feat: tee quote endpoint #588
Conversation
crates/notary/server/Cargo.toml
Outdated
| @@ -44,3 +47,4 @@ tracing = { workspace = true } | |||
| tracing-subscriber = { workspace = true, features = ["env-filter"] } | |||
| uuid = { workspace = true, features = ["v4", "fast-rng"] } | |||
| ws_stream_tungstenite = { workspace = true, features = ["tokio_io"] } | |||
| sgx-dcap-ql-rs = { git = "https://github.com/intel/SGXDataCenterAttestationPrimitives", tag = "DCAP_1.21", optional = true } | |||
There was a problem hiding this comment.
nice find! can we leave a comment here on why we choose this repo instead of the other listed in https://github.com/intel/linux-sgx?tab=readme-ov-file#introduction? just for future reference :)
There was a problem hiding this comment.
| sgx-dcap-ql-rs = { git = "https://github.com/intel/SGXDataCenterAttestationPrimitives", tag = "DCAP_1.21", optional = true } | |
| sgx-dcap-ql-rs = { git = "https://github.com/intel/SGXDataCenterAttestationPrimitives", tag = "DCAP_1.21", optional = true } |
There was a problem hiding this comment.
nice find! can we leave a comment here on why we choose this repo instead of the other listed in https://github.com/intel/linux-sgx?tab=readme-ov-file#introduction? just for future reference :)
Which other libs? The other things mentioned at your link are a kernel module for older versions of Linux, a patched openssl impl, a k8s gadget, etc
There was a problem hiding this comment.
nice find! can we leave a comment here on why we choose this repo instead of the other listed in https://github.com/intel/linux-sgx?tab=readme-ov-file#introduction? just for future reference :)
Which other libs? The other things mentioned at your link are a kernel module for older versions of Linux, a patched openssl impl, a k8s gadget, etc
not referring to any specific one, but just thought a comment in the Cargo.toml explaining why we picked this SGXDataCenterAttestationPrimitives repo will be informative
crates/notary/server/src/tee.rs
Outdated
| ) -> Result<Option<Vec<u8>>, quote3_error_t> { | ||
| let sgx_report: sgx_report_t = Default::default(); | ||
|
|
||
| let (result, sgx_quote) = sgx_dcap_ql_rs::sgx_qe_get_quote(&sgx_report); |
There was a problem hiding this comment.
question: does this sgx library have async ability?
| exit 0 | ||
| - name: ✨ fet quotech from gh, write it to runner | ||
| run: | | ||
| curl -L -H "Accept: application/vnd.github+json" -H "Authorization: Bearer ${{ secrets.PAT_SET_ENV }}" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/$GITHUB_REPOSITORY/environments/TEE/variables/AZURE_TEE_BUILD_PORT > /home/runner/work/_temp/sgx-build-quote.txt |
There was a problem hiding this comment.
Why curl here? This is running on GH, so I assume you have direct access to AZURE_TEE_BUILD_PORT
|
|
…ware for quote gen
tmp ssh ci script to build --feature tee_quote on azure SGX hardware
uses ssh keys due to delay in keys needed, will remove this in favor of direct azure integration horrible bash scripting
maceip
force-pushed
the
quote-presentation
branch
from
e5f2f3c
to
728f2b7
Compare
sgx only, default report data