mirror of
https://github.com/matter-labs/vault-auth-tee.git
synced 2025-07-21 07:43:57 +02:00
Hashicorp Vault plugin for authenticating Trusted Execution Environments (TEE) like SGX enclaves
059a2cba53
[](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [trufflesecurity/trufflehog](https://togithub.com/trufflesecurity/trufflehog) | action | patch | `v3.71.1` -> `v3.71.2` | --- ### Release Notes <details> <summary>trufflesecurity/trufflehog (trufflesecurity/trufflehog)</summary> ### [`v3.71.2`](https://togithub.com/trufflesecurity/trufflehog/releases/tag/v3.71.2) [Compare Source](https://togithub.com/trufflesecurity/trufflehog/compare/v3.71.1...v3.71.2) #### What's Changed - Link to GitHub contribution guide in CONTRIBUTING by [@​rosecodym](https://togithub.com/rosecodym) in [https://github.com/trufflesecurity/trufflehog/pull/2632](https://togithub.com/trufflesecurity/trufflehog/pull/2632) - Fixing nitro check by [@​dylanTruffle](https://togithub.com/dylanTruffle) in [https://github.com/trufflesecurity/trufflehog/pull/2631](https://togithub.com/trufflesecurity/trufflehog/pull/2631) - fix(deps): update module google.golang.org/api to v0.172.0 by [@​renovate](https://togithub.com/renovate) in [https://github.com/trufflesecurity/trufflehog/pull/2634](https://togithub.com/trufflesecurity/trufflehog/pull/2634) - make postman source public by [@​zricethezav](https://togithub.com/zricethezav) in [https://github.com/trufflesecurity/trufflehog/pull/2635](https://togithub.com/trufflesecurity/trufflehog/pull/2635) **Full Changelog**: https://github.com/trufflesecurity/trufflehog/compare/v3.71.1...v3.71.2 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/matter-labs/vault-auth-tee). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yNjkuMiIsInVwZGF0ZWRJblZlciI6IjM3LjI2OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> |
||
|---|---|---|
| .github | ||
| cmd/vault-auth-tee | ||
| packages | ||
| shells/vault-auth-tee | ||
| test-fixtures/keys | ||
| .gitignore | ||
| backend.go | ||
| backend_test.go | ||
| CONTRIBUTING.md | ||
| Dockerfile | ||
| flake.lock | ||
| flake.nix | ||
| go.mod | ||
| go.sum | ||
| LICENSE | ||
| path_info.go | ||
| path_login.go | ||
| path_login_test.go | ||
| path_tees.go | ||
| README.md | ||
| renovate.json | ||
| roughntstime.go | ||
| SECURITY.md | ||
| sgxquote.go | ||
| sgxquote_test.go | ||
| test_responder.go | ||
| version.go | ||
vault-auth-tee
TEE remote attestation plugin for Hashicorp Vault
Disclaimer
This plugin has not yet received an audit. Use at your own risk.
License
All of the code is licensed under the Mozilla Public License 2.0 unless otherwise specified.
Most of the vault plugin code is based on the vault builtin/credential/cert plugin.
Build Setup
$ wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -
$ sudo bash -c 'echo "deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list'
$ sudo apt update
$ sudo apt install -y --no-install-recommends \
libsgx-headers \
libsgx-enclave-common \
libsgx-urts \
libsgx-dcap-quote-verify \
libsgx-dcap-quote-verify-dev
Configuration
Create or Update via the ${plugin}/tees/$name endpoint
{
"name": "TEE_role_name",
"token_policies": "policy1,policy2,...",
"types": "sgx",
"sgx_mrsigner": "298037d88782e022e019b3020745b78aa40ed95c77da4bf7f3253d3a44c4fd7e",
"sgx_mrenclave": "18946b3547d3ca036f4df7b516857e28fd512d69fed3411dc660537912faabf8",
"sgx_isv_prodid": 0,
"sgx_min_isv_svn": 0,
"sgx_allowed_tcb_levels": "Ok,ConfigNeeded,OutOfDate,OutOfDateConfigNeeded,SwHardeningNeeded,ConfigAndSwHardeningNeeded"
}
- At least one of
sgx_mrsignerorsgx_mrenclavemust be set. If both are set, both are used for matching. sgx_isv_prodidis optional and defaults to0.sgx_min_isv_svnis optional and defaults to0.sgx_allowed_tcb_levelsis optional and defaults toOk.
Authentication
- Client TEE generates a self-signed TLS client certificate
- Client TEE generates an attestation report, which includes the hash of the public key of the client certificate (in case of SGX, a sha256 sum of the public key)
- Client TEE fetches all collateral material via e.g. Intel DCAP (
tee_qv_get_collateral) - Client TEE sends POST request with a TLS connection using the client certificate
to Vault via the
${plugin}/loginendpoint with the name, attestation report and the attestation collateral material - An optional challenge can be included in the POST request, which is then included in the attestation report of the vault response
{
"name": "The name of the TEE role to authenticate against.",
"quote": "The quote Base64 encoded.",
"collateral": "The collateral Json string encoded.",
"challenge": "An optional challenge hex encoded."
}
The response contains the Vault token and, if a challenge was included, the vault attestation report, which must contain the challenge bytes in the report_data of the quote.
{
"auth": {
"client_token": "The Vault token.",
"....": "...."
},
"data": {
"quote": "The vault quote Base64 encoded.",
"collateral": "The vault collateral Json string encoded."
}
}
Collateral Json encoding
{
"major_version": uint16,
"minor_version": uint16,
"tee_type": uint32,
"pck_crl_issuer_chain": []byte,
"root_ca_crl": []byte,
"pck_crl": []byte,
"tcb_info_issuer_chain": []byte,
"tcb_info": []byte,
"qe_identity_issuer_chain": []byte,
"qe_identity": []byte
}