harald/teepot
1
0
Fork 0
mirror of https://github.com/matter-labs/teepot.git synced 2025-07-21 15:13:56 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
428 commits 23 branches 61 tags 2.2 MiB
Commit graph

61 commits

Author SHA1 Message Date
Harald Hoyer
e27b5da856
fix(tee-key-preexec): add context to file write operations 
- Add context to `std::fs::write` calls to improve error tracing.
- Ensures better debugging by attaching filenames to potential errors.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2025-04-02 16:18:27 +02:00
Harald Hoyer
f03a8ba643
Merge branch 'main' into teepot_vault 2025-03-28 14:13:14 +01:00
Harald Hoyer
fa2ecee4bd
feat(sha384-extend): enhance SHA384 extend utility with padding and tests 
- Refactor `sha384-extend` to include digest padding and validation.
- Add `extend_sha384` function for hex-string-based digest extension.
- Introduce comprehensive test coverage for edge cases and errors.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2025-03-28 12:55:13 +01:00
Harald Hoyer
f8bd9e6a08
chore: split-out vault code from teepot in teepot-vault 
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2025-03-06 09:47:51 +01:00
Harald Hoyer
7cb3af4b65
Merge branch 'main' into no_quote 2025-03-06 09:30:33 +01:00
Harald Hoyer
55ea2a6069
fix(verify-attestation): bail out, if no quote provided 
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2025-03-06 09:07:31 +01:00
Harald Hoyer
98ed802b75
docs(tee-self-attestation-test): add podman example 
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2025-03-06 08:57:55 +01:00
Harald Hoyer
bece17f7bf
Merge branch 'main' into missing_recoverid_two 2025-03-03 08:52:32 +01:00
Harald Hoyer
589e375d47
Merge branch 'main' into rustls_ring_provider 2025-03-01 09:11:21 +01:00
Harald Hoyer
a6ea98a096
fix(verify-era-proof-attestation): handle missing RecoveryId signatures 
- add `RecoveryId::Two` and `RecoveryId::Three`

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2025-03-01 09:07:29 +01:00
Harald Hoyer
c26b3db290
fix(verify-era-proof-attestation): handle missing RecoveryId signatures 
- Add fallback for missing RecoveryId in 64-byte signatures.
- Improve error context for invalid signature length.
- Add debug and trace logs for better diagnosis during verification.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2025-02-28 17:31:59 +01:00
Harald Hoyer
d6061c35a8
fix(teepot-vault): use ring as CryptoProvider for rustls 
New `rustls` needs global install of default `CryptoProvider`.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2025-02-28 14:14:57 +01:00
Harald Hoyer
d3c17a7ace
Merge branch 'main' into cargo_update 2025-02-25 13:22:35 +01:00
Harald Hoyer
f822c70721
chore: remove unused rand dependency and update crates 
- Removed `rand` dependency from multiple `.toml` files and updated relevant imports to use `rand_core::OsRng`.
- Updated OpenTelemetry dependencies to latest versions and refactored SDK initialization to use `SdkLoggerProvider`.
- Bumped versions of several dependencies including `clap`, `awc`, `ring`, and `smallvec` for compatibility and features.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2025-02-20 15:40:13 +01:00
Harald Hoyer
049f1b3de8
feat(tdx): add TDX RTMR extension support with UEFI marker 
- Added `UEFI_MARKER_DIGEST_BYTES` constant for TDX RTMR extension.
- Implemented RTMR3 extension in `tee-key-preexec` for TDX attestation flow.
- Updated `rtmr-calc` to use `UEFI_MARKER_DIGEST_BYTES` for RTMR1 extension.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2025-02-20 15:15:44 +01:00
Harald Hoyer
daf375836b
chore: remove unused deps 
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2025-02-14 16:47:45 +01:00
Harald Hoyer
a41460b7f0
feat(tdx-google): enhance container service setup 
- Add `vector.service` and `chronyd.service` dependencies to `docker_start_container` service.
- Use `EnvironmentFile` and a pre-start script to dynamically generate environment variables for container setup.
- Improve error handling and clarity in container initialization.
 2025-02-14 16:47:43 +01:00
Harald Hoyer
908579cd60
feat: rewrite google-metadata test as tdx-test 
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2025-02-14 16:47:42 +01:00
Harald Hoyer
45309e58f4
chore: cargo deps update 
with code fixes for the new versions.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2025-02-10 15:44:16 +01:00
Harald Hoyer
11a22c9e67
feat: add Google Metadata support and TDX container test 
- Introduced `google-metadata` binary for reading GCP instance attributes.
- Added TDX container test with new `container-test-tdx` package.
- Updated Nix workflow and deployment scripts for Google Metadata integration.
- Bumped `anyhow` to 1.0.95 and updated Cargo.lock.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2025-01-27 16:18:58 +01:00
Patryk Bęza
afa524c18c
Address code review comments 2025-01-17 12:41:07 +01:00
Patryk Bęza
2d04ba0508
feat(tee-key-preexec): add support for Solidity-compatible pubkey in report_data 
This PR is part of the effort to implement on-chain TEE proof
verification. This PR goes hand in hand with https://github.com/matter-labs/zksync-era/pull/3414.
 2025-01-16 20:46:16 +01:00
Harald Hoyer
5d32396966
feat: add tdx-extend, sha384-extend and rtmr-calc 
This enables pre-calculating the TDX rtmr[1,2,3] values for an attested boot process.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-12-20 13:27:55 +01:00
Harald Hoyer
0b67a14cd1
chore: cargo update 
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-12-20 12:20:39 +01:00
Harald Hoyer
4610475fae
feat: add TDX support 
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-12-20 10:54:24 +01:00
Patrick
78471f5b64
Merge branch 'main' into handle_old_proof_response 2024-11-28 17:28:53 +01:00
Harald Hoyer
f0fea5c122
refactor(logging): enhance logging setup and usage 
- Modified the `setup_logging` function to return a `Subscriber`, improving flexibility and reuse.
- Integrated `tracing::subscriber::set_global_default` in the main functions to establish the logging subscriber globally.
- Added configurations for span events and control over file and line information display.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-11-28 15:49:15 +01:00
Harald Hoyer
4a0a4f6e5e
fix(proof-validation): handle optional proof status 
Ensure proof status is treated as optional, preventing crashes when status is absent.
- Modify status field to `Option<String>` in `Proof` struct.
- Update validation logic to handle `None` values safely.
- Adjust main logic to check for "permanently_ignored" safely.
 2024-11-28 15:48:23 +01:00
Patryk Bęza
e63d0901fa
feat(verifier): don't retry verifying permanently ignored batches 
Currently, the [TEE verifier][1] – the tool for continuous SGX
attestation and batch signature verification – is [stuck][2] on batches
that failed to be proven and are marked as `permanently_ignored`. The
tool should be able to distinguish between batches that are permanently
ignored (and should be skipped) and batches that have failed but will be
retried. This PR enables that distinction.

This commit goes hand in hand with the following PR:
https://github.com/matter-labs/zksync-era/pull/3321

[1]: https://github.com/matter-labs/teepot/blob/main/bin/verify-era-proof-attestation/src/main.rs
[2]: https://grafana.matterlabs.dev/goto/unFqf57Hg?orgId=1
 2024-11-26 17:19:55 +01:00
Harald Hoyer
af3ab51320
feat(logging): centralize logging setup in teepot crate 
- Added a new logging module in `teepot` crate.
- Removed redundant logging setup code from individual projects.
- Updated dependencies and references for logging setup.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-09-18 16:08:13 +02:00
Patryk Bęza
9bf40c9cb9
feat(tee): use hex deserialization for RPC requests 
Following Anton's suggestion, we have switched to hex serialization for
API/RPC requests and responses. Previously, we used default JSON
serialization for Vec<u8>, which resulted in a lengthy comma-separated
list of integers.

This change standardizes serialization, making it more efficient and
reducing the size of the responses. The previous format, with a series
of comma-separated integers for pubkey-like fields, looked odd.

Then:
```
curl -X POST\
     -H "Content-Type: application/json" \
     --data '{"jsonrpc": "2.0", "id": 1, "method": "unstable_getTeeProofs", "params": [491882, "Sgx"] }' \
        https://mainnet.era.zksync.io
{"jsonrpc":"2.0","result":[{"attestation":[3,0,2,0,0,0,0,0,10,<dozens of comma-separated integers here>
```

Now:
```
$ curl -X POST \
       -H "Content-Type: application/json" \
       --data '{"jsonrpc": "2.0", "id": 1, "method": "unstable_getTeeProofs", "params": [1, "sgx"] }' \
          http://localhost:3050
{"jsonrpc":"2.0","result":[{"l1BatchNumber":1,"teeType":"sgx","pubkey":"0506070809","signature":"0001020304","proof":"0a0b0c0d0e","provedAt":"2024-09-16T11:53:38.253033Z","attestation":"0403020100"}],"id":1}
```

This change needs to be deployed in lockstep with:
https://github.com/matter-labs/zksync-era/pull/2887.
 2024-09-18 14:10:21 +02:00
Harald Hoyer
7743c1321a
chore: prepare release tags 
* set `publish = false` for multiple Cargo.toml files
* cargo update
* fix taplo.toml
* sort `workspace.dependencies`
* add `cargo-release` to nix shell

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-09-16 16:14:26 +02:00
Patryk Bęza
4fcaaa7398
feat(verify-era-proof-attestation): continuous mode with attestation policies 
This PR introduces TEE Prover continuous mode with attestation policies.

Attestation policies are a set of criteria that determine whether an SGX
attestation should be considered valid or invalid. In practice, this
means checking against a specified set of mrsigners, mrenclaves, and TCB
levels. If the attestation’s mrenclave/mrsigner/TCB levels matches those
in the provided --sgx-mrenclaves/--sgx-mrsigners/--sgx-allowed-tcb-levels,
we treat the attestation as successfully verified. Otherwise, the
attestation is considered invalid.

The --continuous mode for the TEE Prover allows it to run continuously,
verifying new batches exposed by the node's RPC API in real-time.

To try it out, run the following commands:

    $ nix build -L .#container-verify-era-proof-attestation-sgx
    $ export IMAGE_TAG=$(docker load -i result | grep -Po 'Loaded image.*: \K.*')
    $ docker run  -i --init --rm $IMAGE_TAG --continuous 11505 --rpc https://sepolia.era.zksync.dev --sgx-allowed-tcb-levels Ok,SwHardeningNeeded --log-level debug
    $ docker run  -i --init --rm $IMAGE_TAG --batch 11509 --rpc https://sepolia.era.zksync.dev --sgx-allowed-tcb-levels Ok,SwHardeningNeeded --log-level debug
 2024-09-13 19:34:37 +02:00
Patrick
0e6eb2b74e
feat(verify-era-proof-attestation): add support for verifying a range of batches (#194) 
Co-authored-by: Harald Hoyer <harald@matterlabs.dev>
 2024-09-03 12:48:04 +00:00
Harald Hoyer
c94912d832
feat(tee-key-preexec): add cmdline arg for env prefix 
- Introduced `clap` for command-line argument parsing.
- Replaced manual argument handling with `clap`'s derived `Args` struct.
- Updated environmental variables to use dynamic prefixes.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-09-03 10:42:42 +02:00
Patryk Bęza
5e4b8901b0
feat(verify-attestation): RPC attestation and batch signature verification binary 
This is another variant of the binary tool for verifying attestation and
the signature of a given batch. Unlike the existing tool, this variant
does not require you to provide two separate files—one for the
attestation and one for the signature. Instead, it automatically fetches
both from the RPC node.

Unfortunately, after discussing with @popzxc, we found that there is no way
to reuse the RPC client because our published crates on crates.io are
outdated and do not include the recently merged TEE-specific code
changes. To be fixed in the future.
 2024-08-30 12:14:55 +02:00
Harald Hoyer
0bdc3425e4
chore: cargo update 
and fix `cargo clippy` issues.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-08-07 15:26:20 +02:00
Patryk Bęza
ad6ce872f8
fix(verify-attestation): simplify dependencies 
The zksync crates have recently been published on crates.io. Let's take
advantage of them! Specifically, we are replacing alloy-primitives with
zksync_basic_types to avoid the additional transitive dependencies
introduced by alloy.
 2024-07-22 14:45:27 +02:00
Patryk Bęza
51c1e72a03
Use Docker's entrypoint instead of command 2024-07-11 17:49:37 +02:00
Patryk Bęza
78447ea307
Unify verify-attestation-sgx and verify-attestation 
Rationale: too much copy-paste
 2024-07-11 17:13:11 +02:00
Patryk Bęza
f3f6ea1dba
Introduce root_hash option 2024-07-11 11:29:37 +02:00
Patryk Bęza
f90088be76
SGX attestation & batch signature verification tool 2024-07-10 14:47:07 +02:00
Harald Hoyer
204aa33f7f
fix(tee-vault-unseal): pick either VAULT_AUTH_TEE_SHA256 string or file 
Pick either `VAULT_AUTH_TEE_SHA256` or `VAULT_AUTH_TEE_SHA256_FILE`,
with `VAULT_AUTH_TEE_SHA256` having the precedence.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-07-03 14:42:06 +02:00
Harald Hoyer
f1b8a48a6a
fix: update the common cacert and include it in the unseal container 
The previous cacert expired. A new one was created and also included in the unseal container.

The path to access the cacert was fixed in the unseal app and made configurable via an environment variable.
 2024-07-03 11:26:29 +02:00
Patryk Bęza
4c76318702
Replace secp256k1 with k256 crate 
Rationale: we already have secp256k1 in our dependencies, as suggested
by Igor:
https://github.com/matter-labs/zksync-era/pull/2333#discussion_r1656531731
 2024-07-01 14:17:13 +02:00
Harald Hoyer
1505b14db0
chore: remove obsolete Dockerfiles 
all is built via nix and maintaining those files would mean more work.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-06-21 11:23:41 +02:00
Harald Hoyer
df7973c501
chore: cargo update + taplo fmt 
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-06-20 14:00:18 +02:00
Harald Hoyer
d77243b8fd
fix(tee-key-preexec): export the key in PEM 
makes it easier to import

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-06-13 14:00:43 +02:00
Harald Hoyer
d0c5950c0e
feat: use nixsgx nix function to create containers 
It refactors the way the SGX containers are built.
This removes all `Dockerfile` and gramine manifest files.
It also enables a single recipe for azure and non-azure variants.

Additionally the `teepot-crate.nix` is now the inherited recipe to
build the rust `teepot` crate.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-06-10 16:32:02 +02:00
Harald Hoyer
1f850d060e
feat(tee-vault-unseal): add VAULT_AUTH_TEE_SHA256_FILE 
If `VAULT_AUTH_TEE_SHA256_FILE` is set,
read the sha value from the file,
rather from the environment variable.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-06-10 14:19:25 +02:00