mirror of
https://github.com/matter-labs/teepot.git
synced 2025-10-25 12:24:06 +02:00
4fcaaa7398
This PR introduces TEE Prover continuous mode with attestation policies.
Attestation policies are a set of criteria that determine whether an SGX
attestation should be considered valid or invalid. In practice, this
means checking against a specified set of mrsigners, mrenclaves, and TCB
levels. If the attestation’s mrenclave/mrsigner/TCB levels matches those
in the provided --sgx-mrenclaves/--sgx-mrsigners/--sgx-allowed-tcb-levels,
we treat the attestation as successfully verified. Otherwise, the
attestation is considered invalid.
The --continuous mode for the TEE Prover allows it to run continuously,
verifying new batches exposed by the node's RPC API in real-time.
To try it out, run the following commands:
$ nix build -L .#container-verify-era-proof-attestation-sgx
$ export IMAGE_TAG=$(docker load -i result | grep -Po 'Loaded image.*: \K.*')
$ docker run -i --init --rm $IMAGE_TAG --continuous 11505 --rpc https://sepolia.era.zksync.dev --sgx-allowed-tcb-levels Ok,SwHardeningNeeded --log-level debug
$ docker run -i --init --rm $IMAGE_TAG --batch 11509 --rpc https://sepolia.era.zksync.dev --sgx-allowed-tcb-levels Ok,SwHardeningNeeded --log-level debug
|
||
|---|---|---|
| .. | ||
| tee-key-preexec | ||
| tee-ratls-preexec | ||
| tee-self-attestation-test | ||
| tee-stress-client | ||
| tee-vault-admin | ||
| tee-vault-unseal | ||
| teepot-read | ||
| teepot-write | ||
| vault-admin | ||
| vault-unseal | ||
| verify-attestation | ||
| verify-era-proof-attestation | ||