mirror of https://github.com/matter-labs/teepot.git synced 2025-07-21 15:13:56 +02:00

Nix, crates and tools for TEE handling

Find a file

Harald Hoyer 88206f0f84 fix(flake): follow the inputs of nixsgx preventing any cache mismatches Signed-off-by: Harald Hoyer <harald@matterlabs.dev>		2024-03-27 16:47:23 +01:00
.github	ci: use `crane` flake to build with nix	2024-03-11 10:01:59 +01:00
assets	feat: attestation test on azure and default dcap	2024-03-07 16:05:27 +01:00
bin	fix typos	2024-03-18 22:22:31 +08:00
crates	chore: Release	2024-03-12 15:23:51 +01:00
examples	fix typos	2024-03-18 22:22:31 +08:00
packages	feat: add `fmt` nix package	2024-03-11 12:39:02 +01:00
shells/teepot	chore: cleanup and nixify	2024-02-28 11:09:34 +01:00
.dockerignore	feat: initial commit	2024-02-09 10:10:53 +01:00
.gitignore	feat: initial commit	2024-02-09 10:10:53 +01:00
Cargo.lock	chore(deps): update rust crate bytemuck to 1.15.0	2024-03-13 08:10:13 +00:00
Cargo.toml	chore: strip release executables by default	2024-03-14 10:47:42 +01:00
deny.toml	ci: use `crane` flake to build with nix	2024-03-11 10:01:59 +01:00
flake.lock	fix(flake): follow the inputs of nixsgx	2024-03-27 16:47:23 +01:00
flake.nix	fix(flake): follow the inputs of nixsgx	2024-03-27 16:47:23 +01:00
LICENSE-APACHE	feat: initial commit	2024-02-09 10:10:53 +01:00
LICENSE-MIT	feat: initial commit	2024-02-09 10:10:53 +01:00
README.md	docs: update README.md	2024-03-11 12:39:03 +01:00
rust-toolchain.toml	feat: initial commit	2024-02-09 10:10:53 +01:00
taplo.toml	chore(taplo): ignore some directories	2024-02-28 09:53:05 +01:00

README.md

teepot

Key Value store in a TEE with Remote Attestation for Authentication

Introduction

This project is a key-value store that runs in a Trusted Execution Environment (TEE) and uses Remote Attestation for Authentication. The key-value store is implemented using Hashicorp Vault running in an Intel SGX enclave via the Gramine runtime.

Parts of this project

teepot: The main rust crate that abstracts TEEs and key-value stores.
tee-vault-unseal: An enclave that uses the Vault API to unseal a vault as a proxy.
vault-unseal: A client utility, that talks to tee-vault-unseal to unseal a vault.
tee-vault-admin: An enclave that uses the Vault API to administer a vault as a proxy.
vault-admin: A client utility, that talks to tee-vault-admin to administer a vault.
teepot-read : A pre-exec utility that reads from the key-value store and passes the key-value pairs as environment variables to the enclave.
teepot-write : A pre-exec utility that reads key-values from the environment variables and writes them to the key-value store.
verify-attestation: A client utility that verifies the attestation of an enclave.
tee-key-preexec: A pre-exec utility that generates a p256 secret key and passes it as an environment variable to the enclave along with the attestation quote containing the hash of the public key.

Development

Prerequisites

Install nix.

In ~/.config/nix/nix.conf

experimental-features = nix-command flakes

or on nixos in /etc/nixos/configuration.nix add the following lines:

{
  nix = {
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
  };
}

Optionally install cachix (to save build time) and use the nixsgx cache:

$ nix-env -iA cachix -f https://cachix.org/api/v1/install
$ cachix use nixsgx

Develop

$ nix develop --impure

optionally create .envrc for direnv to automatically load the environment when entering the directory:

$ cat <<EOF > .envrc
use flake .#teepot
EOF
$ direnv allow

Format for commit

$ nix run .#fmt

Build as the CI would

$ nix run nixpgks#ci

Build and test individual container

See the packages directory for the available packages.

$ nix build -L .#container-vault-sgx-azure
$ docker load -i result
$ docker build --progress plain --no-cache -f packages/container-vault-sgx-azure/Dockerfile -t vault-sgx-azure:latest  .
[...]
#8 5.966 Measurement:
#8 5.966     96602d8ae60673b3c44b6198b4b5f728480b1f00e9d48e7d3979cf1cf075bb5d
[...]