harald/teepot
1
0
Fork 0
mirror of https://github.com/matter-labs/teepot.git synced 2025-07-21 23:23:57 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
383 commits 23 branches 61 tags 2.2 MiB
Commit graph

45 commits

Author SHA1 Message Date
Harald Hoyer
a41460b7f0
feat(tdx-google): enhance container service setup 
- Add `vector.service` and `chronyd.service` dependencies to `docker_start_container` service.
- Use `EnvironmentFile` and a pre-start script to dynamically generate environment variables for container setup.
- Improve error handling and clarity in container initialization.
 2025-02-14 16:47:43 +01:00
Harald Hoyer
908579cd60
feat: rewrite google-metadata test as tdx-test 
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2025-02-14 16:47:42 +01:00
Harald Hoyer
45309e58f4
chore: cargo deps update 
with code fixes for the new versions.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2025-02-10 15:44:16 +01:00
Harald Hoyer
11a22c9e67
feat: add Google Metadata support and TDX container test 
- Introduced `google-metadata` binary for reading GCP instance attributes.
- Added TDX container test with new `container-test-tdx` package.
- Updated Nix workflow and deployment scripts for Google Metadata integration.
- Bumped `anyhow` to 1.0.95 and updated Cargo.lock.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2025-01-27 16:18:58 +01:00
Patryk Bęza
afa524c18c
Address code review comments 2025-01-17 12:41:07 +01:00
Patryk Bęza
2d04ba0508
feat(tee-key-preexec): add support for Solidity-compatible pubkey in report_data 
This PR is part of the effort to implement on-chain TEE proof
verification. This PR goes hand in hand with https://github.com/matter-labs/zksync-era/pull/3414.
 2025-01-16 20:46:16 +01:00
Harald Hoyer
5d32396966
feat: add tdx-extend, sha384-extend and rtmr-calc 
This enables pre-calculating the TDX rtmr[1,2,3] values for an attested boot process.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-12-20 13:27:55 +01:00
Harald Hoyer
0b67a14cd1
chore: cargo update 
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-12-20 12:20:39 +01:00
Harald Hoyer
4610475fae
feat: add TDX support 
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-12-20 10:54:24 +01:00
Patrick
78471f5b64
Merge branch 'main' into handle_old_proof_response 2024-11-28 17:28:53 +01:00
Harald Hoyer
f0fea5c122
refactor(logging): enhance logging setup and usage 
- Modified the `setup_logging` function to return a `Subscriber`, improving flexibility and reuse.
- Integrated `tracing::subscriber::set_global_default` in the main functions to establish the logging subscriber globally.
- Added configurations for span events and control over file and line information display.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-11-28 15:49:15 +01:00
Harald Hoyer
4a0a4f6e5e
fix(proof-validation): handle optional proof status 
Ensure proof status is treated as optional, preventing crashes when status is absent.
- Modify status field to `Option<String>` in `Proof` struct.
- Update validation logic to handle `None` values safely.
- Adjust main logic to check for "permanently_ignored" safely.
 2024-11-28 15:48:23 +01:00
Patryk Bęza
e63d0901fa
feat(verifier): don't retry verifying permanently ignored batches 
Currently, the [TEE verifier][1] – the tool for continuous SGX
attestation and batch signature verification – is [stuck][2] on batches
that failed to be proven and are marked as `permanently_ignored`. The
tool should be able to distinguish between batches that are permanently
ignored (and should be skipped) and batches that have failed but will be
retried. This PR enables that distinction.

This commit goes hand in hand with the following PR:
https://github.com/matter-labs/zksync-era/pull/3321

[1]: https://github.com/matter-labs/teepot/blob/main/bin/verify-era-proof-attestation/src/main.rs
[2]: https://grafana.matterlabs.dev/goto/unFqf57Hg?orgId=1
 2024-11-26 17:19:55 +01:00
Harald Hoyer
af3ab51320
feat(logging): centralize logging setup in teepot crate 
- Added a new logging module in `teepot` crate.
- Removed redundant logging setup code from individual projects.
- Updated dependencies and references for logging setup.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-09-18 16:08:13 +02:00
Patryk Bęza
9bf40c9cb9
feat(tee): use hex deserialization for RPC requests 
Following Anton's suggestion, we have switched to hex serialization for
API/RPC requests and responses. Previously, we used default JSON
serialization for Vec<u8>, which resulted in a lengthy comma-separated
list of integers.

This change standardizes serialization, making it more efficient and
reducing the size of the responses. The previous format, with a series
of comma-separated integers for pubkey-like fields, looked odd.

Then:
```
curl -X POST\
     -H "Content-Type: application/json" \
     --data '{"jsonrpc": "2.0", "id": 1, "method": "unstable_getTeeProofs", "params": [491882, "Sgx"] }' \
        https://mainnet.era.zksync.io
{"jsonrpc":"2.0","result":[{"attestation":[3,0,2,0,0,0,0,0,10,<dozens of comma-separated integers here>
```

Now:
```
$ curl -X POST \
       -H "Content-Type: application/json" \
       --data '{"jsonrpc": "2.0", "id": 1, "method": "unstable_getTeeProofs", "params": [1, "sgx"] }' \
          http://localhost:3050
{"jsonrpc":"2.0","result":[{"l1BatchNumber":1,"teeType":"sgx","pubkey":"0506070809","signature":"0001020304","proof":"0a0b0c0d0e","provedAt":"2024-09-16T11:53:38.253033Z","attestation":"0403020100"}],"id":1}
```

This change needs to be deployed in lockstep with:
https://github.com/matter-labs/zksync-era/pull/2887.
 2024-09-18 14:10:21 +02:00
Harald Hoyer
7743c1321a
chore: prepare release tags 
* set `publish = false` for multiple Cargo.toml files
* cargo update
* fix taplo.toml
* sort `workspace.dependencies`
* add `cargo-release` to nix shell

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-09-16 16:14:26 +02:00
Patryk Bęza
4fcaaa7398
feat(verify-era-proof-attestation): continuous mode with attestation policies 
This PR introduces TEE Prover continuous mode with attestation policies.

Attestation policies are a set of criteria that determine whether an SGX
attestation should be considered valid or invalid. In practice, this
means checking against a specified set of mrsigners, mrenclaves, and TCB
levels. If the attestation’s mrenclave/mrsigner/TCB levels matches those
in the provided --sgx-mrenclaves/--sgx-mrsigners/--sgx-allowed-tcb-levels,
we treat the attestation as successfully verified. Otherwise, the
attestation is considered invalid.

The --continuous mode for the TEE Prover allows it to run continuously,
verifying new batches exposed by the node's RPC API in real-time.

To try it out, run the following commands:

    $ nix build -L .#container-verify-era-proof-attestation-sgx
    $ export IMAGE_TAG=$(docker load -i result | grep -Po 'Loaded image.*: \K.*')
    $ docker run  -i --init --rm $IMAGE_TAG --continuous 11505 --rpc https://sepolia.era.zksync.dev --sgx-allowed-tcb-levels Ok,SwHardeningNeeded --log-level debug
    $ docker run  -i --init --rm $IMAGE_TAG --batch 11509 --rpc https://sepolia.era.zksync.dev --sgx-allowed-tcb-levels Ok,SwHardeningNeeded --log-level debug
 2024-09-13 19:34:37 +02:00
Patrick
0e6eb2b74e
feat(verify-era-proof-attestation): add support for verifying a range of batches (#194) 
Co-authored-by: Harald Hoyer <harald@matterlabs.dev>
 2024-09-03 12:48:04 +00:00
Harald Hoyer
c94912d832
feat(tee-key-preexec): add cmdline arg for env prefix 
- Introduced `clap` for command-line argument parsing.
- Replaced manual argument handling with `clap`'s derived `Args` struct.
- Updated environmental variables to use dynamic prefixes.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-09-03 10:42:42 +02:00
Patryk Bęza
5e4b8901b0
feat(verify-attestation): RPC attestation and batch signature verification binary 
This is another variant of the binary tool for verifying attestation and
the signature of a given batch. Unlike the existing tool, this variant
does not require you to provide two separate files—one for the
attestation and one for the signature. Instead, it automatically fetches
both from the RPC node.

Unfortunately, after discussing with @popzxc, we found that there is no way
to reuse the RPC client because our published crates on crates.io are
outdated and do not include the recently merged TEE-specific code
changes. To be fixed in the future.
 2024-08-30 12:14:55 +02:00
Harald Hoyer
0bdc3425e4
chore: cargo update 
and fix `cargo clippy` issues.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-08-07 15:26:20 +02:00
Patryk Bęza
ad6ce872f8
fix(verify-attestation): simplify dependencies 
The zksync crates have recently been published on crates.io. Let's take
advantage of them! Specifically, we are replacing alloy-primitives with
zksync_basic_types to avoid the additional transitive dependencies
introduced by alloy.
 2024-07-22 14:45:27 +02:00
Patryk Bęza
51c1e72a03
Use Docker's entrypoint instead of command 2024-07-11 17:49:37 +02:00
Patryk Bęza
78447ea307
Unify verify-attestation-sgx and verify-attestation 
Rationale: too much copy-paste
 2024-07-11 17:13:11 +02:00
Patryk Bęza
f3f6ea1dba
Introduce root_hash option 2024-07-11 11:29:37 +02:00
Patryk Bęza
f90088be76
SGX attestation & batch signature verification tool 2024-07-10 14:47:07 +02:00
Harald Hoyer
204aa33f7f
fix(tee-vault-unseal): pick either VAULT_AUTH_TEE_SHA256 string or file 
Pick either `VAULT_AUTH_TEE_SHA256` or `VAULT_AUTH_TEE_SHA256_FILE`,
with `VAULT_AUTH_TEE_SHA256` having the precedence.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-07-03 14:42:06 +02:00
Harald Hoyer
f1b8a48a6a
fix: update the common cacert and include it in the unseal container 
The previous cacert expired. A new one was created and also included in the unseal container.

The path to access the cacert was fixed in the unseal app and made configurable via an environment variable.
 2024-07-03 11:26:29 +02:00
Patryk Bęza
4c76318702
Replace secp256k1 with k256 crate 
Rationale: we already have secp256k1 in our dependencies, as suggested
by Igor:
https://github.com/matter-labs/zksync-era/pull/2333#discussion_r1656531731
 2024-07-01 14:17:13 +02:00
Harald Hoyer
1505b14db0
chore: remove obsolete Dockerfiles 
all is built via nix and maintaining those files would mean more work.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-06-21 11:23:41 +02:00
Harald Hoyer
df7973c501
chore: cargo update + taplo fmt 
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-06-20 14:00:18 +02:00
Harald Hoyer
d77243b8fd
fix(tee-key-preexec): export the key in PEM 
makes it easier to import

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-06-13 14:00:43 +02:00
Harald Hoyer
d0c5950c0e
feat: use nixsgx nix function to create containers 
It refactors the way the SGX containers are built.
This removes all `Dockerfile` and gramine manifest files.
It also enables a single recipe for azure and non-azure variants.

Additionally the `teepot-crate.nix` is now the inherited recipe to
build the rust `teepot` crate.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-06-10 16:32:02 +02:00
Harald Hoyer
1f850d060e
feat(tee-vault-unseal): add VAULT_AUTH_TEE_SHA256_FILE 
If `VAULT_AUTH_TEE_SHA256_FILE` is set,
read the sha value from the file,
rather from the environment variable.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-06-10 14:19:25 +02:00
Harald Hoyer
a9bb266668
chore(deps): update to rust version 1.78 
and fix the clippy warnings

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-06-10 13:09:05 +02:00
snoppy
7c2d3259b1
fix typos 2024-03-18 22:22:31 +08:00
Harald Hoyer
0654bacdb5
ci: use crane flake to build with nix 
This enables to add cargo `fmt`, `clippy` and `deny` to nix, using cached results.

Move the `teepot` crate to the `crates` subdir to make the life easier for
the `crane` flake.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-03-11 10:01:59 +01:00
Harald Hoyer
9f760da23e
docs: add bin/tee-self-attestation-test/README.md 
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-03-08 15:50:00 +01:00
Harald Hoyer
97420df006
feat: attestation test on azure and default dcap 
```
❯ docker run -i --rm --privileged  --device /dev/sgx_enclave --net host \
  matterlabsrobot/teepot-self-attestation-test-sgx-azure:latest \
  | base64 -d --ignore-garbage \
  | docker run -i --rm --net host matterlabsrobot/verify-attestation-sgx-azure:latest
```

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-03-07 16:05:27 +01:00
Harald Hoyer
59807c4286
chore(deps): remove unused dependencies 
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-02-28 15:18:28 +01:00
Harald Hoyer
91f1612e0f
chore: cleanup and nixify 
* create containers with nix
* updated README.md
* added SPDX license headers

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-02-28 11:09:34 +01:00
Harald Hoyer
0b60abc030
feat: use real RA-TLS for everything 
* add `tee-ratls-preexec` for creating the vault certificate
* remove the old attestation API

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-02-27 16:44:28 +01:00
Harald Hoyer
dc4434938e
fix(tee-key-preexec): don't hash public key 
No need to hash the public key for the attestation report data.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-02-15 10:31:54 +01:00
Harald Hoyer
2591bf0807
chore(deps): rustls-pemfile 2 
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-02-15 10:23:29 +01:00
Harald Hoyer
89ffbd35a8
feat: initial commit 
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
 2024-02-09 10:10:53 +01:00