From 623360c176441e2e0c25af2adc5519740af9cc29 Mon Sep 17 00:00:00 2001 From: peg Date: Wed, 20 May 2026 13:26:27 +0200 Subject: [PATCH 1/3] Experimental nitro support in attestation-provider-server --- Cargo.lock | 15 +++++++++++ Cargo.toml | 10 ++++---- attestation-provider-server/Cargo.toml | 1 + attestation-provider-server/src/lib.rs | 13 +++++++--- attestation-provider-server/src/main.rs | 33 +++++++++++++++++++++---- 5 files changed, 58 insertions(+), 14 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 84aae56..6d17492 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -236,6 +236,7 @@ dependencies = [ "parity-scale-codec", "reqwest", "tokio", + "tokio-vsock", "tracing", "tracing-subscriber", ] @@ -3966,6 +3967,20 @@ dependencies = [ "tokio", ] +[[package]] +name = "tokio-vsock" +version = "0.7.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8b319ef9394889dab2e1b4f0085b45ba11d0c79dc9d1a9d1afc057d009d0f1c7" +dependencies = [ + "axum", + "bytes", + "futures", + "libc", + "tokio", + "vsock", +] + [[package]] name = "toml_datetime" version = "0.7.3" diff --git a/Cargo.toml b/Cargo.toml index 7144059..332e1f9 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -11,10 +11,10 @@ repository = "https://github.com/flashbots/attested-tls-proxy"
 keywords = ["attested-TLS", "CVM", "TDX"]
 [dependencies]
-attested-tls = { git = "https://github.com/flashbots/attested-tls", branch = "main" }
-nested-tls = { git = "https://github.com/flashbots/attested-tls", branch = "main" }
-attestation = { git = "https://github.com/flashbots/attested-tls", branch = "main" }
-pccs = { git = "https://github.com/flashbots/attested-tls", branch = "main" }
+attested-tls = { git = "https://github.com/flashbots/attested-tls", branch = "peg/nitro" }
+nested-tls = { git = "https://github.com/flashbots/attested-tls", branch = "peg/nitro" }
+attestation = { git = "https://github.com/flashbots/attested-tls", branch = "peg/nitro" }
+pccs = { git = "https://github.com/flashbots/attested-tls", branch = "peg/nitro" }
 tokio = { version = "1.50.0", features = ["full"] }
 tokio-rustls = { version = "0.26.4", default-features = false, features = ["aws_lc_rs"] }
 x509-parser = { version = "0.18.0", features = ["verify"] }
@@ -49,7 +49,7 @@ pin-project-lite = "0.2.16"
 [dev-dependencies]
 tempfile = "3.23.0"
 tdx-quote = { version = "0.0.5", features = ["mock"] }
-attestation = { git = "https://github.com/flashbots/attested-tls", branch = "main", features = ["mock"] }
+attestation = { git = "https://github.com/flashbots/attested-tls", branch = "peg/nitro", features = ["mock"] }
 tokio = { version = "1.48.0", features = ["full"] }
 jsonrpsee = { version = "0.26.0", features = ["server"] }
diff --git a/attestation-provider-server/Cargo.toml b/attestation-provider-server/Cargo.toml
index f3f683b..841b613 100644
--- a/attestation-provider-server/Cargo.toml
+++ b/attestation-provider-server/Cargo.toml
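Review bot: All four attested-tls dependencies now follow `branch = "peg/nitro"`, a personal feature branch, so the source that gets built is whatever that branch points to at the next lockfile refresh; for the crates that implement attestation generation and verification that is a supply-chain pin worth tightening. Pinning with `rev = "<commit the lockfile resolves>"` (or merging the branch and returning to `main`) keeps the resolved source stable even if the branch is rebased or deleted. The same applies to the `attestation` dev-dependency in the second hunk.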
@@ -14,6 +14,7 @@ axum = "0.8.6"
 clap = { version = "4.5.51", features = ["derive", "env"] }
 anyhow = "1.0.100"
 hex = "0.4.3"
+tokio-vsock = { version = "0.7.2", features = ["axum08"] }
 tracing = "0.1.41"
 tracing-subscriber = { version = "0.3.20", features = ["env-filter", "json"] }
 parity-scale-codec = "3.7.5"
diff --git a/attestation-provider-server/src/lib.rs b/attestation-provider-server/src/lib.rs
index a7134c1..0a63ba9 100644
--- a/attestation-provider-server/src/lib.rs
+++ b/attestation-provider-server/src/lib.rs
@@ -3,13 +3,13 @@ use std::net::SocketAddr;
 use anyhow::anyhow;
 use attested_tls_proxy::attestation::{AttestationExchangeMessage, AttestationVerifier};
+use axum::serve::Listener;
 use axum::{
 extract::{Path, State},
 http::StatusCode,
 response::{IntoResponse, Response},
 };
 use parity_scale_codec::{Decode, Encode};
-use tokio::net::TcpListener;
 #[derive(Clone)]
 struct SharedState {
@@ -17,10 +17,14 @@ struct SharedState {
 }
 /// An HTTP server which provides attestations
-pub async fn attestation_provider_server(
- listener: TcpListener,
+pub async fn attestation_provider_server(
+ listener: L,
 attestation_generator: AttestationGenerator,
-) -> anyhow::Result<()> {
+) -> anyhow::Result<()>
+where
+ L: Listener,
+ L::Addr: std::fmt::Debug,
+{
 let app = axum::Router::new()
 .route("/attest/{input_data}", axum::routing::get(get_attest))
 .with_state(SharedState {
@@ -97,6 +101,7 @@ impl IntoResponse for ServerError {
 #[cfg(test)]
 mod tests {
 use super::*;
+ use tokio::net::TcpListener;
 #[tokio::test]
 async fn test_attestation_provider_server() {
diff --git a/attestation-provider-server/src/main.rs b/attestation-provider-server/src/main.rs
index 276d43c..ed64b8b 100644
--- a/attestation-provider-server/src/main.rs
+++ b/attestation-provider-server/src/main.rs
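Review bot: The doc comment on `attestation_provider_server` no longer says what kind of listener it accepts now that the parameter is generic over axum's `Listener`, and since `main.rs` in this same commit passes both a `TcpListener` and a `tokio_vsock::VsockListener`, that is the one thing a caller needs to know. Suggested: `/// An HTTP server which provides attestations, served on any axum Listener (for example a TcpListener or a tokio_vsock VsockListener)`. The function body continues outside the hunk.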
@@ -2,9 +2,10 @@ use attestation_provider_server::{attestation_provider_client, attestation_provi
 use attested_tls_proxy::attestation::{
 AttestationGenerator, AttestationVerifier, measurements::MeasurementPolicy,
 };
-use clap::{Parser, Subcommand};
+use clap::{Parser, Subcommand, ValueEnum};
 use std::{net::SocketAddr, path::PathBuf};
 use tokio::net::TcpListener;
+use tokio_vsock::{VMADDR_CID_ANY, VsockAddr, VsockListener};
 use tracing::level_filters::LevelFilter;
 const GIT_REV: &str = match option_env!("GIT_REV") {
@@ -30,9 +31,15 @@ struct Cli {
 #[derive(Subcommand, Debug, Clone)]
 enum CliCommand {
 Server {
+ /// Network transport to use for the server listener
+ #[arg(long, value_enum, default_value_t = ListenTransport::Tcp)]
+ listen_transport: ListenTransport,
 /// Socket address to listen on
 #[arg(short, long, default_value = "0.0.0.0:0", env = "LISTEN_ADDR")]
 listen_addr: SocketAddr,
+ /// Vsock port to listen on when using `--listen-transport vsock`
+ #[arg(long, default_value_t = 8000, env = "VSOCK_PORT")]
+ vsock_port: u32,
 /// Type of attestation to present (will attempt to detect if not given)
 #[arg(long)]
 server_attestation_type: Option,
@@ -46,6 +53,12 @@ enum CliCommand {
 },
 }
+#[derive(ValueEnum, Debug, Clone, Copy, PartialEq, Eq)]
+enum ListenTransport {
+ Tcp,
+ Vsock,
+}
 #[tokio::main]
 async fn main() -> anyhow::Result<()> {
 let cli = Cli::parse();
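Review bot: `listen_addr` and `vsock_port` are each honoured by only one transport (the match in the following hunk reads one of them per arm), but the help text for `listen_addr` still reads `/// Socket address to listen on` with no hint that it is silently ignored under `--listen-transport vsock`, and `vsock_port` is likewise ignored under tcp. Suggested: `/// Socket address to listen on (TCP transport only; ignored when listening on vsock)`. If a silent no-op is not acceptable for an operator who sets `LISTEN_ADDR` and then switches transport, the two sets of flags could be tied to the transport with a clap arg group so the mismatch is rejected at parse time.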
@@ -74,16 +87,26 @@ async fn main() -> anyhow::Result<()> {
 match cli.command {
 CliCommand::Server {
+ listen_transport,
 listen_addr,
+ vsock_port,
 server_attestation_type,
 } => {
 let attestation_generator = AttestationGenerator::new_with_detection(server_attestation_type, None)?;
- let listener = TcpListener::bind(listen_addr).await?;
-
- println!("Listening on {}", listener.local_addr()?);
- attestation_provider_server(listener, attestation_generator).await?;
+ match listen_transport {
+ ListenTransport::Tcp => {
+ let listener = TcpListener::bind(listen_addr).await?;
+ println!("Listening on {}", listener.local_addr()?);
+ attestation_provider_server(listener, attestation_generator).await?;
+ }
+ ListenTransport::Vsock => {
+ let listener = VsockListener::bind(VsockAddr::new(VMADDR_CID_ANY, vsock_port))?;
+ println!("Listening on vsock cid={} port={}", VMADDR_CID_ANY, vsock_port);
+ attestation_provider_server(listener, attestation_generator).await?;
+ }
+ }
 }
 CliCommand::Client {
 server_addr,
From 25bd5de45b440c0bc3317035daf573a97bd88134 Mon Sep 17 00:00:00 2001 From: peg Date: Wed, 20 May 2026 14:33:39 +0200 Subject: [PATCH 2/3] Experimental nitro support in attestation-provider-server client side, and flake to build docker image --- Cargo.lock | 477 +++++++++++++++++++----- Cargo.toml | 3 + attestation-provider-server/Cargo.toml | 7 +- attestation-provider-server/src/lib.rs | 60 ++- attestation-provider-server/src/main.rs | 42 ++- flake.lock | 27 ++ flake.nix | 75 ++++ 7 files changed, 586 insertions(+), 105 deletions(-) create mode 100644 flake.lock create mode 100644 flake.nix
diff --git a/Cargo.lock b/Cargo.lock
index 6d17492..6ae095c 100644
--- a/Cargo.lock
+++ b/Cargo.lock
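Review bot: In the `ListenTransport::Vsock` arm the log line prints `VMADDR_CID_ANY` as its raw numeric sentinel value, which reads as a real context id next to the TCP arm's resolved `local_addr()`; `println!("Listening on vsock port {vsock_port} (any CID)");` says what actually happened. Binding to `VMADDR_CID_ANY` also does not limit which peer CIDs may connect, so if only the parent instance is meant to reach this listener that has to be enforced per accepted connection (peer address) or by the hypervisor configuration, not by this bind — worth a one-line comment above the bind so the next reader does not assume otherwise. The TCP arm awaits `bind` while the vsock arm does not; that matches the two APIs as used here, but a short comment would save a reviewer the check. `main`'s body starts and ends outside the hunk.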
@@ -8,6 +8,19 @@ version = "2.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "320119579fcad9c21884f5c4861d16174d0e06250625266f50fe6898340abefa" +[[package]] +name = "ahash" +version = "0.8.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5a15f179cd60c4584b8a8c596927aadc462e27f2ca70c04e0071964a73ba7a75" +dependencies = [ + "cfg-if", + "getrandom 0.3.4", + "once_cell", + "version_check", + "zerocopy", +] + [[package]] name = "aho-corasick" version = "1.1.4" @@ -32,6 +45,17 @@ dependencies = [ "alloc-no-stdlib", ] +[[package]] +name = "annotate-snippets" +version = "0.12.15" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "92570a3f9c98e7e84df84b71d0965ac99b1871fcd75a3773a3bd1bad13f64cf7" +dependencies = [ + "anstyle", + "memchr", + "unicode-width", +] + [[package]] name = "anstream" version = "0.6.21" @@ -88,6 +112,12 @@ version = "1.0.102" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7f202df86484c868dbad7eaa557ef785d5c66295e41b460ef922eca0723b842c" +[[package]] +name = "arraydeque" +version = "0.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7d902e3d592a523def97af8f317b08ce16b7ab854c1985a0c671e6f15cebc236" + [[package]] name = "arrayref" version = "0.3.9" 
@@ -193,15 +223,17 @@ checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0" [[package]] name = "attestation" version = "0.0.1" -source = "git+https://github.com/flashbots/attested-tls?branch=main#dab9db727b1436c0b9f066562ff625535f9c2234" +source = "git+https://github.com/flashbots/attested-tls?branch=peg%2Fnitro#6fb445686cfae4242080e76085e2b7bbbb22a678" dependencies = [ "anyhow", "az-tdx-vtpm", "base64 0.22.1", - "configfs-tsm", - "dcap-qvl 0.3.12 (git+https://github.com/Phala-Network/dcap-qvl.git?rev=f1dcc65371e941a7b83e3234833d23a1fb232ab1)", + "dcap-qvl", "hex", "http", + "mock-tdx", + "nsm-nitro-enclave-utils", + "nsm-nitro-enclave-utils-keygen", "num-bigint", "once_cell", "openssl", @@ -213,7 +245,7 @@ dependencies = [ "rustls-webpki", "serde", "serde_json", - "tdx-quote", + "tdx-attest 0.5.8", "thiserror 2.0.17", "time", "tokio", @@ -231,8 +263,13 @@ dependencies = [ "anyhow", "attested-tls-proxy", "axum", + "bytes", "clap", "hex", + "http", + "http-body-util", + "hyper", + "hyper-util", "parity-scale-codec", "reqwest", "tokio", @@ -244,7 +281,7 @@ dependencies = [ [[package]] name = "attested-tls" version = "0.0.1" -source = "git+https://github.com/flashbots/attested-tls?branch=main#dab9db727b1436c0b9f066562ff625535f9c2234" +source = "git+https://github.com/flashbots/attested-tls?branch=peg%2Fnitro#6fb445686cfae4242080e76085e2b7bbbb22a678" dependencies = [ "anyhow", "attestation", @@ -315,6 +352,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0ec6fb3fe69024a75fa7e1bfb48aa6cf59706a101658ea01bfd33b2b248a038f" dependencies = [ "aws-lc-sys", + "untrusted 0.7.1", "zeroize", ] 
@@ -330,11 +368,25 @@ dependencies = [ "fs_extra", ] +[[package]] +name = "aws-nitro-enclaves-nsm-api" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d92c1f4471b33f6a7af9ea421b249ed18a11c71156564baf6293148fa6ad1b09" +dependencies = [ + "libc", + "log", + "nix 0.26.4", + "serde", + "serde_bytes", + "serde_cbor", +] + [[package]] name = "axum" -version = "0.8.6" +version = "0.8.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8a18ed336352031311f4e0b4dd2ff392d4fbb370777c9d18d7fc9d7359f73871" +checksum = "31b698c5f9a010f6573133b09e0de5408834d0c82f8d7475a89fc1867a71cd90" dependencies = [ "axum-core", "bytes", @@ -390,7 +442,7 @@ checksum = "9b3d0900c6757c9674b05b0479236458297026e25fb505186dc8d7735091a21c" dependencies = [ "bincode 1.3.3", "jsonwebkey", - "memoffset", + "memoffset 0.9.1", "openssl", "serde", "serde-big-array", @@ -690,6 +742,23 @@ dependencies = [ "sha2", ] +[[package]] +name = "cc-eventlog" +version = "0.5.11" +source = "git+https://github.com/Dstack-TEE/dstack.git?rev=07d2cf6bd376a3c56f855aa47c8de003bb427e48#07d2cf6bd376a3c56f855aa47c8de003bb427e48" +dependencies = [ + "anyhow", + "digest", + "ez-hash", + "fs-err", + "hex", + "parity-scale-codec", + "serde", + "serde-human-bytes", + "serde_json", + "sha2", +] + [[package]] name = "cfg-if" version = "1.0.4" 
@@ -712,6 +781,33 @@ dependencies = [ "serde", ] +[[package]] +name = "ciborium" +version = "0.2.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "42e69ffd6f0917f5c029256a24d0161db17cea3997d185db0d35926308770f0e" +dependencies = [ + "ciborium-io", + "ciborium-ll", + "serde", +] + +[[package]] +name = "ciborium-io" +version = "0.2.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "05afea1e0a06c9be33d539b876f1ce3692f4afea2cb41f740e7743225ed1c757" + +[[package]] +name = "ciborium-ll" +version = "0.2.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "57663b653d948a338bfb3eeba9bb2fd5fcfaecb9e199e87e1eda4d9e8b240fd9" +dependencies = [ + "ciborium-io", + "half 2.7.1", +] + [[package]] name = "clap" version = "4.5.51" @@ -773,12 +869,6 @@ version = "1.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b05b61dc5112cbb17e4b6cd61790d9845d13888356391624cbe7e41efeac1e75" -[[package]] -name = "configfs-tsm" -version = "0.0.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "187437900921c8172f33316ad51a3267df588e99a2aebfa5ca1a2ed44df9e703" - [[package]] name = "console" version = "0.15.11" @@ -832,6 +922,16 @@ dependencies = [ "unicode-segmentation", ] +[[package]] +name = "coset" +version = "0.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1eb98d5e9155e2cf7cd942c8b3033097d4563b6fb0a00b9caecb74669555c058" +dependencies = [ + "ciborium", + "ciborium-io", +] + [[package]] name = "cpufeatures" version = "0.2.17" 
@@ -880,6 +980,12 @@ version = "0.8.21" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d0a5c400df2834b80a4c3327b3aad3a4c4cd4de0629063962b03235697506a28" +[[package]] +name = "crunchy" +version = "0.2.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "460fbee9c2c2f33933d720630a6a0bac33ba7053db5344fac858d4b8952d77d5" + [[package]] name = "crypto-bigint" version = "0.5.5" @@ -968,43 +1074,6 @@ version = "2.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2a2330da5de22e8a3cb63252ce2abb30116bf5265e89c0e01bc17015ce30a476" -[[package]] -name = "dcap-qvl" -version = "0.3.12" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "67e7842b81018f3b991dc65ec0a95ff347332de58478c4ac43459095af00cc89" -dependencies = [ - "anyhow", - "asn1_der", - "base64 0.22.1", - "borsh", - "byteorder", - "chrono", - "const-oid", - "dcap-qvl-webpki", - "der", - "derive_more 2.1.1", - "futures", - "hex", - "log", - "p256", - "parity-scale-codec", - "pem", - "reqwest", - "ring", - "rustls-pki-types", - "scale-info", - "serde", - "serde-human-bytes", - "serde_json", - "sha2", - "signature", - "tracing", - "urlencoding", - "wasm-bindgen-futures", - "x509-cert", -] - [[package]] name = "dcap-qvl" version = "0.3.12" @@ -1056,7 +1125,7 @@ dependencies = [ "rustls-pki-types", "sha2", "signature", - "untrusted", + "untrusted 0.9.0", ] [[package]] @@ -1193,7 +1262,7 @@ dependencies = [ "libc", "option-ext", "redox_users", - "windows-sys 0.61.2", + "windows-sys 0.59.0", ] [[package]] 
@@ -1209,12 +1278,12 @@ dependencies = [ [[package]] name = "dstack-attest" -version = "0.5.8" -source = "git+https://github.com/Dstack-TEE/dstack.git?rev=4f602dddc0542cd34da031c90ac0b3a560f316ed#4f602dddc0542cd34da031c90ac0b3a560f316ed" +version = "0.5.11" +source = "git+https://github.com/Dstack-TEE/dstack.git?rev=07d2cf6bd376a3c56f855aa47c8de003bb427e48#07d2cf6bd376a3c56f855aa47c8de003bb427e48" dependencies = [ "anyhow", - "cc-eventlog", - "dcap-qvl 0.3.12 (registry+https://github.com/rust-lang/crates.io-index)", + "cc-eventlog 0.5.11", + "dcap-qvl", "dstack-types", "errify", "ez-hash", @@ -1224,19 +1293,20 @@ dependencies = [ "insta", "or-panic", "parity-scale-codec", + "rmp-serde", "serde", "serde-human-bytes", "serde_json", "sha2", "sha3", - "tdx-attest", + "tdx-attest 0.5.11", "tracing", ] [[package]] name = "dstack-types" -version = "0.5.8" -source = "git+https://github.com/Dstack-TEE/dstack.git?rev=4f602dddc0542cd34da031c90ac0b3a560f316ed#4f602dddc0542cd34da031c90ac0b3a560f316ed" +version = "0.5.11" +source = "git+https://github.com/Dstack-TEE/dstack.git?rev=07d2cf6bd376a3c56f855aa47c8de003bb427e48#07d2cf6bd376a3c56f855aa47c8de003bb427e48" dependencies = [ "parity-scale-codec", "serde", @@ -1298,6 +1368,7 @@ dependencies = [ "ff", "generic-array", "group", + "hkdf", "pem-rfc7468", "pkcs8", "rand_core 0.6.4", 
@@ -1312,6 +1383,24 @@ version = "1.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "34aa73646ffb006b8f5147f3dc182bd4bcb190227ce861fc4a4844bf8e3cb2c0" +[[package]] +name = "encoding_rs" +version = "0.8.35" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "75030f3c4f45dafd7586dd6780965a8c7e8e285a5ecb86713e63a79c5b2766f3" +dependencies = [ + "cfg-if", +] + +[[package]] +name = "encoding_rs_io" +version = "0.1.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1cc3c5651fb62ab8aa3103998dade57efdd028544bd300516baa31840c252a83" +dependencies = [ + "encoding_rs", +] + [[package]] name = "enum-as-inner" version = "0.6.1" @@ -1379,7 +1468,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb" dependencies = [ "libc", - "windows-sys 0.61.2", + "windows-sys 0.59.0", ] [[package]] @@ -1649,6 +1738,23 @@ dependencies = [ "tracing", ] +[[package]] +name = "half" +version = "1.8.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1b43ede17f21864e81be2fa654110bf1e793774238d86ef8555c37e6519c0403" + +[[package]] +name = "half" +version = "2.7.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6ea2d84b969582b4b1864a92dc5d27cd2b77b622a8d79306834f1be5ba20d84b" +dependencies = [ + "cfg-if", + "crunchy", + "zerocopy", +] + [[package]] name = "hashbrown" version = "0.16.0" 
@@ -2281,9 +2387,18 @@ dependencies = [ [[package]] name = "memchr" -version = "2.7.6" +version = "2.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79" + +[[package]] +name = "memoffset" +version = "0.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f52b00d39961fc5b2736ea853c9cc86238e165017a493d1d5c8eac6bdc4cc273" +checksum = "5de893c32cde5f383baa4c04c5d6dbdd735cfd4a794b0debdb2bb1b421da5ff4" +dependencies = [ + "autocfg", +] [[package]] name = "memoffset" @@ -2337,6 +2452,29 @@ dependencies = [ "windows-sys 0.61.2", ] +[[package]] +name = "mock-tdx" +version = "0.0.1" +source = "git+https://github.com/flashbots/attested-tls?branch=peg%2Fnitro#6fb445686cfae4242080e76085e2b7bbbb22a678" +dependencies = [ + "axum", + "dcap-qvl", + "hex", + "p256", + "parity-scale-codec", + "rcgen 0.14.7", + "serde", + "serde-saphyr", + "serde_bytes", + "serde_json", + "sha2", + "time", + "tokio", + "urlencoding", + "x509-parser 0.18.1", + "yasna 0.5.2", +] + [[package]] name = "moka" version = "0.12.11" @@ -2358,7 +2496,7 @@ dependencies = [ [[package]] name = "nested-tls" version = "0.0.1" -source = "git+https://github.com/flashbots/attested-tls?branch=main#dab9db727b1436c0b9f066562ff625535f9c2234" +source = "git+https://github.com/flashbots/attested-tls?branch=peg%2Fnitro#6fb445686cfae4242080e76085e2b7bbbb22a678" dependencies = [ "rustls", "tokio", @@ -2366,6 +2504,19 @@ dependencies = [ "tracing", ] +[[package]] +name = "nix" +version = "0.26.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "598beaf3cc6fdd9a5dfb1630c2800c7acd31df7aaf0f565796fba2b53ca1af1b" +dependencies = [ + "bitflags 1.3.2", + "cfg-if", + "libc", + "memoffset 0.7.1", + "pin-utils", +] + [[package]] name = "nix" version = "0.31.2" 
@@ -2376,9 +2527,15 @@ dependencies = [ "cfg-if", "cfg_aliases", "libc", - "memoffset", + "memoffset 0.9.1", ] +[[package]] +name = "nohash-hasher" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2bf50223579dc7cdcfb3bfcacf7069ff68243f8c363f62ffa99cf000a6b9c451" + [[package]] name = "nom" version = "7.1.3" @@ -2389,13 +2546,53 @@ dependencies = [ "minimal-lexical", ] +[[package]] +name = "nsm-nitro-enclave-utils" +version = "0.1.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0be8326f0a1c769ee90da2bdaf6e0859c7873b2047a5d06d97f7f2abb273dc15" +dependencies = [ + "aws-nitro-enclaves-nsm-api", + "coset", + "getrandom 0.3.4", + "hex", + "nsm-nitro-enclave-utils-keygen", + "p384", + "ring", + "rustls-pki-types", + "rustls-webpki", + "sealed", + "serde", + "serde_bytes", + "serde_json", + "sha2", + "x509-cert", +] + +[[package]] +name = "nsm-nitro-enclave-utils-keygen" +version = "0.1.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ff968e3b62edc3ac9c6fd324490a6a14278ea6289efeb7d91425feaf62592051" +dependencies = [ + "clap", + "p384", + "rand_core 0.6.4", + "sec1", + "serde", + "serde_bytes", + "serde_json", + "sha2", + "x509-cert", +] + [[package]] name = "nu-ansi-term" version = "0.50.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7957b9740744892f114936ab4a57b3f487491bbeafaf8083688b16841a4240e5" dependencies = [ - "windows-sys 0.61.2", + "windows-sys 0.59.0", ] [[package]] 
@@ -2516,15 +2713,14 @@ checksum = "384b8ab6d37215f3c5301a95a4accb5d64aa607f1fcb26a11b5303878451b4fe" [[package]] name = "openssl" -version = "0.10.78" +version = "0.10.79" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f38c4372413cdaaf3cc79dd92d29d7d9f5ab09b51b10dded508fb90bb70b9222" +checksum = "bf0b434746ee2832f4f0baf10137e1cabb18cbe6912c69e2e33263c45250f542" dependencies = [ "bitflags 2.10.0", "cfg-if", "foreign-types", "libc", - "once_cell", "openssl-macros", "openssl-sys", ] @@ -2551,9 +2747,9 @@ dependencies = [ [[package]] name = "openssl-sys" -version = "0.9.114" +version = "0.9.115" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "13ce1245cd07fcc4cfdb438f7507b0c7e4f3849a69fd84d52374c66d83741bb6" +checksum = "158fe5b292746440aa6e7a7e690e55aeb72d41505e2804c23c6973ad0e9c9781" dependencies = [ "cc", "libc", @@ -2665,10 +2861,10 @@ dependencies = [ [[package]] name = "pccs" version = "0.0.1" -source = "git+https://github.com/flashbots/attested-tls?branch=main#dab9db727b1436c0b9f066562ff625535f9c2234" +source = "git+https://github.com/flashbots/attested-tls?branch=peg%2Fnitro#6fb445686cfae4242080e76085e2b7bbbb22a678" dependencies = [ "anyhow", - "dcap-qvl 0.3.12 (git+https://github.com/Phala-Network/dcap-qvl.git?rev=f1dcc65371e941a7b83e3234833d23a1fb232ab1)", + "dcap-qvl", "hex", "reqwest", "serde", @@ -2931,7 +3127,7 @@ dependencies = [ "once_cell", "socket2 0.6.1", "tracing", - "windows-sys 0.60.2", + "windows-sys 0.59.0", ] [[package]] 
@@ -2951,13 +3147,13 @@ checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f" [[package]] name = "ra-tls" -version = "0.5.8" -source = "git+https://github.com/Dstack-TEE/dstack.git?rev=4f602dddc0542cd34da031c90ac0b3a560f316ed#4f602dddc0542cd34da031c90ac0b3a560f316ed" +version = "0.5.11" +source = "git+https://github.com/Dstack-TEE/dstack.git?rev=07d2cf6bd376a3c56f855aa47c8de003bb427e48#07d2cf6bd376a3c56f855aa47c8de003bb427e48" dependencies = [ "anyhow", "bon", - "cc-eventlog", - "dcap-qvl 0.3.12 (registry+https://github.com/rust-lang/crates.io-index)", + "cc-eventlog 0.5.11", + "dcap-qvl", "dstack-attest", "dstack-types", "elliptic-curve", @@ -3071,6 +3267,7 @@ version = "0.14.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "10b99e0098aa4082912d4c649628623db6aba77335e4f4569ff5083a6448b32e" dependencies = [ + "aws-lc-rs", "pem", "ring", "rustls-pki-types", @@ -3205,7 +3402,7 @@ dependencies = [ "cfg-if", "getrandom 0.2.16", "libc", - "untrusted", + "untrusted 0.9.0", "windows-sys 0.52.0", ] @@ -3289,7 +3486,7 @@ dependencies = [ "errno", "libc", "linux-raw-sys", - "windows-sys 0.61.2", + "windows-sys 0.59.0", ] [[package]] @@ -3338,7 +3535,7 @@ dependencies = [ "aws-lc-rs", "ring", "rustls-pki-types", - "untrusted", + "untrusted 0.9.0", ] [[package]] @@ -3353,6 +3550,17 @@ version = "1.0.20" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "28d3b2b1366ec20994f1fd18c3c594f05c5dd4bc44d8bb0c1c632c8d6829481f" +[[package]] +name = "saphyr-parser-bw" +version = "0.0.610" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6d643f5e972f17219245b82f038c22cd3c74320bb17c6e8f7e8537de268b1bc6" +dependencies = [ + "arraydeque", + "smallvec", + "thiserror 2.0.17", +] + [[package]] name = "scale-info" version = "2.11.6" 
@@ -3384,6 +3592,17 @@ version = "1.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49" +[[package]] +name = "sealed" +version = "0.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "22f968c5ea23d555e670b449c1c5e7b2fc399fdaec1d304a17cd48e288abc107" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + [[package]] name = "sec1" version = "0.7.3" @@ -3434,6 +3653,26 @@ dependencies = [ "serde", ] +[[package]] +name = "serde-saphyr" +version = "0.0.22" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "546b4da4f679832602a8f8ab8ddc10b6b1d2e1a13b4f9dddcaee499436fa06ad" +dependencies = [ + "ahash", + "annotate-snippets", + "base64 0.21.7", + "encoding_rs_io", + "getrandom 0.3.4", + "nohash-hasher", + "num-traits", + "regex", + "saphyr-parser-bw", + "serde", + "smallvec", + "zmij", +] + [[package]] name = "serde_bytes" version = "0.11.19" @@ -3444,6 +3683,16 @@ dependencies = [ "serde_core", ] +[[package]] +name = "serde_cbor" +version = "0.11.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2bef2ebfde456fb76bbcf9f59315333decc4fda0b2b44b420243c11e0f5ec1f5" +dependencies = [ + "half 1.8.3", + "serde", +] + [[package]] name = "serde_core" version = "1.0.228" @@ -3607,8 +3856,8 @@ checksum = "bbbb5d9659141646ae647b42fe094daf6c6192d1620870b449d9557f748b2daa" [[package]] name = "size-parser" -version = "0.5.8" -source = "git+https://github.com/Dstack-TEE/dstack.git?rev=4f602dddc0542cd34da031c90ac0b3a560f316ed#4f602dddc0542cd34da031c90ac0b3a560f316ed" +version = "0.5.11" +source = "git+https://github.com/Dstack-TEE/dstack.git?rev=07d2cf6bd376a3c56f855aa47c8de003bb427e48#07d2cf6bd376a3c56f855aa47c8de003bb427e48" dependencies = [ "anyhow", "serde", 
@@ -3758,7 +4007,26 @@ version = "0.5.8" source = "git+https://github.com/Dstack-TEE/dstack.git?rev=4f602dddc0542cd34da031c90ac0b3a560f316ed#4f602dddc0542cd34da031c90ac0b3a560f316ed" dependencies = [ "anyhow", - "cc-eventlog", + "cc-eventlog 0.5.8", + "fs-err", + "hex", + "libc", + "parity-scale-codec", + "serde", + "serde-human-bytes", + "serde_json", + "sha2", + "thiserror 2.0.17", + "vsock", +] + +[[package]] +name = "tdx-attest" +version = "0.5.11" +source = "git+https://github.com/Dstack-TEE/dstack.git?rev=07d2cf6bd376a3c56f855aa47c8de003bb427e48#07d2cf6bd376a3c56f855aa47c8de003bb427e48" +dependencies = [ + "anyhow", + "cc-eventlog 0.5.11", "fs-err", "hex", "libc", @@ -3795,7 +4063,7 @@ dependencies = [ "getrandom 0.3.4", "once_cell", "rustix", - "windows-sys 0.61.2", + "windows-sys 0.59.0", ] [[package]] @@ -3903,6 +4171,27 @@ version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" +[[package]] +name = "tls_codec" +version = "0.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0de2e01245e2bb89d6f05801c564fa27624dbd7b1846859876c7dad82e90bf6b" +dependencies = [ + "tls_codec_derive", + "zeroize", +] + +[[package]] +name = "tls_codec_derive" +version = "0.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2d2e76690929402faae40aebdda620a2c0e25dd6d3b9afe48867dfd95991f4bd" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + [[package]] name = "tokio" version = "1.50.0" 
@@ -4205,12 +4494,24 @@ version = "1.12.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f6ccf251212114b54433ec949fd6a7841275f9ada20dddd2f29e9ceea4501493" +[[package]] +name = "unicode-width" +version = "0.2.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b4ac048d71ede7ee76d585517add45da530660ef4390e49b098733c6e897f254" + [[package]] name = "unicode-xid" version = "0.2.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ebc1c04c71510c7f702b52b7c350734c9ff1295c464a03335b00bb84fc54f853" +[[package]] +name = "untrusted" +version = "0.7.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a" + [[package]] name = "untrusted" version = "0.9.0" @@ -4314,7 +4615,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b82aeb12ad864eb8cd26a6c21175d0bdc66d398584ee6c93c76964c3bcfc78ff" dependencies = [ "libc", - "nix", + "nix 0.31.2", ] [[package]] @@ -4729,7 +5030,10 @@ checksum = "1301e935010a701ae5f8655edc0ad17c44bad3ac5ce8c39185f75453b720ae94" dependencies = [ "const-oid", "der", + "sha1", + "signature", "spki", + "tls_codec", ] [[package]] @@ -4769,6 +5073,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d43b0f71ce057da06bc0851b23ee24f3f86190b07203dd8f567d0b706a185202" dependencies = [ "asn1-rs 0.7.1", + "aws-lc-rs", "data-encoding", "der-parser 10.0.0", "lazy_static", diff --git a/Cargo.toml b/Cargo.toml index 332e1f9..e4b7a1d 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,9 @@ [workspace] members = [".", "attestation-provider-server"] +[patch.crates-io] +dcap-qvl = { git = "https://github.com/Phala-Network/dcap-qvl.git", rev = "f1dcc65371e941a7b83e3234833d23a1fb232ab1" } + [package] name = "attested-tls-proxy" version = "1.1.1" 
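Review bot: The new `[patch.crates-io]` entry in the Cargo.toml hunk replaces every `dcap-qvl` in the graph with the Phala git fork at a fixed `rev`, but nothing records why the registry release is insufficient, and since this crate appears to sit on the quote-verification path a future cleanup could drop the override without noticing what it changes. A one-line comment above it, e.g. `# crates.io dcap-qvl is overridden with the Phala fork until <reason / upstream PR> lands`, would make the pin deliberate and tell reviewers what to re-check when the rev moves.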
diff --git a/attestation-provider-server/Cargo.toml b/attestation-provider-server/Cargo.toml
index 841b613..b90cb47 100644
--- a/attestation-provider-server/Cargo.toml
+++ b/attestation-provider-server/Cargo.toml
@@ -10,10 +10,15 @@ repository = "https://github.com/flashbots/attested-tls-proxy"
 [dependencies]
 attested-tls-proxy = { path = ".." }
 tokio = { version = "1.48.0", features = ["full"] }
-axum = "0.8.6"
+axum = "0.8.9"
 clap = { version = "4.5.51", features = ["derive", "env"] }
 anyhow = "1.0.100"
+bytes = "1.11.1"
 hex = "0.4.3"
+http = "1.3.1"
+http-body-util = "0.1.3"
+hyper = "1.7.0"
+hyper-util = { version = "0.1.17", features = ["tokio"] }
 tokio-vsock = { version = "0.7.2", features = ["axum08"] }
 tracing = "0.1.41"
 tracing-subscriber = { version = "0.3.20", features = ["env-filter", "json"] }
diff --git a/attestation-provider-server/src/lib.rs b/attestation-provider-server/src/lib.rs
index 0a63ba9..6258490 100644
--- a/attestation-provider-server/src/lib.rs
+++ b/attestation-provider-server/src/lib.rs
@@ -9,7 +9,19 @@ use axum::{
 http::StatusCode,
 response::{IntoResponse, Response},
 };
+use bytes::Bytes;
+use http_body_util::BodyExt;
+use hyper::Request;
+use hyper::client::conn::http1;
+use hyper_util::rt::TokioIo;
 use parity_scale_codec::{Decode, Encode};
+use tokio_vsock::{VsockAddr, VsockStream};
+
+#[derive(Debug, Clone, Copy)]
+pub enum AttestationProviderEndpoint {
+ Tcp(SocketAddr),
+ Vsock { cid: u32, port: u32 },
+}
 #[derive(Clone)]
 struct SharedState {
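Review bot: `AttestationProviderEndpoint` is a new public type with no doc comment, and the meaning of the `cid` and `port` fields on the `Vsock` variant is left to the reader. Suggested on the enum: `/// Where to reach an attestation provider server: a TCP socket address, or a vsock context id and port.`, with `/// Address of a server started with a TCP listener` on `Tcp` and `/// Context id and port of a server started with a vsock listener` on `Vsock`.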
@@ -56,17 +68,40 @@ async fn get_attest(
 
 /// A client helper which makes a request to `/attest`
 pub async fn attestation_provider_client(
-    server_addr: SocketAddr,
+    server_endpoint: AttestationProviderEndpoint,
     attestation_verifier: AttestationVerifier,
 ) -> anyhow::Result {
     let input_data = [0; 64];
-    let response = reqwest::get(format!(
-        "http://{server_addr}/attest/{}",
-        hex::encode(input_data)
-    ))
-    .await?
-    .bytes()
-    .await?;
+    let response = match server_endpoint {
+        AttestationProviderEndpoint::Tcp(server_addr) => reqwest::get(format!(
+            "http://{server_addr}/attest/{}",
+            hex::encode(input_data)
+        ))
+        .await?
+        .bytes()
+        .await?
+        .to_vec(),
+        AttestationProviderEndpoint::Vsock { cid, port } => {
+            let stream = VsockStream::connect(VsockAddr::new(cid, port)).await?;
+            let io = TokioIo::new(stream);
+            let (mut sender, connection) = http1::handshake(io).await?;
+
+            tokio::spawn(async move {
+                if let Err(err) = connection.await {
+                    eprintln!("vsock HTTP connection error: {err}");
+                }
+            });
+
+            let request = Request::builder()
+                .method(http::Method::GET)
+                .uri(format!("/attest/{}", hex::encode(input_data)))
+                .header(http::header::HOST, format!("{cid}:{port}"))
+                .body(http_body_util::Empty::::new())?;
+
+            let response = sender.send_request(request).await?;
+            response.into_body().collect().await?.to_bytes().to_vec()
+        }
+    };
 
     let remote_attestation_message = AttestationExchangeMessage::decode(&mut &response[..])?;
     let remote_attestation_type = remote_attestation_message.attestation_type;
@@ -115,8 +150,11 @@ mod tests {
             .await
             .unwrap();
         });
-        attestation_provider_client(server_addr, AttestationVerifier::expect_none())
-            .await
-            .unwrap();
+        attestation_provider_client(
+            AttestationProviderEndpoint::Tcp(server_addr),
+            AttestationVerifier::expect_none(),
+        )
+        .await
+        .unwrap();
     }
 }
diff --git a/attestation-provider-server/src/main.rs b/attestation-provider-server/src/main.rs
index ed64b8b..9b4154e 100644
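Review bot: The `Vsock` arm decodes the body regardless of the HTTP status, so a 4xx/5xx from the provider surfaces as a SCALE decode failure rather than the server's actual error; add `anyhow::ensure!(response.status().is_success(), "attestation provider returned HTTP {}", response.status());` right after `send_request`, and the `Tcp` arm would benefit from the matching `.error_for_status()?` on the reqwest response. The collected body is also unbounded, so a misbehaving peer can make the client allocate arbitrarily before any verification has happened; wrapping the body in `http_body_util::Limited` with a size that comfortably covers an attestation message bounds that. `eprintln!` in the spawned connection task bypasses the `tracing` subscriber this crate already depends on; `tracing::warn!` keeps the error in the structured log. The test hunk below only exercises `Tcp`, so the new `Vsock` arm ships untested.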
--- a/attestation-provider-server/src/main.rs
+++ b/attestation-provider-server/src/main.rs
@@ -32,8 +32,8 @@ struct Cli {
 enum CliCommand {
     Server {
         /// Network transport to use for the server listener
-        #[arg(long, value_enum, default_value_t = ListenTransport::Tcp)]
-        listen_transport: ListenTransport,
+        #[arg(long, value_enum, default_value_t = NetworkTransport::Tcp)]
+        listen_transport: NetworkTransport,
         /// Socket address to listen on
         #[arg(short, long, default_value = "0.0.0.0:0", env = "LISTEN_ADDR")]
         listen_addr: SocketAddr,
@@ -45,8 +45,18 @@ enum CliCommand {
         server_attestation_type: Option,
     },
     Client {
+        /// Network transport to use for the attestation provider server
+        #[arg(long, value_enum, default_value_t = NetworkTransport::Tcp)]
+        server_transport: NetworkTransport,
         /// Socket address of a attestation provider server
+        #[arg(short, long, default_value = "127.0.0.1:8000", env = "SERVER_ADDR")]
         server_addr: SocketAddr,
+        /// Vsock CID of the attestation provider server when using `--server-transport vsock`
+        #[arg(long, default_value_t = 10, env = "SERVER_CID")]
+        server_cid: u32,
+        /// Vsock port of the attestation provider server when using `--server-transport vsock`
+        #[arg(long, default_value_t = 8000, env = "SERVER_VSOCK_PORT")]
+        server_vsock_port: u32,
         /// Optional path to file containing JSON measurements to be enforced on the remote party
         #[arg(long, global = true, env = "MEASUREMENTS_FILE")]
         measurements_file: Option,
@@ -54,7 +64,7 @@ enum CliCommand {
 }
 
 #[derive(ValueEnum, Debug, Clone, Copy, PartialEq, Eq)]
-enum ListenTransport {
+enum NetworkTransport {
     Tcp,
     Vsock,
 }
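Review bot: `server_addr` gains `#[arg(short, long, default_value = "127.0.0.1:8000", ...)]` where, if I read the unchanged doc-comment-then-field lines correctly, it was previously a bare field and therefore a required positional argument; that silently breaks existing `client <addr>` invocations, and a forgotten address now connects to loopback instead of failing. Each of the three options is only meaningful for one transport (`server_addr` for tcp, `server_cid`/`server_vsock_port` for vsock) and the unused ones are ignored without a word, which the doc comment on `server_addr` should state, e.g. `/// Socket address of the attestation provider server when using `--server-transport tcp``. The default CID `10` is a magic number with no comment on what it corresponds to; a short why-comment, or no default so the operator must supply it, would help. The rename in the other two hunks of this file is mechanical and needs no change.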
@@ -96,20 +106,26 @@ async fn main() -> anyhow::Result<()> {
                 AttestationGenerator::new_with_detection(server_attestation_type, None)?;
 
             match listen_transport {
-                ListenTransport::Tcp => {
+                NetworkTransport::Tcp => {
                     let listener = TcpListener::bind(listen_addr).await?;
                     println!("Listening on {}", listener.local_addr()?);
                     attestation_provider_server(listener, attestation_generator).await?;
                 }
-                ListenTransport::Vsock => {
+                NetworkTransport::Vsock => {
                     let listener = VsockListener::bind(VsockAddr::new(VMADDR_CID_ANY, vsock_port))?;
-                    println!("Listening on vsock cid={} port={}", VMADDR_CID_ANY, vsock_port);
+                    println!(
+                        "Listening on vsock cid={} port={}",
+                        VMADDR_CID_ANY, vsock_port
+                    );
                     attestation_provider_server(listener, attestation_generator).await?;
                 }
             }
         }
         CliCommand::Client {
+            server_transport,
             server_addr,
+            server_cid,
+            server_vsock_port,
             measurements_file,
         } => {
             let measurement_policy = match measurements_file {
@@ -125,8 +141,20 @@ async fn main() -> anyhow::Result<()> {
                 internal_pccs: None,
             };
 
+            let server_endpoint = match server_transport {
+                NetworkTransport::Tcp => {
+                    attestation_provider_server::AttestationProviderEndpoint::Tcp(server_addr)
+                }
+                NetworkTransport::Vsock => {
+                    attestation_provider_server::AttestationProviderEndpoint::Vsock {
+                        cid: server_cid,
+                        port: server_vsock_port,
+                    }
+                }
+            };
+
             let attestation_message =
-                attestation_provider_client(server_addr, attestation_verifier).await?;
+                attestation_provider_client(server_endpoint, attestation_verifier).await?;
 
             println!("{attestation_message:?}")
         }
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..94e0bfb
--- /dev/null
+++ b/flake.lock
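Review bot: The `server_endpoint` match spells out `attestation_provider_server::AttestationProviderEndpoint` twice, which is what forces the two-line arm bodies; importing it next to the existing import of `attestation_provider_client` (`use attestation_provider_server::AttestationProviderEndpoint;`, outside this hunk) lets the arms read `AttestationProviderEndpoint::Tcp(server_addr)` and `AttestationProviderEndpoint::Vsock { cid: server_cid, port: server_vsock_port }` on one line each. `main` starts and ends outside these hunks. The rename and the reflowed `println!` in the first hunk need no change.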
@@ -0,0 +1,27 @@ +{ + "nodes": { + "nixpkgs": { + "locked": { + "lastModified": 1778869304, + "narHash": "sha256-30sZNZoA1cqF5JNO9fVX+wgiQYjB7HJqqJ4ztCDeBZE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d233902339c02a9c334e7e593de68855ad26c4cb", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "nixpkgs": "nixpkgs" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..68d616e --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,75 @@
+{
+  description = "attested-tls-proxy with a reproducible attestation-provider-server OCI image";
+
+  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+
+  outputs = { self, nixpkgs }:
+    let
+      system = "x86_64-linux";
+      pkgs = import nixpkgs { inherit system; };
+
+      server = pkgs.rustPlatform.buildRustPackage {
+        pname = "attestation-provider-server";
+        version = "1.1.1";
+        src = ./.;
+
+        cargoLock = {
+          lockFile = ./Cargo.lock;
+          outputHashes = {
+            "attestation-0.0.1" = "sha256-1I9iQcFNt02fHs8Q18LK2+f8U0TzhfdFz7JvV0mKJUw=";
+            "attested-tls-0.0.1" = "sha256-1I9iQcFNt02fHs8Q18LK2+f8U0TzhfdFz7JvV0mKJUw=";
+            "cc-eventlog-0.5.11" = "sha256-q6Vrlx4N7Ce2EQTQH+0HCSEzFZmY8PzDHxrO8L3kMsQ=";
+            "cc-eventlog-0.5.8" = "sha256-KEauakj53LrhKTc0yYp5SM8ec0cFNm4YVuHCJYiPQjw=";
+            "dcap-qvl-0.3.12" = "sha256-rLTp5wIhXRAcBtJb7lfd1TAg7yPRnwa0cBa1YT4LwKU=";
+            "dstack-attest-0.5.11" = "sha256-q6Vrlx4N7Ce2EQTQH+0HCSEzFZmY8PzDHxrO8L3kMsQ=";
+            "dstack-types-0.5.11" = "sha256-q6Vrlx4N7Ce2EQTQH+0HCSEzFZmY8PzDHxrO8L3kMsQ=";
+            "nested-tls-0.0.1" = "sha256-1I9iQcFNt02fHs8Q18LK2+f8U0TzhfdFz7JvV0mKJUw=";
+            "pccs-0.0.1" = "sha256-1I9iQcFNt02fHs8Q18LK2+f8U0TzhfdFz7JvV0mKJUw=";
+            "ra-tls-0.5.11" = "sha256-q6Vrlx4N7Ce2EQTQH+0HCSEzFZmY8PzDHxrO8L3kMsQ=";
+            "size-parser-0.5.11" = "sha256-q6Vrlx4N7Ce2EQTQH+0HCSEzFZmY8PzDHxrO8L3kMsQ=";
+            "tdx-attest-0.5.11" = "sha256-q6Vrlx4N7Ce2EQTQH+0HCSEzFZmY8PzDHxrO8L3kMsQ=";
+            "tdx-attest-0.5.8" = "sha256-KEauakj53LrhKTc0yYp5SM8ec0cFNm4YVuHCJYiPQjw=";
+          };
+        };
+        cargoBuildFlags = [ "-p" "attestation-provider-server" ];
+        cargoHash = "sha256-rLTp5wIhXRAcBtJb7lfd1TAg7yPRnwa0cBa1YT4LwKU=";
+
+        nativeBuildInputs = [ pkgs.pkg-config ];
+        buildInputs = [ pkgs.openssl pkgs.tpm2-tss ];
+
+        doCheck = false;
+      };
+
+      imageRoot = pkgs.buildEnv {
+        name = "attestation-provider-server-image-root";
+        paths = [ server pkgs.cacert ];
+        pathsToLink = [ "/bin" "/etc/ssl/certs" ];
+      };
+    in
+    {
+      packages.${system} = {
+        attestation-provider-server = server;
+        attestation-provider-server-image = pkgs.dockerTools.buildLayeredImage {
+          name = "attestation-provider-server";
+          tag = "latest";
+          contents = [ imageRoot ];
+          config = {
+            Cmd = [
+              "/bin/attestation-provider-server"
+              "server"
+              "--listen-transport"
+              "vsock"
+              "--vsock-port"
+              "8000"
+            ];
+          };
+        };
+        default = self.packages.${system}.attestation-provider-server-image;
+      };
+
+      devShells.${system}.default = pkgs.mkShell {
+        nativeBuildInputs = with pkgs; [ pkg-config ];
+        buildInputs = with pkgs; [ tpm2-tss openssl ];
+      };
+    };
+}
From 91e57b3a4e9a83182c8a0e235ef127ed7fa51e38 Mon Sep 17 00:00:00 2001
From: peg
Date: Wed, 20 May 2026 14:57:03 +0200
Subject: [PATCH 3/3] Flake should set attestation type to nitro

---
 flake.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/flake.nix b/flake.nix
index 68d616e..09781a0 100644
--- a/flake.nix
+++ b/flake.nix
@@ -61,6 +61,8 @@
               "vsock"
               "--vsock-port"
               "8000"
+              "--server-attestation-type"
+              "aws-nitro"
             ];
           };
         };
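Review bot: `cargoHash` is set alongside `cargoLock`, and its value is identical to the `dcap-qvl-0.3.12` entry in `outputHashes`; with `cargoLock` given, `buildRustPackage` vendors from the lock file and, as far as I recall, never consults `cargoHash`, so this looks like a copy-paste leftover that should either be dropped or carry a comment saying why it is there. `doCheck = false` switches the crate's tests off in the build that the description calls reproducible, with no stated reason; a comment such as `# tests need a live provider/vsock, unavailable in the sandbox` (whatever the real reason is) keeps that decision reviewable. The image is tagged `latest`, a mutable reference; deriving the tag from the build (e.g. `tag = server.version;`) makes the published reference identify the build it came from.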
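Review bot: The image now hard-codes `--server-attestation-type aws-nitro`, which appears to bypass the runtime detection the binary otherwise performs (`AttestationGenerator::new_with_detection` in main.rs), so this image can only serve a Nitro platform; that is fine for its purpose but deserves a comment beside the `Cmd`, e.g. `# Nitro-only image: pin the attestation type instead of relying on runtime detection.` The flake `description` could likewise say the image targets AWS Nitro rather than just "OCI image".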