Commit graph

44 commits

Author SHA1 Message Date
Harald Hoyer
99037ceb6c
feat(tee-key-preexec): add test container for tee-key-preexec
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2025-01-15 15:48:21 +01:00
Harald Hoyer
dc1e756ec6
feat(tdx): add nix build for TDX google VMs
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2025-01-14 14:50:43 +01:00
Harald Hoyer
5d32396966
feat: add tdx-extend, sha384-extend and rtmr-calc
This enables pre-calculating the TDX rtmr[1,2,3] values for an attested boot process.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2024-12-20 13:27:55 +01:00
Harald Hoyer
4610475fae
feat: add TDX support
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2024-12-20 10:54:24 +01:00
Harald Hoyer
b066cdd15a
fix: update build process for teepot package
- Fix output format for propagated-user-env-packages.
- Remove empty bin directory after binaries are moved.
2024-12-20 09:31:00 +01:00
Harald Hoyer
83d57bf354
chore: update Rust toolchain to version 1.83
- Upgraded the Rust version in rust-toolchain.toml to 1.83.
- Ensures compatibility and access to the latest features and fixes.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2024-12-20 09:29:43 +01:00
Harald Hoyer
488dcfcdca
chore: add extra startup information to unseal and admin enclaves
This eases testing and debugging.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2024-09-04 09:47:20 +02:00
Harald Hoyer
d88f79d239
chore: rename nixsgxLib.mkSGXContainer to pkgs.lib.tee.sgxGramineContainer
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2024-09-03 13:24:20 +02:00
Patryk Bęza
5e4b8901b0
feat(verify-attestation): RPC attestation and batch signature verification binary
This is another variant of the binary tool for verifying attestation and
the signature of a given batch. Unlike the existing tool, this variant
does not require you to provide two separate files—one for the
attestation and one for the signature. Instead, it automatically fetches
both from the RPC node.

Unfortunately, after discussing with @popzxc, we found that there is no way
to reuse the RPC client because our published crates on crates.io are
outdated and do not include the recently merged TEE-specific code
changes. To be fixed in the future.
2024-08-30 12:14:55 +02:00
Harald Hoyer
8d3f378392
fix(container-vault-sgx-azure): remove insecure eventfd setting
Removed the sys.insecure__allow_eventfd setting, because gramine
has a secure eventfd implementation since
[v1.7](https://github.com/gramineproject/gramine/releases/tag/v1.7).
2024-08-29 10:58:46 +02:00
Harald Hoyer
33fe7f17fa
fix(vault): maybe fix netpollBreak issues
- Updated the flake.lock for nixsgx dependency with new revision to get a patched gramine
  https://github.com/matter-labs/nixsgx/pull/54

- Enabled `sys.insecure__allow_eventfd` to support recent golang changes in the `netpoll` implementation
2024-08-08 14:51:04 +02:00
Harald Hoyer
2d1d68210b
fix(container-vault-sgx-azure): increase max file descriptors for vault
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2024-08-08 11:06:56 +02:00
Harald Hoyer
c92cb4e0b1
fix: increase performance_multiplier
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2024-08-07 16:43:30 +02:00
Harald Hoyer
6be0ac561e
fix: use performance_multiplier
The vault instances lose the raft leader status, while loading
the `vault-auth-tee` plugin, because the gramine environment slows
down the `execve` significantly.

Using `performance_multiplier` relaxes the timeouts for the raft protocol.

see also: https://github.com/hashicorp/vault/issues/28009

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2024-08-07 15:54:22 +02:00
Harald Hoyer
36449980c2
fix(teepot-vault-unseal-sgx): pass CA_CERT_FILE
Although the file was included, it was not in the standard location.
Passing the absolute path fixes the issue.

The CA file is needed for the raft join command.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2024-08-07 14:34:25 +02:00
Harald Hoyer
97a1654c59
chore: turn off debug again
The increase of `max_threads` and `stack.size` did the trick.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2024-08-07 12:22:17 +02:00
Harald Hoyer
0de5447580
chore: tweak vault parameters for slow plugin loading
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2024-08-07 10:12:36 +02:00
Harald Hoyer
a0a08d2ce7
chore: debug vault with gramine debug
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2024-08-06 16:34:36 +02:00
Harald Hoyer
cd108a5d9f
chore: debug vault with gramine trace
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2024-08-06 15:12:12 +02:00
Harald Hoyer
840730d598
chore: debug vault with gramine warning
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2024-08-06 12:57:48 +02:00
Patryk Bęza
51c1e72a03
Use Docker's entrypoint instead of command
2024-07-11 17:49:37 +02:00
Patryk Bęza
78447ea307
Unify verify-attestation-sgx and verify-attestation
Rationale: too much copy-paste
2024-07-11 17:13:11 +02:00
Patryk Bęza
f90088be76
SGX attestation & batch signature verification tool
2024-07-10 14:47:07 +02:00
otani
ace415a43e
fix: dns for vault nodes
2024-07-09 16:39:04 +03:00
Harald Hoyer
ae01290bcc
chore: change dns names for the vault cluster
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2024-07-09 11:11:10 +02:00
Harald Hoyer
fd6fe49be7
fix(container-vault-unseal-sgx-azure): correct VAULT_AUTH_TEE_SHA256_FILE
use the correct environment variable name... sigh

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2024-07-03 12:08:49 +02:00
Harald Hoyer
f1b8a48a6a
fix: update the common cacert and include it in the unseal container
The previous cacert expired. A new one was created and also included in the unseal container.

The path to access the cacert was fixed in the unseal app and made configurable via an environment variable.
2024-07-03 11:26:29 +02:00
Harald Hoyer
160d133383
fix: hardcode VAULT_AUTH_TEE_VERSION in vault manifest
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2024-07-03 09:21:25 +02:00
Harald Hoyer
fc3fe37f81
fix: sgx.nonpie_binary option is deprecated
see https://github.com/gramineproject/gramine/pull/1187

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2024-07-02 13:14:38 +02:00
Harald Hoyer
943ef8c878
feat: use nixsgxLib.mkSGXContainer
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2024-07-01 17:25:00 +02:00
Harald Hoyer
43a7931a40
fix(container-vault-unseal): remove azure config
Not needed anymore. Stuff can be gathered via the default qpl

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2024-06-12 13:32:51 +02:00
Harald Hoyer
9c01b0a281
feat: add container-vault-admin
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2024-06-12 13:32:34 +02:00
Harald Hoyer
de06acbef9
fix: don't tag the nix produced container with latest
leave it to the github workflow on push to main

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2024-06-12 13:21:44 +02:00
Harald Hoyer
d0c5950c0e
feat: use nixsgx nix function to create containers
It refactors the way the SGX containers are built.
This removes all `Dockerfile` and gramine manifest files.
It also enables a single recipe for azure and non-azure variants.

Additionally the `teepot-crate.nix` is now the inherited recipe to
build the rust `teepot` crate.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2024-06-10 16:32:02 +02:00
Harald Hoyer
284393bf76
fix: only restart aesmd if aesm.socket is not readable
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2024-05-21 13:41:08 +02:00
Harald Hoyer
5fd8df4c2e
fix(deps): use craneLib.removeReferencesToVendoredSources
to reduce the dependencies pulled in.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2024-04-09 09:08:07 +02:00
Harald Hoyer
ee7c4ee177
feat: add fmt nix package
```shell
$ nix run .#fmt
```

does all the automatic formatting the CI checks for.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2024-03-11 12:39:02 +01:00
Harald Hoyer
0654bacdb5
ci: use crane flake to build with nix
This enables adding cargo `fmt`, `clippy` and `deny` to nix, using cached results.

Move the `teepot` crate to the `crates` subdir to make life easier for
the `crane` flake.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2024-03-11 10:01:59 +01:00
Harald Hoyer
9680e32e82
fix: cleanup the nix packages
`curl` and `openssl` have to be specified with `.out`

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2024-03-08 14:19:31 +01:00
Harald Hoyer
97420df006
feat: attestation test on azure and default dcap
```
❯ docker run -i --rm --privileged  --device /dev/sgx_enclave --net host \
  matterlabsrobot/teepot-self-attestation-test-sgx-azure:latest \
  | base64 -d --ignore-garbage \
  | docker run -i --rm --net host matterlabsrobot/verify-attestation-sgx-azure:latest
```

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2024-03-07 16:05:27 +01:00
Harald Hoyer
91f1612e0f
chore: cleanup and nixify
* create containers with nix
* updated README.md
* added SPDX license headers

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2024-02-28 11:09:34 +01:00
Harald Hoyer
bf2e4a1b8e
chore(nix): replace nix-filter with lib.fileset
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2024-02-15 11:23:22 +01:00
Harald Hoyer
d8110f3720
feat: build and push container-verify-attestation
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2024-02-14 16:01:59 +01:00
Harald Hoyer
30539e068f
feat: use snowfall flake for nix
to make packages reusable by other flakes

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2024-02-14 11:39:39 +01:00