Skip to content

Sgx progress #1738

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
valdok merged 10 commits into from
Jan 28, 2026
Merged

Sgx progress #1738

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
0d0e736
removed mr_signer enforcement during registration and upgrade
Dec 8, 2025
9985472
removed support for no-dcap attestation flag
Dec 8, 2025
89cfe0c
removed support for epid_whitelist_disabled
Dec 8, 2025
c6dd745
removed spid and api_key usage
Dec 11, 2025
079f91c
removed spid and api_key from files and build process
Dec 11, 2025
bb8c9e7
build fix
Dec 22, 2025
5357d7b
Blocked EOL cpus
Dec 24, 2025
83f6463
machine_id to mulitple IDs, WIP
Dec 29, 2025
58a4790
machine_id to multiple IDs, fixed
Dec 29, 2025
12e7a2b
build fix (tests)
Jan 28, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 0 additions & 2 deletions .env.local
View file
Open in desktop

This file was deleted.

8 changes: 0 additions & 8 deletions .github/workflows/ci.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -200,10 +200,7 @@ jobs:
source "$HOME/.sgxsdk/sgxsdk/environment"
export SGX_MODE=SW
cp librust_cosmwasm_enclave.signed.so ./x/compute/internal/keeper
mkdir -p ias_keys/develop
mkdir -p /opt/secret/.sgx_secrets/
echo "not_a_key" > ias_keys/develop/spid.txt
echo "not_a_key" > ias_keys/develop/api_key.txt
LOG_LEVEL=ERROR go test -v -tags "test" ./x/compute/client/...
LOG_LEVEL=ERROR SKIP_LIGHT_CLIENT_VALIDATION=TRUE go test -p 1 -timeout 90m -v -tags "test" ./x/compute/internal/...
- name: Test x/cron
Expand Down Expand Up @@ -260,8 +257,6 @@ jobs:
- name: Clippy
run: |
source "$HOME/.sgxsdk/sgxsdk/environment"
mkdir -p ias_keys/production
cp ias_keys/develop/api_key.txt ias_keys/production/api_key.txt
SGX_MODE=SW make clippy
SGX_MODE=HW make clippy

Expand All @@ -282,9 +277,6 @@ jobs:
context: .
load: true
tags: ghcr.io/scrtlabs/localsecret:v0.0.0
secrets: |
API_KEY=00000000000000000000000000000000
SPID=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
build-args: |
SECRET_NODE_TYPE=BOOTSTRAP
CHAIN_ID=secretdev-1
Expand Down
47 changes: 0 additions & 47 deletions .github/workflows/release.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,9 +17,6 @@ jobs:
matrix:
db_backend: [goleveldb]
runs-on: ubuntu-22.04
env: # Or as an environment variable
SPID: ${{ secrets.SPID_TESTNET }}
API_KEY: ${{ secrets.API_KEY_TESTNET }}
steps:
- uses: actions/checkout@v4
with:
Expand All @@ -45,9 +42,6 @@ jobs:
context: .
load: true
tags: deb_build
secrets: |
API_KEY=${{ secrets.API_KEY_TESTNET }}
SPID=${{ secrets.SPID_TESTNET }}
build-args: |
SECRET_NODE_TYPE=NODE
DB_BACKEND=${{ matrix.db_backend }}
Expand All @@ -71,9 +65,6 @@ jobs:
matrix:
db_backend: [goleveldb]
runs-on: ubuntu-24.04
env: # Or as an environment variable
SPID: ${{ secrets.SPID_TESTNET }}
API_KEY: ${{ secrets.API_KEY_TESTNET }}
steps:
- name: Clean up space (workaround)
run: |
Expand Down Expand Up @@ -105,9 +96,6 @@ jobs:
context: .
load: true
tags: deb_build
secrets: |
API_KEY=${{ secrets.API_KEY_TESTNET }}
SPID=${{ secrets.SPID_TESTNET }}
build-args: |
SECRET_NODE_TYPE=NODE
DB_BACKEND=${{ matrix.db_backend }}
Expand All @@ -132,8 +120,6 @@ jobs:
matrix:
db_backend: [goleveldb]
env: # Or as an environment variable
SPID: ${{ secrets.SPID_MAINNET }}
API_KEY: ${{ secrets.API_KEY_MAINNET }}
REGISTRY: ghcr.io
IMAGE_NAME: scrtlabs/secret-network-node
steps:
Expand Down Expand Up @@ -164,9 +150,6 @@ jobs:
context: .
push: false
tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:v${{ steps.get_version.outputs.VERSION }}
secrets: |
API_KEY=${{ secrets.API_KEY_MAINNET }}
SPID=${{ secrets.SPID_MAINNET }}
build-args: |
FEATURES=verify-validator-whitelist,light-client-validation,random,production
FEATURES_U=production
Expand All @@ -187,9 +170,6 @@ jobs:
context: .
load: true
tags: deb_build
secrets: |
API_KEY=${{ secrets.API_KEY_MAINNET }}
SPID=${{ secrets.SPID_MAINNET }}
build-args: |
FEATURES=verify-validator-whitelist,light-client-validation,random,production
FEATURES_U=production
Expand All @@ -215,8 +195,6 @@ jobs:
matrix:
db_backend: [goleveldb]
env: # Or as an environment variable
SPID: ${{ secrets.SPID_MAINNET }}
API_KEY: ${{ secrets.API_KEY_MAINNET }}
REGISTRY: ghcr.io
IMAGE_NAME: scrtlabs/secret-network-node
steps:
Expand All @@ -241,9 +219,6 @@ jobs:
context: .
push: true
tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:v${{ steps.get_version.outputs.VERSION }}
secrets: |
API_KEY=${{ secrets.API_KEY_MAINNET }}
SPID=${{ secrets.SPID_MAINNET }}
build-args: |
FEATURES=verify-validator-whitelist,light-client-validation,random,production
FEATURES_U=production
Expand All @@ -264,9 +239,6 @@ jobs:
context: .
load: true
tags: deb_build
secrets: |
API_KEY=${{ secrets.API_KEY_MAINNET }}
SPID=${{ secrets.SPID_MAINNET }}
build-args: |
FEATURES=verify-validator-whitelist,light-client-validation,random,production
FEATURES_U=production
Expand Down Expand Up @@ -330,10 +302,6 @@ jobs:

check-hw-tool:
runs-on: ubuntu-22.04
env: # Or as an environment variable
SPID: ${{ secrets.SPID_TESTNET }}
API_KEY: ${{ secrets.API_KEY_TESTNET }}
API_KEY_MAINNET: ${{ secrets.API_KEY_MAINNET }}
steps:
- uses: actions/checkout@v4
with:
Expand All @@ -348,10 +316,6 @@ jobs:
context: .
load: true
tags: check_hw_tool_build
secrets: |
API_KEY=${{ secrets.API_KEY_TESTNET }}
SPID=${{ secrets.SPID_TESTNET }}
API_KEY_MAINNET=${{ secrets.API_KEY_MAINNET }}
build-args: |
BUILD_VERSION=${{ steps.get_version.outputs.VERSION }}
SGX_MODE=HW
Expand All @@ -368,10 +332,6 @@ jobs:

check-hw-tool-2404:
runs-on: ubuntu-24.04
env: # Or as an environment variable
SPID: ${{ secrets.SPID_TESTNET }}
API_KEY: ${{ secrets.API_KEY_TESTNET }}
API_KEY_MAINNET: ${{ secrets.API_KEY_MAINNET }}
steps:
- uses: actions/checkout@v4
with:
Expand All @@ -386,10 +346,6 @@ jobs:
context: .
load: true
tags: check_hw_tool_build
secrets: |
API_KEY=${{ secrets.API_KEY_TESTNET }}
SPID=${{ secrets.SPID_TESTNET }}
API_KEY_MAINNET=${{ secrets.API_KEY_MAINNET }}
build-args: |
BUILD_VERSION=${{ steps.get_version.outputs.VERSION }}
SGX_MODE=HW
Expand Down Expand Up @@ -432,9 +388,6 @@ jobs:
context: .
push: true
tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.get_version.outputs.VERSION }}
secrets: |
API_KEY=00000000000000000000000000000000
SPID=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
build-args: |
SECRET_NODE_TYPE=BOOTSTRAP
CHAIN_ID=secretdev-1
Expand Down
42 changes: 4 additions & 38 deletions Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,10 +2,6 @@ VERSION ?= $(shell echo $(shell git describe --tags) | sed 's/^v//')
COMMIT := $(shell git log -1 --format='%H')
DOCKER := $(shell which docker)

# SPID and API_KEY are used for Intel SGX attestation
SPID ?= 00000000000000000000000000000000
API_KEY ?= FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

# Environment variables and build tags setup
LEDGER_ENABLED ?= true
BINDIR ?= $(GOPATH)/bin
Expand Down Expand Up @@ -157,7 +153,7 @@ go.sum: go.mod
build_cli:
CGO_LDFLAGS=$(CGO_LDFLAGS) go build -o secretcli -mod=readonly $(GCFLAGS) -tags "$(filter-out sgx, $(GO_TAGS)) secretcli" -ldflags '$(LD_FLAGS)' ./cmd/secretd

build_local_no_rust: bin-data-$(IAS_BUILD)
build_local_no_rust:
cp go-cosmwasm/target/$(BUILD_PROFILE)/libgo_cosmwasm.so go-cosmwasm/api
CGO_LDFLAGS=$(CGO_LDFLAGS) go build -mod=readonly $(GCFLAGS) -tags "$(GO_TAGS)" -ldflags '$(LD_FLAGS)' ./cmd/secretd

Expand Down Expand Up @@ -238,8 +234,6 @@ localsecret:
DOCKER_BUILDKIT=1 docker build \
--build-arg FEATURES="${FEATURES},debug-print,random,light-client-validation" \
--build-arg FEATURES_U=${FEATURES_U} \
--secret id=API_KEY,src=.env.local \
--secret id=SPID,src=.env.local \
--build-arg SGX_MODE=SW \
$(DOCKER_BUILD_ARGS) \
--build-arg SECRET_NODE_TYPE=BOOTSTRAP \
Expand All @@ -254,8 +248,6 @@ build-ibc-hermes:
build-testnet-bootstrap:
@mkdir build 2>&3 || true
DOCKER_BUILDKIT=1 docker build --build-arg BUILDKIT_INLINE_CACHE=1 \
--secret id=API_KEY,src=api_key.txt \
--secret id=SPID,src=spid.txt \
--build-arg BUILD_VERSION=${VERSION} \
--build-arg SGX_MODE=${SGX_MODE} \
$(DOCKER_BUILD_ARGS) \
Expand All @@ -269,8 +261,6 @@ build-testnet-bootstrap:
build-testnet:
@mkdir build 2>&3 || true
DOCKER_BUILDKIT=1 docker build --build-arg BUILDKIT_INLINE_CACHE=1 \
--secret id=API_KEY,src=api_key.txt \
--secret id=SPID,src=spid.txt \
--build-arg BUILD_VERSION=${VERSION} \
--build-arg SGX_MODE=${SGX_MODE} \
--build-arg FEATURES="verify-validator-whitelist,light-client-validation,random,${FEATURES}" \
Expand All @@ -282,8 +272,6 @@ build-testnet:
-t ghcr.io/scrtlabs/secret-network-node-testnet:v$(VERSION) \
--target release-image .
DOCKER_BUILDKIT=1 docker build --build-arg BUILDKIT_INLINE_CACHE=1 \
--secret id=API_KEY,src=api_key.txt \
--secret id=SPID,src=spid.txt \
--build-arg BUILD_VERSION=${VERSION} \
--build-arg SGX_MODE=${SGX_MODE} \
--build-arg FEATURES="verify-validator-whitelist,light-client-validation,random,${FEATURES}" \
Expand All @@ -302,8 +290,6 @@ build-mainnet-upgrade:
DOCKER_BUILDKIT=1 docker build --build-arg FEATURES="verify-validator-whitelist,light-client-validation,production, ${FEATURES}" \
--build-arg FEATURES_U="production, ${FEATURES_U}" \
--build-arg BUILDKIT_INLINE_CACHE=1 \
--secret id=API_KEY,src=api_key.txt \
--secret id=SPID,src=spid.txt \
--build-arg SECRET_NODE_TYPE=NODE \
--build-arg DB_BACKEND=${DB_BACKEND} \
--build-arg BUILD_VERSION=${VERSION} \
Expand All @@ -315,8 +301,6 @@ build-mainnet-upgrade:
DOCKER_BUILDKIT=1 docker build --build-arg FEATURES="verify-validator-whitelist,light-client-validation,production, ${FEATURES}" \
--build-arg FEATURES_U="production, ${FEATURES_U}" \
--build-arg BUILDKIT_INLINE_CACHE=1 \
--secret id=API_KEY,src=api_key.txt \
--secret id=SPID,src=spid.txt \
--build-arg DB_BACKEND=${DB_BACKEND} \
--build-arg BUILD_VERSION=${VERSION} \
--build-arg SGX_MODE=HW \
Expand All @@ -331,8 +315,6 @@ build-mainnet:
DOCKER_BUILDKIT=1 docker build --build-arg FEATURES="verify-validator-whitelist,light-client-validation,production,random, ${FEATURES}" \
--build-arg FEATURES_U=${FEATURES_U} \
--build-arg BUILDKIT_INLINE_CACHE=1 \
--secret id=API_KEY,src=api_key.txt \
--secret id=SPID,src=spid.txt \
--build-arg SECRET_NODE_TYPE=NODE \
--build-arg BUILD_VERSION=${VERSION} \
--build-arg SGX_MODE=HW \
Expand All @@ -345,8 +327,6 @@ build-mainnet:
DOCKER_BUILDKIT=1 docker build --build-arg FEATURES="verify-validator-whitelist,light-client-validation,production,random, ${FEATURES}" \
--build-arg FEATURES_U=${FEATURES_U} \
--build-arg BUILDKIT_INLINE_CACHE=1 \
--secret id=API_KEY,src=api_key.txt \
--secret id=SPID,src=spid.txt \
--build-arg BUILD_VERSION=${VERSION} \
--build-arg DB_BACKEND=${DB_BACKEND} \
--build-arg CGO_LDFLAGS=${DOCKER_CGO_LDFLAGS} \
Expand All @@ -363,9 +343,6 @@ build-check-hw-tool:
DOCKER_BUILDKIT=1 docker build --build-arg FEATURES="${FEATURES}" \
--build-arg FEATURES_U=${FEATURES_U} \
--build-arg BUILDKIT_INLINE_CACHE=1 \
--secret id=API_KEY,src=ias_keys/develop/api_key.txt \
--secret id=API_KEY_MAINNET,src=ias_keys/production/api_key.txt \
--secret id=SPID,src=spid.txt \
--build-arg SECRET_NODE_TYPE=NODE \
--build-arg BUILD_VERSION=${VERSION} \
--build-arg SGX_MODE=HW \
Expand Down Expand Up @@ -460,19 +437,19 @@ build-test-contracts:
cp $(TEST_CONTRACT_V1_PATH)/random-test/v1_random_test.wasm $(TEST_COMPUTE_MODULE_PATH)/v1_random_test.wasm


prep-go-tests: build-test-contracts bin-data-sw
prep-go-tests: build-test-contracts
# empty BUILD_PROFILE means debug mode which compiles faster
SGX_MODE=SW $(MAKE) build-linux
cp ./$(EXECUTE_ENCLAVE_PATH)/librust_cosmwasm_enclave.signed.so ./x/compute/internal/keeper
cp ./$(EXECUTE_ENCLAVE_PATH)/librust_cosmwasm_enclave.signed.so .

go-tests: build-test-contracts bin-data-sw
go-tests: build-test-contracts
# SGX_MODE=SW $(MAKE) build-tm-secret-enclave
SGX_MODE=SW $(MAKE) build-linux
cp ./$(EXECUTE_ENCLAVE_PATH)/librust_cosmwasm_enclave.signed.so ./x/compute/internal/keeper
GOMAXPROCS=8 SGX_MODE=SW SCRT_SGX_STORAGE='./' SKIP_LIGHT_CLIENT_VALIDATION=TRUE go test -count 1 -failfast -timeout 90m -v ./x/compute/internal/... $(GO_TEST_ARGS)

go-tests-hw: build-test-contracts bin-data
go-tests-hw: build-test-contracts
# empty BUILD_PROFILE means debug mode which compiles faster
# SGX_MODE=HW $(MAKE) build-tm-secret-enclave
SGX_MODE=HW $(MAKE) build-linux
Expand Down Expand Up @@ -516,17 +493,6 @@ build-erc20-contract: build-test-contracts
cd .$(CW_CONTRACTS_V010_PATH)/erc20 && RUSTFLAGS='-C link-arg=-s' cargo build --release --target wasm32-unknown-unknown --locked
wasm-opt -Os .$(CW_CONTRACTS_V010_PATH)/erc20/target/wasm32-unknown-unknown/release/cw_erc20.wasm -o ./erc20.wasm

bin-data: bin-data-sw bin-data-develop bin-data-production

bin-data-sw:
cd ./x/registration/internal/types && go-bindata -o ias_bin_sw.go -pkg types -prefix "../../../../ias_keys/sw_dummy/" -tags "!hw" ../../../../ias_keys/sw_dummy/...

bin-data-develop:
cd ./x/registration/internal/types && go-bindata -o ias_bin_dev.go -pkg types -prefix "../../../../ias_keys/develop/" -tags "develop,hw" ../../../../ias_keys/develop/...

bin-data-production:
cd ./x/registration/internal/types && go-bindata -o ias_bin_prod.go -pkg types -prefix "../../../../ias_keys/production/" -tags "production,hw" ../../../../ias_keys/production/...

# Before running this you might need to do:
# 1. sudo docker login -u ABC -p XYZ
# 2. sudo docker buildx create --use
Expand Down
9 changes: 4 additions & 5 deletions azure-pipelines.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,6 @@ jobs:
- checkout: "self"
submodules: true
displayName: "Checkout Repository and Submodules"
- script: echo $(spid) > spid.txt; echo $(api-key-dev) > api_key.txt
displayName: "Save api keys"

- task: Docker@2
Expand All @@ -45,7 +44,7 @@ jobs:
$(tag)
latest
buildContext: .
arguments: --secret id=API_KEY,src=api_key.txt --secret id=SPID,src=spid.txt --cache-from $(baseImageRepository) --build-arg SGX_MODE=$(SGX_MODE) --build-arg FEATURES=$(FEATURES) --target compile-secretd
arguments: --cache-from $(baseImageRepository) --build-arg SGX_MODE=$(SGX_MODE) --build-arg FEATURES=$(FEATURES) --target compile-secretd
dockerfile: '$(dockerfilePath)'

- task: Docker@2
Expand All @@ -57,7 +56,7 @@ jobs:
$(tag)
latest
buildContext: .
arguments: --secret id=API_KEY,src=api_key.txt --secret id=SPID,src=spid.txt --cache-from $(baseImageRepositoryLocalTests) --build-arg SGX_MODE=$(SGX_MODE) --build-arg FEATURES=$(FEATURES_TESTS_LOCAL) --target compile-secretd
arguments: --cache-from $(baseImageRepositoryLocalTests) --build-arg SGX_MODE=$(SGX_MODE) --build-arg FEATURES=$(FEATURES_TESTS_LOCAL) --target compile-secretd
dockerfile: '$(dockerfilePath)'

- script: |
Expand All @@ -74,7 +73,7 @@ jobs:
repository: '$(nodeImageRepository)'
tags: latest
buildContext: .
arguments: --secret id=API_KEY,src=api_key.txt --secret id=SPID,src=spid.txt --build-arg SCRT_BIN_IMAGE=$(baseImageRepository):$(tag) --cache-from $(nodeImageRepository) --build-arg SGX_MODE=$(SGX_MODE) --build-arg FEATURES=$(FEATURES) --target release-image
arguments: --build-arg SCRT_BIN_IMAGE=$(baseImageRepository):$(tag) --cache-from $(nodeImageRepository) --build-arg SGX_MODE=$(SGX_MODE) --build-arg FEATURES=$(FEATURES) --target release-image
Dockerfile: deployment/dockerfiles/Dockerfile

- task: Docker@2
Expand All @@ -84,7 +83,7 @@ jobs:
repository: rust-enclave-test
tags: latest
buildContext: .
arguments: --secret id=API_KEY,src=api_key.txt --secret id=SPID,src=spid.txt --build-arg SGX_MODE=HW
arguments: --build-arg SGX_MODE=HW
Dockerfile: deployment/dockerfiles/tests/enclave-test.Dockerfile

- task: Docker@2
Expand Down
Loading
Loading