mirror of
https://github.com/matter-labs/teepot.git
synced 2025-07-21 15:13:56 +02:00
Nix, crates and tools for TEE handling
0654bacdb5
This enables to add cargo `fmt`, `clippy` and `deny` to nix, using cached results. Move the `teepot` crate to the `crates` subdir to make the life easier for the `crane` flake. Signed-off-by: Harald Hoyer <harald@matterlabs.dev> |
||
|---|---|---|
| .github | ||
| assets | ||
| bin | ||
| crates | ||
| examples | ||
| packages | ||
| shells/teepot | ||
| .dockerignore | ||
| .gitignore | ||
| Cargo.lock | ||
| Cargo.toml | ||
| deny.toml | ||
| flake.lock | ||
| flake.nix | ||
| LICENSE-APACHE | ||
| LICENSE-MIT | ||
| README.md | ||
| rust-toolchain.toml | ||
| taplo.toml | ||
teepot
Key Value store in a TEE with Remote Attestation for Authentication
Introduction
This project is a key-value store that runs in a Trusted Execution Environment (TEE) and uses Remote Attestation for Authentication. The key-value store is implemented using Hashicorp Vault running in an Intel SGX enclave via the Gramine runtime.
Parts of this project
teepot: The main rust crate that abstracts TEEs and key-value stores.tee-vault-unseal: An enclave that uses the Vault API to unseal a vault as a proxy.vault-unseal: A client utility, that talks totee-vault-unsealto unseal a vault.tee-vault-admin: An enclave that uses the Vault API to administer a vault as a proxy.vault-admin: A client utility, that talks totee-vault-adminto administer a vault.teepot-read: A pre-exec utility that reads from the key-value store and passes the key-value pairs as environment variables to the enclave.teepot-write: A pre-exec utility that reads key-values from the environment variables and writes them to the key-value store.verify-attestation: A client utility that verifies the attestation of an enclave.tee-key-preexec: A pre-exec utility that generates a p256 secret key and passes it as an environment variable to the enclave along with the attestation quote containing the hash of the public key.