mirror of
https://github.com/matter-labs/teepot.git
synced 2025-07-21 15:13:56 +02:00
Nix, crates and tools for TEE handling
f1b8a48a6a
The previous cacert expired. A new one was created and also included in the unseal container. The path to access the cacert was fixed in the unseal app and made configurable via an environment variable. |
||
|---|---|---|
| .github | ||
| assets | ||
| bin | ||
| crates | ||
| examples | ||
| packages | ||
| shells/teepot | ||
| .dockerignore | ||
| .gitignore | ||
| Cargo.lock | ||
| Cargo.toml | ||
| deny.toml | ||
| flake.lock | ||
| flake.nix | ||
| LICENSE-APACHE | ||
| LICENSE-MIT | ||
| README.md | ||
| rust-toolchain.toml | ||
| taplo.toml | ||
| teepot-crate.nix | ||
teepot
Key Value store in a TEE with Remote Attestation for Authentication
Introduction
This project is a key-value store that runs in a Trusted Execution Environment (TEE) and uses Remote Attestation for Authentication. The key-value store is implemented using Hashicorp Vault running in an Intel SGX enclave via the Gramine runtime.
Parts of this project
teepot: The main rust crate that abstracts TEEs and key-value stores.tee-vault-unseal: An enclave that uses the Vault API to unseal a vault as a proxy.vault-unseal: A client utility, that talks totee-vault-unsealto unseal a vault.tee-vault-admin: An enclave that uses the Vault API to administer a vault as a proxy.vault-admin: A client utility, that talks totee-vault-adminto administer a vault.teepot-read: A pre-exec utility that reads from the key-value store and passes the key-value pairs as environment variables to the enclave.teepot-write: A pre-exec utility that reads key-values from the environment variables and writes them to the key-value store.verify-attestation: A client utility that verifies the attestation of an enclave.tee-key-preexec: A pre-exec utility that generates a p256 secret key and passes it as an environment variable to the enclave along with the attestation quote containing the hash of the public key.
Development
Prerequisites
Install nix.
In ~/.config/nix/nix.conf
experimental-features = nix-command flakes
sandbox = true
or on nixos in /etc/nixos/configuration.nix add the following lines:
{
nix = {
extraOptions = ''
experimental-features = nix-command flakes
sandbox = true
'';
};
}
Develop
$ nix develop
optionally create .envrc for direnv to automatically load the environment when entering the directory:
$ cat <<EOF > .envrc
use flake .#teepot
EOF
$ direnv allow
Format for commit
$ nix run .#fmt
Build as the CI would
$ nix run github:nixos/nixpkgs/nixos-23.11#nixci
Build and test individual container
See the packages directory for the available packages and containers.
$ nix build -L .#container-self-attestation-test-sgx-azure
[...]
teepot-self-attestation-test-sgx-azure-manifest-app-customisation-layer> Measurement:
teepot-self-attestation-test-sgx-azure-manifest-app-customisation-layer> eaaabf210797606bcfde818a52e4a434fbf4f2e620d7edcc7025e3e1bbaa95c4
[...]
$ export IMAGE_TAG=$(docker load < result | grep -Po 'Loaded image.*: \K.*')
$ docker run -v $(pwd):/mnt -i --init --rm $IMAGE_TAG "cp app.sig /mnt"
$ nix shell github:matter-labs/nixsgx#gramine -c gramine-sgx-sigstruct-view app.sig
Attributes:
mr_signer: c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d
mr_enclave: eaaabf210797606bcfde818a52e4a434fbf4f2e620d7edcc7025e3e1bbaa95c4
isv_prod_id: 0
isv_svn: 0
debug_enclave: False