mirror of
				https://github.com/matter-labs/teepot.git
				synced 2025-10-25 04:24:05 +02:00 
			
		
		
		
	
				
				Nix, crates and tools for TEE handling
				
			
		|  2bbfb2415c - Introduced new types `Fmspc`, `CpuSvn`, and `Svn` for SGX metadata. - Added methods to extract raw certificate chains and FMSPC from SGX quotes. - Created new test file for validating FMSPC extraction with example quotes. Signed-off-by: Harald Hoyer <harald@matterlabs.dev> | ||
|---|---|---|
| .github | ||
| assets | ||
| bin | ||
| checks | ||
| crates | ||
| examples | ||
| lib | ||
| packages | ||
| shells/teepot | ||
| systems/x86_64-linux/tdxtest | ||
| .dockerignore | ||
| .gitignore | ||
| Cargo.lock | ||
| Cargo.toml | ||
| deny.toml | ||
| flake.lock | ||
| flake.nix | ||
| LICENSE-APACHE | ||
| LICENSE-MIT | ||
| README.md | ||
| rust-toolchain.toml | ||
| taplo.toml | ||
teepot
Parts of this project
teepot - lib
- teepot: The main rust crate that abstracts TEEs.- verify-attestation: A client utility that verifies the attestation of an enclave.
- tee-key-preexec: A pre-exec utility that generates a p256 secret key and passes it as an environment variable to the enclave along with the attestation quote containing the hash of the public key.
- tdx_google: A base VM running on Google Cloud TDX. It receives a container URL via the instance metadata, measures the sha384 of the URL to RTMR3 and launches the container.
- tdx-extend: A utility to extend an RTMR register with a hash value.
- rtmr-calc: A utility to calculate RTMR1 and RTMR2 from a GPT disk, the linux kernel, the linux initrd and a UKI (unified kernel image).
- sha384-extend: A utility to calculate RTMR registers after extending them with a digest.
 
Vault
Part of this project is a key-value store that runs in a Trusted Execution Environment (TEE) and uses Remote Attestation for Authentication. The key-value store is implemented using Hashicorp Vault running in an Intel SGX enclave via the Gramine runtime.
- teepot-vault: A crate lib with for the TEE key-value store components:- tee-vault-unseal: An enclave that uses the Vault API to unseal a vault as a proxy.
- vault-unseal: A client utility, that talks to- tee-vault-unsealto unseal a vault.
- tee-vault-admin: An enclave that uses the Vault API to administer a vault as a proxy.
- vault-admin: A client utility, that talks to- tee-vault-adminto administer a vault.
- teepot-read: A pre-exec utility that reads from the key-value store and passes the key-value pairs as environment variables to the enclave.
- teepot-write: A pre-exec utility that reads key-values from the environment variables and writes them to the key-value store.
 
Development
Prerequisites
Install nix.
In ~/.config/nix/nix.conf
experimental-features = nix-command flakes
sandbox = true
or on nixos in /etc/nixos/configuration.nix add the following lines:
{
  nix = {
    extraOptions = ''
      experimental-features = nix-command flakes
      sandbox = true
    '';
  };
}
Develop
$ nix develop
optionally create .envrc for direnv to automatically load the environment when entering the directory:
$ cat <<EOF > .envrc
use flake .#teepot
EOF
$ direnv allow
Format for commit
$ nix run .#fmt
Build as the CI would
$ nix run github:nixos/nixpkgs/nixos-24.11#nixci -- build
Build and test individual container
See the packages directory for the available packages and containers.
$ nix build -L .#container-self-attestation-test-sgx-azure
[...]
teepot-self-attestation-test-sgx-azure-manifest-app-customisation-layer> Measurement:
teepot-self-attestation-test-sgx-azure-manifest-app-customisation-layer>     eaaabf210797606bcfde818a52e4a434fbf4f2e620d7edcc7025e3e1bbaa95c4
[...]
$ export IMAGE_TAG=$(docker load < result | grep -Po 'Loaded image.*: \K.*')
$ docker run -v $(pwd):/mnt -i --init --rm $IMAGE_TAG "cp app.sig /mnt"
$ nix shell github:matter-labs/nixsgx#gramine -c gramine-sgx-sigstruct-view app.sig
Attributes:
    mr_signer: c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d
    mr_enclave: eaaabf210797606bcfde818a52e4a434fbf4f2e620d7edcc7025e3e1bbaa95c4
    isv_prod_id: 0
    isv_svn: 0
    debug_enclave: False
TDX VM testing
nixos-rebuild  -L --flake .#tdxtest build-vm && ./result/bin/run-tdxtest-vm