vault-auth-tee

TEE remote attestation plugin for Hashicorp Vault

Disclaimer

This plugin has not yet received an audit. Use at your own risk.

License

All of the code is licensed under the Mozilla Public License 2.0 unless otherwise specified. Most of the vault plugin code is based on the vault builtin/credential/cert plugin.

Build Setup

$ wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -
$ sudo bash -c 'echo "deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list'
$ sudo apt update
$ sudo apt install -y --no-install-recommends \
    libsgx-headers \
    libsgx-enclave-common \
    libsgx-urts \
    libsgx-dcap-quote-verify \
    libsgx-dcap-quote-verify-dev

Configuration

Create or Update via the ${plugin}/tees/$name endpoint

{
    "name": "TEE_role_name",
    "token_policies": "policy1,policy2,...",
    "types": "sgx",
    "sgx_mrsigner": "298037d88782e022e019b3020745b78aa40ed95c77da4bf7f3253d3a44c4fd7e",
    "sgx_mrenclave": "18946b3547d3ca036f4df7b516857e28fd512d69fed3411dc660537912faabf8",
    "sgx_isv_prodid": 0,
    "sgx_min_isv_svn": 0,
    "sgx_allowed_tcb_levels": "Ok,ConfigNeeded,OutOfDate,OutOfDateConfigNeeded,SwHardeningNeeded,ConfigAndSwHardeningNeeded"
}

• At least one of sgx_mrsigner or sgx_mrenclave must be set. If both are set, both are used for matching.
• sgx_isv_prodid is optional and defaults to 0.
• sgx_min_isv_svn is optional and defaults to 0.
• sgx_allowed_tcb_levels is optional and defaults to Ok.

Authentication

• Client TEE generates a self-signed TLS client certificate
• Client TEE generates an attestation report, which includes the hash of the public key of the client certificate (in case of SGX, a sha256 sum of the public key)
• Client TEE fetches all collateral material via e.g. Intel DCAP (tee_qv_get_collateral)
• Client TEE sends POST request with a TLS connection using the client certificate to Vault via the ${plugin}/login endpoint with the name, attestation report and the attestation collateral material
• An optional challenge can be included in the POST request, which is then included in the attestation report of the vault response

{
    "name": "The name of the TEE role to authenticate against.",
    "quote": "The quote Base64 encoded.",
    "collateral": "The collateral Json string encoded.",
    "challenge": "An optional challenge hex encoded."
}

The response contains the Vault token and, if a challenge was included, the vault attestation report, which must contain the challenge bytes in the report_data of the quote.

{
    "auth": {
        "client_token": "The Vault token.",
        "....": "...."
    },
    "data": {
        "quote": "The vault quote Base64 encoded.",
        "collateral": "The vault collateral Json string encoded."
    }
}

Collateral Json encoding

See sgx_ql_lib_common.h

{
    "major_version": uint16,
    "minor_version": uint16,
    "tee_type": uint32,
    "pck_crl_issuer_chain": []byte,
    "root_ca_crl": []byte,
    "pck_crl": []byte,
    "tcb_info_issuer_chain": []byte,
    "tcb_info": []byte,
    "qe_identity_issuer_chain": []byte,
    "qe_identity": []byte
}