargo-update 2024-09-03 14:51:51 +02:00
Patrick
0e6eb2b74e
feat(verify-era-proof-attestation): add support for verifying a range of batches (#194) 
Co-authored-by: Harald Hoyer <harald@matterlabs.dev>
 2024-09-03 12:48:04 +00:00
Harald Hoyer
d88f79d239
chore: rename nixsgxLib.mkSGXContainer to pkgs.lib.tee.sgxGramineContainer 
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-09-03 13:24:20 +02:00
Harald Hoyer
15109610d8
chore: update flake.lock 
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-09-03 13:24:19 +02:00
Harald Hoyer
b0ac83b78e
chore: update Cargo.lock 
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-09-03 13:24:18 +02:00
Harald Hoyer
2c21d0161e
Merge pull request #196 from matter-labs/env-preexec 
feat(tee-key-preexec): add cmdline arg for env prefix
 2024-09-03 11:06:33 +02:00
Harald Hoyer
c94912d832
feat(tee-key-preexec): add cmdline arg for env prefix 
- Introduced `clap` for command-line argument parsing.
- Replaced manual argument handling with `clap`'s derived `Args` struct.
- Updated environmental variables to use dynamic prefixes.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-09-03 10:42:42 +02:00
Harald Hoyer
6b0b0b69ca
Merge pull request #189 from matter-labs/patrick/sgx-rpc-attestation-verifier 
feat(verify-attestation): RPC attestation and batch signature verification binary
 2024-08-30 12:37:01 +02:00
Patryk Bęza
5e4b8901b0
feat(verify-attestation): RPC attestation and batch signature verification binary 
This is another variant of the binary tool for verifying attestation and
the signature of a given batch. Unlike the existing tool, this variant
does not require you to provide two separate files—one for the
attestation and one for the signature. Instead, it automatically fetches
both from the RPC node.

Unfortunately, after discussing with @popzxc, we found that there is no way
to reuse the RPC client because our published crates on crates.io are
outdated and do not include the recently merged TEE-specific code
changes. To be fixed in the future.
 2024-08-30 12:14:55 +02:00
Harald Hoyer
27f35a7432
Merge pull request #193 from matter-labs/secure-eventfd 
fix(container-vault-sgx-azure): remove insecure eventfd setting
 2024-08-29 11:22:50 +02:00
Harald Hoyer
8d3f378392
fix(container-vault-sgx-azure): remove insecure eventfd setting 
Removed the sys.insecure__allow_eventfd setting, because gramine
has a secure eventfd implementation since
[v1.7](https://github.com/gramineproject/gramine/releases/tag/v1.7).
 2024-08-29 10:58:46 +02:00
Harald Hoyer
8ce8f5bccb
Merge pull request #182 from matter-labs/vault_netpoll 
fix(vault): maybe fix `netpollBreak` issues
 2024-08-08 15:11:27 +02:00
Harald Hoyer
33fe7f17fa
fix(vault): maybe fix netpollBreak issues 
- Updated the flake.lock for nixsgx dependency with new revision to get a patched gramine
  https://github.com/matter-labs/nixsgx/pull/54

- Enabled `sys.insecure__allow_eventfd` to support recent golang changes in the `netpoll` implementation
 2024-08-08 14:51:04 +02:00
Harald Hoyer
49fb234d2a
Merge pull request #181 from matter-labs/ulimit 
fix(container-vault-sgx-azure): increase max file descriptors for vault
 2024-08-08 12:19:40 +02:00
Harald Hoyer
2d1d68210b
fix(container-vault-sgx-azure): increase max file descriptors for vault 
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-08-08 11:06:56 +02:00
Harald Hoyer
bb93775252
Merge pull request #179 from matter-labs/renovate/trufflesecurity-trufflehog-3.x 
chore(deps): update trufflesecurity/trufflehog action to v3.81.7
 2024-08-08 10:20:46 +02:00
renovate[bot]
cec4785d49
chore(deps): update trufflesecurity/trufflehog action to v3.81.7 2024-08-08 08:12:27 +00:00
Harald Hoyer
9b34b30d24
Merge pull request #180 from matter-labs/renovate/serde-monorepo 
chore(deps): update rust crate serde to v1.0.205
 2024-08-08 10:11:58 +02:00
renovate[bot]
6b7e1b09cb
chore(deps): update rust crate serde to v1.0.205 2024-08-08 02:33:26 +00:00
Harald Hoyer
4f606d0117
Merge pull request #178 from matter-labs/performance_multiplier 
fix: increase `performance_multiplier`
 2024-08-07 16:55:59 +02:00
Harald Hoyer
c92cb4e0b1
fix: increase performance_multiplier 
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-08-07 16:43:30 +02:00
Harald Hoyer
af9ee3df2e
Merge pull request #177 from matter-labs/performance_multiplier 
fix: use `performance_multiplier`
 2024-08-07 16:06:16 +02:00
Harald Hoyer
6be0ac561e
fix: use performance_multiplier 
The vault instances lose the raft leader status, while loading
the `vault-auth-tee` plugin, because the gramine enviroment slows
down the `execve` significantly.

Using `performance_multiplier` relaxes the timeouts for the raft protocol.

see also: https://github.com/hashicorp/vault/issues/28009

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-08-07 15:54:22 +02:00
Harald Hoyer
e476792bfe
Merge pull request #160 from matter-labs/renovate/trufflesecurity-trufflehog-3.x 
chore(deps): update trufflesecurity/trufflehog action to v3.81.6
 2024-08-07 15:54:08 +02:00
renovate[bot]
847a950500
chore(deps): update trufflesecurity/trufflehog action to v3.81.6 2024-08-07 13:47:32 +00:00
Harald Hoyer
09aa640c65
Merge pull request #176 from matter-labs/cargo_update 
chore: cargo update
 2024-08-07 15:47:08 +02:00
Harald Hoyer
0bdc3425e4
chore: cargo update 
and fix `cargo clippy` issues.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-08-07 15:26:20 +02:00
Harald Hoyer
64715ccbdf
Merge pull request #175 from matter-labs/unseal 
feat: add Kubernetes pod spec for vault-unseal and update docs
 2024-08-07 15:24:46 +02:00
Harald Hoyer
eae8b860a9
feat: add Kubernetes pod spec for vault-unseal and update docs 
- Add `vault-unseal-pod-*.yaml` for Kubernetes deployment.
- Update `README.md` to reflect changes in unseal and sign commands.
- Add `vault` to the `shells/teepot/default.nix` package list.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-08-07 14:46:10 +02:00
Harald Hoyer
4ed311a16a
Merge pull request #174 from matter-labs/raft_join 
fix(teepot-vault-unseal-sgx): make ca files readable
 2024-08-07 14:45:39 +02:00
Harald Hoyer
36449980c2
fix(teepot-vault-unseal-sgx): pass CA_CERT_FILE 
Although the file was included, it was not in the standard location.
Passing the absolute path fixes the issue.

The CA file is needed for the raft join command.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-08-07 14:34:25 +02:00
Harald Hoyer
42aa0ed6b0
Merge pull request #173 from matter-labs/debug_vault 
chore: turn off debug again
 2024-08-07 13:10:25 +02:00
Harald Hoyer
97a1654c59
chore: turn off debug again 
The increase of `max_threads` and `stack.size` did the trick.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-08-07 12:22:17 +02:00
Harald Hoyer
68c8bda0e4
Merge pull request #172 from matter-labs/debug_vault 
chore: tweak vault parameters for slow plugin loading
 2024-08-07 10:25:00 +02:00
Harald Hoyer
0de5447580
chore: tweak vault parameters for slow plugin loading 
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-08-07 10:12:36 +02:00