teepot

mirror of https://github.com/matter-labs/teepot.git synced 2025-07-21 15:13:56 +02:00

Author	SHA1	Message	Date
Harald Hoyer	716c782e6f	chore(deps): update crates and nix flakes - Updated multiple Rust dependencies, including `opentelemetry`, `const-oid`, and `webpki-roots` for enhanced features and bug fixes. - Upgraded `nixpkgs` and `crane` in the nix flake configuration. - Removed unused dependencies and introduced missing dependencies for improved build integrity. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2025-05-30 17:54:30 +02:00
Lucille L. Blumire	d54f7b14ad	refactor: remove redundant continue	2025-04-17 16:53:01 +01:00
Lucille L. Blumire	2ca0b47169	refactor: improve punctuation readability	2025-04-17 16:52:59 +01:00
Lucille L. Blumire	6a9e035d19	refactor: combine equivalent match branches	2025-04-17 16:52:59 +01:00
Lucille L. Blumire	36afc85d38	refactor: prefer if let to single variant match	2025-04-17 16:52:57 +01:00
Lucille L. Blumire	2ff169da9f	refactor: improve type ergonomics	2025-04-17 16:52:56 +01:00
Lucille L. Blumire	0768b0ad67	refactor: prefer conversion methods to infallable casts	2025-04-17 16:52:54 +01:00
Lucille L. Blumire	2dea589c0e	refactor: prefer inline format args	2025-04-17 16:52:53 +01:00
Lucille L. Blumire	71a04ad4e2	refactor: bring items to top level of files	2025-04-17 16:52:49 +01:00
Harald Hoyer	0b8f1d54c7	feat: bump rust version to 1.86 fixes the hardcoded `/usr/bin/strip` issue on macos see https://github.com/rust-lang/rust/issues/131206 Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2025-04-10 11:57:47 +02:00
Harald Hoyer	eb39705ff1	feat: compat code for non `x86_64-linux` - do not build packages, which require `x86_64-linux` - use Phala `dcap-qvl` crate for remote attestation, if possible - nix: exclude `nixsgx` on non `x86_64-linux` platforms Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2025-04-10 11:57:46 +02:00
Harald Hoyer	95b6a2d70a	refactor(verify-era-proof-attestation): replace watch channel with `CancellationToken` Refactored stop signal handling in all components to use `tokio_util::sync::CancellationToken` instead of `tokio::sync::watch`. - Improved cancellation logic by leveraging `CancellationToken` for cleaner and more efficient handling. - Updated corresponding dependency to `tokio-util` version `0.7.14`.	2025-04-07 08:54:00 +02:00
Harald Hoyer	2605e2ae3a	refactor(verify-era-proof-attestation): modularize and restructure proof verification logic - Split `verify-era-proof-attestation` into modular subcomponents for maintainability. - Moved client, proof handling, and core types into dedicated modules.	2025-04-04 17:05:30 +02:00
Harald Hoyer	1e853f653a	refactor(quote): move TCB level logic to a dedicated module - Extracted `TcbLevel` functionality from `sgx` module to `quote::tcblevel`. - Updated all references to import `TcbLevel` and related utilities from `quote::tcblevel`. - Updated copyright headers to reflect the new year range. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2025-04-04 17:05:23 +02:00
Harald Hoyer	3257f316b5	feat(ci): switch to GitHub Container Registry for images Updated the workflow to push container images to GitHub Container Registry instead of Docker Hub. Added a login step for GHCR and updated image tagging and pushing commands accordingly. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2025-04-02 17:10:20 +02:00
Harald Hoyer	e27b5da856	fix(tee-key-preexec): add context to file write operations - Add context to `std::fs::write` calls to improve error tracing. - Ensures better debugging by attaching filenames to potential errors. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2025-04-02 16:18:27 +02:00
Harald Hoyer	f03a8ba643	Merge branch 'main' into teepot_vault	2025-03-28 14:13:14 +01:00
Harald Hoyer	fa2ecee4bd	feat(sha384-extend): enhance SHA384 extend utility with padding and tests - Refactor `sha384-extend` to include digest padding and validation. - Add `extend_sha384` function for hex-string-based digest extension. - Introduce comprehensive test coverage for edge cases and errors. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2025-03-28 12:55:13 +01:00
Harald Hoyer	f8bd9e6a08	chore: split-out vault code from `teepot` in `teepot-vault` Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2025-03-06 09:47:51 +01:00
Harald Hoyer	7cb3af4b65	Merge branch 'main' into no_quote	2025-03-06 09:30:33 +01:00
Harald Hoyer	55ea2a6069	fix(verify-attestation): bail out, if no quote provided Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2025-03-06 09:07:31 +01:00
Harald Hoyer	98ed802b75	docs(tee-self-attestation-test): add podman example Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2025-03-06 08:57:55 +01:00
Harald Hoyer	bece17f7bf	Merge branch 'main' into missing_recoverid_two	2025-03-03 08:52:32 +01:00
Harald Hoyer	589e375d47	Merge branch 'main' into rustls_ring_provider	2025-03-01 09:11:21 +01:00
Harald Hoyer	a6ea98a096	fix(verify-era-proof-attestation): handle missing RecoveryId signatures - add `RecoveryId::Two` and `RecoveryId::Three` Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2025-03-01 09:07:29 +01:00
Harald Hoyer	c26b3db290	fix(verify-era-proof-attestation): handle missing RecoveryId signatures - Add fallback for missing RecoveryId in 64-byte signatures. - Improve error context for invalid signature length. - Add debug and trace logs for better diagnosis during verification. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2025-02-28 17:31:59 +01:00
Harald Hoyer	d6061c35a8	fix(teepot-vault): use `ring` as `CryptoProvider` for `rustls` New `rustls` needs global install of default `CryptoProvider`. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2025-02-28 14:14:57 +01:00
Harald Hoyer	d3c17a7ace	Merge branch 'main' into cargo_update	2025-02-25 13:22:35 +01:00
Harald Hoyer	f822c70721	chore: remove unused `rand` dependency and update crates - Removed `rand` dependency from multiple `.toml` files and updated relevant imports to use `rand_core::OsRng`. - Updated OpenTelemetry dependencies to latest versions and refactored SDK initialization to use `SdkLoggerProvider`. - Bumped versions of several dependencies including `clap`, `awc`, `ring`, and `smallvec` for compatibility and features. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2025-02-20 15:40:13 +01:00
Harald Hoyer	049f1b3de8	feat(tdx): add TDX RTMR extension support with UEFI marker - Added `UEFI_MARKER_DIGEST_BYTES` constant for TDX RTMR extension. - Implemented RTMR3 extension in `tee-key-preexec` for TDX attestation flow. - Updated `rtmr-calc` to use `UEFI_MARKER_DIGEST_BYTES` for RTMR1 extension. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2025-02-20 15:15:44 +01:00
Harald Hoyer	daf375836b	chore: remove unused deps Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2025-02-14 16:47:45 +01:00
Harald Hoyer	a41460b7f0	feat(tdx-google): enhance container service setup - Add `vector.service` and `chronyd.service` dependencies to `docker_start_container` service. - Use `EnvironmentFile` and a pre-start script to dynamically generate environment variables for container setup. - Improve error handling and clarity in container initialization.	2025-02-14 16:47:43 +01:00
Harald Hoyer	908579cd60	feat: rewrite google-metadata test as tdx-test Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2025-02-14 16:47:42 +01:00
Harald Hoyer	45309e58f4	chore: cargo deps update with code fixes for the new versions. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2025-02-10 15:44:16 +01:00
Harald Hoyer	11a22c9e67	feat: add Google Metadata support and TDX container test - Introduced `google-metadata` binary for reading GCP instance attributes. - Added TDX container test with new `container-test-tdx` package. - Updated Nix workflow and deployment scripts for Google Metadata integration. - Bumped `anyhow` to 1.0.95 and updated Cargo.lock. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2025-01-27 16:18:58 +01:00
Patryk Bęza	afa524c18c	Address code review comments	2025-01-17 12:41:07 +01:00
Patryk Bęza	2d04ba0508	feat(tee-key-preexec): add support for Solidity-compatible pubkey in report_data This PR is part of the effort to implement on-chain TEE proof verification. This PR goes hand in hand with https://github.com/matter-labs/zksync-era/pull/3414.	2025-01-16 20:46:16 +01:00
Harald Hoyer	5d32396966	feat: add tdx-extend, sha384-extend and rtmr-calc This enables pre-calculating the TDX rtmr[1,2,3] values for an attested boot process. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2024-12-20 13:27:55 +01:00
Harald Hoyer	0b67a14cd1	chore: cargo update Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2024-12-20 12:20:39 +01:00
Harald Hoyer	4610475fae	feat: add TDX support Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2024-12-20 10:54:24 +01:00
Patrick	78471f5b64	Merge branch 'main' into handle_old_proof_response	2024-11-28 17:28:53 +01:00
Harald Hoyer	f0fea5c122	refactor(logging): enhance logging setup and usage - Modified the `setup_logging` function to return a `Subscriber`, improving flexibility and reuse. - Integrated `tracing::subscriber::set_global_default` in the main functions to establish the logging subscriber globally. - Added configurations for span events and control over file and line information display. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2024-11-28 15:49:15 +01:00
Harald Hoyer	4a0a4f6e5e	fix(proof-validation): handle optional proof status Ensure proof status is treated as optional, preventing crashes when status is absent. - Modify status field to `Option<String>` in `Proof` struct. - Update validation logic to handle `None` values safely. - Adjust main logic to check for "permanently_ignored" safely.	2024-11-28 15:48:23 +01:00
Patryk Bęza	e63d0901fa	feat(verifier): don't retry verifying permanently ignored batches Currently, the [TEE verifier][1] – the tool for continuous SGX attestation and batch signature verification – is [stuck][2] on batches that failed to be proven and are marked as `permanently_ignored`. The tool should be able to distinguish between batches that are permanently ignored (and should be skipped) and batches that have failed but will be retried. This PR enables that distinction. This commit goes hand in hand with the following PR: https://github.com/matter-labs/zksync-era/pull/3321 [1]: https://github.com/matter-labs/teepot/blob/main/bin/verify-era-proof-attestation/src/main.rs [2]: https://grafana.matterlabs.dev/goto/unFqf57Hg?orgId=1	2024-11-26 17:19:55 +01:00
Harald Hoyer	af3ab51320	feat(logging): centralize logging setup in teepot crate - Added a new logging module in `teepot` crate. - Removed redundant logging setup code from individual projects. - Updated dependencies and references for logging setup. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2024-09-18 16:08:13 +02:00
Patryk Bęza	9bf40c9cb9	feat(tee): use hex deserialization for RPC requests Following Anton's suggestion, we have switched to hex serialization for API/RPC requests and responses. Previously, we used default JSON serialization for Vec<u8>, which resulted in a lengthy comma-separated list of integers. This change standardizes serialization, making it more efficient and reducing the size of the responses. The previous format, with a series of comma-separated integers for pubkey-like fields, looked odd. Then: ``` curl -X POST\ -H "Content-Type: application/json" \ --data '{"jsonrpc": "2.0", "id": 1, "method": "unstable_getTeeProofs", "params": [491882, "Sgx"] }' \ https://mainnet.era.zksync.io {"jsonrpc":"2.0","result":[{"attestation":[3,0,2,0,0,0,0,0,10,<dozens of comma-separated integers here> ``` Now: ``` $ curl -X POST \ -H "Content-Type: application/json" \ --data '{"jsonrpc": "2.0", "id": 1, "method": "unstable_getTeeProofs", "params": [1, "sgx"] }' \ http://localhost:3050 {"jsonrpc":"2.0","result":[{"l1BatchNumber":1,"teeType":"sgx","pubkey":"0506070809","signature":"0001020304","proof":"0a0b0c0d0e","provedAt":"2024-09-16T11:53:38.253033Z","attestation":"0403020100"}],"id":1} ``` This change needs to be deployed in lockstep with: https://github.com/matter-labs/zksync-era/pull/2887.	2024-09-18 14:10:21 +02:00
Harald Hoyer	7743c1321a	chore: prepare release tags * set `publish = false` for multiple Cargo.toml files * cargo update * fix taplo.toml * sort `workspace.dependencies` * add `cargo-release` to nix shell Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2024-09-16 16:14:26 +02:00
Patryk Bęza	4fcaaa7398	feat(verify-era-proof-attestation): continuous mode with attestation policies This PR introduces TEE Prover continuous mode with attestation policies. Attestation policies are a set of criteria that determine whether an SGX attestation should be considered valid or invalid. In practice, this means checking against a specified set of mrsigners, mrenclaves, and TCB levels. If the attestation’s mrenclave/mrsigner/TCB levels matches those in the provided --sgx-mrenclaves/--sgx-mrsigners/--sgx-allowed-tcb-levels, we treat the attestation as successfully verified. Otherwise, the attestation is considered invalid. The --continuous mode for the TEE Prover allows it to run continuously, verifying new batches exposed by the node's RPC API in real-time. To try it out, run the following commands: $ nix build -L .#container-verify-era-proof-attestation-sgx $ export IMAGE_TAG=$(docker load -i result \| grep -Po 'Loaded image.: \K.') $ docker run -i --init --rm $IMAGE_TAG --continuous 11505 --rpc https://sepolia.era.zksync.dev --sgx-allowed-tcb-levels Ok,SwHardeningNeeded --log-level debug $ docker run -i --init --rm $IMAGE_TAG --batch 11509 --rpc https://sepolia.era.zksync.dev --sgx-allowed-tcb-levels Ok,SwHardeningNeeded --log-level debug	2024-09-13 19:34:37 +02:00
Patrick	0e6eb2b74e	feat(verify-era-proof-attestation): add support for verifying a range of batches (#194 ) Co-authored-by: Harald Hoyer <harald@matterlabs.dev>	2024-09-03 12:48:04 +00:00
Harald Hoyer	c94912d832	feat(tee-key-preexec): add cmdline arg for env prefix - Introduced `clap` for command-line argument parsing. - Replaced manual argument handling with `clap`'s derived `Args` struct. - Updated environmental variables to use dynamic prefixes. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>	2024-09-03 10:42:42 +02:00

1 2

76 commits