Nix, crates and tools for TEE handling
Harald Hoyer 81d4077a6e
chore(deps): cargo update
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2024-05-21 13:26:29 +02:00
.github chore(deps): update actions/checkout digest to a5ac7e5 2024-05-21 11:07:53 +00:00
assets feat: attestation test on azure and default dcap 2024-03-07 16:05:27 +01:00
bin fix typos 2024-03-18 22:22:31 +08:00
crates chore: Release 2024-03-12 15:23:51 +01:00
examples fix typos 2024-03-18 22:22:31 +08:00
packages fix(deps): use craneLib.removeReferencesToVendoredSources 2024-04-09 09:08:07 +02:00
shells/teepot chore: cleanup and nixify 2024-02-28 11:09:34 +01:00
.dockerignore feat: initial commit 2024-02-09 10:10:53 +01:00
.gitignore feat: initial commit 2024-02-09 10:10:53 +01:00
Cargo.lock chore(deps): cargo update 2024-05-21 13:26:29 +02:00
Cargo.toml chore(deps): update rust crate thiserror to 1.0.59 2024-04-29 09:50:50 +00:00
deny.toml ci: use crane flake to build with nix 2024-03-11 10:01:59 +01:00
flake.lock chore(deps): flake update 2024-05-21 12:23:43 +02:00
flake.nix fix(flake): follow the inputs of nixsgx 2024-03-27 16:47:23 +01:00
LICENSE-APACHE feat: initial commit 2024-02-09 10:10:53 +01:00
LICENSE-MIT feat: initial commit 2024-02-09 10:10:53 +01:00
README.md docs: update README.md 2024-03-11 12:39:03 +01:00
rust-toolchain.toml feat: initial commit 2024-02-09 10:10:53 +01:00
taplo.toml chore(taplo): ignore some directories 2024-02-28 09:53:05 +01:00

teepot

Key Value store in a TEE with Remote Attestation for Authentication

Introduction

This project is a key-value store that runs in a Trusted Execution Environment (TEE) and uses Remote Attestation for Authentication. The key-value store is implemented using Hashicorp Vault running in an Intel SGX enclave via the Gramine runtime.

Parts of this project

  • teepot: The main Rust crate that abstracts TEEs and key-value stores.
  • tee-vault-unseal: An enclave that uses the Vault API to unseal a vault as a proxy.
  • vault-unseal: A client utility that talks to tee-vault-unseal to unseal a vault.
  • tee-vault-admin: An enclave that uses the Vault API to administer a vault as a proxy.
  • vault-admin: A client utility that talks to tee-vault-admin to administer a vault.
  • teepot-read: A pre-exec utility that reads from the key-value store and passes the key-value pairs as environment variables to the enclave.
  • teepot-write: A pre-exec utility that reads key-value pairs from the environment variables and writes them to the key-value store.
  • verify-attestation: A client utility that verifies the attestation of an enclave.
  • tee-key-preexec: A pre-exec utility that generates a P-256 secret key and passes it as an environment variable to the enclave, along with the attestation quote containing the hash of the public key.
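The tee-key-preexec and verify-attestation components together form a key-binding check: a client may only trust a P-256 public key handed out by an enclave if the attestation quote was produced by the expected enclave measurement and its REPORT_DATA field carries the hash of that key. The following is an added example, not teepot's own code, showing that check over the SGX DCAP quote layout (48-byte header followed by the 384-byte report body, with MRENCLAVE at body offset 64, MRSIGNER at 128 and the 64-byte REPORT_DATA at 320). It assumes the hash is SHA-256 of the SEC1-encoded public key left-justified in REPORT_DATA and zero-padded; the page states only that "the hash of the public key" is embedded, so the exact encoding is an assumption. The quote bytes and the public key are constructed for the example, and the expected measurement is the one printed by the container build further down this page. Verifying the quote's ECDSA signature and PCK certificate chain is a separate step that is not shown.

```python
"""Check that an SGX DCAP quote binds an enclave's P-256 public key.

Added example (not teepot's own code). It mirrors the checks a client
like verify-attestation must perform before trusting a key produced by
tee-key-preexec: MRENCLAVE equals the expected measurement and
REPORT_DATA carries the hash of the public key.
"""
import hashlib
import hmac

# SGX DCAP quote layout (byte offsets): 48-byte header, then the
# 384-byte SGX report body. Offsets below are inside the report body.
QUOTE_HEADER_LEN = 48
REPORT_BODY_LEN = 384
MR_ENCLAVE_OFF = 64    # 32 bytes
MR_SIGNER_OFF = 128    # 32 bytes
REPORT_DATA_OFF = 320  # 64 bytes

# Measurement printed by the container build on this page; used here as
# the MRENCLAVE the client expects.
EXPECTED_MRENCLAVE = bytes.fromhex(
    "96602d8ae60673b3c44b6198b4b5f728480b1f00e9d48e7d3979cf1cf075bb5d"
)

# Constructed placeholder for a 65-byte uncompressed SEC1 P-256 public key
# (0x04 || X || Y). It is not a real curve point.
SAMPLE_PUBKEY = b"\x04" + bytes(range(1, 65))


def parse_report_body(quote: bytes) -> dict:
    """Extract MRENCLAVE, MRSIGNER and REPORT_DATA from a DCAP quote."""
    if len(quote) < QUOTE_HEADER_LEN + REPORT_BODY_LEN:
        raise ValueError("quote too short to contain an SGX report body")
    body = quote[QUOTE_HEADER_LEN:QUOTE_HEADER_LEN + REPORT_BODY_LEN]
    return {
        "mr_enclave": body[MR_ENCLAVE_OFF:MR_ENCLAVE_OFF + 32],
        "mr_signer": body[MR_SIGNER_OFF:MR_SIGNER_OFF + 32],
        "report_data": body[REPORT_DATA_OFF:REPORT_DATA_OFF + 64],
    }


def expected_report_data(pubkey_sec1: bytes) -> bytes:
    """Assumed encoding: SHA-256(public key) zero-padded to 64 bytes."""
    return hashlib.sha256(pubkey_sec1).digest() + bytes(32)


def key_is_bound(quote: bytes, pubkey_sec1: bytes, expected_mrenclave: bytes) -> bool:
    """True only if the quote names the expected enclave and binds the key."""
    fields = parse_report_body(quote)
    # Wrong enclave code: a key from some other enclave must never be trusted.
    if not hmac.compare_digest(fields["mr_enclave"], expected_mrenclave):
        return False
    # Key not committed in the quote: the quote could belong to another key.
    return hmac.compare_digest(fields["report_data"], expected_report_data(pubkey_sec1))


def build_sample_quote(mr_enclave: bytes, pubkey_sec1: bytes) -> bytes:
    """Constructed quote for testing: header + report body with only the
    fields this check reads filled in; everything else is zero."""
    header = bytearray(QUOTE_HEADER_LEN)
    header[0:2] = (3).to_bytes(2, "little")  # quote version 3 (DCAP)
    body = bytearray(REPORT_BODY_LEN)
    body[MR_ENCLAVE_OFF:MR_ENCLAVE_OFF + 32] = mr_enclave
    body[REPORT_DATA_OFF:REPORT_DATA_OFF + 64] = expected_report_data(pubkey_sec1)
    return bytes(header) + bytes(body)


if __name__ == "__main__":
    good = build_sample_quote(EXPECTED_MRENCLAVE, SAMPLE_PUBKEY)
    print("bound:", key_is_bound(good, SAMPLE_PUBKEY, EXPECTED_MRENCLAVE))
    other_enclave = build_sample_quote(bytes(32), SAMPLE_PUBKEY)
    print("other enclave:", key_is_bound(other_enclave, SAMPLE_PUBKEY, EXPECTED_MRENCLAVE))
```

The two comparisons are deliberately separate: matching MRENCLAVE proves which code produced the quote, and matching REPORT_DATA proves that code committed to this particular key. Either check alone lets a valid quote be replayed with a different key or a different enclave.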

Development

Prerequisites

Install nix.

In ~/.config/nix/nix.conf

experimental-features = nix-command flakes

or, on NixOS, add the following lines to /etc/nixos/configuration.nix:

{
  nix = {
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
  };
}

Optionally install cachix (to save build time) and use the nixsgx cache:

$ nix-env -iA cachix -f https://cachix.org/api/v1/install
$ cachix use nixsgx

Develop

$ nix develop --impure

Optionally, create .envrc so that direnv loads the environment automatically when entering the directory:

$ cat <<EOF > .envrc
use flake .#teepot
EOF
$ direnv allow

Format for commit

$ nix run .#fmt

Build as the CI would

$ nix run nixpkgs#ci

Build and test individual container

See the packages directory for the available packages.

$ nix build -L .#container-vault-sgx-azure
$ docker load -i result
$ docker build --progress plain --no-cache -f packages/container-vault-sgx-azure/Dockerfile -t vault-sgx-azure:latest .
[...]
#8 5.966 Measurement:
#8 5.966     96602d8ae60673b3c44b6198b4b5f728480b1f00e9d48e7d3979cf1cf075bb5d
[...]