From 0d0e73643b72b23fc1304e1f928f6ae42fa40355 Mon Sep 17 00:00:00 2001 From: vlad Date: Mon, 8 Dec 2025 12:07:56 +0000 Subject: [PATCH 01/10] removed mr_signer enforcement during registration and upgrade --- .../enclaves/execute/src/registration/cert.rs | 53 ------------------- .../execute/src/registration/offchain.rs | 7 +-- .../execute/src/registration/onchain.rs | 18 +++---- cosmwasm/enclaves/shared/crypto/src/consts.rs | 17 ------ 4 files changed, 9 insertions(+), 86 deletions(-) diff --git a/cosmwasm/enclaves/execute/src/registration/cert.rs b/cosmwasm/enclaves/execute/src/registration/cert.rs index 332331fe2..a524ae2ee 100644 --- a/cosmwasm/enclaves/execute/src/registration/cert.rs +++ b/cosmwasm/enclaves/execute/src/registration/cert.rs @@ -1,9 +1,3 @@ -#![cfg_attr(not(feature = "SGX_MODE_HW"), allow(unused))] - -use log::*; -use enclave_crypto::consts::{SigningMethod, SELF_REPORT_BODY, SIGNING_METHOD}; -use enclave_ffi_types::NodeAuthResult; - pub enum Error { GenericError, } 
@@ -41,53 +35,6 @@ pub fn extract_asn1_value(cert: &[u8], oid: &[u8]) -> Result, Error> { Ok(payload) } -pub fn verify_ra_report( - report_mr_signer: &[u8; 32], - report_mr_enclave: &[u8; 32], - override_verify_type: Option, -) -> NodeAuthResult { - let signing_method: SigningMethod = match override_verify_type { - Some(method) => method, - None => SIGNING_METHOD, - }; - - // verify certificate - match signing_method { - SigningMethod::MRENCLAVE => { - if (*report_mr_enclave) != SELF_REPORT_BODY.mr_enclave.m - || (*report_mr_signer) != SELF_REPORT_BODY.mr_signer.m - { - error!( - "Got a different mr_enclave or mr_signer than expected. Invalid certificate" - ); - warn!( - "mr_enclave: received: {:?} \n expected: {:?}", - report_mr_enclave, SELF_REPORT_BODY.mr_enclave.m - ); - warn!( - "mr_signer: received: {:?} \n expected: {:?}", - report_mr_signer, SELF_REPORT_BODY.mr_signer.m - ); - return NodeAuthResult::MrEnclaveMismatch; - } - } - SigningMethod::MRSIGNER => { - if (*report_mr_signer) != SELF_REPORT_BODY.mr_signer.m { - error!("Got a different mrsigner than expected. Invalid certificate"); - warn!( - "received: {:?} \n expected: {:?}", - report_mr_signer, SELF_REPORT_BODY.mr_signer.m - ); - return NodeAuthResult::MrSignerMismatch; - } - } - SigningMethod::NONE => {} - } - - NodeAuthResult::Success -} - - #[cfg(all(feature = "SGX_MODE_HW", feature = "production", not(feature = "test")))] #[allow(dead_code)] const WHITELIST_FROM_FILE: &str = include_str!("../../whitelist.txt"); diff --git a/cosmwasm/enclaves/execute/src/registration/offchain.rs b/cosmwasm/enclaves/execute/src/registration/offchain.rs index 66f4a7d66..3725f4863 100644 --- a/cosmwasm/enclaves/execute/src/registration/offchain.rs +++ b/cosmwasm/enclaves/execute/src/registration/offchain.rs 
@@ -985,12 +985,7 @@ fn is_export_approved_offchain(f_in: File, report: &sgx_report_body_t) -> bool { } fn is_export_approved(report: &sgx_report_body_t) -> bool { - // Current policy: we demand the same mr_signer - - if report.mr_signer.m != SELF_REPORT_BODY.mr_signer.m { - println!("Migration target uses different signer"); - return false; - } + // Current policy: we only check mr_enclave, mr_signer can be anything { let extra = KEY_MANAGER.extra_data.lock().unwrap(); diff --git a/cosmwasm/enclaves/execute/src/registration/onchain.rs b/cosmwasm/enclaves/execute/src/registration/onchain.rs index f79951df1..c1c6dee1e 100644 --- a/cosmwasm/enclaves/execute/src/registration/onchain.rs +++ b/cosmwasm/enclaves/execute/src/registration/onchain.rs @@ -7,7 +7,6 @@ use std::panic; use enclave_ffi_types::NodeAuthResult; use crate::registration::attestation::{verify_quote_sgx, AttestationCombined}; -use crate::registration::cert::verify_ra_report; use enclave_utils::{ oom_handler::{self, get_then_clear_oom_happened}, @@ -16,7 +15,7 @@ use enclave_utils::{ use sgx_types::sgx_ql_qv_result_t; -use enclave_crypto::consts::SigningMethod; +use enclave_crypto::consts::SELF_REPORT_BODY; use super::seed_exchange::encrypt_seed; use std::slice; @@ -46,7 +45,6 @@ fn verify_attestation_dcap( let tm_s = get_current_block_time_s(); trace!("Current block time: {}", tm_s); - // test self let report_body = match verify_quote_sgx(attestation, tm_s, true) { Ok(r) => { trace!("Remote quote verified ok"); 
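Review bot: The new comment in `is_export_approved` says only mr_enclave is checked, but no mr_enclave comparison appears in this hunk. The function body continues past the hunk after the `KEY_MANAGER.extra_data` lock, so the remaining gate is presumably there and should be confirmed. Because this function decides whether data is exported to a migration target and the signer is now unconstrained, the comment should name that gate, for example `// Policy: mr_signer is not checked; the target mr_enclave must match the approved measurement held in extra_data`. Values the signer assigns in SIGSTRUCT (product id, ISV SVN) no longer come from a known key, so nothing on this path should rely on them.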
@@ -61,13 +59,13 @@ fn verify_attestation_dcap( } }; - let veritication_res = verify_ra_report( - &report_body.mr_signer.m, - &report_body.mr_enclave.m, - Some(SigningMethod::MRSIGNER), - ); - if NodeAuthResult::Success != veritication_res { - return veritication_res; + if (report_body.mr_enclave.m) != SELF_REPORT_BODY.mr_enclave.m { + error!( + "mrenclave expected={}, actual={}", + hex::encode(SELF_REPORT_BODY.mr_enclave.m), + hex::encode(report_body.mr_enclave.m) + ); + return NodeAuthResult::MrEnclaveMismatch; } pub_key.copy_from_slice(&report_body.report_data.d[..32]); diff --git a/cosmwasm/enclaves/shared/crypto/src/consts.rs b/cosmwasm/enclaves/shared/crypto/src/consts.rs index 026aafddf..4ab722888 100644 --- a/cosmwasm/enclaves/shared/crypto/src/consts.rs +++ b/cosmwasm/enclaves/shared/crypto/src/consts.rs @@ -7,14 +7,6 @@ use lazy_static::lazy_static; use log::*; use sgx_types::{sgx_report_body_t, sgx_self_report}; -#[allow(dead_code)] -#[derive(PartialEq, Eq, Debug)] -pub enum SigningMethod { - MRSIGNER, - MRENCLAVE, - NONE, -} - pub const SCRT_SGX_STORAGE_ENV_VAR: &str = "SCRT_SGX_STORAGE"; pub const DEFAULT_SGX_SECRET_PATH: &str = "/opt/secret/.sgx_secrets/"; @@ -70,15 +62,6 @@ pub const SEALED_FILE_REK: &str = "rek.sealed"; pub const SEALED_FILE_IRS: &str = "irs.sealed"; pub const SEALED_FILE_VALIDATOR_SET: &str = "validator_set.sealed"; -#[cfg(feature = "production")] -pub const SIGNING_METHOD: SigningMethod = SigningMethod::MRENCLAVE; - -#[cfg(all(not(feature = "production"), not(feature = "test")))] -pub const SIGNING_METHOD: SigningMethod = SigningMethod::MRSIGNER; - -#[cfg(all(not(feature = "production"), feature = "test"))] -pub const SIGNING_METHOD: SigningMethod = SigningMethod::MRSIGNER; - pub const CONSENSUS_SEED_EXCHANGE_KEYPAIR_DERIVE_ORDER: u32 = 1; pub const CONSENSUS_IO_EXCHANGE_KEYPAIR_DERIVE_ORDER: u32 = 2; pub const CONSENSUS_STATE_IKM_DERIVE_ORDER: u32 = 3; From 99854729ae9d85321d20d734463b7a5d13341910 Mon Sep 17 00:00:00 2001 
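Review bot: In `verify_attestation_dcap`, the mr_enclave comparison is now the only identity check on the registering node, and MRENCLAVE does not cover the enclave attributes, so a report with the DEBUG attribute set can carry the same measurement. With mr_signer no longer pinned, the permitted attributes are whatever the signer chose, so this path depends on `verify_quote_sgx` (outside the hunk) rejecting debug reports in production builds. If it does not, test `report_body.attributes.flags & SGX_FLAGS_DEBUG` and return a non-success `NodeAuthResult` before the key is copied out of `report_data`. A one-line comment such as `// mr_signer is intentionally not checked; identity is mr_enclave only` would help later readers, and the parentheses around `report_body.mr_enclave.m` can be dropped. The function starts and ends outside this hunk.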
From: vlad Date: Mon, 8 Dec 2025 12:23:39 +0000 Subject: [PATCH 02/10] removed support for no-dcap attestation flag --- cmd/secretd/attestation.go | 9 ++------- .../execute/src/registration/offchain.rs | 19 +++++++------------ go-cosmwasm/api/lib.go | 10 ++-------- go-cosmwasm/api/lib_mock.go | 2 +- 4 files changed, 12 insertions(+), 28 deletions(-) diff --git a/cmd/secretd/attestation.go b/cmd/secretd/attestation.go index 55e708714..fa3a99ec0 100644 --- a/cmd/secretd/attestation.go +++ b/cmd/secretd/attestation.go @@ -95,11 +95,9 @@ blockchain. Writes the certificate in DER format to ~/attestation_cert } } - no_epid, _ := cmd.Flags().GetBool(flag_no_epid) - no_dcap, _ := cmd.Flags().GetBool(flag_no_dcap) is_migration_report, _ := cmd.Flags().GetBool(flag_is_migration_report) - _, err = api.CreateAttestationReport(no_epid, no_dcap, is_migration_report) + _, err = api.CreateAttestationReport(is_migration_report) if err != nil { return fmt.Errorf("failed to create attestation report: %w", err) } @@ -502,10 +500,7 @@ Please report any issues with this command } } - no_epid, _ := cmd.Flags().GetBool(flag_no_epid) - no_dcap, _ := cmd.Flags().GetBool(flag_no_dcap) - - _, err = api.CreateAttestationReport(no_epid, no_dcap, false) + _, err = api.CreateAttestationReport(false) if err != nil { return fmt.Errorf("failed to create attestation report: %w", err) } diff --git a/cosmwasm/enclaves/execute/src/registration/offchain.rs b/cosmwasm/enclaves/execute/src/registration/offchain.rs index 3725f4863..334068786 100644 --- a/cosmwasm/enclaves/execute/src/registration/offchain.rs +++ b/cosmwasm/enclaves/execute/src/registration/offchain.rs 
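Review bot: Both call sites stop reading `flag_no_epid` and `flag_no_dcap`, but this patch does not touch the lines where those flags are registered on the commands. If they are still registered, the options are accepted and silently ignored, so an operator who passes them gets a DCAP report with no sign that the option had no effect. Remove the registrations and the two constants in the same change, or mark them deprecated with `cmd.Flags().MarkDeprecated(flag_no_dcap, "...")` so the user is warned. A later patch in this series may already do this; it is not visible here.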
@@ -391,20 +391,15 @@ pub unsafe extern "C" fn ecall_get_attestation_report(flags: u32) -> sgx_status_ } }; - let attestation = match 2 & flags { - 0 => { - report_data[0..32].copy_from_slice(&kp.get_pubkey()); + let attestation = { + report_data[0..32].copy_from_slice(&kp.get_pubkey()); - match get_attestation_report_dcap(&report_data) { - Ok(x) => x, - Err(e) => { - return e; - } + match get_attestation_report_dcap(&report_data) { + Ok(x) => x, + Err(e) => { + return e; } } - _ => { - return sgx_status_t::SGX_ERROR_FEATURE_NOT_SUPPORTED; - } }; let out_path = make_sgx_secret_path(if is_migration_report { @@ -582,7 +577,7 @@ pub unsafe extern "C" fn ecall_migration_op(opcode: u32) -> sgx_types::sgx_statu println!("Create self migration report"); export_local_migration_report(); - ecall_get_attestation_report(0x11) // migration, no-epid + ecall_get_attestation_report(0x10) // migration } 2 => { println!("Export encrypted data to the next aurhorized enclave"); diff --git a/go-cosmwasm/api/lib.go b/go-cosmwasm/api/lib.go index defeae218..1cb85a5b6 100644 --- a/go-cosmwasm/api/lib.go +++ b/go-cosmwasm/api/lib.go @@ -515,17 +515,11 @@ func KeyGen() ([]byte, error) { return receiveVector(res), nil } -// CreateAttestationReport Send CreateAttestationReport request to enclave -func CreateAttestationReport(no_epid bool, no_dcap bool, is_migration_report bool) (bool, error) { +// CreateAttestationReport Send request to enclave +func CreateAttestationReport(is_migration_report bool) (bool, error) { errmsg := C.Buffer{} flags := u32(0) - if no_epid { - flags |= u32(1) - } - if no_dcap { - flags |= u32(2) - } if is_migration_report { flags |= u32(0x10) } diff --git a/go-cosmwasm/api/lib_mock.go b/go-cosmwasm/api/lib_mock.go index f25f6e643..632c86026 100644 --- a/go-cosmwasm/api/lib_mock.go +++ b/go-cosmwasm/api/lib_mock.go 
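Review bot: After this change `ecall_get_attestation_report` ignores every bit of `flags` it does not know, where bit 2 used to return `SGX_ERROR_FEATURE_NOT_SUPPORTED`; a caller built against the old interface now gets a DCAP report instead of an error. If 0x10 is the only bit still read (the rest of the function is outside the hunk), reject the others up front with `if flags & !0x10 != 0 { return sgx_status_t::SGX_ERROR_INVALID_PARAMETER; }`. Give 0x10 a named constant shared with the `ecall_migration_op` call in the next hunk. The `let attestation = { ... }` block is left over from the removed `match` and can be flattened so that the `report_data` copy is a plain statement.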
@@ -272,7 +272,7 @@ func KeyGen() ([]byte, error) { } // KeyGen Seng KeyGen request to enclave -func CreateAttestationReport(no_epid bool, no_dcap bool, is_migration_report bool) (bool, error) { +func CreateAttestationReport(is_migration_report bool) (bool, error) { //errmsg := C.Buffer{} //_, err := C.create_attestation_report(&errmsg) //if err != nil { From 89cfe0c8178ca06e8202c581b68b750c42446760 Mon Sep 17 00:00:00 2001 From: vlad Date: Mon, 8 Dec 2025 12:24:46 +0000 Subject: [PATCH 03/10] removed support for epid_whitelist_disabled --- cosmwasm/enclaves/execute/Cargo.toml | 3 +- .../enclaves/execute/src/registration/cert.rs | 35 ------------------- .../src/registration/check_patch_level.rs | 3 -- .../enclaves/execute/src/registration/mod.rs | 5 --- 4 files changed, 1 insertion(+), 45 deletions(-) diff --git a/cosmwasm/enclaves/execute/Cargo.toml b/cosmwasm/enclaves/execute/Cargo.toml index 2302c8579..adfdd86da 100644 --- a/cosmwasm/enclaves/execute/Cargo.toml +++ b/cosmwasm/enclaves/execute/Cargo.toml @@ -10,7 +10,7 @@ name = "secret_enclave" crate-type = ["staticlib"] [features] -default = ["SGX_MODE_SW", "random", "epid_whitelist_disabled"] +default = ["SGX_MODE_SW", "random"] SGX_MODE_SW = [] SGX_MODE_HW = [] production = [ @@ -31,7 +31,6 @@ test = [ "block-verifier/test" ] use_seed_service_on_bootstrap = [] -epid_whitelist_disabled = [] light-client-validation = [ "enclave_contract_engine/light-client-validation", "block-verifier" diff --git a/cosmwasm/enclaves/execute/src/registration/cert.rs b/cosmwasm/enclaves/execute/src/registration/cert.rs index a524ae2ee..d9a441fdf 100644 --- a/cosmwasm/enclaves/execute/src/registration/cert.rs +++ b/cosmwasm/enclaves/execute/src/registration/cert.rs 
@@ -45,17 +45,6 @@ const WHITELIST_FROM_FILE: &str = include_str!("../../whitelist.txt"); ))] const WHITELIST_FROM_FILE: &str = include_str!("fixtures/test_whitelist.txt"); -#[cfg(not(feature = "epid_whitelist_disabled"))] -pub fn check_epid_gid_is_whitelisted(epid_gid: &u32) -> bool { - let decoded = base64::decode(WHITELIST_FROM_FILE.trim()).unwrap(); //will never fail since data is constant - decoded.as_chunks::<4>().0.iter().any(|&arr| { - if epid_gid == &u32::from_be_bytes(arr) { - return true; - } - false - }) -} - #[cfg(feature = "test")] pub mod tests { use std::io::Read; @@ -106,28 +95,4 @@ pub mod tests { #[cfg(not(feature = "SGX_MODE_HW"))] pub fn test_certificate_invalid_configuration_needed() {} - - #[cfg(not(feature = "epid_whitelist_disabled"))] - pub fn test_epid_whitelist() { - // check that we parse this correctly - let res = crate::registration::cert::check_epid_gid_is_whitelisted(&(0xc12 as u32)); - assert_eq!(res, true); - - // check that 2nd number works - let res = crate::registration::cert::check_epid_gid_is_whitelisted(&(0x6942 as u32)); - assert_eq!(res, true); - - // check all kinds of failures that should return false - let res = crate::registration::cert::check_epid_gid_is_whitelisted(&(0x0 as u32)); - assert_eq!(res, false); - - let res = crate::registration::cert::check_epid_gid_is_whitelisted(&(0x120c as u32)); - assert_eq!(res, false); - - let res = crate::registration::cert::check_epid_gid_is_whitelisted(&(0xc120000 as u32)); - assert_eq!(res, false); - - let res = crate::registration::cert::check_epid_gid_is_whitelisted(&(0x1242 as u32)); - assert_eq!(res, false); - } } diff --git a/cosmwasm/enclaves/execute/src/registration/check_patch_level.rs b/cosmwasm/enclaves/execute/src/registration/check_patch_level.rs index 7a55d5f7d..a6b5e61ef 100644 --- a/cosmwasm/enclaves/execute/src/registration/check_patch_level.rs +++ b/cosmwasm/enclaves/execute/src/registration/check_patch_level.rs 
@@ -25,9 +25,6 @@ use crate::sgx_types::{ #[cfg(feature = "SGX_MODE_HW")] use std::{cmp, mem}; -#[cfg(not(feature = "epid_whitelist_disabled"))] -use crate::registration::cert::check_epid_gid_is_whitelisted; - use crate::registration::report::AttestationReport; /// # Safety diff --git a/cosmwasm/enclaves/execute/src/registration/mod.rs b/cosmwasm/enclaves/execute/src/registration/mod.rs index bea253659..02ff0e58d 100644 --- a/cosmwasm/enclaves/execute/src/registration/mod.rs +++ b/cosmwasm/enclaves/execute/src/registration/mod.rs @@ -40,11 +40,6 @@ pub mod tests { panic!("{}: {} tests failed", file!(), failures); } - #[cfg(not(feature = "epid_whitelist_disabled"))] - count_failures!(failures, { - cert::tests::test_epid_whitelist(); - }); - // The test doesn't work for some reason // #[cfg(feature = "SGX_MODE_HW")] // count_failures!(failures, { From c6dd745a732d38868ca182dd1371bc8cd52ddfed Mon Sep 17 00:00:00 2001 From: vlad Date: Thu, 11 Dec 2025 15:14:27 +0000 Subject: [PATCH 04/10] removed spid and api_key usage --- cmd/secretd/attestation.go | 12 +----- cosmwasm/enclaves/execute/Enclave.edl | 10 +---- .../src/registration/check_patch_level.rs | 1 - .../execute/src/registration/offchain.rs | 22 ----------- cosmwasm/packages/sgx-vm/src/seed.rs | 28 ++------------ go-cosmwasm/api/bindings.h | 4 +- go-cosmwasm/api/lib.go | 15 ++------ go-cosmwasm/api/lib_mock.go | 4 +- go-cosmwasm/src/lib.rs | 37 +++---------------- x/compute/internal/keeper/keeper_test.go | 8 +--- .../internal/keeper/enclave/enclave.go | 4 +- .../internal/keeper/enclave_interface.go | 2 +- x/registration/internal/keeper/keeper.go | 7 +--- 13 files changed, 25 insertions(+), 129 deletions(-) diff --git a/cmd/secretd/attestation.go b/cmd/secretd/attestation.go index fa3a99ec0..de0809c06 100644 --- a/cmd/secretd/attestation.go +++ b/cmd/secretd/attestation.go 
@@ -136,18 +136,8 @@ blockchain. Writes the certificate in DER format to ~/attestation_cert regGenState := reg.GetGenesisStateFromAppState(cdc, appState) - spidFile, err := reg.GetSpid() - if err != nil { - return fmt.Errorf("failed to initialize enclave: %w", err) - } - - apiKeyFile, err := reg.GetApiKey() - if err != nil { - return fmt.Errorf("failed to initialize enclave: %w", err) - } - // the master key of the generated certificate is returned here - masterKey, err := api.InitBootstrap(spidFile, apiKeyFile) + masterKey, err := api.InitBootstrap() if err != nil { return fmt.Errorf("failed to initialize enclave: %w", err) } diff --git a/cosmwasm/enclaves/execute/Enclave.edl b/cosmwasm/enclaves/execute/Enclave.edl index e48e04c13..003d6cd4d 100644 --- a/cosmwasm/enclaves/execute/Enclave.edl +++ b/cosmwasm/enclaves/execute/Enclave.edl @@ -23,11 +23,7 @@ enclave { ); public sgx_status_t ecall_init_bootstrap( - [out, count=32] uint8_t* public_key, - [in, count=spid_len] const uint8_t* spid, - uint32_t spid_len, - [in, count=api_key_len] const uint8_t* api_key, - uint32_t api_key_len + [out, count=32] uint8_t* public_key ); public sgx_status_t ecall_key_gen( @@ -95,9 +91,7 @@ enclave { [in, count=master_key_len] const uint8_t* master_key, uintptr_t master_key_len, [in, count=encrypted_seed_len] const uint8_t* encrypted_seed, - uintptr_t encrypted_seed_len, - [in, count=api_key_len] const uint8_t* api_key, - uint32_t api_key_len + uintptr_t encrypted_seed_len ); public sgx_status_t ecall_configure_runtime( diff --git a/cosmwasm/enclaves/execute/src/registration/check_patch_level.rs b/cosmwasm/enclaves/execute/src/registration/check_patch_level.rs index a6b5e61ef..c09593b01 100644 --- a/cosmwasm/enclaves/execute/src/registration/check_patch_level.rs +++ b/cosmwasm/enclaves/execute/src/registration/check_patch_level.rs 
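Review bot: The `ecall_init_node` declaration in Enclave.edl keeps `uintptr_t master_key_len` and `uintptr_t encrypted_seed_len`, while the enclave function in offchain.rs and the untrusted `extern "C"` declaration in seed.rs, both edited in this same commit, take `u32` for those lengths. These lengths feed the `count=` attributes that size the copy into the enclave, so their width should agree on every side of the boundary. Since the signatures are being edited anyway, either declare them `uint32_t` here, as the removed `spid_len` and `api_key_len` were, or switch the Rust declarations to `usize`. Only part of each declaration is visible in these hunks, so confirm against the full EDL.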
@@ -69,7 +69,6 @@ unsafe fn check_patch_level_dcap(pub_k: &[u8; 32]) -> (NodeAuthResult, Option sgx_status_t { validate_mut_ptr!( public_key.as_mut_ptr(), @@ -69,14 +65,6 @@ pub unsafe extern "C" fn ecall_init_bootstrap( sgx_status_t::SGX_ERROR_UNEXPECTED, ); - validate_const_ptr!(spid, spid_len as usize, sgx_status_t::SGX_ERROR_UNEXPECTED); - - validate_const_ptr!( - api_key, - api_key_len as usize, - sgx_status_t::SGX_ERROR_UNEXPECTED, - ); - let mut key_manager = Keychain::new_empty(); if let Err(_e) = key_manager.create_consensus_seed() { @@ -159,18 +147,8 @@ pub unsafe extern "C" fn ecall_init_node( master_key_len: u32, encrypted_seed: *const u8, encrypted_seed_len: u32, - api_key: *const u8, - api_key_len: u32, // seed structure 1 byte - length (96 or 48) | genesis seed bytes | current seed bytes (optional) ) -> sgx_status_t { - validate_const_ptr!( - api_key, - api_key_len as usize, - sgx_status_t::SGX_ERROR_UNEXPECTED, - ); - - let _api_key_slice = slice::from_raw_parts(api_key, api_key_len as usize); - #[cfg(all(feature = "SGX_MODE_HW", feature = "production"))] { let temp_key_result = KeyPair::new(); diff --git a/cosmwasm/packages/sgx-vm/src/seed.rs b/cosmwasm/packages/sgx-vm/src/seed.rs index ac2bb6019..dfa2fe360 100644 --- a/cosmwasm/packages/sgx-vm/src/seed.rs +++ b/cosmwasm/packages/sgx-vm/src/seed.rs @@ -13,18 +13,12 @@ extern "C" { master_key_len: u32, encrypted_seed: *const u8, encrypted_seed_len: u32, - api_key: *const u8, - api_key_len: u32, ) -> sgx_status_t; pub fn ecall_init_bootstrap( eid: sgx_enclave_id_t, retval: *mut sgx_status_t, public_key: &mut [u8; 32], - spid: *const u8, - spid_len: u32, - api_key: *const u8, - api_key_len: u32, ) -> sgx_status_t; pub fn ecall_key_gen( 
@@ -102,11 +96,7 @@ pub fn untrusted_health_check() -> SgxResult { Ok(ret) } -pub fn untrusted_init_node( - master_key: &[u8], - encrypted_seed: &[u8], - api_key: &[u8], -) -> SgxResult<()> { +pub fn untrusted_init_node(master_key: &[u8], encrypted_seed: &[u8]) -> SgxResult<()> { info!("Initializing enclave.."); // Bind the token to a local variable to ensure its @@ -129,8 +119,6 @@ pub fn untrusted_init_node( master_key.len() as u32, encrypted_seed.as_ptr(), encrypted_seed.len() as u32, - api_key.as_ptr(), - api_key.len() as u32, ) }; @@ -352,7 +340,7 @@ pub fn untrusted_key_gen() -> SgxResult<[u8; 32]> { Ok(public_key) } -pub fn untrusted_init_bootstrap(spid: &[u8], api_key: &[u8]) -> SgxResult<[u8; 32]> { +pub fn untrusted_init_bootstrap() -> SgxResult<[u8; 32]> { info!("Hello from just before initializing - untrusted_init_bootstrap"); // Bind the token to a local variable to ensure its @@ -368,17 +356,7 @@ pub fn untrusted_init_bootstrap(spid: &[u8], api_key: &[u8]) -> SgxResult<[u8; 3 let mut retval = sgx_status_t::SGX_SUCCESS; let mut public_key = [0u8; 32]; // let status = unsafe { ecall_get_encrypted_seed(eid, &mut retval, cert, cert_len, & mut seed) }; - let status = unsafe { - ecall_init_bootstrap( - eid, - &mut retval, - &mut public_key, - spid.as_ptr(), - spid.len() as u32, - api_key.as_ptr(), - api_key.len() as u32, - ) - }; + let status = unsafe { ecall_init_bootstrap(eid, &mut retval, &mut public_key) }; if status != sgx_status_t::SGX_SUCCESS { return Err(status); diff --git a/go-cosmwasm/api/bindings.h b/go-cosmwasm/api/bindings.h index 3438fc0e7..933d91cbb 100644 --- a/go-cosmwasm/api/bindings.h +++ b/go-cosmwasm/api/bindings.h 
@@ -185,11 +185,11 @@ Buffer handle(cache_t *cache, Buffer sig_info, uint8_t handle_type); -Buffer init_bootstrap(Buffer spid, Buffer api_key, Buffer *err); +Buffer init_bootstrap(Buffer *err); cache_t *init_cache(Buffer data_dir, Buffer supported_features, uintptr_t _cache_size, Buffer *err); -bool init_node(Buffer master_key, Buffer encrypted_seed, Buffer api_key, Buffer *err); +bool init_node(Buffer master_key, Buffer encrypted_seed, Buffer *err); Buffer instantiate(cache_t *cache, Buffer contract_id, diff --git a/go-cosmwasm/api/lib.go b/go-cosmwasm/api/lib.go index 1cb85a5b6..3f466faed 100644 --- a/go-cosmwasm/api/lib.go +++ b/go-cosmwasm/api/lib.go @@ -75,30 +75,23 @@ func SubmitValidatorSetEvidence(evidence []byte) error { return nil } -func InitBootstrap(spid []byte, apiKey []byte) ([]byte, error) { +func InitBootstrap() ([]byte, error) { errmsg := C.Buffer{} - spidSlice := sendSlice(spid) - defer freeAfterSend(spidSlice) - apiKeySlice := sendSlice(apiKey) - defer freeAfterSend(apiKeySlice) - - res, err := C.init_bootstrap(spidSlice, apiKeySlice, &errmsg) + res, err := C.init_bootstrap(&errmsg) if err != nil { return nil, errorWithMessage(err, errmsg) } return receiveVector(res), nil } -func LoadSeedToEnclave(masterKey []byte, seed []byte, apiKey []byte) (bool, error) { +func LoadSeedToEnclave(masterKey []byte, seed []byte) (bool, error) { pkSlice := sendSlice(masterKey) defer freeAfterSend(pkSlice) seedSlice := sendSlice(seed) defer freeAfterSend(seedSlice) - apiKeySlice := sendSlice(apiKey) - defer freeAfterSend(apiKeySlice) errmsg := C.Buffer{} - _, err := C.init_node(pkSlice, seedSlice, apiKeySlice, &errmsg) + _, err := C.init_node(pkSlice, seedSlice, &errmsg) if err != nil { return false, errorWithMessage(err, errmsg) } diff --git a/go-cosmwasm/api/lib_mock.go b/go-cosmwasm/api/lib_mock.go index 632c86026..11a2accf8 100644 --- a/go-cosmwasm/api/lib_mock.go +++ b/go-cosmwasm/api/lib_mock.go 
@@ -35,7 +35,7 @@ func HealthCheck() ([]byte, error) { return nil, nil } -func InitBootstrap(spid []byte, apiKey []byte) ([]byte, error) { +func InitBootstrap() ([]byte, error) { return nil, nil } @@ -47,7 +47,7 @@ func SubmitValidatorSetEvidence(evidence []byte) error { return nil } -func LoadSeedToEnclave(masterKey []byte, seed []byte, apiKey []byte) (bool, error) { +func LoadSeedToEnclave(masterKey []byte, seed []byte) (bool, error) { return true, nil } diff --git a/go-cosmwasm/src/lib.rs b/go-cosmwasm/src/lib.rs index 1b8641a99..960311278 100644 --- a/go-cosmwasm/src/lib.rs +++ b/go-cosmwasm/src/lib.rs @@ -121,30 +121,10 @@ pub extern "C" fn get_encrypted_genesis_seed(pk: Buffer, err: Option<&mut Buffer } #[no_mangle] -pub extern "C" fn init_bootstrap( - spid: Buffer, - api_key: Buffer, - err: Option<&mut Buffer>, -) -> Buffer { +pub extern "C" fn init_bootstrap(err: Option<&mut Buffer>) -> Buffer { trace!("Hello from right before init_bootstrap"); - let spid_slice = match unsafe { spid.read() } { - None => { - set_error(Error::empty_arg("spid"), err); - return Buffer::default(); - } - Some(r) => r, - }; - - let api_key_slice = match unsafe { api_key.read() } { - None => { - set_error(Error::empty_arg("api_key"), err); - return Buffer::default(); - } - Some(r) => r, - }; - - match untrusted_init_bootstrap(spid_slice, api_key_slice) { + match untrusted_init_bootstrap() { Err(e) => { set_error(Error::enclave_err(e.to_string()), err); Buffer::default() @@ -160,7 +140,6 @@ pub extern "C" fn init_bootstrap( pub extern "C" fn init_node( master_key: Buffer, encrypted_seed: Buffer, - api_key: Buffer, err: Option<&mut Buffer>, ) -> bool { let pk_slice = match unsafe { master_key.read() } { 
@@ -171,12 +150,8 @@ pub extern "C" fn init_node( None => &[], Some(r) => r, }; - let api_key_slice = match unsafe { api_key.read() } { - None => &[], - Some(r) => r, - }; - match untrusted_init_node(pk_slice, encrypted_seed_slice, api_key_slice) { + match untrusted_init_node(pk_slice, encrypted_seed_slice) { Ok(()) => { clear_error(); true @@ -264,7 +239,7 @@ pub extern "C" fn submit_block_signatures( let commit_slice = match unsafe { commit.read() } { None => { - set_error(Error::empty_arg("api_key"), err); + set_error(Error::empty_arg("commit"), err); return TwoBuffers::default(); } Some(r) => r, @@ -292,7 +267,7 @@ pub extern "C" fn submit_block_signatures( }; // let val_set_slice = match unsafe { val_set.read() } { // None => { - // set_error(Error::empty_arg("api_key"), err); + // set_error(Error::empty_arg("val_set"), err); // return TwoBuffers::default(); // } // Some(r) => r, @@ -300,7 +275,7 @@ pub extern "C" fn submit_block_signatures( // // let next_val_set_slice = match unsafe { next_val_set.read() } { // None => { - // set_error(Error::empty_arg("api_key"), err); + // set_error(Error::empty_arg("next_val_set"), err); // return TwoBuffers::default(); // } // Some(r) => r, diff --git a/x/compute/internal/keeper/keeper_test.go b/x/compute/internal/keeper/keeper_test.go index 917ace132..14f1b54a6 100644 --- a/x/compute/internal/keeper/keeper_test.go +++ b/x/compute/internal/keeper/keeper_test.go @@ -39,13 +39,7 @@ func init() { config.SetBech32PrefixForConsensusNode(eng.Bech32PrefixConsAddr, eng.Bech32PrefixConsPub) config.Seal() - spid, err := os.ReadFile("../../../../ias_keys/develop/spid.txt") - apiKey, err := os.ReadFile("../../../../ias_keys/develop/api_key.txt") - - fmt.Printf("This IS spid: %v\n", spid) - fmt.Printf("This IS api key: %v\n", apiKey) - - _, err = api.InitBootstrap(spid, apiKey) + _, err = api.InitBootstrap() if err != nil { panic(fmt.Sprintf("Error initializing the enclave: %v", err)) } 
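Review bot: In `init()` of keeper_test.go, `_, err = api.InitBootstrap()` still uses plain assignment, but the two `os.ReadFile` lines removed just above it were `:=` statements. If they were the first declaration of `err` in this function (its start is outside the hunk), the file no longer compiles. Use `_, err := api.InitBootstrap()`, as this commit does for `enclave.LoadSeed` in keeper.go. If `os` was imported only for those reads, the import has to go as well, since Go rejects unused imports.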
diff --git a/x/registration/internal/keeper/enclave/enclave.go b/x/registration/internal/keeper/enclave/enclave.go index 5e8dff6cb..3613c11fc 100644 --- a/x/registration/internal/keeper/enclave/enclave.go +++ b/x/registration/internal/keeper/enclave/enclave.go @@ -6,8 +6,8 @@ import ( type Api struct{} -func (Api) LoadSeed(masterKey []byte, seed []byte, apiKey []byte) (bool, error) { - return api.LoadSeedToEnclave(masterKey, seed, apiKey) +func (Api) LoadSeed(masterKey []byte, seed []byte) (bool, error) { + return api.LoadSeedToEnclave(masterKey, seed) } func (Api) GetEncryptedSeed(masterCert []byte) ([]byte, error) { diff --git a/x/registration/internal/keeper/enclave_interface.go b/x/registration/internal/keeper/enclave_interface.go index 3b676da27..d5f118176 100644 --- a/x/registration/internal/keeper/enclave_interface.go +++ b/x/registration/internal/keeper/enclave_interface.go @@ -1,7 +1,7 @@ package keeper type EnclaveInterface interface { - LoadSeed(masterKey []byte, seed []byte, apiKey []byte) (bool, error) + LoadSeed(masterKey []byte, seed []byte) (bool, error) GetEncryptedSeed(masterCert []byte) ([]byte, error) GetEncryptedGenesisSeed(pk []byte) ([]byte, error) } diff --git a/x/registration/internal/keeper/keeper.go b/x/registration/internal/keeper/keeper.go index 4b4567512..9170ab4a4 100644 --- a/x/registration/internal/keeper/keeper.go +++ b/x/registration/internal/keeper/keeper.go @@ -95,11 +95,6 @@ func getLegacySeedParams(path string) ([]byte, []byte) { } func InitializeNode(homeDir string, enclave EnclaveInterface) { - apiKey, err := types.GetApiKey() - if err != nil { - panic(errorsmod.Wrap(types.ErrSeedInitFailed, err.Error())) - } - var ( encSeed []byte pk []byte 
@@ -123,7 +118,7 @@ func InitializeNode(homeDir string, enclave EnclaveInterface) { // On upgrade LoadSeed will write the new seed to "SeedPath -- seed.txt" which then will be parsed by the upgrade handler to create new_seed.json // On registration both seed.jsםn and new_seed.json will be created by 'secretd q register secret-network-params' on manual flow or by auto-registration flow" - _, err = enclave.LoadSeed(pk, sizedEndSeed, apiKey) + _, err := enclave.LoadSeed(pk, sizedEndSeed) if err != nil { panic(errorsmod.Wrap(types.ErrSeedInitFailed, err.Error())) } From 079f91ce69372a768d8f056dd52a67b83c2b85ff Mon Sep 17 00:00:00 2001 From: vlad Date: Thu, 11 Dec 2025 15:17:26 +0000 Subject: [PATCH 05/10] removed spid and api_key from files and build process --- .env.local | 2 - .github/workflows/ci.yaml | 8 ---- .github/workflows/release.yaml | 47 ------------------- Makefile | 42 ++--------------- azure-pipelines.yml | 9 ++-- deployment/dockerfiles/Dockerfile | 20 -------- deployment/dockerfiles/Dockerfile.2404 | 21 --------- .../dockerfiles/tests/enclave-test.Dockerfile | 3 -- .../dockerfiles/tests/system-tests.Dockerfile | 9 ---- ias_keys/develop/api_key.txt | 1 - ias_keys/develop/spid.txt | 1 - ias_keys/sw_dummy/api_key.txt | 1 - ias_keys/sw_dummy/spid.txt | 1 - x/registration/alias.go | 2 - x/registration/internal/types/reg_keys.go | 21 --------- .../internal/types/reg_keys_secretcli.go | 11 ----- 16 files changed, 8 insertions(+), 191 deletions(-) delete mode 100644 .env.local delete mode 100644 ias_keys/develop/api_key.txt delete mode 100644 ias_keys/develop/spid.txt delete mode 100644 ias_keys/sw_dummy/api_key.txt delete mode 100644 ias_keys/sw_dummy/spid.txt delete mode 100644 x/registration/internal/types/reg_keys.go delete mode 100644 x/registration/internal/types/reg_keys_secretcli.go diff --git a/.env.local b/.env.local deleted file mode 100644 index bdee64e1d..000000000 --- a/.env.local +++ /dev/null 
@@ -1,2 +0,0 @@ -API_KEY=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -SPID=00000000000000000000000000000000 diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 994beee4d..5108f5018 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -200,10 +200,7 @@ jobs: source "$HOME/.sgxsdk/sgxsdk/environment" export SGX_MODE=SW cp librust_cosmwasm_enclave.signed.so ./x/compute/internal/keeper - mkdir -p ias_keys/develop mkdir -p /opt/secret/.sgx_secrets/ - echo "not_a_key" > ias_keys/develop/spid.txt - echo "not_a_key" > ias_keys/develop/api_key.txt LOG_LEVEL=ERROR go test -v -tags "test" ./x/compute/client/... LOG_LEVEL=ERROR SKIP_LIGHT_CLIENT_VALIDATION=TRUE go test -p 1 -timeout 90m -v -tags "test" ./x/compute/internal/... - name: Test x/cron @@ -260,8 +257,6 @@ jobs: - name: Clippy run: | source "$HOME/.sgxsdk/sgxsdk/environment" - mkdir -p ias_keys/production - cp ias_keys/develop/api_key.txt ias_keys/production/api_key.txt SGX_MODE=SW make clippy SGX_MODE=HW make clippy @@ -282,9 +277,6 @@ jobs: context: . load: true tags: ghcr.io/scrtlabs/localsecret:v0.0.0 - secrets: | - API_KEY=00000000000000000000000000000000 - SPID=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF build-args: | SECRET_NODE_TYPE=BOOTSTRAP CHAIN_ID=secretdev-1 diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 76837e28d..ae7c248ee 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -17,9 +17,6 @@ jobs: matrix: db_backend: [goleveldb] runs-on: ubuntu-22.04 - env: # Or as an environment variable - SPID: ${{ secrets.SPID_TESTNET }} - API_KEY: ${{ secrets.API_KEY_TESTNET }} steps: - uses: actions/checkout@v4 with: @@ -45,9 +42,6 @@ jobs: context: . load: true tags: deb_build - secrets: | - API_KEY=${{ secrets.API_KEY_TESTNET }} - SPID=${{ secrets.SPID_TESTNET }} build-args: | SECRET_NODE_TYPE=NODE DB_BACKEND=${{ matrix.db_backend }} 
@@ -71,9 +65,6 @@ jobs: matrix: db_backend: [goleveldb] runs-on: ubuntu-24.04 - env: # Or as an environment variable - SPID: ${{ secrets.SPID_TESTNET }} - API_KEY: ${{ secrets.API_KEY_TESTNET }} steps: - name: Clean up space (workaround) run: | @@ -105,9 +96,6 @@ jobs: context: . load: true tags: deb_build - secrets: | - API_KEY=${{ secrets.API_KEY_TESTNET }} - SPID=${{ secrets.SPID_TESTNET }} build-args: | SECRET_NODE_TYPE=NODE DB_BACKEND=${{ matrix.db_backend }} @@ -132,8 +120,6 @@ jobs: matrix: db_backend: [goleveldb] env: # Or as an environment variable - SPID: ${{ secrets.SPID_MAINNET }} - API_KEY: ${{ secrets.API_KEY_MAINNET }} REGISTRY: ghcr.io IMAGE_NAME: scrtlabs/secret-network-node steps: @@ -164,9 +150,6 @@ jobs: context: . push: false tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:v${{ steps.get_version.outputs.VERSION }} - secrets: | - API_KEY=${{ secrets.API_KEY_MAINNET }} - SPID=${{ secrets.SPID_MAINNET }} build-args: | FEATURES=verify-validator-whitelist,light-client-validation,random,production FEATURES_U=production @@ -187,9 +170,6 @@ jobs: context: . load: true tags: deb_build - secrets: | - API_KEY=${{ secrets.API_KEY_MAINNET }} - SPID=${{ secrets.SPID_MAINNET }} build-args: | FEATURES=verify-validator-whitelist,light-client-validation,random,production FEATURES_U=production @@ -215,8 +195,6 @@ jobs: matrix: db_backend: [goleveldb] env: # Or as an environment variable - SPID: ${{ secrets.SPID_MAINNET }} - API_KEY: ${{ secrets.API_KEY_MAINNET }} REGISTRY: ghcr.io IMAGE_NAME: scrtlabs/secret-network-node steps: @@ -241,9 +219,6 @@ jobs: context: . push: true tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:v${{ steps.get_version.outputs.VERSION }} - secrets: | - API_KEY=${{ secrets.API_KEY_MAINNET }} - SPID=${{ secrets.SPID_MAINNET }} build-args: | FEATURES=verify-validator-whitelist,light-client-validation,random,production FEATURES_U=production 
@@ -264,9 +239,6 @@ jobs: context: . load: true tags: deb_build - secrets: | - API_KEY=${{ secrets.API_KEY_MAINNET }} - SPID=${{ secrets.SPID_MAINNET }} build-args: | FEATURES=verify-validator-whitelist,light-client-validation,random,production FEATURES_U=production @@ -330,10 +302,6 @@ jobs: check-hw-tool: runs-on: ubuntu-22.04 - env: # Or as an environment variable - SPID: ${{ secrets.SPID_TESTNET }} - API_KEY: ${{ secrets.API_KEY_TESTNET }} - API_KEY_MAINNET: ${{ secrets.API_KEY_MAINNET }} steps: - uses: actions/checkout@v4 with: @@ -348,10 +316,6 @@ jobs: context: . load: true tags: check_hw_tool_build - secrets: | - API_KEY=${{ secrets.API_KEY_TESTNET }} - SPID=${{ secrets.SPID_TESTNET }} - API_KEY_MAINNET=${{ secrets.API_KEY_MAINNET }} build-args: | BUILD_VERSION=${{ steps.get_version.outputs.VERSION }} SGX_MODE=HW @@ -368,10 +332,6 @@ jobs: check-hw-tool-2404: runs-on: ubuntu-24.04 - env: # Or as an environment variable - SPID: ${{ secrets.SPID_TESTNET }} - API_KEY: ${{ secrets.API_KEY_TESTNET }} - API_KEY_MAINNET: ${{ secrets.API_KEY_MAINNET }} steps: - uses: actions/checkout@v4 with: @@ -386,10 +346,6 @@ jobs: context: . load: true tags: check_hw_tool_build - secrets: | - API_KEY=${{ secrets.API_KEY_TESTNET }} - SPID=${{ secrets.SPID_TESTNET }} - API_KEY_MAINNET=${{ secrets.API_KEY_MAINNET }} build-args: | BUILD_VERSION=${{ steps.get_version.outputs.VERSION }} SGX_MODE=HW @@ -432,9 +388,6 @@ jobs: context: . push: true tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.get_version.outputs.VERSION }} - secrets: | - API_KEY=00000000000000000000000000000000 - SPID=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF build-args: | SECRET_NODE_TYPE=BOOTSTRAP CHAIN_ID=secretdev-1 diff --git a/Makefile b/Makefile index 6b19ff5de..9068130fb 100644 --- a/Makefile +++ b/Makefile 
@@ -2,10 +2,6 @@ VERSION ?= $(shell echo $(shell git describe --tags) | sed 's/^v//') COMMIT := $(shell git log -1 --format='%H') DOCKER := $(shell which docker) -# SPID and API_KEY are used for Intel SGX attestation -SPID ?= 00000000000000000000000000000000 -API_KEY ?= FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF - # Environment variables and build tags setup LEDGER_ENABLED ?= true BINDIR ?= $(GOPATH)/bin @@ -157,7 +153,7 @@ go.sum: go.mod build_cli: CGO_LDFLAGS=$(CGO_LDFLAGS) go build -o secretcli -mod=readonly $(GCFLAGS) -tags "$(filter-out sgx, $(GO_TAGS)) secretcli" -ldflags '$(LD_FLAGS)' ./cmd/secretd -build_local_no_rust: bin-data-$(IAS_BUILD) +build_local_no_rust: cp go-cosmwasm/target/$(BUILD_PROFILE)/libgo_cosmwasm.so go-cosmwasm/api CGO_LDFLAGS=$(CGO_LDFLAGS) go build -mod=readonly $(GCFLAGS) -tags "$(GO_TAGS)" -ldflags '$(LD_FLAGS)' ./cmd/secretd @@ -238,8 +234,6 @@ localsecret: DOCKER_BUILDKIT=1 docker build \ --build-arg FEATURES="${FEATURES},debug-print,random,light-client-validation" \ --build-arg FEATURES_U=${FEATURES_U} \ - --secret id=API_KEY,src=.env.local \ - --secret id=SPID,src=.env.local \ --build-arg SGX_MODE=SW \ $(DOCKER_BUILD_ARGS) \ --build-arg SECRET_NODE_TYPE=BOOTSTRAP \ @@ -254,8 +248,6 @@ build-ibc-hermes: build-testnet-bootstrap: @mkdir build 2>&3 || true DOCKER_BUILDKIT=1 docker build --build-arg BUILDKIT_INLINE_CACHE=1 \ - --secret id=API_KEY,src=api_key.txt \ - --secret id=SPID,src=spid.txt \ --build-arg BUILD_VERSION=${VERSION} \ --build-arg SGX_MODE=${SGX_MODE} \ $(DOCKER_BUILD_ARGS) \ @@ -269,8 +261,6 @@ build-testnet-bootstrap: build-testnet: @mkdir build 2>&3 || true DOCKER_BUILDKIT=1 docker build --build-arg BUILDKIT_INLINE_CACHE=1 \ - --secret id=API_KEY,src=api_key.txt \ - --secret id=SPID,src=spid.txt \ --build-arg BUILD_VERSION=${VERSION} \ --build-arg SGX_MODE=${SGX_MODE} \ --build-arg FEATURES="verify-validator-whitelist,light-client-validation,random,${FEATURES}" \ 
@@ -282,8 +272,6 @@ build-testnet: -t ghcr.io/scrtlabs/secret-network-node-testnet:v$(VERSION) \ --target release-image . DOCKER_BUILDKIT=1 docker build --build-arg BUILDKIT_INLINE_CACHE=1 \ - --secret id=API_KEY,src=api_key.txt \ - --secret id=SPID,src=spid.txt \ --build-arg BUILD_VERSION=${VERSION} \ --build-arg SGX_MODE=${SGX_MODE} \ --build-arg FEATURES="verify-validator-whitelist,light-client-validation,random,${FEATURES}" \ @@ -302,8 +290,6 @@ build-mainnet-upgrade: DOCKER_BUILDKIT=1 docker build --build-arg FEATURES="verify-validator-whitelist,light-client-validation,production, ${FEATURES}" \ --build-arg FEATURES_U="production, ${FEATURES_U}" \ --build-arg BUILDKIT_INLINE_CACHE=1 \ - --secret id=API_KEY,src=api_key.txt \ - --secret id=SPID,src=spid.txt \ --build-arg SECRET_NODE_TYPE=NODE \ --build-arg DB_BACKEND=${DB_BACKEND} \ --build-arg BUILD_VERSION=${VERSION} \ @@ -315,8 +301,6 @@ build-mainnet-upgrade: DOCKER_BUILDKIT=1 docker build --build-arg FEATURES="verify-validator-whitelist,light-client-validation,production, ${FEATURES}" \ --build-arg FEATURES_U="production, ${FEATURES_U}" \ --build-arg BUILDKIT_INLINE_CACHE=1 \ - --secret id=API_KEY,src=api_key.txt \ - --secret id=SPID,src=spid.txt \ --build-arg DB_BACKEND=${DB_BACKEND} \ --build-arg BUILD_VERSION=${VERSION} \ --build-arg SGX_MODE=HW \ @@ -331,8 +315,6 @@ build-mainnet: DOCKER_BUILDKIT=1 docker build --build-arg FEATURES="verify-validator-whitelist,light-client-validation,production,random, ${FEATURES}" \ --build-arg FEATURES_U=${FEATURES_U} \ --build-arg BUILDKIT_INLINE_CACHE=1 \ - --secret id=API_KEY,src=api_key.txt \ - --secret id=SPID,src=spid.txt \ --build-arg SECRET_NODE_TYPE=NODE \ --build-arg BUILD_VERSION=${VERSION} \ --build-arg SGX_MODE=HW \ 
@@ -345,8 +327,6 @@ build-mainnet: DOCKER_BUILDKIT=1 docker build --build-arg FEATURES="verify-validator-whitelist,light-client-validation,production,random, ${FEATURES}" \ --build-arg FEATURES_U=${FEATURES_U} \ --build-arg BUILDKIT_INLINE_CACHE=1 \ - --secret id=API_KEY,src=api_key.txt \ - --secret id=SPID,src=spid.txt \ --build-arg BUILD_VERSION=${VERSION} \ --build-arg DB_BACKEND=${DB_BACKEND} \ --build-arg CGO_LDFLAGS=${DOCKER_CGO_LDFLAGS} \ @@ -363,9 +343,6 @@ build-check-hw-tool: DOCKER_BUILDKIT=1 docker build --build-arg FEATURES="${FEATURES}" \ --build-arg FEATURES_U=${FEATURES_U} \ --build-arg BUILDKIT_INLINE_CACHE=1 \ - --secret id=API_KEY,src=ias_keys/develop/api_key.txt \ - --secret id=API_KEY_MAINNET,src=ias_keys/production/api_key.txt \ - --secret id=SPID,src=spid.txt \ --build-arg SECRET_NODE_TYPE=NODE \ --build-arg BUILD_VERSION=${VERSION} \ --build-arg SGX_MODE=HW \ 
@@ -460,19 +437,19 @@ build-test-contracts: cp $(TEST_CONTRACT_V1_PATH)/random-test/v1_random_test.wasm $(TEST_COMPUTE_MODULE_PATH)/v1_random_test.wasm -prep-go-tests: build-test-contracts bin-data-sw +prep-go-tests: build-test-contracts # empty BUILD_PROFILE means debug mode which compiles faster SGX_MODE=SW $(MAKE) build-linux cp ./$(EXECUTE_ENCLAVE_PATH)/librust_cosmwasm_enclave.signed.so ./x/compute/internal/keeper cp ./$(EXECUTE_ENCLAVE_PATH)/librust_cosmwasm_enclave.signed.so . -go-tests: build-test-contracts bin-data-sw +go-tests: build-test-contracts # SGX_MODE=SW $(MAKE) build-tm-secret-enclave SGX_MODE=SW $(MAKE) build-linux cp ./$(EXECUTE_ENCLAVE_PATH)/librust_cosmwasm_enclave.signed.so ./x/compute/internal/keeper GOMAXPROCS=8 SGX_MODE=SW SCRT_SGX_STORAGE='./' SKIP_LIGHT_CLIENT_VALIDATION=TRUE go test -count 1 -failfast -timeout 90m -v ./x/compute/internal/... $(GO_TEST_ARGS) -go-tests-hw: build-test-contracts bin-data +go-tests-hw: build-test-contracts # empty BUILD_PROFILE means debug mode which compiles faster # SGX_MODE=HW $(MAKE) build-tm-secret-enclave SGX_MODE=HW $(MAKE) build-linux 
@@ -516,17 +493,6 @@ build-erc20-contract: build-test-contracts cd .$(CW_CONTRACTS_V010_PATH)/erc20 && RUSTFLAGS='-C link-arg=-s' cargo build --release --target wasm32-unknown-unknown --locked wasm-opt -Os .$(CW_CONTRACTS_V010_PATH)/erc20/target/wasm32-unknown-unknown/release/cw_erc20.wasm -o ./erc20.wasm -bin-data: bin-data-sw bin-data-develop bin-data-production - -bin-data-sw: - cd ./x/registration/internal/types && go-bindata -o ias_bin_sw.go -pkg types -prefix "../../../../ias_keys/sw_dummy/" -tags "!hw" ../../../../ias_keys/sw_dummy/... - -bin-data-develop: - cd ./x/registration/internal/types && go-bindata -o ias_bin_dev.go -pkg types -prefix "../../../../ias_keys/develop/" -tags "develop,hw" ../../../../ias_keys/develop/... - -bin-data-production: - cd ./x/registration/internal/types && go-bindata -o ias_bin_prod.go -pkg types -prefix "../../../../ias_keys/production/" -tags "production,hw" ../../../../ias_keys/production/... - # Before running this you might need to do: # 1. sudo docker login -u ABC -p XYZ # 2. sudo docker buildx create --use diff --git a/azure-pipelines.yml b/azure-pipelines.yml index 2d735d342..a11db00c1 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml @@ -33,7 +33,6 @@ jobs: - checkout: "self" submodules: true displayName: "Checkout Repository and Submodules" - - script: echo $(spid) > spid.txt; echo $(api-key-dev) > api_key.txt displayName: "Save api keys" - task: Docker@2 @@ -45,7 +44,7 @@ jobs: $(tag) latest buildContext: . - arguments: --secret id=API_KEY,src=api_key.txt --secret id=SPID,src=spid.txt --cache-from $(baseImageRepository) --build-arg SGX_MODE=$(SGX_MODE) --build-arg FEATURES=$(FEATURES) --target compile-secretd + arguments: --cache-from $(baseImageRepository) --build-arg SGX_MODE=$(SGX_MODE) --build-arg FEATURES=$(FEATURES) --target compile-secretd dockerfile: '$(dockerfilePath)' - task: Docker@2 
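Review bot: The "Save api keys" step in azure-pipelines.yml does not look fully removed: the hunk at old line 33 keeps `displayName: "Save api keys"` as context, and in this collapsed rendering it is not certain whether the `- script: echo $(spid) > spid.txt; echo $(api-key-dev) > api_key.txt` line is the one deleted. If only the script line went, the leftover `displayName` attaches to the checkout step as a duplicate key. If the script line stayed, the pipeline still writes both secrets to workspace files that no later `--secret` argument consumes. Either way, both lines of the step should be deleted together.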
@@ -57,7 +56,7 @@ jobs: $(tag) latest buildContext: . - arguments: --secret id=API_KEY,src=api_key.txt --secret id=SPID,src=spid.txt --cache-from $(baseImageRepositoryLocalTests) --build-arg SGX_MODE=$(SGX_MODE) --build-arg FEATURES=$(FEATURES_TESTS_LOCAL) --target compile-secretd + arguments: --cache-from $(baseImageRepositoryLocalTests) --build-arg SGX_MODE=$(SGX_MODE) --build-arg FEATURES=$(FEATURES_TESTS_LOCAL) --target compile-secretd dockerfile: '$(dockerfilePath)' - script: | @@ -74,7 +73,7 @@ jobs: repository: '$(nodeImageRepository)' tags: latest buildContext: . - arguments: --secret id=API_KEY,src=api_key.txt --secret id=SPID,src=spid.txt --build-arg SCRT_BIN_IMAGE=$(baseImageRepository):$(tag) --cache-from $(nodeImageRepository) --build-arg SGX_MODE=$(SGX_MODE) --build-arg FEATURES=$(FEATURES) --target release-image + arguments: --build-arg SCRT_BIN_IMAGE=$(baseImageRepository):$(tag) --cache-from $(nodeImageRepository) --build-arg SGX_MODE=$(SGX_MODE) --build-arg FEATURES=$(FEATURES) --target release-image Dockerfile: deployment/dockerfiles/Dockerfile - task: Docker@2 @@ -84,7 +83,7 @@ jobs: repository: rust-enclave-test tags: latest buildContext: . - arguments: --secret id=API_KEY,src=api_key.txt --secret id=SPID,src=spid.txt --build-arg SGX_MODE=HW + arguments: --build-arg SGX_MODE=HW Dockerfile: deployment/dockerfiles/tests/enclave-test.Dockerfile - task: Docker@2 diff --git a/deployment/dockerfiles/Dockerfile b/deployment/dockerfiles/Dockerfile index 612046b09..25e706f00 100644 --- a/deployment/dockerfiles/Dockerfile +++ b/deployment/dockerfiles/Dockerfile 
@@ -134,18 +134,6 @@ RUN mkdir -p /go/src/github.com/scrtlabs/SecretNetwork/go-cosmwasm/target/releas COPY --from=compile-enclave /go/src/github.com/scrtlabs/SecretNetwork/go-cosmwasm/target/release/libgo_cosmwasm.so /go/src/github.com/scrtlabs/SecretNetwork/go-cosmwasm/target/release/libgo_cosmwasm.so COPY --from=compile-enclave /go/src/github.com/scrtlabs/SecretNetwork/go-cosmwasm/librust_cosmwasm_enclave.signed.so /go/src/github.com/scrtlabs/SecretNetwork/go-cosmwasm/librust_cosmwasm_enclave.signed.so -RUN mkdir -p /go/src/github.com/scrtlabs/SecretNetwork/ias_keys/develop -RUN mkdir -p /go/src/github.com/scrtlabs/SecretNetwork/ias_keys/sw_dummy -RUN mkdir -p /go/src/github.com/scrtlabs/SecretNetwork/ias_keys/production - -RUN --mount=type=secret,id=SPID,dst=/run/secrets/spid.txt cat /run/secrets/spid.txt > /go/src/github.com/scrtlabs/SecretNetwork/ias_keys/develop/spid.txt -RUN --mount=type=secret,id=SPID,dst=/run/secrets/spid.txt cat /run/secrets/spid.txt > /go/src/github.com/scrtlabs/SecretNetwork/ias_keys/sw_dummy/spid.txt -RUN --mount=type=secret,id=SPID,dst=/run/secrets/spid.txt cat /run/secrets/spid.txt > /go/src/github.com/scrtlabs/SecretNetwork/ias_keys/production/spid.txt - -RUN --mount=type=secret,id=API_KEY,dst=/run/secrets/api_key.txt cat /run/secrets/api_key.txt > /go/src/github.com/scrtlabs/SecretNetwork/ias_keys/develop/api_key.txt -RUN --mount=type=secret,id=API_KEY,dst=/run/secrets/api_key.txt cat /run/secrets/api_key.txt > /go/src/github.com/scrtlabs/SecretNetwork/ias_keys/sw_dummy/api_key.txt -RUN --mount=type=secret,id=API_KEY,dst=/run/secrets/api_key.txt cat /run/secrets/api_key.txt > /go/src/github.com/scrtlabs/SecretNetwork/ias_keys/production/api_key.txt - RUN . /opt/sgxsdk/environment && env && CGO_LDFLAGS=${CGO_LDFLAGS} DB_BACKEND=${DB_BACKEND} VERSION=${VERSION} FEATURES=${FEATURES} SGX_MODE=${SGX_MODE} make build_local_no_rust RUN . 
/opt/sgxsdk/environment && env && VERSION=${VERSION} FEATURES=${FEATURES} SGX_MODE=${SGX_MODE} make build_cli @@ -312,14 +300,6 @@ RUN STORAGE_PATH=$(echo ${VERSION} | awk -F'[.]' '{print $1 $2}') \ && wget -O check-hw/check_hw_enclave.so https://engfilestorage.blob.core.windows.net/v$STORAGE_PATH/librust_cosmwasm_enclave.signed.so COPY --from=compile-secretd /go/src/github.com/scrtlabs/SecretNetwork/go-cosmwasm/librust_cosmwasm_enclave.signed.so check-hw/check_hw_enclave_testnet.so -RUN mkdir -p /go/src/github.com/scrtlabs/SecretNetwork/ias_keys/develop -RUN mkdir -p /go/src/github.com/scrtlabs/SecretNetwork/ias_keys/sw_dummy -RUN mkdir -p /go/src/github.com/scrtlabs/SecretNetwork/ias_keys/production - -RUN --mount=type=secret,id=API_KEY,dst=/run/secrets/api_key.txt cat /run/secrets/api_key.txt > /go/src/github.com/scrtlabs/SecretNetwork/ias_keys/develop/api_key.txt -RUN --mount=type=secret,id=API_KEY,dst=/run/secrets/api_key.txt cat /run/secrets/api_key.txt > /go/src/github.com/scrtlabs/SecretNetwork/ias_keys/sw_dummy/api_key.txt -RUN --mount=type=secret,id=API_KEY_MAINNET,dst=/run/secrets/api_key.txt cat /run/secrets/api_key.txt > /go/src/github.com/scrtlabs/SecretNetwork/ias_keys/production/api_key.txt - WORKDIR /go/src/github.com/scrtlabs/SecretNetwork/check-hw diff --git a/deployment/dockerfiles/Dockerfile.2404 b/deployment/dockerfiles/Dockerfile.2404 index 744b0543f..bc0cd4d2c 100644 --- a/deployment/dockerfiles/Dockerfile.2404 +++ b/deployment/dockerfiles/Dockerfile.2404 
@@ -134,18 +134,6 @@ RUN mkdir -p /go/src/github.com/scrtlabs/SecretNetwork/go-cosmwasm/target/releas COPY --from=compile-enclave /go/src/github.com/scrtlabs/SecretNetwork/go-cosmwasm/target/release/libgo_cosmwasm.so /go/src/github.com/scrtlabs/SecretNetwork/go-cosmwasm/target/release/libgo_cosmwasm.so COPY --from=compile-enclave /go/src/github.com/scrtlabs/SecretNetwork/go-cosmwasm/librust_cosmwasm_enclave.signed.so /go/src/github.com/scrtlabs/SecretNetwork/go-cosmwasm/librust_cosmwasm_enclave.signed.so -RUN mkdir -p /go/src/github.com/scrtlabs/SecretNetwork/ias_keys/develop -RUN mkdir -p /go/src/github.com/scrtlabs/SecretNetwork/ias_keys/sw_dummy -RUN mkdir -p /go/src/github.com/scrtlabs/SecretNetwork/ias_keys/production - -RUN --mount=type=secret,id=SPID,dst=/run/secrets/spid.txt cat /run/secrets/spid.txt > /go/src/github.com/scrtlabs/SecretNetwork/ias_keys/develop/spid.txt -RUN --mount=type=secret,id=SPID,dst=/run/secrets/spid.txt cat /run/secrets/spid.txt > /go/src/github.com/scrtlabs/SecretNetwork/ias_keys/sw_dummy/spid.txt -RUN --mount=type=secret,id=SPID,dst=/run/secrets/spid.txt cat /run/secrets/spid.txt > /go/src/github.com/scrtlabs/SecretNetwork/ias_keys/production/spid.txt - -RUN --mount=type=secret,id=API_KEY,dst=/run/secrets/api_key.txt cat /run/secrets/api_key.txt > /go/src/github.com/scrtlabs/SecretNetwork/ias_keys/develop/api_key.txt -RUN --mount=type=secret,id=API_KEY,dst=/run/secrets/api_key.txt cat /run/secrets/api_key.txt > /go/src/github.com/scrtlabs/SecretNetwork/ias_keys/sw_dummy/api_key.txt -RUN --mount=type=secret,id=API_KEY,dst=/run/secrets/api_key.txt cat /run/secrets/api_key.txt > /go/src/github.com/scrtlabs/SecretNetwork/ias_keys/production/api_key.txt - RUN . /opt/sgxsdk/environment && env && CGO_LDFLAGS=${CGO_LDFLAGS} DB_BACKEND=${DB_BACKEND} VERSION=${VERSION} FEATURES=${FEATURES} SGX_MODE=${SGX_MODE} make build_local_no_rust RUN . 
/opt/sgxsdk/environment && env && VERSION=${VERSION} FEATURES=${FEATURES} SGX_MODE=${SGX_MODE} make build_cli @@ -312,15 +300,6 @@ RUN STORAGE_PATH=$(echo ${VERSION} | awk -F'[.]' '{print $1 $2}') \ && wget -O check-hw/check_hw_enclave.so https://engfilestorage.blob.core.windows.net/v$STORAGE_PATH/librust_cosmwasm_enclave.signed.so COPY --from=compile-secretd /go/src/github.com/scrtlabs/SecretNetwork/go-cosmwasm/librust_cosmwasm_enclave.signed.so check-hw/check_hw_enclave_testnet.so -RUN mkdir -p /go/src/github.com/scrtlabs/SecretNetwork/ias_keys/develop -RUN mkdir -p /go/src/github.com/scrtlabs/SecretNetwork/ias_keys/sw_dummy -RUN mkdir -p /go/src/github.com/scrtlabs/SecretNetwork/ias_keys/production - -RUN --mount=type=secret,id=API_KEY,dst=/run/secrets/api_key.txt cat /run/secrets/api_key.txt > /go/src/github.com/scrtlabs/SecretNetwork/ias_keys/develop/api_key.txt -RUN --mount=type=secret,id=API_KEY,dst=/run/secrets/api_key.txt cat /run/secrets/api_key.txt > /go/src/github.com/scrtlabs/SecretNetwork/ias_keys/sw_dummy/api_key.txt -RUN --mount=type=secret,id=API_KEY_MAINNET,dst=/run/secrets/api_key.txt cat /run/secrets/api_key.txt > /go/src/github.com/scrtlabs/SecretNetwork/ias_keys/production/api_key.txt - - WORKDIR /go/src/github.com/scrtlabs/SecretNetwork/check-hw RUN make diff --git a/deployment/dockerfiles/tests/enclave-test.Dockerfile b/deployment/dockerfiles/tests/enclave-test.Dockerfile index 69536d454..2ab8a5d76 100644 --- a/deployment/dockerfiles/tests/enclave-test.Dockerfile +++ b/deployment/dockerfiles/tests/enclave-test.Dockerfile 
@@ -28,9 +28,6 @@ COPY rust-toolchain rust-toolchain RUN rustup component add rust-src RUN cargo install xargo --version 0.3.25 -RUN --mount=type=secret,id=SPID,dst=/run/secrets/spid.txt cat /run/secrets/spid.txt > /enclave-test/cosmwasm/enclaves/execute/spid.txt -RUN --mount=type=secret,id=API_KEY,dst=/run/secrets/api_key.txt cat /run/secrets/api_key.txt > /enclave-test/cosmwasm/enclaves/execute/api_key.txt - COPY deployment/ci/enclave-test.sh . RUN chmod +x enclave-test.sh diff --git a/deployment/dockerfiles/tests/system-tests.Dockerfile b/deployment/dockerfiles/tests/system-tests.Dockerfile index 1fbb37fe0..f00977602 100644 --- a/deployment/dockerfiles/tests/system-tests.Dockerfile +++ b/deployment/dockerfiles/tests/system-tests.Dockerfile @@ -25,17 +25,8 @@ COPY go.sum . COPY cmd cmd RUN true COPY client client -COPY ias_keys ias_keys COPY eip191 eip191 -COPY spid.txt ias_keys/develop/spid.txt -COPY spid.txt ias_keys/sw_dummy/spid.txt -COPY spid.txt ias_keys/production/spid.txt - -COPY api_key.txt ias_keys/develop/api_key.txt -COPY api_key.txt ias_keys/sw_dummy/api_key.txt -COPY api_key.txt ias_keys/production/api_key.txt - COPY deployment/ci/go-tests.sh . COPY deployment/ci/go-tests-bench.sh . #COPY path/to/tests.js diff --git a/ias_keys/develop/api_key.txt b/ias_keys/develop/api_key.txt deleted file mode 100644 index 2e4d1dc7e..000000000 --- a/ias_keys/develop/api_key.txt +++ /dev/null @@ -1 +0,0 @@ -024bfdb2e8b842a79d2237a295962efc \ No newline at end of file diff --git a/ias_keys/develop/spid.txt b/ias_keys/develop/spid.txt deleted file mode 100644 index 196492547..000000000 --- a/ias_keys/develop/spid.txt +++ /dev/null @@ -1 +0,0 @@ -FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF \ No newline at end of file diff --git a/ias_keys/sw_dummy/api_key.txt b/ias_keys/sw_dummy/api_key.txt deleted file mode 100644 index 445c72458..000000000 --- a/ias_keys/sw_dummy/api_key.txt +++ /dev/null @@ -1 +0,0 @@ -00000000000000000000000000000000 \ No newline at end of file 
diff --git a/ias_keys/sw_dummy/spid.txt b/ias_keys/sw_dummy/spid.txt deleted file mode 100644 index 196492547..000000000 --- a/ias_keys/sw_dummy/spid.txt +++ /dev/null @@ -1 +0,0 @@ -FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF \ No newline at end of file diff --git a/x/registration/alias.go b/x/registration/alias.go index 99e2d4b4f..ebf9e497d 100644 --- a/x/registration/alias.go +++ b/x/registration/alias.go @@ -43,8 +43,6 @@ var ( NewQuerier = keeper.NewQuerier GetGenesisStateFromAppState = keeper.GetGenesisStateFromAppState IsHexString = keeper.IsHexString - GetApiKey = types.GetApiKey - GetSpid = types.GetSpid // variable aliases ModuleCdc = types.ModuleCdc DefaultCodespace = types.DefaultCodespace diff --git a/x/registration/internal/types/reg_keys.go b/x/registration/internal/types/reg_keys.go deleted file mode 100644 index bd9e883bc..000000000 --- a/x/registration/internal/types/reg_keys.go +++ /dev/null @@ -1,21 +0,0 @@ -//go:build !test && !secretcli - -package types - -func GetApiKey() ([]byte, error) { - apiKeyFile, err := Asset("api_key.txt") - if err != nil { - return nil, err - } - - return apiKeyFile, nil -} - -func GetSpid() ([]byte, error) { - apiKeyFile, err := Asset("spid.txt") - if err != nil { - return nil, err - } - - return apiKeyFile, nil -} diff --git a/x/registration/internal/types/reg_keys_secretcli.go b/x/registration/internal/types/reg_keys_secretcli.go deleted file mode 100644 index 814fd1eb2..000000000 --- a/x/registration/internal/types/reg_keys_secretcli.go +++ /dev/null @@ -1,11 +0,0 @@ -//go:build test || secretcli - -package types - -func GetApiKey() ([]byte, error) { - return nil, nil -} - -func GetSpid() ([]byte, error) { - return nil, nil -} From bb8c9e77b32baf206fdcf28c3241547399ab0943 Mon Sep 17 00:00:00 2001 From: vlad Date: Mon, 22 Dec 2025 14:22:38 +0000 Subject: [PATCH 06/10] build fix --- x/registration/internal/keeper/mock/enclave.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/x/registration/internal/keeper/mock/enclave.go b/x/registration/internal/keeper/mock/enclave.go index d71e0b584..053d81851 100644 --- a/x/registration/internal/keeper/mock/enclave.go +++ b/x/registration/internal/keeper/mock/enclave.go @@ -2,9 +2,9 @@ package mock // To be able to run unit tests without needing the enclave -type MockEnclaveApi struct{} +type MockEnclaveApi struct{} -func (MockEnclaveApi) LoadSeed(_ []byte, _ []byte, _ []byte) (bool, error) { +func (MockEnclaveApi) LoadSeed(_ []byte, _ []byte) (bool, error) { return true, nil } From 5357d7b31a1b5e6567c3170e56a18c768c0ddf31 Mon Sep 17 00:00:00 2001 From: vlad Date: Wed, 24 Dec 2025 20:53:47 +0000 Subject: [PATCH 07/10] Blocked EOL cpus --- cosmwasm/enclaves/execute/src/registration/attestation.rs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cosmwasm/enclaves/execute/src/registration/attestation.rs b/cosmwasm/enclaves/execute/src/registration/attestation.rs index a4ae44634..8200c4cea 100644 --- a/cosmwasm/enclaves/execute/src/registration/attestation.rs +++ b/cosmwasm/enclaves/execute/src/registration/attestation.rs @@ -530,7 +530,8 @@ impl AttestationCombined { let set = &FMSPC_EOL; let fmspc_str: &str = &fmspc; if set.contains(fmspc_str) { - warn!("The CPU is deprecated"); + error!("The CPU is deprecated. Running forbidden"); + return false; } // fmspc.starts_with("0090") } else { From 83f64633ead44b32918e0d1437d373a065a40476 Mon Sep 17 00:00:00 2001 From: vlad Date: Mon, 29 Dec 2025 15:02:42 +0000 Subject: [PATCH 08/10] machine_id to mulitple IDs, WIP --- x/compute/client/cli/tx.go | 31 +++++++++++++++++++ x/compute/internal/keeper/keeper.go | 2 +- x/compute/internal/keeper/msg_server.go | 40 ++++++++++++++++++++----- x/compute/internal/types/msg.go | 40 ++++++++++++++++++++++--- 4 files changed, 101 insertions(+), 12 deletions(-) diff --git a/x/compute/client/cli/tx.go b/x/compute/client/cli/tx.go index 508d35732..7db6b89e7 100644 
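Review bot: The new rejection in the `FMSPC_EOL` branch of attestation.rs logs `"The CPU is deprecated. Running forbidden"` without the value that triggered it, so an operator whose node is refused cannot tell from the log which platform family matched. Include it, e.g. `error!("CPU FMSPC {} is end-of-life, refusing to run", fmspc_str);`. The commented-out `// fmspc.starts_with("0090")` line left under the check should be removed or explained. The enclosing function starts and ends outside the hunk, so how callers treat the `false` return is not visible here.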
--- a/x/compute/client/cli/tx.go +++ b/x/compute/client/cli/tx.go @@ -6,6 +6,7 @@ import ( "fmt" "os" "strconv" + "strings" "github.com/cosmos/cosmos-sdk/client/tx" @@ -646,6 +647,28 @@ Examples: return cmd } +func ParseHexList(s string) ([][]byte, error) { + if strings.TrimSpace(s) == "" { + return nil, nil // or empty slice, your choice + } + + parts := strings.Split(s, ",") + out := make([][]byte, 0, len(parts)) + + for i, p := range parts { + p = strings.TrimSpace(p) + + b, err := hex.DecodeString(p) + if err != nil { + return nil, fmt.Errorf("invalid hex token #%d (%q): %w", i, p, err) + } + + out = append(out, b) + } + + return out, nil +} + func UpdateMachineWhitelistCmd() *cobra.Command { cmd := &cobra.Command{ Use: "update-machine-whitelist [proposal-id] [machine-id]", @@ -667,6 +690,14 @@ Machine ID must match the approved proposal exactly.`, // Read machine ID machineId := args[1] + ids, err := ParseHexList(machineId) + if err != nil { + return fmt.Errorf("machine_id malformed") + } + if len(ids) == 0 { + return fmt.Errorf("machine_id must not be empty") + } + msg := &types.MsgUpdateMachineWhitelist{ Sender: clientCtx.GetFromAddress().String(), ProposalId: proposalID, diff --git a/x/compute/internal/keeper/keeper.go b/x/compute/internal/keeper/keeper.go index 7c2cf5e02..13d3e2477 100644 --- a/x/compute/internal/keeper/keeper.go +++ b/x/compute/internal/keeper/keeper.go @@ -342,7 +342,7 @@ func (k Keeper) SetEnclaveColdEvidences(ctx sdk.Context) error { err := api.OnApproveMachineID(id, &proof, false) if err != nil { - fmt.Println("Couldn't approme machine-id ", id) + fmt.Println("Couldn't approve machine-id ", id) } } } diff --git a/x/compute/internal/keeper/msg_server.go b/x/compute/internal/keeper/msg_server.go index e6b0934e2..17eee7553 100644 --- a/x/compute/internal/keeper/msg_server.go +++ b/x/compute/internal/keeper/msg_server.go 
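Review bot: `ParseHexList` accepts empty tokens, because `hex.DecodeString("")` succeeds with a zero-length slice, so input such as `aa,,bb` or a trailing comma yields an empty machine ID that still passes the `len(ids) == 0` check in `UpdateMachineWhitelistCmd`. Reject them in the loop with `if p == "" { return nil, fmt.Errorf("empty machine_id token #%d", i) }`. The same function is added verbatim in x/compute/internal/keeper/msg_server.go and x/compute/internal/types/msg.go; this file and the keeper both already use the `types` package, so one exported copy there would stop the three from drifting apart. The CLI hunk also discards the parser's error (`return fmt.Errorf("machine_id malformed")`); wrapping it as `fmt.Errorf("machine_id malformed: %w", err)` would tell the user which token failed.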
@@ -4,6 +4,7 @@ import ( "context" "encoding/hex" "fmt" + "strings" errorsmod "cosmossdk.io/errors" sdk "github.com/cosmos/cosmos-sdk/types" @@ -336,6 +337,28 @@ func (m msgServer) UpdateMachineWhitelistProposal(goCtx context.Context, msg *ty return &types.MsgUpdateMachineWhitelistProposalResponse{}, nil } +func ParseHexList(s string) ([][]byte, error) { + if strings.TrimSpace(s) == "" { + return nil, nil // or empty slice, your choice + } + + parts := strings.Split(s, ",") + out := make([][]byte, 0, len(parts)) + + for i, p := range parts { + p = strings.TrimSpace(p) + + b, err := hex.DecodeString(p) + if err != nil { + return nil, fmt.Errorf("invalid hex token #%d (%q): %w", i, p, err) + } + + out = append(out, b) + } + + return out, nil +} + func (m msgServer) UpdateMachineWhitelist(goCtx context.Context, msg *types.MsgUpdateMachineWhitelist) (*types.MsgUpdateMachineWhitelistResponse, error) { ctx := sdk.UnwrapSDKContext(goCtx) @@ -352,19 +375,22 @@ func (m msgServer) UpdateMachineWhitelist(goCtx context.Context, msg *types.MsgU store := m.keeper.storeService.OpenKVStore(ctx) - id, err := hex.DecodeString(msg.MachineId) + ids, err := ParseHexList(msg.MachineId) if err != nil { return nil, err } - { + for _, id := range ids { proof := [32]byte{} - if err := api.OnApproveMachineID(id, &proof, true); err != nil { - return nil, err + err := api.OnApproveMachineID(id, &proof, true) + id_txt := hex.EncodeToString(id) + if err != nil { + fmt.Println("Failed to add machine_id: %s", id_txt) + } else { + fmt.Println("Added machine_id: %s", id_txt) + key := append(types.MachineIDEvidencePrefix, id...) + _ = store.Set(key, proof[:]) } - - key := append(types.MachineIDEvidencePrefix, id...) - _ = store.Set(key, proof[:]) } return &types.MsgUpdateMachineWhitelistResponse{}, nil diff --git a/x/compute/internal/types/msg.go b/x/compute/internal/types/msg.go index 2ae6bde96..b392d5e05 100644 --- a/x/compute/internal/types/msg.go +++ b/x/compute/internal/types/msg.go 
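Review bot: In `UpdateMachineWhitelist` a failed `api.OnApproveMachineID` no longer fails the message: the error branch only prints, and the handler still returns a success response even when every ID in the list was rejected. If best-effort is not intended, return the error as the old code did, e.g. `return nil, fmt.Errorf("approve machine_id %s: %w", id_txt, err)`. Both log calls use `fmt.Println` with a `%s` verb, which prints the verb literally and never shows `err`; `fmt.Printf` or the context logger would fix that, unless PATCH 09 (which touches this file but whose diff is not shown here) already does. The function begins outside this hunk.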
@@ -1,6 +1,8 @@ package types import ( + "encoding/hex" + fmt "fmt" "strings" errorsmod "cosmossdk.io/errors" @@ -327,13 +329,39 @@ func (msg MsgUpdateMachineWhitelistProposal) Type() string { return "update-machine-whitelist-proposal" } +func ParseHexList(s string) ([][]byte, error) { + if strings.TrimSpace(s) == "" { + return nil, nil // or empty slice, your choice + } + + parts := strings.Split(s, ",") + out := make([][]byte, 0, len(parts)) + + for i, p := range parts { + p = strings.TrimSpace(p) + + b, err := hex.DecodeString(p) + if err != nil { + return nil, fmt.Errorf("invalid hex token #%d (%q): %w", i, p, err) + } + + out = append(out, b) + } + + return out, nil +} + func (msg MsgUpdateMachineWhitelistProposal) ValidateBasic() error { if _, err := sdk.AccAddressFromBech32(msg.Authority); err != nil { return errorsmod.Wrap(err, "invalid authority") } - if len(msg.MachineId) != 40 { - return errorsmod.Wrap(ErrInvalid, "machine_id must be 40 characters") + ids, err := ParseHexList(msg.MachineId) + if err != nil { + return errorsmod.Wrap(ErrInvalid, "machine_id malformed") + } + if len(ids) == 0 { + return errorsmod.Wrap(ErrInvalid, "machine_id must not be empty") } return nil @@ -368,8 +396,12 @@ func (msg MsgUpdateMachineWhitelist) ValidateBasic() error { return errorsmod.Wrap(sdkerrors.ErrInvalidRequest, "proposal ID cannot be zero") } - if len(msg.MachineId) != 40 { - return errorsmod.Wrap(sdkerrors.ErrInvalidRequest, "machine ID must be 40 characters") + ids, err := ParseHexList(msg.MachineId) + if err != nil { + return errorsmod.Wrap(ErrInvalid, "machine_id malformed") + } + if len(ids) == 0 { + return errorsmod.Wrap(ErrInvalid, "machine_id must not be empty") } return nil From 58a47905a343ab5ecbd0ae694f893703307a70e9 Mon Sep 17 00:00:00 2001 
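Review bot: `ValidateBasic` for `MsgUpdateMachineWhitelistProposal` drops the old `len(msg.MachineId) != 40` check without a per-ID replacement, so a list whose entries are valid hex of any length now passes; the same applies to `MsgUpdateMachineWhitelist.ValidateBasic` in the next hunk. Check each decoded entry, e.g. `for _, id := range ids { if len(id) != 20 { return errorsmod.Wrap(ErrInvalid, "each machine_id must be 40 hex characters") } }`. `ParseHexList` also trims spaces and accepts upper-case hex, while the enclave-side matcher in offchain.rs (PATCH 09) appears to split the raw field on `,` and compare bytes exactly, so such input would validate here but never match there. The second `ValidateBasic` also switches from `sdkerrors.ErrInvalidRequest` to `ErrInvalid`, which changes the error code clients see.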
From: vlad Date: Mon, 29 Dec 2025 16:57:01 +0000 Subject: [PATCH 09/10] machine_id to multiple IDs, fixed --- .../execute/src/registration/offchain.rs | 115 +++++++++++++++--- .../block-verifier/src/wasm_messages.rs | 7 ++ x/compute/internal/keeper/msg_server.go | 4 +- 3 files changed, 107 insertions(+), 19 deletions(-) diff --git a/cosmwasm/enclaves/execute/src/registration/offchain.rs b/cosmwasm/enclaves/execute/src/registration/offchain.rs index bc073c0e6..a2fd8cb22 100644 --- a/cosmwasm/enclaves/execute/src/registration/offchain.rs +++ b/cosmwasm/enclaves/execute/src/registration/offchain.rs 
@@ -693,44 +693,123 @@ fn calculate_machine_id_evidence(machine_id: &[u8]) -> [u8; HASH_SIZE] { ret } +struct ProtobufParser<'a> { + pub cursor: &'a [u8], +} + +impl ProtobufParser<'_> { + fn cut_head(&mut self, size: usize) { + self.cursor = &self.cursor[size..]; + } + + pub fn read_uint(&mut self) -> Option { + let mut ret: usize = 0; + let len = self.cursor.len(); + for i in 0..len { + let byte = self.cursor[i]; + + if byte & 0x80 == 0 { + self.cut_head(i + 1); + ret |= (byte as usize) << (i * 7); + return Some(ret); + } + + ret |= ((byte & 0x7f) as usize) << (i * 7); + } + + None + } + + pub fn read_fix_arr(&mut self, fixed: &[u8]) -> bool { + let fixed_len = fixed.len(); + if self.cursor.len() < fixed_len { + return false; + } + + if &self.cursor[0..fixed_len] != fixed { + return false; + } + + self.cut_head(fixed_len); + true + } + + fn read_const_size(&mut self, len: usize) -> bool { + if self.cursor.len() < len { + return false; + } + + self.cut_head(len); + true + } +} + fn is_msg_machine_id(msg_in_block: &[u8], machine_id: &[u8]) -> bool { - trace!("*** block msg: {:?}", hex::encode(msg_in_block)); + trace!("*** block msg: {}", hex::encode(msg_in_block)); + //trace!("*** target: {}", hex::encode(machine_id)); // we expect a message of the form: // 0a 2d (addr, len=45 bytes) // 10 (proposal-id, varible length) - // 1a 28 (machine_id 40 bytes) + // 1a size (machine_ids) - let msg_len = msg_in_block.len(); + let mut r = ProtobufParser { + cursor: msg_in_block, + }; - if msg_len < 91 { - trace!("len mismatch: {}", msg_in_block.len()); + if !r.read_fix_arr([0x0a, 0x2d].as_slice()) { + trace!("wrong sub1"); return false; } - if &msg_in_block[0..2] != [0x0a, 0x2d].as_slice() { - trace!("wrong sub1"); + if !r.read_const_size(45) { + trace!("wrong sub2"); return false; } - if &msg_in_block[47..48] != [0x10].as_slice() { - trace!("wrong sub2"); + if !r.read_fix_arr([0x10].as_slice()) { + trace!("wrong sub3"); return false; } - let offs = msg_len - 42; + if 
r.read_uint().is_none() { + trace!("wrong sub4"); + return false; + } - if &msg_in_block[offs..offs + 2] != [0x1a, 0x28].as_slice() { - trace!("wrong sub3"); + if !r.read_fix_arr([0x1a].as_slice()) { + trace!("wrong sub5"); return false; } - if &msg_in_block[offs + 2..offs + 42] != machine_id { - trace!("wrong mrenclave"); + if let Some(x) = r.read_uint() { + r.cursor = &r.cursor[0..x]; + } else { + trace!("wrong sub6"); return false; + }; + + loop { + let (elem_size, is_last) = if let Some(pos) = r.cursor.iter().position(|&b| b == b',') { + (pos, false) + } else { + (r.cursor.len(), true) + }; + + //trace!("elem: {}", hex::encode(&r.cursor[0..elem_size])); + + if (elem_size == machine_id.len()) && (&r.cursor[0..elem_size] == machine_id) { + return true; + } + + if is_last { + break; + } + + r.cut_head(elem_size + 1); } - true + false } #[cfg(feature = "light-client-validation")] @@ -738,10 +817,12 @@ fn check_machine_id_in_block(msg_slice: &[u8]) -> bool { let mut verified_msgs = VERIFIED_BLOCK_MESSAGES.lock().unwrap(); while verified_msgs.remaining() > 0 { - if let Some(verified_msg) = verified_msgs.get_next() { - if is_msg_machine_id(&verified_msg, msg_slice) { + if let Some(verified_msg) = verified_msgs.show_next() { + if is_msg_machine_id(verified_msg, msg_slice) { return true; } + + verified_msgs.get_next(); // skip } } false diff --git a/cosmwasm/enclaves/shared/block-verifier/src/wasm_messages.rs b/cosmwasm/enclaves/shared/block-verifier/src/wasm_messages.rs index b32338e60..0cfdcf63c 100644 --- a/cosmwasm/enclaves/shared/block-verifier/src/wasm_messages.rs +++ b/cosmwasm/enclaves/shared/block-verifier/src/wasm_messages.rs @@ -24,6 +24,13 @@ impl VerifiedBlockMessages { self.messages.pop_front() } + pub fn show_next(&mut self) -> Option<&[u8]> { + match self.messages.front() { + Some(msg) => Some(msg.as_slice()), + None => None, + } + } + pub fn remaining(&self) -> usize { self.messages.len() } 
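Review bot: In `is_msg_machine_id`, `r.cursor = &r.cursor[0..x];` slices with a length decoded from the message and never compares it with the bytes that remain, so a field-3 length larger than the rest of the message panics inside the enclave, where the old code returned `false`. Unless every verified message is guaranteed to be well-formed protobuf, which the hunk does not show, use `r.cursor.get(..x)` and return `false` on `None`. `read_uint` has a similar gap: it keeps shifting by `i * 7` for as long as continuation bytes arrive, which overflows the shift once `i * 7` reaches the width of `usize` (a panic when overflow checks are on, a wrong value otherwise), so add `if i * 7 >= usize::BITS as usize { return None; }` at the top of the loop. The element comparison is byte-exact on the raw comma-separated text, while the Go-side `ParseHexList` from the earlier patch trims whitespace and accepts upper-case hex. That difference looks like it fails closed, but a comment stating the canonical form the enclave expects would make it explicit.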
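Review bot: The loop in `check_machine_id_in_block` now leaves a matching message at the front of `VERIFIED_BLOCK_MESSAGES` and pops only the ones that did not match, and nothing in the code says why. Presumably this lets a message that lists several machine IDs satisfy more than one call; if so, say it at the `return true`, e.g. `// keep the message queued: it may list further machine IDs for later calls`, and replace the bare `// skip` with `// not a match: drop it and look at the next message`. It would also help to note who eventually removes the matched message, since that is not visible here. The function's signature is only in the hunk header, so this is based on the loop alone.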
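Review bot: `show_next` takes `&mut self` although it only reads the queue, and its `match` is a hand-written `Option::map`. `pub fn show_next(&self) -> Option<&[u8]> { self.messages.front().map(|msg| msg.as_slice()) }` does the same and lets callers peek through a shared reference. The surrounding `impl VerifiedBlockMessages` block starts and ends outside the hunk.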
diff --git a/x/compute/internal/keeper/msg_server.go b/x/compute/internal/keeper/msg_server.go index 17eee7553..e6d5355cf 100644 --- a/x/compute/internal/keeper/msg_server.go +++ b/x/compute/internal/keeper/msg_server.go @@ -385,9 +385,9 @@ func (m msgServer) UpdateMachineWhitelist(goCtx context.Context, msg *types.MsgU err := api.OnApproveMachineID(id, &proof, true) id_txt := hex.EncodeToString(id) if err != nil { - fmt.Println("Failed to add machine_id: %s", id_txt) + fmt.Println("Failed to add machine_id: ", id_txt) } else { - fmt.Println("Added machine_id: %s", id_txt) + fmt.Println("Added machine_id: ", id_txt) key := append(types.MachineIDEvidencePrefix, id...) _ = store.Set(key, proof[:]) } From 12e7a2b821d03cf512eacb80056b34e199535ce1 Mon Sep 17 00:00:00 2001 From: vlad Date: Wed, 28 Jan 2026 08:54:54 +0000 Subject: [PATCH 10/10] build fix (tests) --- .../enclaves/execute/src/registration/mod.rs | 6 --- .../execute/src/registration/report.rs | 54 ++++++------------- 2 files changed, 15 insertions(+), 45 deletions(-) diff --git a/cosmwasm/enclaves/execute/src/registration/mod.rs b/cosmwasm/enclaves/execute/src/registration/mod.rs index 02ff0e58d..0a30fde35 100644 --- a/cosmwasm/enclaves/execute/src/registration/mod.rs +++ b/cosmwasm/enclaves/execute/src/registration/mod.rs @@ -26,14 +26,8 @@ pub mod tests { count_failures!(failures, { report::tests::test_sgx_quote_parse_from(); - report::tests::test_attestation_report_from_cert(); - report::tests::test_attestation_report_from_cert_invalid(); - report::tests::test_attestation_report_from_cert_api_version_not_compatible(); - report::tests::test_attestation_report_test(); report::tests::test_attestation_dcap(); report::tests::test_attestation_dcap_temper(); - cert::tests::test_certificate_valid(); - cert::tests::test_certificate_invalid_configuration_needed(); }); if failures != 0 { 
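Review bot: The failure branch in `UpdateMachineWhitelist` still prints only the ID and drops `err`, so an operator cannot tell why `api.OnApproveMachineID` rejected a machine; include it, `fmt.Println("Failed to add machine_id:", id_txt, "error:", err)`. `Println` already puts a space between operands, so the trailing space inside the two string literals is redundant. Because this path decides which machines are whitelisted, the outcome would be better reported through the module's logger, if one is available here, than on stdout. The discarded result of `store.Set` on the context line below deserves the same attention. The function starts and ends outside the hunk.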
diff --git a/cosmwasm/enclaves/execute/src/registration/report.rs b/cosmwasm/enclaves/execute/src/registration/report.rs index 58ce39af7..f0c7e8376 100644 --- a/cosmwasm/enclaves/execute/src/registration/report.rs +++ b/cosmwasm/enclaves/execute/src/registration/report.rs @@ -551,7 +551,6 @@ pub struct AttestationReport { pub tcb_eval_data_number: u16, } - #[cfg(feature = "test")] pub mod tests { use serde_json::json; @@ -610,7 +609,7 @@ pub mod tests { cert } - fn attesation_report() -> Value { + fn attesation_report() -> serde_json::Value { let report = json!({ "version": 3, "timestamp": "2020-02-11T22:25:59.682915", @@ -702,41 +701,6 @@ pub mod tests { ); } - pub fn test_attestation_report_from_cert() { - let tls_ra_cert = tls_ra_cert_der_v4(); - let report = AttestationReport::from_cert(&tls_ra_cert); - assert!(report.is_ok()); - - let report = report.unwrap(); - assert_eq!(report.sgx_quote_status, SgxQuoteStatus::GroupOutOfDate); - } - - pub fn test_attestation_report_from_cert_invalid() { - let tls_ra_cert = tls_ra_cert_der_v4(); - let report = AttestationReport::from_cert(&tls_ra_cert); - assert!(report.is_ok()); - - let report = report.unwrap(); - assert_eq!(report.sgx_quote_status, SgxQuoteStatus::GroupOutOfDate); - } - - pub fn test_attestation_report_from_cert_api_version_not_compatible() { - let tls_ra_cert = tls_ra_cert_der_v3(); - let report = AttestationReport::from_cert(&tls_ra_cert); - assert!(report.is_err()); - } - - pub fn test_attestation_report_test() { - let tls_ra_cert = tls_ra_cert_der_test(); - let report = AttestationReport::from_cert(&tls_ra_cert); - - if report.is_err() { - println!("err: {:?}", report) - } - - assert!(report.is_ok()); - } - fn load_attestation_dcap() -> (Vec, Vec, i64) { let mut vec_quote = vec![]; { 
@@ -759,7 +723,13 @@ pub mod tests { pub fn test_attestation_dcap() { let (vec_quote, vec_coll, time_s) = load_attestation_dcap(); - let res = verify_quote_sgx(&vec_quote, &vec_coll, time_s, None, false); + let attestation = crate::registration::attestation::AttestationCombined { + quote: vec_quote, + coll: vec_coll, + jwt_token: Vec::new(), + }; + + let res = verify_quote_sgx(&attestation, time_s, false); assert!(res.is_ok()); } @@ -774,7 +744,13 @@ pub mod tests { p_data.d[6] = p_data.d[6] ^ 4; }; - let res = verify_quote_sgx(&vec_quote, &vec_coll, time_s, None, false); + let attestation = crate::registration::attestation::AttestationCombined { + quote: vec_quote, + coll: vec_coll, + jwt_token: Vec::new(), + }; + + let res = verify_quote_sgx(&attestation, time_s, false); assert!(!res.is_ok()); } }