mirror of
https://github.com/matter-labs/vault-auth-tee.git
synced 2025-07-21 07:43:57 +02:00
Hashicorp Vault plugin for authenticating Trusted Execution Environments (TEE) like SGX enclaves
c9e4f6d9db
[](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [trufflesecurity/trufflehog](https://togithub.com/trufflesecurity/trufflehog) | action | minor | `v3.68.5` -> `v3.69.0` | --- ### Release Notes <details> <summary>trufflesecurity/trufflehog (trufflesecurity/trufflehog)</summary> ### [`v3.69.0`](https://togithub.com/trufflesecurity/trufflehog/releases/tag/v3.69.0) [Compare Source](https://togithub.com/trufflesecurity/trufflehog/compare/v3.68.5...v3.69.0) #### What's Changed - add version to extra data + moving existing versioned detectors into subdirectory format by [@​0x1](https://togithub.com/0x1) in [https://github.com/trufflesecurity/trufflehog/pull/2471](https://togithub.com/trufflesecurity/trufflehog/pull/2471) - fix(deps): update module github.com/launchdarkly/go-server-sdk/v6 to v7 by [@​renovate](https://togithub.com/renovate) in [https://github.com/trufflesecurity/trufflehog/pull/2499](https://togithub.com/trufflesecurity/trufflehog/pull/2499) - fix(deps): update module github.com/golang-jwt/jwt/v4 to v5 by [@​renovate](https://togithub.com/renovate) in [https://github.com/trufflesecurity/trufflehog/pull/2535](https://togithub.com/trufflesecurity/trufflehog/pull/2535) - fix(deps): update module github.com/charmbracelet/lipgloss to v0.10.0 by [@​renovate](https://togithub.com/renovate) in [https://github.com/trufflesecurity/trufflehog/pull/2542](https://togithub.com/trufflesecurity/trufflehog/pull/2542) - fix(deps): update module github.com/aws/aws-sdk-go to v1.50.34 by [@​renovate](https://togithub.com/renovate) in [https://github.com/trufflesecurity/trufflehog/pull/2541](https://togithub.com/trufflesecurity/trufflehog/pull/2541) - fix(deps): update module golang.org/x/crypto to v0.21.0 by [@​renovate](https://togithub.com/renovate) in [https://github.com/trufflesecurity/trufflehog/pull/2544](https://togithub.com/trufflesecurity/trufflehog/pull/2544) - fix(deps): update module github.com/xanzy/go-gitlab to v0.99.0 by [@​renovate](https://togithub.com/renovate) in [https://github.com/trufflesecurity/trufflehog/pull/2543](https://togithub.com/trufflesecurity/trufflehog/pull/2543) - fix(deps): update module golang.org/x/oauth2 to v0.18.0 by [@​renovate](https://togithub.com/renovate) in [https://github.com/trufflesecurity/trufflehog/pull/2546](https://togithub.com/trufflesecurity/trufflehog/pull/2546) - fix(deps): update module google.golang.org/api to v0.169.0 by [@​renovate](https://togithub.com/renovate) in [https://github.com/trufflesecurity/trufflehog/pull/2547](https://togithub.com/trufflesecurity/trufflehog/pull/2547) - Canary verification by [@​joeleonjr](https://togithub.com/joeleonjr) in [https://github.com/trufflesecurity/trufflehog/pull/2531](https://togithub.com/trufflesecurity/trufflehog/pull/2531) - fix(deps): update testcontainers-go monorepo to v0.29.1 by [@​renovate](https://togithub.com/renovate) in [https://github.com/trufflesecurity/trufflehog/pull/2549](https://togithub.com/trufflesecurity/trufflehog/pull/2549) - fix(deps): update module google.golang.org/protobuf to v1.33.0 by [@​renovate](https://togithub.com/renovate) in [https://github.com/trufflesecurity/trufflehog/pull/2548](https://togithub.com/trufflesecurity/trufflehog/pull/2548) **Full Changelog**: https://github.com/trufflesecurity/trufflehog/compare/v3.68.5...v3.69.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/matter-labs/vault-auth-tee). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yMzAuMCIsInVwZGF0ZWRJblZlciI6IjM3LjIzMC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> |
||
|---|---|---|
| .github | ||
| cmd/vault-auth-tee | ||
| packages | ||
| shells/vault-auth-tee | ||
| test-fixtures/keys | ||
| .gitignore | ||
| backend.go | ||
| backend_test.go | ||
| CONTRIBUTING.md | ||
| Dockerfile | ||
| flake.lock | ||
| flake.nix | ||
| go.mod | ||
| go.sum | ||
| LICENSE | ||
| path_info.go | ||
| path_login.go | ||
| path_login_test.go | ||
| path_tees.go | ||
| README.md | ||
| renovate.json | ||
| roughntstime.go | ||
| SECURITY.md | ||
| sgxquote.go | ||
| sgxquote_test.go | ||
| test_responder.go | ||
| version.go | ||
vault-auth-tee
TEE remote attestation plugin for Hashicorp Vault
⚠️☢️☣️ WARNING: not yet for production use ☣️☢️⚠️
License
All of the code is licensed under the Mozilla Public License 2.0 unless otherwise specified.
Most of the vault plugin code is based on the vault builtin/credential/cert plugin.
Build Setup
$ wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -
$ sudo bash -c 'echo "deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list'
$ sudo apt update
$ sudo apt install -y --no-install-recommends \
libsgx-headers \
libsgx-enclave-common \
libsgx-urts \
libsgx-dcap-quote-verify \
libsgx-dcap-quote-verify-dev
Configuration
Create or Update via the ${plugin}/tees/$name endpoint
{
"name": "TEE_role_name",
"token_policies": "policy1,policy2,...",
"types": "sgx",
"sgx_mrsigner": "298037d88782e022e019b3020745b78aa40ed95c77da4bf7f3253d3a44c4fd7e",
"sgx_mrenclave": "18946b3547d3ca036f4df7b516857e28fd512d69fed3411dc660537912faabf8",
"sgx_isv_prodid": 0,
"sgx_min_isv_svn": 0,
"sgx_allowed_tcb_levels": "Ok,ConfigNeeded,OutOfDate,OutOfDateConfigNeeded,SwHardeningNeeded,ConfigAndSwHardeningNeeded"
}
- At least one of
sgx_mrsignerorsgx_mrenclavemust be set. If both are set, both are used for matching. sgx_isv_prodidis optional and defaults to0.sgx_min_isv_svnis optional and defaults to0.sgx_allowed_tcb_levelsis optional and defaults toOk.
Authentication
- Client TEE generates a self-signed TLS client certificate
- Client TEE generates an attestation report, which includes the hash of the public key of the client certificate (in case of SGX, a sha256 sum of the public key)
- Client TEE fetches all collateral material via e.g. Intel DCAP (
tee_qv_get_collateral) - Client TEE sends POST request with a TLS connection using the client certificate
to Vault via the
${plugin}/loginendpoint with the name, attestation report and the attestation collateral material - An optional challenge can be included in the POST request, which is then included in the attestation report of the vault response
{
"name": "The name of the TEE role to authenticate against.",
"quote": "The quote Base64 encoded.",
"collateral": "The collateral Json string encoded.",
"challenge": "An optional challenge hex encoded."
}
The response contains the Vault token and, if a challenge was included, the vault attestation report, which must contain the challenge bytes in the report_data of the quote.
{
"auth": {
"client_token": "The Vault token.",
"....": "...."
},
"data": {
"quote": "The vault quote Base64 encoded.",
"collateral": "The vault collateral Json string encoded."
}
}
Collateral Json encoding
{
"major_version": uint16,
"minor_version": uint16,
"tee_type": uint32,
"pck_crl_issuer_chain": []byte,
"root_ca_crl": []byte,
"pck_crl": []byte,
"tcb_info_issuer_chain": []byte,
"tcb_info": []byte,
"qe_identity_issuer_chain": []byte,
"qe_identity": []byte
}