fix(tee): address review feedback and simplify TEE implementation

tarrencev · claude · tarrencev · commit f8efaa4a9cb4 · 2025-12-15T11:52:43.000-06:00
- Remove mock provider from CLI (keep only for tests) - Simplify TeeProviderType enum to only include SevSnp - Replace panic! with proper anyhow::bail! error handling - Remove unused uuid dependency from workspace - Add PartialEq, Eq derives to TeeQuoteResponse for testability - Make tracing dependency optional (only with snp feature) - Consolidate tee feature flags (tee now enables tee-snp automatically) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
diff --git a/Cargo.toml b/Cargo.toml
@@ -170,7 +170,6 @@ tokio = { version = "1.39.2", features = [ "full" ] }
 tokio-util = "0.7.12"
 toml = "0.8"
 url = { version = "2.4.0", features = [ "serde" ] }
-uuid = { version = "1.0", features = [ "v4" ] }
 
 # serde
 serde = { version = "1.0", features = [ "derive" ] }
diff --git a/crates/cli/Cargo.toml b/crates/cli/Cargo.toml
@@ -42,10 +42,8 @@ cartridge = [
 	"katana-node/cartridge",
 	"katana-rpc-server/cartridge",
 ]
-default = [ "cartridge", "server" ]
-explorer = [ "katana-node/explorer", "katana-utils/explorer" ]
-native = [ "katana-node/native" ]
-server = [  ]
-tee = [ "dep:katana-tee", "katana-node/tee" ]
-tee-mock = [ "tee", "katana-node/tee-mock", "katana-tee/mock" ]
-tee-snp = [ "tee", "katana-node/tee-snp", "katana-tee/snp" ]
+default = ["cartridge", "server"]
+explorer = ["katana-node/explorer", "katana-utils/explorer"]
+native = ["katana-node/native"]
+server = []
+tee = ["dep:katana-tee", "katana-node/tee", "katana-node/tee-snp", "katana-tee/snp"]
diff --git a/crates/cli/src/args.rs b/crates/cli/src/args.rs
@@ -451,31 +451,7 @@ impl SequencerNodeArgs {
 
     #[cfg(feature = "tee")]
     fn tee_config(&self) -> Option<TeeConfig> {
-        use katana_tee::TeeProviderType;
-
-        use crate::options::TeeProviderType as CliTeeProviderType;
-
-        self.tee.tee_provider.map(|provider| {
-            let provider_type = match provider {
-                CliTeeProviderType::SevSnp => {
-                    #[cfg(feature = "tee-snp")]
-                    {
-                        TeeProviderType::SevSnp
-                    }
-                    #[cfg(not(feature = "tee-snp"))]
-                    {
-                        panic!("SEV-SNP TEE provider requires the 'tee-snp' feature to be enabled")
-                    }
-                }
-                #[cfg(feature = "tee-mock")]
-                CliTeeProviderType::Mock => TeeProviderType::Mock,
-                #[cfg(not(feature = "tee-mock"))]
-                CliTeeProviderType::Mock => {
-                    panic!("Mock TEE provider requires the 'tee-mock' feature to be enabled")
-                }
-            };
-            TeeConfig { provider_type }
-        })
+        self.tee.tee_provider.map(|provider_type| TeeConfig { provider_type })
     }
 
     /// Parse the node config from the command line arguments and the config file,
diff --git a/crates/cli/src/options.rs b/crates/cli/src/options.rs
@@ -761,58 +761,24 @@ fn parse_pruning_mode(s: &str) -> Result<PruningMode, String> {
     }
 }
 
-/// TEE provider types available for attestation.
-#[cfg(feature = "tee")]
-#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
-#[serde(rename_all = "lowercase")]
-pub enum TeeProviderType {
-    /// AMD SEV-SNP (Secure Encrypted Virtualization - Secure Nested Paging).
-    SevSnp,
-    /// Mock provider for testing (requires mock feature in katana-tee).
-    Mock,
-}
-
-#[cfg(feature = "tee")]
-impl std::fmt::Display for TeeProviderType {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        match self {
-            Self::SevSnp => write!(f, "sev-snp"),
-            Self::Mock => write!(f, "mock"),
-        }
-    }
-}
-
-#[cfg(feature = "tee")]
-impl std::str::FromStr for TeeProviderType {
-    type Err = String;
-
-    fn from_str(s: &str) -> Result<Self, Self::Err> {
-        match s.to_lowercase().as_str() {
-            "sev-snp" | "snp" => Ok(Self::SevSnp),
-            "mock" => Ok(Self::Mock),
-            other => {
-                Err(format!("Unknown TEE provider: {}. Valid options are: sev-snp, mock", other))
-            }
-        }
-    }
-}
-
 #[cfg(feature = "tee")]
 #[derive(Debug, Args, Clone, Serialize, Deserialize, Default, PartialEq)]
 #[command(next_help_heading = "TEE options")]
 pub struct TeeOptions {
-    /// Enable TEE attestation support with the specified provider.
+    /// Enable TEE attestation support with AMD SEV-SNP.
     ///
     /// When enabled, the TEE RPC API becomes available for generating
-    /// hardware-backed attestation quotes. The provider type determines
-    /// which TEE backend to use for quote generation.
-    ///
-    /// Available providers:
-    /// - sev-snp: AMD SEV-SNP (Secure Encrypted Virtualization) - requires SEV-SNP VM
-    /// - mock: Mock provider for testing (does not require TEE hardware)
+    /// hardware-backed attestation quotes. Requires running in an SEV-SNP VM
+    /// with /dev/sev-guest available.
     #[arg(long = "tee.provider", value_name = "PROVIDER")]
+    #[arg(value_parser = parse_tee_provider)]
     #[serde(default)]
-    pub tee_provider: Option<TeeProviderType>,
+    pub tee_provider: Option<katana_tee::TeeProviderType>,
+}
+
+#[cfg(feature = "tee")]
+fn parse_tee_provider(s: &str) -> Result<katana_tee::TeeProviderType, String> {
+    s.parse()
 }
 
 #[cfg(feature = "tee")]
diff --git a/crates/node/Cargo.toml b/crates/node/Cargo.toml
@@ -50,5 +50,4 @@ cartridge = ["katana-rpc-api/cartridge", "katana-rpc-server/cartridge"]
 explorer = ["katana-rpc-server/explorer"]
 native = ["katana-executor/native"]
 tee = ["dep:katana-tee", "katana-rpc-api/tee", "katana-rpc-server/tee"]
-tee-mock = ["tee", "katana-tee/mock"]
 tee-snp = ["tee", "katana-tee/snp"]
diff --git a/crates/node/src/lib.rs b/crates/node/src/lib.rs
@@ -280,13 +280,21 @@ where
                 use katana_tee::{TeeProvider, TeeProviderType};
 
                 let tee_provider: Arc<dyn TeeProvider> = match tee_config.provider_type {
-                    #[cfg(feature = "tee-snp")]
-                    TeeProviderType::SevSnp => Arc::new(
-                        katana_tee::SevSnpProvider::new()
-                            .context("Failed to initialize SEV-SNP provider")?,
-                    ),
-                    #[cfg(feature = "tee-mock")]
-                    TeeProviderType::Mock => Arc::new(katana_tee::MockProvider::new()),
+                    TeeProviderType::SevSnp => {
+                        #[cfg(feature = "tee-snp")]
+                        {
+                            Arc::new(
+                                katana_tee::SevSnpProvider::new()
+                                    .context("Failed to initialize SEV-SNP provider")?,
+                            )
+                        }
+                        #[cfg(not(feature = "tee-snp"))]
+                        {
+                            anyhow::bail!(
+                                "SEV-SNP TEE provider requires the 'tee-snp' feature to be enabled"
+                            );
+                        }
+                    }
                 };
 
                 let api = TeeApi::new(provider.clone(), tee_provider);
diff --git a/crates/rpc/rpc-api/src/tee.rs b/crates/rpc/rpc-api/src/tee.rs
@@ -5,7 +5,7 @@ use katana_primitives::Felt;
 use serde::{Deserialize, Serialize};
 
 /// Response type for TEE quote generation.
-#[derive(Debug, Clone, Serialize, Deserialize)]
+#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
 #[serde(rename_all = "camelCase")]
 pub struct TeeQuoteResponse {
     /// The raw attestation quote bytes (hex-encoded).
diff --git a/crates/tee/Cargo.toml b/crates/tee/Cargo.toml
@@ -6,7 +6,7 @@ version.workspace = true
 
 [dependencies]
 thiserror.workspace = true
-tracing.workspace = true
+tracing = { workspace = true, optional = true }
 bincode = { workspace = true, optional = true }
 sev-snp = { workspace = true, optional = true }
 
@@ -16,5 +16,4 @@ tempfile.workspace = true
 
 [features]
 default = []
-mock = []
-snp = ["dep:sev-snp", "dep:bincode"]
+snp = ["dep:sev-snp", "dep:bincode", "dep:tracing"]
diff --git a/crates/tee/src/lib.rs b/crates/tee/src/lib.rs
@@ -7,7 +7,6 @@
 //!
 //! - **SEV-SNP (AMD Secure Encrypted Virtualization)**: Via Automata Network SDK (requires `snp`
 //!   feature)
-//! - **Mock**: For testing on non-TEE hardware (requires `mock` feature)
 //!
 //! # Example
 //!
@@ -24,50 +23,32 @@
 mod error;
 mod provider;
 
-#[cfg(any(test, feature = "mock"))]
+#[cfg(test)]
 mod mock;
 
 #[cfg(feature = "snp")]
 mod snp;
 
 pub use error::TeeError;
-#[cfg(any(test, feature = "mock"))]
+#[cfg(test)]
 pub use mock::MockProvider;
 pub use provider::TeeProvider;
 #[cfg(feature = "snp")]
 pub use snp::SevSnpProvider;
 
-/// TEE provider type enumeration for CLI parsing.
+/// TEE provider type enumeration.
+///
+/// Currently only SEV-SNP is supported for production use.
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub enum TeeProviderType {
-    /// AMD SEV-SNP provider (only available with snp feature).
-    #[cfg(feature = "snp")]
+    /// AMD SEV-SNP provider.
     SevSnp,
-    /// Mock provider for testing (only available with mock feature).
-    #[cfg(any(test, feature = "mock"))]
-    Mock,
-}
-
-impl Default for TeeProviderType {
-    fn default() -> Self {
-        #[cfg(feature = "snp")]
-        {
-            Self::SevSnp
-        }
-        #[cfg(not(feature = "snp"))]
-        {
-            Self::Mock
-        }
-    }
 }
 
 impl std::fmt::Display for TeeProviderType {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
         match self {
-            #[cfg(feature = "snp")]
             Self::SevSnp => write!(f, "sev-snp"),
-            #[cfg(any(test, feature = "mock"))]
-            Self::Mock => write!(f, "mock"),
         }
     }
 }
@@ -77,11 +58,10 @@ impl std::str::FromStr for TeeProviderType {
 
     fn from_str(s: &str) -> Result<Self, Self::Err> {
         match s.to_lowercase().as_str() {
-            #[cfg(feature = "snp")]
             "sev-snp" | "snp" => Ok(Self::SevSnp),
-            #[cfg(any(test, feature = "mock"))]
-            "mock" => Ok(Self::Mock),
-            other => Err(format!("Unknown TEE provider type: {}", other)),
+            other => {
+                Err(format!("Unknown TEE provider: '{}'. Available providers: sev-snp", other))
+            }
         }
     }
 }
diff --git a/crates/tee/src/mock.rs b/crates/tee/src/mock.rs
@@ -1,5 +1,3 @@
-use tracing::debug;
-
 use crate::error::TeeError;
 use crate::provider::TeeProvider;
 
@@ -27,8 +25,6 @@ impl MockProvider {
 
 impl TeeProvider for MockProvider {
     fn generate_quote(&self, user_data: &[u8; 64]) -> Result<Vec<u8>, TeeError> {
-        debug!(target: "tee::mock", "Generating mock attestation quote");
-
         // Mock quote format:
         // [4 bytes: magic] [prefix] [64 bytes: user_data] [4 bytes: checksum]
         let magic = b"MOCK";
