https://github.com/oxidecomputer/sprockets

Now's the time on sprockets when we dance
https://github.com/oxidecomputer/sprockets

Last synced: 11 months ago
JSON representation

Now's the time on sprockets when we dance

• Host: GitHub
• URL: https://github.com/oxidecomputer/sprockets
• Owner: oxidecomputer
• License: mpl-2.0
• Created: 2022-04-05T22:24:43.000Z (about 4 years ago)
• Default Branch: main
• Last Pushed: 2025-07-14T16:51:42.000Z (12 months ago)
• Last Synced: 2025-07-14T18:39:44.991Z (12 months ago)
• Language: Rust
• Size: 316 KB
• Stars: 9
• Watchers: 21
• Forks: 1
• Open Issues: 14
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

          
## Overview

Sprockets provides a secure transport protocol for use in the Oxide bootstrap

network. It is designed specifically to work with a Root of Trust (RoT) capable

of providing device identities, signing capabilities, and a mechanism to

retrieve measurements for remote attestation. The protocol utilizes TLS 1.3

via [rustls](https://github.com/rustls/rustls) for secure session establishment

between bootstrap agents with authentication provided by local RoTs. Remote

attestation is performed over secure TLS 1.3 channels.

### Test Data

Test cases rely on a PKI that we define in `tls/test-keys/config.kdl`. Before

`cargo test` will execute tests as expected the test PKI must be generated

using the `pki-playground` tool. This is automated by `tls/build.rs`.

### Remote Attestation

After the TLS handshake is complete, the peers on either end of the connection

exchange, verify, and appraise attestations generated by their respective RoTs.

The protocol used to carry out this process is roughly:

```mermaid

%% sequence diagram describing the protocol used to exchange attestation

%% evidence between client & server

sequenceDiagram

    Client->>Client: Generate Nonce

    Server->>Server: Generate Nonce

    Client->>Server: Nonce

    Server->>Client: Nonce

    Client->>Client: Generate attest data
(Cert Chain, Log, Attestation)

    Server->>Server: Generate attest data
(Cert Chain, Log, Attestation)

    Client->>Client: Verify own attestation

    Server->>Server: Verify own attestation

    Client->>Server: Cert Chain

    Server->>Server: Appraise
Cert Chain

    Server->>Client: Cert Chain

    Client->>Client: Appraise
Cert Chain

    Client->>Server: Measurement Log

    Server->>Client: Measurement Log

    Client->>Server: Attestation

    Server->>Server: Verify signature over attestation
/w Leaf cert from chain

    Server->>Server: Appraise measurements

    Server->>Client: Attestation

    Client->>Client: Verify signature over attestation
/w Leaf cert from chain

    Client->>Client: Appraise measurements

```