feat(nautilus-local): mock NSM device + Sui localnet E2E #31
Open
chargarlic wants to merge 3 commits into main from
Conversation
Create the nautilus-local tool with:

- Clap CLI with parse, run, and attest subcommands
- EIF binary format parser that extracts kernel, cmdline, ramdisk, metadata, and signature sections
- Parse subcommand that displays EIF metadata and section info
- Unit tests verifying parsing against real EIF files

The parser correctly handles the EIF header format (0x224 bytes) with section offsets/sizes arrays and sequential section entries.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
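An added example, not the PR's code, of the parsing step this commit describes: walking the 0x224-byte header's section offset/size arrays with bounds checks before any file-supplied offset is used to index the image. The field layout is assumed from the upstream aws-nitro-enclaves-image-format crate (big-endian fields, 32-entry tables, 12-byte section headers), and the sample image is constructed inline.

```rust
// Added example (not the PR's code): bounds-checked walk of an EIF header and its sections.
// Layout assumed from the aws-nitro-enclaves-image-format crate: 0x224-byte big-endian header
// with 32-entry section_offsets/section_sizes arrays, then sections each with a 12-byte header.
use std::convert::TryInto;
const EIF_MAGIC: [u8; 4] = *b".eif";
const MAX_SECTIONS: usize = 32;
const HEADER_LEN: usize = 0x224;
const SECTION_HDR_LEN: usize = 12; // type u16, flags u16, size u64
const OFFSETS_AT: usize = 28; // after magic, version, flags, default_mem, default_cpus, reserved, num_sections
const SIZES_AT: usize = OFFSETS_AT + MAX_SECTIONS * 8;
#[derive(Debug, PartialEq)]
pub struct Section { pub kind: u16, pub offset: usize, pub size: usize }
fn be_u16(b: &[u8], at: usize) -> u16 { u16::from_be_bytes([b[at], b[at + 1]]) }
fn be_u64(b: &[u8], at: usize) -> u64 { u64::from_be_bytes(b[at..at + 8].try_into().unwrap()) }

/// Parse the header, proving every section lies inside `eif` before any file-supplied offset is used to index it.
pub fn parse_eif(eif: &[u8]) -> Result<Vec<Section>, String> {
    if eif.len() < HEADER_LEN || eif[..4] != EIF_MAGIC { return Err("not an EIF file".into()); }
    let num_sections = be_u16(eif, 26) as usize;
    if num_sections > MAX_SECTIONS { return Err("too many sections".into()); }
    let mut out = Vec::new();
    for i in 0..num_sections {
        let (offset, size) = (be_u64(eif, OFFSETS_AT + i * 8) as usize, be_u64(eif, SIZES_AT + i * 8) as usize);
        // checked_add: a hostile offset/size pair must not wrap around usize.
        let end = offset.checked_add(SECTION_HDR_LEN).and_then(|e| e.checked_add(size));
        if offset < HEADER_LEN || end.map_or(true, |e| e > eif.len()) {
            return Err(format!("section {} out of bounds", i));
        }
        // The section's own header must agree with the table in the file header.
        if be_u64(eif, offset + 4) as usize != size { return Err(format!("section {} size mismatch", i)); }
        out.push(Section { kind: be_u16(eif, offset), offset: offset + SECTION_HDR_LEN, size });
    }
    Ok(out)
}

/// Constructed sample image: header plus a cmdline (type 2) and a ramdisk (type 3).
pub fn sample_eif() -> Vec<u8> {
    let mut eif = vec![0u8; HEADER_LEN];
    eif[..4].copy_from_slice(&EIF_MAGIC);
    eif[26..28].copy_from_slice(&2u16.to_be_bytes());
    let sections: [(u16, &[u8]); 2] = [(2, b"hi"), (3, b"abc")];
    for (i, (kind, data)) in sections.iter().enumerate() {
        let (off, len) = (eif.len() as u64, data.len() as u64);
        eif[OFFSETS_AT + i * 8..OFFSETS_AT + i * 8 + 8].copy_from_slice(&off.to_be_bytes());
        eif[SIZES_AT + i * 8..SIZES_AT + i * 8 + 8].copy_from_slice(&len.to_be_bytes());
        eif.extend_from_slice(&kind.to_be_bytes()); eif.extend_from_slice(&[0, 0]); // type, flags
        eif.extend_from_slice(&len.to_be_bytes());
        eif.extend_from_slice(data);
    }
    eif
}

fn main() { for s in parse_eif(&sample_eif()).expect("valid sample") { println!("{:?}", s); } }
```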
…alnet E2E workflow

Adds a complete local development environment for Nautilus enclaves:

- **mock-nsm**: CUSE daemon that creates /dev/nsm, handles NSM ioctl protocol, and generates COSE_Sign1 attestation documents with a proper X.509 cert chain (fixed root CA → ephemeral leaf cert, PCRs, Ed25519 public key)
- **nautilus-local**: QEMU manager that boots EIF files locally with Alpine linux-virt kernel, e1000 NIC, overlay initrd with mock-nsm + kernel modules
- **Sui localnet integration**: Mock attestations pass on-chain verification (`load_nitro_attestation`) on a patched Sui localnet. Includes:
  - `scripts/patch-sui-localnet.sh` to swap AWS root CA with mock CA
  - `scripts/test-localnet-e2e.sh` for automated full-flow testing

All endpoints working: /health_check, /get_attestation, /process_data.

Verified E2E: patch Sui → start localnet → boot enclave → register on-chain.
Summary
Adds a complete local development environment for Nautilus enclaves — no AWS Nitro required.
- **mock-nsm**: creates `/dev/nsm` inside QEMU, handles the NSM ioctl protocol, and generates COSE_Sign1 attestation documents with a proper X.509 certificate chain (fixed mock root CA → ephemeral leaf cert)
- **Sui localnet integration**: mock attestations pass `load_nitro_attestation` verification on a patched localnet. Includes `scripts/patch-sui-localnet.sh` and `scripts/test-localnet-e2e.sh` for automated testing

All endpoints working: `/health_check`, `/get_attestation`, `/process_data`.

Verified E2E flow:

1. `scripts/patch-sui-localnet.sh ~/sui`
2. `nautilus-local run out/nitro.eif --secrets '...' --memory 1G`
3. `test-publish --with-unpublished-dependencies`
4. `load_nitro_attestation` + `register_enclave` PTB

Automated via: `./scripts/test-localnet-e2e.sh`

Test plan

- `cd tools/mock-nsm && cargo test` — 4 tests (cert generation, determinism, size limits)
- `cd tools/nautilus-local && cargo test` — 4 tests (overlay, EIF parsing)
- `nautilus-local run out/nitro.eif --secrets '...' --memory 1G` then `curl localhost:3000/health_check` and `curl localhost:3000/get_attestation`
- `./scripts/test-localnet-e2e.sh --sui-dir ~/sui` — full on-chain E2E