mirror of
https://github.com/matter-labs/teepot.git
synced 2025-07-20 22:53:57 +02:00
Nix, crates and tools for TEE handling
bfd895e8f7
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [clap](https://redirect.github.com/clap-rs/clap) | workspace.dependencies | patch | `4.5.30` -> `4.5.38` | --- ### Release Notes <details> <summary>clap-rs/clap (clap)</summary> ### [`v4.5.38`](https://redirect.github.com/clap-rs/clap/blob/HEAD/CHANGELOG.md#4538---2025-05-11) [Compare Source](https://redirect.github.com/clap-rs/clap/compare/v4.5.37...v4.5.38) ##### Fixes - *(help)* When showing aliases, include leading `--` or `-` ### [`v4.5.37`](https://redirect.github.com/clap-rs/clap/blob/HEAD/CHANGELOG.md#4537---2025-04-18) [Compare Source](https://redirect.github.com/clap-rs/clap/compare/v4.5.36...v4.5.37) ##### Features - Added `ArgMatches::try_clear_id()` ### [`v4.5.36`](https://redirect.github.com/clap-rs/clap/blob/HEAD/CHANGELOG.md#4536---2025-04-11) [Compare Source](https://redirect.github.com/clap-rs/clap/compare/v4.5.35...v4.5.36) ##### Fixes - *(help)* Revert 4.5.35's "Don't leave space for shorts if there are none" for now ### [`v4.5.35`](https://redirect.github.com/clap-rs/clap/blob/HEAD/CHANGELOG.md#4535---2025-04-01) [Compare Source](https://redirect.github.com/clap-rs/clap/compare/v4.5.34...v4.5.35) ##### Fixes - *(help)* Align positionals and flags when put in the same `help_heading` - *(help)* Don't leave space for shorts if there are none ### [`v4.5.34`](https://redirect.github.com/clap-rs/clap/blob/HEAD/CHANGELOG.md#4534---2025-03-27) [Compare Source](https://redirect.github.com/clap-rs/clap/compare/v4.5.33...v4.5.34) ##### Fixes - *(help)* Don't add extra blank lines with `flatten_help(true)` and subcommands without arguments ### [`v4.5.33`](https://redirect.github.com/clap-rs/clap/blob/HEAD/CHANGELOG.md#4533---2025-03-26) [Compare Source](https://redirect.github.com/clap-rs/clap/compare/v4.5.32...v4.5.33) ##### Fixes - *(error)* When showing the usage of a suggestion for an unknown argument, don't show the group ### [`v4.5.32`](https://redirect.github.com/clap-rs/clap/blob/HEAD/CHANGELOG.md#4532---2025-03-10) [Compare Source](https://redirect.github.com/clap-rs/clap/compare/v4.5.31...v4.5.32) ##### Features - Add `Error::remove` ##### Documentation - *(cookbook)* Switch from `humantime` to `jiff` - *(tutorial)* Better cover required vs optional ##### Internal - Update `pulldown-cmark` ### [`v4.5.31`](https://redirect.github.com/clap-rs/clap/blob/HEAD/CHANGELOG.md#4531---2025-02-24) [Compare Source](https://redirect.github.com/clap-rs/clap/compare/v4.5.30...v4.5.31) ##### Features - Add `ValueParserFactory` for `Saturating<T>` </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/matter-labs/teepot). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4xNjQuMSIsInVwZGF0ZWRJblZlciI6IjQwLjE2LjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|---|---|---|
| .github | ||
| assets | ||
| bin | ||
| checks | ||
| crates | ||
| examples | ||
| lib | ||
| packages | ||
| shells/teepot | ||
| systems/x86_64-linux/tdxtest | ||
| .dockerignore | ||
| .gitignore | ||
| Cargo.lock | ||
| Cargo.toml | ||
| deny.toml | ||
| flake.lock | ||
| flake.nix | ||
| LICENSE-APACHE | ||
| LICENSE-MIT | ||
| README.md | ||
| rust-toolchain.toml | ||
| taplo.toml | ||
teepot
Parts of this project
teepot - lib
teepot: The main rust crate that abstracts TEEs.verify-attestation: A client utility that verifies the attestation of an enclave.tee-key-preexec: A pre-exec utility that generates a p256 secret key and passes it as an environment variable to the enclave along with the attestation quote containing the hash of the public key.tdx_google: A base VM running on Google Cloud TDX. It receives a container URL via the instance metadata, measures the sha384 of the URL to RTMR3 and launches the container.tdx-extend: A utility to extend an RTMR register with a hash value.rtmr-calc: A utility to calculate RTMR1 and RTMR2 from a GPT disk, the linux kernel, the linux initrd and a UKI (unified kernel image).sha384-extend: A utility to calculate RTMR registers after extending them with a digest.
Vault
Part of this project is a key-value store that runs in a Trusted Execution Environment (TEE) and uses Remote Attestation for Authentication. The key-value store is implemented using Hashicorp Vault running in an Intel SGX enclave via the Gramine runtime.
teepot-vault: A crate lib with for the TEE key-value store components:tee-vault-unseal: An enclave that uses the Vault API to unseal a vault as a proxy.vault-unseal: A client utility, that talks totee-vault-unsealto unseal a vault.tee-vault-admin: An enclave that uses the Vault API to administer a vault as a proxy.vault-admin: A client utility, that talks totee-vault-adminto administer a vault.teepot-read: A pre-exec utility that reads from the key-value store and passes the key-value pairs as environment variables to the enclave.teepot-write: A pre-exec utility that reads key-values from the environment variables and writes them to the key-value store.
Development
Prerequisites
Install nix.
In ~/.config/nix/nix.conf
experimental-features = nix-command flakes
sandbox = true
or on nixos in /etc/nixos/configuration.nix add the following lines:
{
nix = {
extraOptions = ''
experimental-features = nix-command flakes
sandbox = true
'';
};
}
Develop
$ nix develop
optionally create .envrc for direnv to automatically load the environment when entering the directory:
$ cat <<EOF > .envrc
use flake .#teepot
EOF
$ direnv allow
Format for commit
$ nix run .#fmt
Build as the CI would
$ nix run github:nixos/nixpkgs/nixos-24.11#nixci -- build
Build and test individual container
See the packages directory for the available packages and containers.
$ nix build -L .#container-self-attestation-test-sgx-azure
[...]
teepot-self-attestation-test-sgx-azure-manifest-app-customisation-layer> Measurement:
teepot-self-attestation-test-sgx-azure-manifest-app-customisation-layer> eaaabf210797606bcfde818a52e4a434fbf4f2e620d7edcc7025e3e1bbaa95c4
[...]
$ export IMAGE_TAG=$(docker load < result | grep -Po 'Loaded image.*: \K.*')
$ docker run -v $(pwd):/mnt -i --init --rm $IMAGE_TAG "cp app.sig /mnt"
$ nix shell github:matter-labs/nixsgx#gramine -c gramine-sgx-sigstruct-view app.sig
Attributes:
mr_signer: c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d
mr_enclave: eaaabf210797606bcfde818a52e4a434fbf4f2e620d7edcc7025e3e1bbaa95c4
isv_prod_id: 0
isv_svn: 0
debug_enclave: False
TDX VM testing
nixos-rebuild -L --flake .#tdxtest build-vm && ./result/bin/run-tdxtest-vm