From 1bc4d26fd9e7c1aa461bda47a01aee1d0a47242a Mon Sep 17 00:00:00 2001 From: Laura Abbott Date: Thu, 29 Aug 2024 16:30:03 -0400 Subject: [PATCH] SPROCKETS --- Cargo.lock | 433 ++++++++++++++++++- Cargo.toml | 1 + sled-agent/Cargo.toml | 1 + sled-agent/src/bootstrap/client.rs | 32 +- sled-agent/src/bootstrap/sprockets_server.rs | 33 +- workspace-hack/Cargo.toml | 36 +- 6 files changed, 493 insertions(+), 43 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 923693276a9..bade5686ca8 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -338,6 +338,21 @@ dependencies = [ "windows-sys 0.52.0", ] +[[package]] +name = "attest-data" +version = "0.2.0" +source = "git+https://github.com/oxidecomputer/dice-util?branch=attest_messages_tq#22c9c8a84bc79a09c51af9cd7f63e3032ed41319" +dependencies = [ + "getrandom", + "hubpack", + "salty", + "serde", + "serde_with", + "sha3", + "static_assertions", + "thiserror", +] + [[package]] name = "atty" version = "0.2.14" 
@@ -371,6 +386,53 @@ version = "1.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0c4b4d0bd25bd0b74681c0ad21497610ce1b7c91b1022cd21c80c6fbdd9476b0" +[[package]] +name = "axum" +version = "0.7.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3a6c9af12842a67734c9a2e355436e5d03b22383ed60cf13cd0c18fbfe3dcbcf" +dependencies = [ + "async-trait", + "axum-core", + "bytes", + "futures-util", + "http 1.1.0", + "http-body 1.0.0", + "http-body-util", + "itoa", + "matchit", + "memchr", + "mime", + "percent-encoding", + "pin-project-lite", + "rustversion", + "serde", + "sync_wrapper 1.0.1", + "tower", + "tower-layer", + "tower-service", +] + +[[package]] +name = "axum-core" +version = "0.4.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a15c63fd72d41492dc4f497196f5da1fb04fb7529e631d73630d1b491e47a2e3" +dependencies = [ + "async-trait", + "bytes", + "futures-util", + "http 1.1.0", + "http-body 1.0.0", + "http-body-util", + "mime", + "pin-project-lite", + "rustversion", + "sync_wrapper 0.1.2", + "tower-layer", + "tower-service", +] + [[package]] name = "backoff" version = "0.4.0" 
@@ -1257,6 +1319,45 @@ dependencies = [ "windows-sys 0.52.0", ] +[[package]] +name = "console-api" +version = "0.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "86ed14aa9c9f927213c6e4f3ef75faaad3406134efe84ba2cb7983431d5f0931" +dependencies = [ + "futures-core", + "prost", + "prost-types", + "tonic", + "tracing-core", +] + +[[package]] +name = "console-subscriber" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e2e3a111a37f3333946ebf9da370ba5c5577b18eb342ec683eb488dd21980302" +dependencies = [ + "console-api", + "crossbeam-channel", + "crossbeam-utils", + "futures-task", + "hdrhistogram", + "humantime", + "hyper-util", + "prost", + "prost-types", + "serde", + "serde_json", + "thread_local", + "tokio", + "tokio-stream", + "tonic", + "tracing", + "tracing-core", + "tracing-subscriber", +] + [[package]] name = "const-oid" version = "0.9.6" @@ -1964,6 +2065,23 @@ version = "0.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a7993efb860416547839c115490d4951c6d0f8ec04a3594d9dd99d50ed7ec170" +[[package]] +name = "dice-verifier" +version = "0.1.0" +source = "git+https://github.com/oxidecomputer/dice-util?branch=attest_messages_tq#22c9c8a84bc79a09c51af9cd7f63e3032ed41319" +dependencies = [ + "anyhow", + "attest-data", + "const-oid", + "ed25519-dalek", + "env_logger 0.11.5", + "log", + "p384", + "pem-rfc7468", + "sha3", + "x509-cert", +] + [[package]] name = "diesel" version = "2.2.3" @@ -2412,6 +2530,7 @@ dependencies = [ "rand_core", "serde", "sha2", + "signature", "subtle", "zeroize", ] @@ -2539,6 +2658,15 @@ dependencies = [ "syn 2.0.74", ] +[[package]] +name = "env_filter" +version = "0.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4f2c92ceda6ceec50f43169f9ee8424fe2db276791afde7b2cd8bc084cb376ab" +dependencies = [ + "log", +] + [[package]] name = "env_logger" version = "0.9.3" 
@@ -2563,6 +2691,16 @@ dependencies = [ "termcolor", ] +[[package]] +name = "env_logger" +version = "0.11.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e13fa619b91fb2381732789fc5de83b45675e882f66623b7d8cb4f643017018d" +dependencies = [ + "env_filter", + "log", +] + [[package]] name = "equivalent" version = "1.0.1" @@ -3247,6 +3385,25 @@ dependencies = [ "tracing", ] +[[package]] +name = "h2" +version = "0.4.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "524e8ac6999421f49a846c2d4411f337e53497d8ec55d67753beffa43c5d9205" +dependencies = [ + "atomic-waker", + "bytes", + "fnv", + "futures-core", + "futures-sink", + "http 1.1.0", + "indexmap 2.4.0", + "slab", + "tokio", + "tokio-util", + "tracing", +] + [[package]] name = "half" version = "2.4.1" @@ -3309,6 +3466,19 @@ dependencies = [ "hashbrown 0.14.5", ] +[[package]] +name = "hdrhistogram" +version = "7.5.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "765c9198f173dd59ce26ff9f95ef0aafd0a0fe01fb9d72841bc5066a4c06511d" +dependencies = [ + "base64 0.21.7", + "byteorder", + "flate2", + "nom", + "num-traits", +] + [[package]] name = "headers" version = "0.3.9" @@ -3589,6 +3759,19 @@ dependencies = [ "http 1.1.0", ] +[[package]] +name = "http-body-util" +version = "0.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "793429d76616a256bcb62c2a2ec2bed781c8307e797e2598c50010f2bee2544f" +dependencies = [ + "bytes", + "futures-util", + "http 1.1.0", + "http-body 1.0.0", + "pin-project-lite", +] + [[package]] name = "http-range" version = "0.1.5" @@ -3686,14 +3869,14 @@ dependencies = [ "futures-channel", "futures-core", "futures-util", - "h2", + "h2 0.3.26", "http 0.2.12", "http-body 0.4.6", "httparse", "httpdate", "itoa", "pin-project-lite", - "socket2 0.5.7", + "socket2 0.4.10", "tokio", "tower-service", "tracing", 
@@ -3702,16 +3885,18 @@ dependencies = [ [[package]] name = "hyper" -version = "1.3.1" +version = "1.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fe575dd17d0862a9a33781c8c4696a55c320909004a67a00fb286ba8b1bc496d" +checksum = "50dfd22e0e76d0f662d429a5f80fcaf3855009297eab6a0a9f8543834744ba05" dependencies = [ "bytes", "futures-channel", "futures-util", + "h2 0.4.6", "http 1.1.0", "http-body 1.0.0", "httparse", + "httpdate", "itoa", "pin-project-lite", "smallvec 1.13.2", @@ -3741,7 +3926,7 @@ checksum = "a0bea761b46ae2b24eb4aef630d8d1c398157b6fc29e6350ecf090a0b70c952c" dependencies = [ "futures-util", "http 1.1.0", - "hyper 1.3.1", + "hyper 1.4.1", "hyper-util", "log", "rustls 0.22.4", @@ -3771,6 +3956,19 @@ dependencies = [ "winapi", ] +[[package]] +name = "hyper-timeout" +version = "0.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3203a961e5c83b6f5498933e78b6b263e208c197b63e9c6c53cc82ffd3f63793" +dependencies = [ + "hyper 1.4.1", + "hyper-util", + "pin-project-lite", + "tokio", + "tower-service", +] + [[package]] name = "hyper-tls" version = "0.5.0" @@ -3786,16 +3984,16 @@ dependencies = [ [[package]] name = "hyper-util" -version = "0.1.3" +version = "0.1.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ca38ef113da30126bbff9cd1705f9273e15d45498615d138b0c20279ac7a76aa" +checksum = "cde7055719c54e36e95e8719f95883f22072a48ede39db7fc17a4e1d5281e9b9" dependencies = [ "bytes", "futures-channel", "futures-util", "http 1.1.0", "http-body 1.0.0", - "hyper 1.3.1", + "hyper 1.4.1", "pin-project-lite", "socket2 0.5.7", "tokio", 
@@ -4457,6 +4655,16 @@ dependencies = [ "pkg-config", ] +[[package]] +name = "libipcc" +version = "0.1.0" +source = "git+https://github.com/oxidecomputer/libipcc?rev=fdffa212373a8f92473ea5f411088912bf458d5f#fdffa212373a8f92473ea5f411088912bf458d5f" +dependencies = [ + "cfg-if", + "libc", + "thiserror", +] + [[package]] name = "libloading" version = "0.8.3" @@ -4464,7 +4672,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0c2a198fb6b0eada2a8df47933734e6d35d350665a33a3593d7164fa52c75c19" dependencies = [ "cfg-if", - "windows-targets 0.48.5", + "windows-targets 0.52.6", ] [[package]] @@ -4718,12 +4926,27 @@ version = "0.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ffbee8634e0d45d258acb448e7eaab3fce7a0a467395d4d9f228e3c1f01fb2e4" +[[package]] +name = "matchers" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8263075bb86c5a1b1427b5ae862e8889656f126e9f77c484496e8b47cf5c5558" +dependencies = [ + "regex-automata 0.1.10", +] + [[package]] name = "matches" version = "0.1.10" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2532096657941c2fea9c289d370a250971c689d4f143798ff67113ec042024a5" +[[package]] +name = "matchit" +version = "0.7.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0e7465ac9959cc2b1404e8e2367b43684a6d13790fe23056cc8c6c5a6b7bcb94" + [[package]] name = "maybe-uninit" version = "2.0.0" @@ -6515,6 +6738,7 @@ dependencies = [ "slog-error-chain", "slog-term", "smf", + "sprockets-tls", "static_assertions", "strum", "subprocess", @@ -6602,13 +6826,14 @@ dependencies = [ "clap", "clap_builder", "console", - "const-oid", "crossbeam-epoch", "crossbeam-utils", "crypto-common", - "der", + "curve25519-dalek", "digest", "dof", + "ecdsa", + "ed25519-dalek", "either", "elliptic-curve", "ff", 
@@ -6630,6 +6855,7 @@ dependencies = [ "hickory-proto", "hmac", "hyper 0.14.30", + "indexmap 1.9.3", "indexmap 2.4.0", "inout", "itertools 0.10.5", @@ -6658,8 +6884,10 @@ dependencies = [ "predicates", "proc-macro2", "quote", + "rand", "regex", "regex-automata 0.4.6", + "regex-syntax 0.6.29", "regex-syntax 0.8.4", "reqwest", "ring 0.17.8", @@ -6692,12 +6920,14 @@ dependencies = [ "toml_edit 0.19.15", "toml_edit 0.22.20", "tracing", + "tracing-core", "unicode-bidi", "unicode-normalization", "unicode-xid", "usdt", "usdt-impl", "uuid", + "x509-cert", "zerocopy 0.7.34", "zeroize", ] @@ -8224,6 +8454,38 @@ dependencies = [ "unarray", ] +[[package]] +name = "prost" +version = "0.13.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e13db3d3fde688c61e2446b4d843bc27a7e8af269a69440c0308021dc92333cc" +dependencies = [ + "bytes", + "prost-derive", +] + +[[package]] +name = "prost-derive" +version = "0.13.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "18bec9b0adc4eba778b33684b7ba3e7137789434769ee3ce3930463ef904cfca" +dependencies = [ + "anyhow", + "itertools 0.12.1", + "proc-macro2", + "quote", + "syn 2.0.74", +] + +[[package]] +name = "prost-types" +version = "0.13.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cee5168b05f49d4b0ca581206eb14a7b22fafd963efe729ac48eb03266e25cc2" +dependencies = [ + "prost", +] + [[package]] name = "psl-types" version = "2.0.11" @@ -8563,6 +8825,9 @@ name = "regex-automata" version = "0.1.10" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6c230d73fb8d8c1b9c0b3135c5142a8acee3a0558fb8db5cf1cb65f8d7862132" +dependencies = [ + "regex-syntax 0.6.29", +] [[package]] name = "regex-automata" @@ -8616,7 +8881,7 @@ dependencies = [ "encoding_rs", "futures-core", "futures-util", - "h2", + "h2 0.3.26", "http 0.2.12", "http-body 0.4.6", "hyper 0.14.30", 
@@ -8635,7 +8900,7 @@ dependencies = [ "serde", "serde_json", "serde_urlencoded", - "sync_wrapper", + "sync_wrapper 0.1.2", "system-configuration", "tokio", "tokio-native-tls", @@ -9022,6 +9287,21 @@ dependencies = [ "zeroize", ] +[[package]] +name = "rustls" +version = "0.23.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "05cff451f60db80f490f3c182b77c35260baace73209e9cdbbe526bfe3a4d402" +dependencies = [ + "log", + "once_cell", + "ring 0.17.8", + "rustls-pki-types", + "rustls-webpki 0.102.4", + "subtle", + "zeroize", +] + [[package]] name = "rustls-native-certs" version = "0.7.0" @@ -9154,6 +9434,16 @@ dependencies = [ "cipher", ] +[[package]] +name = "salty" +version = "0.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b947325a585e90733e0e9ec097228f40b637cc346f9bd68f84d5c6297d0fcfef" +dependencies = [ + "subtle", + "zeroize", +] + [[package]] name = "samael" version = "0.0.15" @@ -9562,6 +9852,15 @@ dependencies = [ "keccak", ] +[[package]] +name = "sharded-slab" +version = "0.1.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f40ca3c46823713e0d4209592e8d6e826aa57e928f09752619fc696c499637f6" +dependencies = [ + "lazy_static", +] + [[package]] name = "shell-words" version = "1.1.0" @@ -10102,6 +10401,36 @@ dependencies = [ "der", ] +[[package]] +name = "sprockets-tls" +version = "0.1.0" +source = "git+https://github.com/oxidecomputer/sprockets.git?branch=ipcc#5090146b7805d65972f131e57a6d0319055bc102" +dependencies = [ + "anyhow", + "attest-data", + "camino", + "cfg-if", + "clap", + "console-subscriber", + "dice-verifier", + "ed25519-dalek", + "libipcc", + "pem-rfc7468", + "rustls 0.23.10", + "secrecy", + "serde", + "sha2", + "sha3", + "slog", + "slog-async", + "slog-term", + "thiserror", + "tokio", + "tokio-rustls 0.26.0", + "x509-cert", + "zeroize", +] + [[package]] name = "sqlformat" version = "0.2.4" 
@@ -10411,6 +10740,12 @@ version = "0.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2047c6ded9c721764247e62cd3b03c09ffc529b2ba5b10ec482ae507a4a70160" +[[package]] +name = "sync_wrapper" +version = "1.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a7065abeca94b6a8a577f9bd45aa0867a2238b74e8eb67cf10d492bc39351394" + [[package]] name = "system-configuration" version = "0.5.1" @@ -10799,6 +11134,7 @@ dependencies = [ "signal-hook-registry", "socket2 0.5.7", "tokio-macros", + "tracing", "windows-sys 0.52.0", ] @@ -10870,6 +11206,17 @@ dependencies = [ "tokio", ] +[[package]] +name = "tokio-rustls" +version = "0.26.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0c7bc40d0e5a97695bb96e27995cd3a08538541b0a846f65bba7a359f36700d4" +dependencies = [ + "rustls 0.23.10", + "rustls-pki-types", + "tokio", +] + [[package]] name = "tokio-stream" version = "0.1.15" @@ -11001,6 +11348,36 @@ dependencies = [ "winnow 0.6.18", ] +[[package]] +name = "tonic" +version = "0.12.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c6f6ba989e4b2c58ae83d862d3a3e27690b6e3ae630d0deb59f3697f32aa88ad" +dependencies = [ + "async-stream", + "async-trait", + "axum", + "base64 0.22.1", + "bytes", + "h2 0.4.6", + "http 1.1.0", + "http-body 1.0.0", + "http-body-util", + "hyper 1.4.1", + "hyper-timeout", + "hyper-util", + "percent-encoding", + "pin-project", + "prost", + "socket2 0.5.7", + "tokio", + "tokio-stream", + "tower", + "tower-layer", + "tower-service", + "tracing", +] + [[package]] name = "toolchain_find" version = "0.4.0" @@ -11062,9 +11439,13 @@ checksum = "b8fa9be0de6cf49e536ce1851f987bd21a43b771b09473c3549a6c853db37c1c" dependencies = [ "futures-core", "futures-util", + "indexmap 1.9.3", "pin-project", "pin-project-lite", + "rand", + "slab", "tokio", + "tokio-util", "tower-layer", "tower-service", "tracing", 
@@ -11112,6 +11493,22 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c06d3da6113f116aaee68e4d601191614c9053067f9ab7f6edbcb161237daa54"
 dependencies = [
  "once_cell",
+ "valuable",
+]
+
+[[package]]
+name = "tracing-subscriber"
+version = "0.3.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ad0f048c97dbd9faa9b7df56362b8ebcaa52adb06b498c050d2f4e32f90a7a8b"
+dependencies = [
+ "matchers",
+ "once_cell",
+ "regex",
+ "sharded-slab",
+ "thread_local",
+ "tracing",
+ "tracing-core",
 ]
 
 [[package]]
@@ -11649,6 +12046,12 @@ dependencies = [
  "log",
 ]
 
+[[package]]
+name = "valuable"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "830b7e5d4d90034032940e4ace0d9a9a057e7a45cd94e6c007832e39edb82f6d"
+
 [[package]]
 name = "vcpkg"
 version = "0.2.15"
@@ -12476,9 +12879,9 @@ dependencies = [
 
 [[package]]
 name = "zeroize"
-version = "1.7.0"
+version = "1.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "525b4ec142c6b68a2d10f01f7bbf6755599ca3f81ea53b8431b7dd348f5fdb2d"
+checksum = "ced3678a2879b30306d323f4542626697a464a97c0a07c9aebf7ebca65cd4dde"
 dependencies = [
  "zeroize_derive",
 ]
diff --git a/Cargo.toml b/Cargo.toml
index 3d1d19fa65b..00e54bb29ac 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -567,6 +567,7 @@ slog-term = "2.9.1"
 smf = "0.2"
 socket2 = { version = "0.5", features = ["all"] }
 sp-sim = { path = "sp-sim" }
+sprockets-tls = { git = "https://github.com/oxidecomputer/sprockets.git", branch = "ipcc" }
 sqlformat = "0.2.4"
 sqlparser = { version = "0.45.0", features = [ "visitor" ] }
 static_assertions = "1.1.0"
diff --git a/sled-agent/Cargo.toml b/sled-agent/Cargo.toml
index 2aefd8f4649..500a3165927 100644
--- a/sled-agent/Cargo.toml
+++ b/sled-agent/Cargo.toml
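Review bot: The new `sprockets-tls` entry in the workspace Cargo.toml tracks a branch (`branch = "ipcc"`) rather than a fixed revision, so any `cargo update` silently moves the bootstrap agent's TLS and attestation code to whatever that branch holds at the time; only Cargo.lock pins the current commit. For a dependency that sits on the authentication path of the bootstrap protocol, a `rev` pin keeps the supply chain reproducible and makes every upgrade a reviewable diff, e.g. `sprockets-tls = { git = "https://github.com/oxidecomputer/sprockets.git", rev = "5090146b7805d65972f131e57a6d0319055bc102" }` (the commit Cargo.lock resolves today). The lockfile shows the transitive `attest-data` and `dice-verifier` crates are likewise on a branch (`attest_messages_tq`), but those come from the upstream manifest rather than this file.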
@@ -80,6 +80,7 @@ slog-async.workspace = true
 slog-dtrace.workspace = true
 slog-term.workspace = true
 smf.workspace = true
+sprockets-tls.workspace = true
 strum.workspace = true
 tar.workspace = true
 thiserror.workspace = true
diff --git a/sled-agent/src/bootstrap/client.rs b/sled-agent/src/bootstrap/client.rs
index bfdaf6e6d4e..53b8e5f68c5 100644
--- a/sled-agent/src/bootstrap/client.rs
+++ b/sled-agent/src/bootstrap/client.rs
@@ -12,13 +12,14 @@ use crate::bootstrap::views::Response;
 use crate::bootstrap::views::ResponseEnvelope;
 use sled_agent_types::sled::StartSledAgentRequest;
 use slog::Logger;
+use sprockets_tls::client::Client as SprocketsClient;
+use sprockets_tls::ipcc::{new_tls_client_config, IpccSprocketsClientConfig};
 use std::borrow::Cow;
 use std::io;
 use std::net::SocketAddrV6;
 use thiserror::Error;
 use tokio::io::AsyncReadExt;
 use tokio::io::AsyncWriteExt;
-use tokio::net::TcpStream;
 
 #[derive(Debug, Error)]
 pub enum Error {
@@ -67,12 +68,12 @@ pub enum Error {
 /// bootstrap agent.
 pub(crate) struct Client {
 addr: SocketAddrV6,
- _log: Logger,
+ log: Logger,
 }
 
 impl Client {
- pub(crate) fn new(addr: SocketAddrV6, _log: Logger) -> Self {
- Self { addr, _log }
+ pub(crate) fn new(addr: SocketAddrV6, log: Logger) -> Self {
+ Self { addr, log }
 }
 
 /// Start sled agent by sending an initialization request determined from
@@ -100,10 +101,27 @@ impl Client {
 // far larger than we ever expect to see.
 const MAX_RESPONSE_LEN: u32 = 16 << 20;
 
+ let log = self.log.new(o!("component" => "SledAgentSprocketsClient"));
 // Establish connection and sprockets connection (if possible).
- let stream = TcpStream::connect(self.addr)
- .await
- .map_err(|err| Error::Connect { addr: self.addr, err })?;
+ //let stream = TcpStream::connect(self.addr)
+ // .await
+ // .map_err(|err| Error::Connect { addr: self.addr, err })?;
+ let client_config = new_tls_client_config(
+ IpccSprocketsClientConfig {
+ root_keydir: "/usr/share/oxide/idcerts".into(),
+ roots: vec![
+ "staging.pem".to_string(),
+ "production.pem".to_string(),
+ ],
+ },
+ log.clone(),
+ )
+ .unwrap();
+
+ let stream =
+ SprocketsClient::connect(client_config, self.addr, log.clone())
+ .await
+ .unwrap();
 
 let mut stream = Box::new(tokio::io::BufStream::new(stream));
 
diff --git a/sled-agent/src/bootstrap/sprockets_server.rs b/sled-agent/src/bootstrap/sprockets_server.rs
index 8d92970d54f..125166cbd25 100644
--- a/sled-agent/src/bootstrap/sprockets_server.rs
+++ b/sled-agent/src/bootstrap/sprockets_server.rs
@@ -12,12 +12,14 @@ use crate::bootstrap::views::ResponseEnvelope;
 use crate::bootstrap::views::SledAgentResponse;
 use sled_agent_types::sled::StartSledAgentRequest;
 use slog::Logger;
+use sprockets_tls::ipcc::{new_tls_server_config, IpccSprocketsServerConfig};
+use sprockets_tls::server::Server;
+use sprockets_tls::Stream;
 use std::io;
 use std::net::SocketAddrV6;
 use tokio::io::AsyncReadExt;
 use tokio::io::AsyncWriteExt;
 use tokio::io::BufStream;
-use tokio::net::TcpListener;
 use tokio::net::TcpStream;
 use tokio::sync::mpsc;
 use tokio::sync::oneshot;
@@ -28,7 +30,7 @@ type TxRequestsChannel = mpsc::Sender<(
 )>;
 
 pub(super) struct SprocketsServer {
- listener: TcpListener,
+ listener: Server,
 tx_requests: TxRequestsChannel,
 log: Logger,
 }
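Review bot: Both new `.unwrap()` calls in the client connect hunk turn a failure into a panic of the sled agent, where the code they replace mapped the error into `Error::Connect` and returned it with `?`; a missing or unreadable root under `/usr/share/oxide/idcerts`, or a handshake that fails (presumably including a peer that does not verify), is exactly the condition a bootstrap client should report to its caller rather than abort on, and `Error::Connect` is now never constructed. I can't tell from the hunk what error types `new_tls_client_config` and `SprocketsClient::connect` return, but each `.unwrap()` should become a mapping into `Error` (reusing `Error::Connect` if the type fits, otherwise a new variant), e.g. `.map_err(|err| Error::Connect { addr: self.addr, err })?`. The three commented-out `TcpStream::connect` lines should be deleted rather than left in. The hardcoded `root_keydir`/`roots` values are repeated verbatim in `SprocketsServer::new` (sprockets_server.rs, next hunk group), which unwraps `new_tls_server_config` and `Server::listen` inside a function that already returns `io::Result`; the same fix applies there and a shared constant for the root directory and file names would keep the two sides from drifting. The enclosing function begins above the hunk.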
@@ -39,8 +41,21 @@ impl SprocketsServer {
 tx_requests: TxRequestsChannel,
 base_log: &Logger,
 ) -> io::Result {
- let listener = TcpListener::bind(bind_addr).await?;
+ //let listener = TcpListener::bind(bind_addr).await?;
 let log = base_log.new(o!("component" => "SledAgentSprocketsServer"));
+ let config = new_tls_server_config(
+ IpccSprocketsServerConfig {
+ root_keydir: "/usr/share/oxide/idcerts".into(),
+ roots: vec![
+ "staging.pem".to_string(),
+ "production.pem".to_string(),
+ ],
+ },
+ log.clone(),
+ )
+ .unwrap();
+ let listener =
+ Server::listen(config, bind_addr, log.clone()).await.unwrap();
 info!(log, "Started listening"; "local_addr" => %bind_addr);
 Ok(Self { listener, tx_requests, log })
 }
@@ -52,9 +67,9 @@ impl SprocketsServer {
 /// `TcpListener::accept()`, which is cancel-safe. Note that cancelling this
 /// server does not necessarily cancel any outstanding requests that it has
 /// already received (and which may still be executing).
- pub(super) async fn run(self) {
+ pub(super) async fn run(mut self) {
 loop {
- let (stream, remote_addr) = match self.listener.accept().await {
+ let stream = match self.listener.accept().await {
 Ok(conn) => conn,
 Err(err) => {
 error!(self.log, "accept() failed"; "err" => #%err);
@@ -62,7 +77,7 @@ impl SprocketsServer {
 }
 };
 
- let log = self.log.new(o!("remote_addr" => remote_addr));
+ let log = self.log.new(o!("remote_addr" => "XXXX"));
 info!(log, "Accepted connection");
 
 let tx_requests = self.tx_requests.clone();
@@ -79,7 +94,7 @@ impl SprocketsServer {
 }
 
 async fn handle_start_sled_agent_request(
- stream: TcpStream,
+ stream: Stream,
 tx_requests: TxRequestsChannel,
 log: &Logger,
 ) -> Result<(), String> {
@@ -131,7 +146,7 @@ async fn handle_start_sled_agent_request(
 }
 
 async fn read_request(
- stream: &mut Box>,
+ stream: &mut Box>>,
 ) -> Result, String> {
 // Bound to avoid allocating an unreasonable amount of memory from a bogus
 // length prefix from a client. We authenticate clients via sprockets before
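Review bot: The accept loop now logs `"remote_addr" => "XXXX"` in place of the peer address it previously recorded, so the "Accepted connection" line and every log line derived from that child logger for the request no longer identify which peer sent a bootstrap request, which is the one datum an operator needs when triaging an unexpected connection on this listener. If `Stream` (or the value returned by `Server::accept`) exposes the peer address, restore the original `"remote_addr" => remote_addr` form with it; if it does not, drop the key rather than emit a placeholder, e.g. `let log = self.log.clone();`, and leave a comment that the address is unavailable. Separately, the doc comment above `run` still justifies cancel-safety by the call to `TcpListener::accept()`, which this hunk replaces with `Server::accept()`; that comment should either be updated once `Server::accept` is confirmed cancel-safe or state that the property is unverified, because callers that `select!` over `run` rely on it. The `new` hunk above also keeps a commented-out `TcpListener::bind` line that should be removed; its `.unwrap()` calls are covered by the note on the client hunk.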
@@ -175,7 +190,7 @@ async fn read_request(
 }
 
 async fn write_response(
- stream: &mut Box>,
+ stream: &mut Box>>,
 response: Result,
 ) -> Result<(), String> {
 // Build and serialize response.
diff --git a/workspace-hack/Cargo.toml b/workspace-hack/Cargo.toml
index ab1f8b971ea..d05e267fe89 100644
--- a/workspace-hack/Cargo.toml
+++ b/workspace-hack/Cargo.toml
@@ -35,12 +35,13 @@ cipher = { version = "0.4.4", default-features = false, features = ["block-paddi
 clap = { version = "4.5.16", features = ["cargo", "derive", "env", "wrap_help"] }
 clap_builder = { version = "4.5.15", default-features = false, features = ["cargo", "color", "env", "std", "suggestions", "usage", "wrap_help"] }
 console = { version = "0.15.8" }
-const-oid = { version = "0.9.6", default-features = false, features = ["db", "std"] }
 crossbeam-epoch = { version = "0.9.18" }
 crossbeam-utils = { version = "0.8.19" }
 crypto-common = { version = "0.1.6", default-features = false, features = ["getrandom", "std"] }
-der = { version = "0.7.9", default-features = false, features = ["derive", "flagset", "oid", "pem", "std"] }
+curve25519-dalek = { version = "4.1.3", features = ["digest", "legacy_compatibility", "rand_core"] }
 digest = { version = "0.10.7", features = ["mac", "oid", "std"] }
+ecdsa = { version = "0.16.9", features = ["pem", "signing", "std", "verifying"] }
+ed25519-dalek = { version = "2.1.1", features = ["digest", "pkcs8", "rand_core"] }
 either = { version = "1.13.0" }
 elliptic-curve = { version = "0.13.8", features = ["ecdh", "hazmat", "pem", "std"] }
 ff = { version = "0.13.0", default-features = false, features = ["alloc"] }
@@ -62,7 +63,8 @@ hex = { version = "0.4.3", features = ["serde"] } hickory-proto = { version = "0.24.1", features = ["text-parsing"] } hmac = { version = "0.12.1", default-features = false, features = ["reset"] } hyper = { version = "0.14.30", features = ["full"] } -indexmap = { version = "2.4.0", features = ["serde"] } +indexmap-dff4ba8e3ae991db = { package = "indexmap", version = "1.9.3", default-features = false, features = ["std"] } +indexmap-f595c2ba2a3f28df = { package = "indexmap", version = "2.4.0", features = ["serde"] } inout = { version = "0.1.3", default-features = false, features = ["std"] } itertools-5ef9efb8ec2df382 = { package = "itertools", version = "0.12.1" } itertools-93f6ce9d446188ac = { package = "itertools", version = "0.10.5" } @@ -86,9 +88,11 @@ postgres-types = { version = "0.2.7", default-features = false, features = ["wit predicates = { version = "3.1.2" } proc-macro2 = { version = "1.0.86" } quote = { version = "1.0.36" } +rand = { version = "0.8.5", features = ["small_rng"] } regex = { version = "1.10.6" } regex-automata = { version = "0.4.6", default-features = false, features = ["dfa", "hybrid", "meta", "nfa", "perf", "unicode"] } -regex-syntax = { version = "0.8.4" } +regex-syntax-3b31131e45eafb45 = { package = "regex-syntax", version = "0.6.29" } +regex-syntax-c38e5c1d305a1b54 = { package = "regex-syntax", version = "0.8.4" } reqwest = { version = "0.11.27", features = ["blocking", "cookies", "json", "rustls-tls", "stream"] } ring = { version = "0.17.8", features = ["std"] } rsa = { version = "0.9.6", features = ["serde", "sha2"] } 
@@ -107,7 +111,7 @@ string_cache = { version = "0.8.7" } subtle = { version = "2.5.0" } syn-f595c2ba2a3f28df = { package = "syn", version = "2.0.74", features = ["extra-traits", "fold", "full", "visit", "visit-mut"] } time = { version = "0.3.36", features = ["formatting", "local-offset", "macros", "parsing"] } -tokio = { version = "1.39.3", features = ["full", "test-util"] } +tokio = { version = "1.39.3", features = ["full", "test-util", "tracing"] } tokio-postgres = { version = "0.7.11", features = ["with-chrono-0_4", "with-serde_json-1", "with-uuid-1"] } tokio-stream = { version = "0.1.15", features = ["net", "sync"] } tokio-util = { version = "0.7.11", features = ["codec", "io-util"] } @@ -115,13 +119,15 @@ toml = { version = "0.7.8" } toml_datetime = { version = "0.6.8", default-features = false, features = ["serde"] } toml_edit-3c51e837cfc5589a = { package = "toml_edit", version = "0.22.20", features = ["serde"] } tracing = { version = "0.1.40", features = ["log"] } +tracing-core = { version = "0.1.32" } unicode-bidi = { version = "0.3.15" } unicode-normalization = { version = "0.1.23" } usdt = { version = "0.5.0" } usdt-impl = { version = "0.5.0", default-features = false, features = ["asm", "des"] } uuid = { version = "1.10.0", features = ["serde", "v4"] } +x509-cert = { version = "0.2.5" } zerocopy = { version = "0.7.34", features = ["derive", "simd"] } -zeroize = { version = "1.7.0", features = ["std", "zeroize_derive"] } +zeroize = { version = "1.8.1", features = ["std", "zeroize_derive"] } [build-dependencies] ahash = { version = "0.8.11" } 
@@ -143,12 +149,13 @@ cipher = { version = "0.4.4", default-features = false, features = ["block-paddi clap = { version = "4.5.16", features = ["cargo", "derive", "env", "wrap_help"] } clap_builder = { version = "4.5.15", default-features = false, features = ["cargo", "color", "env", "std", "suggestions", "usage", "wrap_help"] } console = { version = "0.15.8" } -const-oid = { version = "0.9.6", default-features = false, features = ["db", "std"] } crossbeam-epoch = { version = "0.9.18" } crossbeam-utils = { version = "0.8.19" } crypto-common = { version = "0.1.6", default-features = false, features = ["getrandom", "std"] } -der = { version = "0.7.9", default-features = false, features = ["derive", "flagset", "oid", "pem", "std"] } +curve25519-dalek = { version = "4.1.3", features = ["digest", "legacy_compatibility", "rand_core"] } digest = { version = "0.10.7", features = ["mac", "oid", "std"] } +ecdsa = { version = "0.16.9", features = ["pem", "signing", "std", "verifying"] } +ed25519-dalek = { version = "2.1.1", features = ["digest", "pkcs8", "rand_core"] } either = { version = "1.13.0" } elliptic-curve = { version = "0.13.8", features = ["ecdh", "hazmat", "pem", "std"] } ff = { version = "0.13.0", default-features = false, features = ["alloc"] } 
@@ -170,7 +177,8 @@ hex = { version = "0.4.3", features = ["serde"] } hickory-proto = { version = "0.24.1", features = ["text-parsing"] } hmac = { version = "0.12.1", default-features = false, features = ["reset"] } hyper = { version = "0.14.30", features = ["full"] } -indexmap = { version = "2.4.0", features = ["serde"] } +indexmap-dff4ba8e3ae991db = { package = "indexmap", version = "1.9.3", default-features = false, features = ["std"] } +indexmap-f595c2ba2a3f28df = { package = "indexmap", version = "2.4.0", features = ["serde"] } inout = { version = "0.1.3", default-features = false, features = ["std"] } itertools-5ef9efb8ec2df382 = { package = "itertools", version = "0.12.1" } itertools-93f6ce9d446188ac = { package = "itertools", version = "0.10.5" } @@ -194,9 +202,11 @@ postgres-types = { version = "0.2.7", default-features = false, features = ["wit predicates = { version = "3.1.2" } proc-macro2 = { version = "1.0.86" } quote = { version = "1.0.36" } +rand = { version = "0.8.5", features = ["small_rng"] } regex = { version = "1.10.6" } regex-automata = { version = "0.4.6", default-features = false, features = ["dfa", "hybrid", "meta", "nfa", "perf", "unicode"] } -regex-syntax = { version = "0.8.4" } +regex-syntax-3b31131e45eafb45 = { package = "regex-syntax", version = "0.6.29" } +regex-syntax-c38e5c1d305a1b54 = { package = "regex-syntax", version = "0.8.4" } reqwest = { version = "0.11.27", features = ["blocking", "cookies", "json", "rustls-tls", "stream"] } ring = { version = "0.17.8", features = ["std"] } rsa = { version = "0.9.6", features = ["serde", "sha2"] } 
@@ -217,7 +227,7 @@ syn-dff4ba8e3ae991db = { package = "syn", version = "1.0.109", features = ["extr syn-f595c2ba2a3f28df = { package = "syn", version = "2.0.74", features = ["extra-traits", "fold", "full", "visit", "visit-mut"] } time = { version = "0.3.36", features = ["formatting", "local-offset", "macros", "parsing"] } time-macros = { version = "0.2.18", default-features = false, features = ["formatting", "parsing"] } -tokio = { version = "1.39.3", features = ["full", "test-util"] } +tokio = { version = "1.39.3", features = ["full", "test-util", "tracing"] } tokio-postgres = { version = "0.7.11", features = ["with-chrono-0_4", "with-serde_json-1", "with-uuid-1"] } tokio-stream = { version = "0.1.15", features = ["net", "sync"] } tokio-util = { version = "0.7.11", features = ["codec", "io-util"] } @@ -225,14 +235,16 @@ toml = { version = "0.7.8" } toml_datetime = { version = "0.6.8", default-features = false, features = ["serde"] } toml_edit-3c51e837cfc5589a = { package = "toml_edit", version = "0.22.20", features = ["serde"] } tracing = { version = "0.1.40", features = ["log"] } +tracing-core = { version = "0.1.32" } unicode-bidi = { version = "0.3.15" } unicode-normalization = { version = "0.1.23" } unicode-xid = { version = "0.2.4" } usdt = { version = "0.5.0" } usdt-impl = { version = "0.5.0", default-features = false, features = ["asm", "des"] } uuid = { version = "1.10.0", features = ["serde", "v4"] } +x509-cert = { version = "0.2.5" } zerocopy = { version = "0.7.34", features = ["derive", "simd"] } -zeroize = { version = "1.7.0", features = ["std", "zeroize_derive"] } +zeroize = { version = "1.8.1", features = ["std", "zeroize_derive"] } [target.x86_64-unknown-linux-gnu.dependencies] dof = { version = "0.3.0", default-features = false, features = ["des"] }