teepot

mirror of https://github.com/matter-labs/teepot.git synced 2025-07-21 23:23:57 +02:00

Author	SHA1	Message	Date
Harald Hoyer	eb39705ff1	feat: compat code for non `x86_64-linux` - do not build packages, which require `x86_64-linux` - use Phala `dcap-qvl` crate for remote attestation, if possible - nix: exclude `nixsgx` on non `x86_64-linux` platforms Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2025-04-10 11:57:46 +02:00
Harald Hoyer	982fcc363b	Merge branch 'main' into teepot_vault	2025-03-25 13:40:50 +01:00
Harald Hoyer	3f90e4f80b	feat(tdx_google): add iproute2 and vector initialization wait - Include iproute2 in the container path for required networking tools. - Add a script to wait for vector to initialize before proceeding.	2025-03-21 13:11:23 +01:00
Harald Hoyer	f8bd9e6a08	chore: split-out vault code from `teepot` in `teepot-vault` Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2025-03-06 09:47:51 +01:00
Harald Hoyer	cf4a6cfb60	feat(tdx_google): add onFailure action to reboot on metadata.service errors - Introduce `onFailure` handler to trigger reboot after 5 minutes. - Enhances system reliability by automating recovery measures. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2025-02-20 15:32:51 +01:00
Harald Hoyer	a5cf220c57	feat(tdx_google): add support for attestation in container - Mount `/sys/kernel/config` to enable attestation for TDX containers. - Ensures compatibility with TDX guest measurements during runtime.	2025-02-20 12:14:10 +01:00
Harald Hoyer	439574f22c	chore(tdx_google): remove unused `teepot` package from system environment Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2025-02-19 15:01:02 +01:00
Harald Hoyer	760ff7eff1	refactor(tdx_google): simplify service configurations - Replaced hardcoded metadata-fetching logic with shared metadata service. - Removed custom pre-start scripts and refactored environment handling. - Updated Vector configuration to include custom field transformations. - Streamlined container startup process and ensured proper cleanup. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2025-02-19 15:00:43 +01:00
Harald Hoyer	5d2ad57cfd	refactor(tdx_google): modularize tdx_google configuration - Split `tdx_google/configuration.nix` into smaller modules: `vector.nix`, and `container.nix`. - Simplified the main configuration by leveraging modular imports for better readability and maintainability. Signed-off-by: Harald Hoyer <harald@matterlabs.dev> # Conflicts: # packages/tdx_google/configuration.nix	2025-02-19 15:00:42 +01:00
Harald Hoyer	bbbce81541	feat(configuration): update journald and serial settings - Set journald console to `/dev/ttyS0` for improved logging. - Disable `serial-getty@ttyS0` service to avoid conflicts.	2025-02-19 11:16:34 +01:00
Harald Hoyer	a41460b7f0	feat(tdx-google): enhance container service setup - Add `vector.service` and `chronyd.service` dependencies to `docker_start_container` service. - Use `EnvironmentFile` and a pre-start script to dynamically generate environment variables for container setup. - Improve error handling and clarity in container initialization.	2025-02-14 16:47:43 +01:00
Harald Hoyer	908579cd60	feat: rewrite google-metadata test as tdx-test Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2025-02-14 16:47:42 +01:00
Harald Hoyer	9266a9f072	feat(google-tdx): add Vector service integration - Enable Vector service and configure OpenTelemetry source. - Add sinks for logs output to console and Kafka. - Configure environment setup for Kafka using GCP metadata API. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2025-02-12 08:34:18 +01:00
Harald Hoyer	ff22db6054	chore(google-tdx): removed commented-out ssh debugging Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2025-02-11 08:29:34 +01:00
Harald Hoyer	c5cdc1e4ab	feat(google-tdx): disable LLMNR and MulticastDNS - Configured resolved service, disabling LLMNR and MulticastDNS for improved resolution settings. - Removed commented-out Prometheus Node config Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2025-02-11 08:29:29 +01:00
Harald Hoyer	11a22c9e67	feat: add Google Metadata support and TDX container test - Introduced `google-metadata` binary for reading GCP instance attributes. - Added TDX container test with new `container-test-tdx` package. - Updated Nix workflow and deployment scripts for Google Metadata integration. - Bumped `anyhow` to 1.0.95 and updated Cargo.lock. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2025-01-27 16:18:58 +01:00
Harald Hoyer	99037ceb6c	feat(tee-key-preexec): add test container for tee-key-preexec Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2025-01-15 15:48:21 +01:00
Harald Hoyer	dc1e756ec6	feat(tdx): add nix build for TDX google VMs Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2025-01-14 14:50:43 +01:00
Harald Hoyer	5d32396966	feat: add tdx-extend, sha384-extend and rtmr-calc This enables pre-calculating the TDX rtmr[1,2,3] values for an attested boot process. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2024-12-20 13:27:55 +01:00
Harald Hoyer	4610475fae	feat: add TDX support Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2024-12-20 10:54:24 +01:00
Harald Hoyer	b066cdd15a	fix: update build process for teepot package - Fix output format for propagated-user-env-packages. - Remove empty bin directory after binaries are moved.	2024-12-20 09:31:00 +01:00
Harald Hoyer	83d57bf354	chore: update Rust toolchain to version 1.83 - Upgraded the Rust version in rust-toolchain.toml to 1.83. - Ensures compatibility and access to the latest features and fixes. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2024-12-20 09:29:43 +01:00
Harald Hoyer	488dcfcdca	chore: add extra startup information to unseal and admin enclaves This eases testing and debugging. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2024-09-04 09:47:20 +02:00
Harald Hoyer	d88f79d239	chore: rename `nixsgxLib.mkSGXContainer` to `pkgs.lib.tee.sgxGramineContainer` Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2024-09-03 13:24:20 +02:00
Patryk Bęza	5e4b8901b0	feat(verify-attestation): RPC attestation and batch signature verification binary This is another variant of the binary tool for verifying attestation and the signature of a given batch. Unlike the existing tool, this variant does not require you to provide two separate files—one for the attestation and one for the signature. Instead, it automatically fetches both from the RPC node. Unfortunately, after discussing with @popzxc, we found that there is no way to reuse the RPC client because our published crates on crates.io are outdated and do not include the recently merged TEE-specific code changes. To be fixed in the future.	2024-08-30 12:14:55 +02:00
Harald Hoyer	8d3f378392	fix(container-vault-sgx-azure): remove insecure eventfd setting Removed the sys.insecure__allow_eventfd setting, because gramine has a secure eventfd implementation since [v1.7](https://github.com/gramineproject/gramine/releases/tag/v1.7).	2024-08-29 10:58:46 +02:00
Harald Hoyer	33fe7f17fa	fix(vault): maybe fix `netpollBreak` issues - Updated the flake.lock for nixsgx dependency with new revision to get a patched gramine https://github.com/matter-labs/nixsgx/pull/54 - Enabled `sys.insecure__allow_eventfd` to support recent golang changes in the `netpoll` implementation	2024-08-08 14:51:04 +02:00
Harald Hoyer	2d1d68210b	fix(container-vault-sgx-azure): increase max file descriptors for vault Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2024-08-08 11:06:56 +02:00
Harald Hoyer	c92cb4e0b1	fix: increase `performance_multiplier` Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2024-08-07 16:43:30 +02:00
Harald Hoyer	6be0ac561e	fix: use `performance_multiplier` The vault instances lose the raft leader status, while loading the `vault-auth-tee` plugin, because the gramine enviroment slows down the `execve` significantly. Using `performance_multiplier` relaxes the timeouts for the raft protocol. see also: https://github.com/hashicorp/vault/issues/28009 Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2024-08-07 15:54:22 +02:00
Harald Hoyer	36449980c2	fix(teepot-vault-unseal-sgx): pass `CA_CERT_FILE` Although the file was included, it was not in the standard location. Passing the absolute path fixes the issue. The CA file is needed for the raft join command. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2024-08-07 14:34:25 +02:00
Harald Hoyer	97a1654c59	chore: turn off debug again The increase of `max_threads` and `stack.size` did the trick. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2024-08-07 12:22:17 +02:00
Harald Hoyer	0de5447580	chore: tweak vault parameters for slow plugin loading Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2024-08-07 10:12:36 +02:00
Harald Hoyer	a0a08d2ce7	chore: debug vault with gramine debug Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2024-08-06 16:34:36 +02:00
Harald Hoyer	cd108a5d9f	chore: debug vault with gramine trace Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2024-08-06 15:12:12 +02:00
Harald Hoyer	840730d598	chore: debug vault with gramine warning Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2024-08-06 12:57:48 +02:00
Patryk Bęza	51c1e72a03	Use Docker's entrypoint instead of command	2024-07-11 17:49:37 +02:00
Patryk Bęza	78447ea307	Unify verify-attestation-sgx and verify-attestation Rationale: too much copy-paste	2024-07-11 17:13:11 +02:00
Patryk Bęza	f90088be76	SGX attestation & batch signature verification tool	2024-07-10 14:47:07 +02:00
otani	ace415a43e	fix: dns for vault nodes	2024-07-09 16:39:04 +03:00
Harald Hoyer	ae01290bcc	chore: change dns names for the vault cluster Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2024-07-09 11:11:10 +02:00
Harald Hoyer	fd6fe49be7	fix(container-vault-unseal-sgx-azure): correct `VAULT_AUTH_TEE_SHA256_FILE` use the correct environment variable name... sigh Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2024-07-03 12:08:49 +02:00
Harald Hoyer	f1b8a48a6a	fix: update the common `cacert` and include it in the unseal container The previous cacert expired. A new one was created and also included in the unseal container. The path to access the cacert was fixed in the unseal app and made configurable via an environment variable.	2024-07-03 11:26:29 +02:00
Harald Hoyer	160d133383	fix: hardcode VAULT_AUTH_TEE_VERSION in vault manifest Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2024-07-03 09:21:25 +02:00
Harald Hoyer	fc3fe37f81	fix: `sgx.nonpie_binary` option is deprecated see https://github.com/gramineproject/gramine/pull/1187 Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2024-07-02 13:14:38 +02:00
Harald Hoyer	943ef8c878	feat: use `nixsgxLib.mkSGXContainer` Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2024-07-01 17:25:00 +02:00
Harald Hoyer	43a7931a40	fix(container-vault-unseal): remove azure config Not needed anymore. Stuff can be gathered via the default qpl Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2024-06-12 13:32:51 +02:00
Harald Hoyer	9c01b0a281	feat: add `container-vault-admin` Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2024-06-12 13:32:34 +02:00
Harald Hoyer	de06acbef9	fix: don't tag the nix produced container with `latest` leave it to the github workflow on push to main Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2024-06-12 13:21:44 +02:00
Harald Hoyer	d0c5950c0e	feat: use nixsgx nix function to create containers It refactors the way the SGX containers are built. This removes all `Dockerfile` and gramine manifest files. It also enables a single recipe for azure and non-azure variants. Additionally the `teepot-crate.nix` is now the inherited recipe to build the rust `teepot` crate. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2024-06-10 16:32:02 +02:00

1 2

60 commits