mirror of
https://github.com/matter-labs/teepot.git
synced 2025-07-21 07:03:56 +02:00
d0c5950c0e
It refactors the way the SGX containers are built. This removes all `Dockerfile` and gramine manifest files. It also enables a single recipe for azure and non-azure variants. Additionally the `teepot-crate.nix` is now the inherited recipe to build the rust `teepot` crate. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
3.3 KiB
3.3 KiB
self-attestation-test
Optionally build and load the containers (remove the matterlabsrobot/ repo from the commands below then)
$ nix build -L .#container-verify-attestation-sgx && docker load -i result
$ nix build -L .#container-self-attestation-test-sgx-dcap && docker load -i result
$ nix build -L .#container-self-attestation-test-sgx-azure && docker load -i result
Azure DCAP
❯ docker run -i --init --rm --privileged --device /dev/sgx_enclave \
matterlabsrobot/teepot-self-attestation-test-sgx-azure:latest \
| base64 -d --ignore-garbage \
| docker run -i --rm matterlabsrobot/verify-attestation-sgx:latest
aesm_service: warning: Turn to daemon. Use "--no-daemon" option to execute in foreground.
Gramine is starting. Parsing TOML manifest file, this may take some time...
Verifying quote (4734 bytes)...
Quote verification result: SwHardeningNeeded: Software hardening is needed
Info: Advisory ID: INTEL-SA-00615
Quote verified successfully: SwHardeningNeeded: Software hardening is needed
mrsigner: c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d
mrenclave: 31a0d51ee410ed6db18ebfb181ba0b2fa0d2062a38d6b955b73b3e9cfb8336bd
reportdata: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Normal DCAP
❯ docker run -i --init --rm --privileged --device /dev/sgx_enclave \
matterlabsrobot/teepot-self-attestation-test-sgx-dcap:latest \
| base64 -d --ignore-garbage \
| docker run -i --rm matterlabsrobot/verify-attestation-sgx:latest
aesm_service: warning: Turn to daemon. Use "--no-daemon" option to execute in foreground.
Gramine is starting. Parsing TOML manifest file, this may take some time...
Verifying quote (4730 bytes)...
Quote verified successfully: Ok
mrsigner: c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d
mrenclave: 7ffe70789261a51769f50e129bfafb2aafe91a4e17c3f0d52839006777c652f6
reportdata: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
On an outdated machine, this might look like this:
❯ docker run -i --init --rm --privileged --device /dev/sgx_enclave \
matterlabsrobot/teepot-self-attestation-test-sgx-dcap:latest \
| base64 -d --ignore-garbage \
| docker run -i --rm matterlabsrobot/verify-attestation-sgx:latest
aesm_service: warning: Turn to daemon. Use "--no-daemon" option to execute in foreground.
Gramine is starting. Parsing TOML manifest file, this may take some time...
Verifying quote (4600 bytes)...
Quote verification result: OutOfDate: Firmware needs to be updated
Info: Advisory ID: INTEL-SA-00614
Info: Advisory ID: INTEL-SA-00617
Info: Advisory ID: INTEL-SA-00289
Info: Advisory ID: INTEL-SA-00657
Info: Advisory ID: INTEL-SA-00767
Info: Advisory ID: INTEL-SA-00828
Info: Advisory ID: INTEL-SA-00615
Quote verified successfully: OutOfDate: Firmware needs to be updated
mrsigner: c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d
mrenclave: 7ffe70789261a51769f50e129bfafb2aafe91a4e17c3f0d52839006777c652f6
reportdata: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000