scrtlabs · valdok · Apr 11, 2024 · Feb 8, 2024 · Feb 8, 2024 · Feb 8, 2024
@@ -161,6 +161,31 @@ jobs:
           cp libgo_cosmwasm.so ./go-cosmwasm/api/libgo_cosmwasm.so
           cp librust_cosmwasm_enclave.signed.so ./go-cosmwasm/librust_cosmwasm_enclave.signed.so
           find "$(pwd)" -name \*.wasm
+      - name: Install Quote library SDK
+        run: |
+          curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -
+          sudo add-apt-repository "deb https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main"
+          DCAP_VERSION=1.17.100.4-focal1
+          PSW_VERSION=2.20.100.4-focal1
+          sudo apt-get update
+          sudo apt-get install -y \
+              libsgx-aesm-launch-plugin=$PSW_VERSION \
+              libsgx-enclave-common=$PSW_VERSION \
+              libsgx-epid=$PSW_VERSION \
+              libsgx-launch=$PSW_VERSION \
+              libsgx-quote-ex=$PSW_VERSION \
+              libsgx-uae-service=$PSW_VERSION \
+              libsgx-qe3-logic=$DCAP_VERSION \
+              libsgx-pce-logic=$DCAP_VERSION \
+              libsgx-aesm-ecdsa-plugin=$PSW_VERSION \
+              libsgx-aesm-pce-plugin=$PSW_VERSION \
+              libsgx-dcap-ql=$DCAP_VERSION \
+              libsgx-dcap-quote-verify=$DCAP_VERSION \
+              libsgx-dcap-default-qpl=$DCAP_VERSION \
+              libsgx-urts=$PSW_VERSION
+          LIB_PATH=/usr/lib/x86_64-linux-gnu
+          sudo ln -s $LIB_PATH/libsgx_dcap_ql.so.1 $LIB_PATH/libsgx_dcap_ql.so
+          sudo ln -s $LIB_PATH/libsgx_dcap_quoteverify.so.1 $LIB_PATH/libsgx_dcap_quoteverify.so
       - name: Test x/registration
         run: |
           source "$HOME/.sgxsdk/sgxsdk/environment"

@@ -35,6 +35,7 @@ import (
 	v1_10 "github.com/scrtlabs/SecretNetwork/app/upgrades/v1.10"
 	v1_11 "github.com/scrtlabs/SecretNetwork/app/upgrades/v1.11"
 	v1_12 "github.com/scrtlabs/SecretNetwork/app/upgrades/v1.12"
+	v1_13 "github.com/scrtlabs/SecretNetwork/app/upgrades/v1.13"
 	v1_3 "github.com/scrtlabs/SecretNetwork/app/upgrades/v1.3"
 	v1_4 "github.com/scrtlabs/SecretNetwork/app/upgrades/v1.4"
 	v1_5 "github.com/scrtlabs/SecretNetwork/app/upgrades/v1.5"
@@ -107,6 +108,7 @@ var (
 		v1_10.Upgrade,
 		v1_11.Upgrade,
 		v1_12.Upgrade,
+		v1_13.Upgrade,
 	}
 )
 

@@ -0,0 +1,45 @@
+package v1_13
+
+import (
+	"fmt"
+
+	store "github.com/cosmos/cosmos-sdk/store/types"
+	sdk "github.com/cosmos/cosmos-sdk/types"
+	"github.com/cosmos/cosmos-sdk/types/module"
+	upgradetypes "github.com/cosmos/cosmos-sdk/x/upgrade/types"
+	"github.com/scrtlabs/SecretNetwork/app/keepers"
+	"github.com/scrtlabs/SecretNetwork/app/upgrades"
+	"github.com/scrtlabs/SecretNetwork/go-cosmwasm/api"
+)
+
+const upgradeName = "v1.13"
+
+var Upgrade = upgrades.Upgrade{
+	UpgradeName:          upgradeName,
+	CreateUpgradeHandler: createUpgradeHandler,
+	StoreUpgrades:        store.StoreUpgrades{},
+}
+
+func createUpgradeHandler(mm *module.Manager, _ *keepers.SecretAppKeepers, configurator module.Configurator,
+) upgradetypes.UpgradeHandler {
+	return func(ctx sdk.Context, _ upgradetypes.Plan, vm module.VersionMap) (module.VersionMap, error) {
+		ctx.Logger().Info(` _    _ _____   _____ _____            _____  ______ `)
+		ctx.Logger().Info(`| |  | |  __ \ / ____|  __ \     /\   |  __ \|  ____|`)
+		ctx.Logger().Info(`| |  | | |__) | |  __| |__) |   /  \  | |  | | |__   `)
+		ctx.Logger().Info(`| |  | |  ___/| | |_ |  _  /   / /\ \ | |  | |  __|  `)
+		ctx.Logger().Info(`| |__| | |    | |__| | | \ \  / ____ \| |__| | |____ `)
+		ctx.Logger().Info(` \____/|_|     \_____|_|  \_\/_/    \_\_____/|______|`)
+
+		// WASM Hooks doesn't require any initialization code:
+		// https://github.com/osmosis-labs/osmosis/blob/8b4c62a26/app/upgrades/v14/upgrades.go#L12-L21
+
+		ctx.Logger().Info(fmt.Sprintf("Running module migrations for %s...", upgradeName))
+
+		_, err := api.MigrateSealing()
+		if err != nil {
+			return nil, err
+		}
+
+		return mm.RunMigrations(ctx, configurator, vm)
+	}
+}
@@ -8,9 +8,9 @@ use enclave_ffi_types::{
 };
 use sgx_types::{
     c_int, sgx_calc_quote_size, sgx_enclave_id_t, sgx_epid_group_id_t, sgx_get_quote,
-    sgx_init_quote, sgx_platform_info_t, sgx_quote_nonce_t, sgx_quote_sign_type_t, sgx_quote_t,
-    sgx_report_attestation_status, sgx_report_t, sgx_spid_t, sgx_status_t, sgx_target_info_t,
-    sgx_update_info_bit_t,
+    sgx_init_quote, sgx_platform_info_t, sgx_ql_qe_report_info_t, sgx_ql_qv_result_t,
+    sgx_quote_nonce_t, sgx_quote_sign_type_t, sgx_quote_t, sgx_report_attestation_status,
+    sgx_report_t, sgx_spid_t, sgx_status_t, sgx_target_info_t, sgx_update_info_bit_t,
 };
 
 // ecalls
@@ -186,3 +186,53 @@ pub extern "C" fn ocall_read_db(
 pub extern "C" fn ocall_allocate(_buffer: *const u8, _length: usize) -> UserSpaceBuffer {
     unimplemented!()
 }
+
+#[no_mangle]
+pub extern "C" fn ocall_get_quote_ecdsa_params(
+    ret_val: *mut sgx_status_t,
+    p_qe_info: *mut sgx_target_info_t,
+    p_quote_size: *mut u32,
+) -> sgx_status_t {
+    unimplemented!()
+}
+#[no_mangle]
+pub extern "C" fn ocall_get_quote_ecdsa(
+    ret_val: *mut sgx_status_t,
+    p_report: *const sgx_report_t,
+    p_quote: *mut u8,
+    n_quote: u32,
+) -> sgx_status_t {
+    unimplemented!()
+}
+
+#[no_mangle]
+pub extern "C" fn ocall_get_quote_ecdsa_collateral(
+    ret_val: *mut sgx_status_t,
+    p_quote: *const u8,
+    n_quote: u32,
+    p_col: *mut u8,
+    n_col: u32,
+    p_col_out: *mut u32,
+) -> sgx_status_t {
+    unimplemented!()
+}
+
+#[no_mangle]
+pub extern "C" fn ocall_verify_quote_ecdsa(
+    ret_val: *mut sgx_status_t,
+    p_quote: *const u8,
+    n_quote: u32,
+    p_col: *const u8,
+    n_col: u32,
+    p_target_info: *const sgx_target_info_t,
+    time_s: i64,
+    p_qve_report_info: *mut sgx_ql_qe_report_info_t,
+    p_supp_data: *mut u8,
+    n_supp_data: u32,
+    p_supp_data_size: *mut u32,
+    p_time_s: *mut i64,
+    p_collateral_expiration_status: *mut u32,
+    p_qv_result: *mut sgx_ql_qv_result_t,
+) -> sgx_status_t {
+    unimplemented!()
+}
@@ -30,6 +30,8 @@ const (
 	flagReset                     = "reset"
 	flagPulsar                    = "pulsar"
 	flagCustomRegistrationService = "registration-service"
+	flag_no_epid                  = "no-epid"
+	flag_no_dcap                  = "no-dcap"
 )
 
 const (
@@ -95,14 +97,19 @@ blockchain. Writes the certificate in DER format to ~/attestation_cert
 				return fmt.Errorf("failed to initialize enclave: %w", err)
 			}
 
-			_, err = api.CreateAttestationReport(apiKeyFile)
+			no_epid, _ := cmd.Flags().GetBool(flag_no_epid)
+			no_dcap, _ := cmd.Flags().GetBool(flag_no_dcap)
+
+			_, err = api.CreateAttestationReport(apiKeyFile, no_epid, no_dcap)
 			if err != nil {
 				return fmt.Errorf("failed to create attestation report: %w", err)
 			}
 			return nil
 		},
 	}
 	cmd.Flags().Bool(flagReset, false, "Optional flag to regenerate the enclave registration key")
+	cmd.Flags().Bool(flag_no_epid, false, "Optional flag to disable EPID attestation")
+	cmd.Flags().Bool(flag_no_dcap, false, "Optional flag to disable DCAP attestation")
 
 	return cmd
 }
@@ -247,6 +254,47 @@ func ParseCert() *cobra.Command {
 	return cmd
 }
 
+func DumpBin() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "dump [binary file]",
+		Short: "Dump a binary file",
+		Long: "Helper to display the contents of a binary file, and extract the public key of the secret node, which is used to" +
+			"register the node, during node initialization",
+		Args: cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			data, err := os.ReadFile(args[0])
+			if err != nil {
+				return err
+			}
+
+			fmt.Printf("%s\n", hex.EncodeToString(data))
+			return nil
+		},
+	}
+
+	return cmd
+}
+
+func MigrateSealings() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "migrate_sealing",
+		Short: "Migrate sealed files to the current format",
+		Long:  "Re-create SGX-sealed files according to the current format",
+		Args:  cobra.ExactArgs(0),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			_, err := api.MigrateSealing()
+			if err != nil {
+				return fmt.Errorf("failed to start enclave. Enclave returned: %s", err)
+			}
+
+			fmt.Printf("Migration succeeded\n")
+			return nil
+		},
+	}
+
+	return cmd
+}
+
 func ConfigureSecret() *cobra.Command {
 	cmd := &cobra.Command{
 		Use: "configure-secret [master-key] [seed]",
@@ -436,7 +484,10 @@ Please report any issues with this command
 				return fmt.Errorf("failed to initialize enclave: %w", err)
 			}
 
-			_, err = api.CreateAttestationReport(apiKeyFile)
+			no_epid, _ := cmd.Flags().GetBool(flag_no_epid)
+			no_dcap, _ := cmd.Flags().GetBool(flag_no_dcap)
+
+			_, err = api.CreateAttestationReport(apiKeyFile, no_epid, no_dcap)
 			if err != nil {
 				return fmt.Errorf("failed to create attestation report: %w", err)
 			}
@@ -582,5 +633,8 @@ Please report any issues with this command
 	cmd.Flags().String(flagLegacyBootstrapNode, "", "DEPRECATED: This flag is no longer required or in use")
 	cmd.Flags().String(flagLegacyRegistrationNode, "", "DEPRECATED: This flag is no longer required or in use")
 
+	cmd.Flags().Bool(flag_no_epid, false, "Optional flag to disable EPID attestation")
+	cmd.Flags().Bool(flag_no_dcap, false, "Optional flag to disable DCAP attestation")
+
 	return cmd
 }
@@ -62,6 +62,37 @@ func ParseCert() *cobra.Command {
 	return cmd
 }
 
+func DumpBin() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "dump [binary file]",
+		Short: "Dump a binary file",
+		Long: "Helper to display the contents of a binary file, and extract the public key of the secret node, which is used to" +
+			"register the node, during node initialization",
+		Args: cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			println("This is a secretd only function, yo")
+			return nil
+		},
+	}
+
+	return cmd
+}
+
+func MigrateSealings() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "migrate_sealing",
+		Short: "Migrate sealed files to the current format",
+		Long:  "Re-create SGX-sealed files according to the current format",
+		Args:  cobra.ExactArgs(0),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			println("This is a secretd only function, yo")
+			return nil
+		},
+	}
+
+	return cmd
+}
+
 func ConfigureSecret() *cobra.Command {
 	cmd := &cobra.Command{
 		Use: "configure-secret [master-key] [seed]",

@@ -109,7 +109,6 @@ func NewRootCmd() (*cobra.Command, app.EncodingConfig) {
 				return err
 			}
 			initClientCtx, err = clientconfig.ReadFromClientConfig(initClientCtx)
-
 			if err != nil {
 				return err
 			}
@@ -179,6 +178,8 @@ func initRootCmd(rootCmd *cobra.Command, encodingConfig app.EncodingConfig) {
 		InitAttestation(),
 		InitBootstrapCmd(),
 		ParseCert(),
+		DumpBin(),
+		MigrateSealings(),
 		ConfigureSecret(),
 		HealthCheck(),
 		ResetEnclave(),

@@ -5,6 +5,8 @@ enclave {
     from "sgx_net.edl" import *;
     from "sgx_time.edl" import *;
     include "sgx_quote.h"
+    include "sgx_ql_quote.h"
+    include "sgx_qve_header.h"
     from "sgx_backtrace.edl" import *;
     from "sgx_tstdc.edl" import *;
     from "sgx_tprotected_fs.edl" import *;
@@ -32,9 +34,13 @@ enclave {
             [out, count=32] uint8_t* public_key
         );
 
+        public sgx_status_t ecall_migrate_sealing(
+        );
+
         public sgx_status_t ecall_get_attestation_report(
             [in, count=api_key_len] const uint8_t* api_key,
-            uint32_t api_key_len
+            uint32_t api_key_len,
+            uint32_t flags
         );
 
         public NodeAuthResult ecall_authenticate_new_node(
@@ -235,6 +241,41 @@ enclave {
             [out] uint32_t* p_quote_len
         );
 
+        sgx_status_t ocall_get_quote_ecdsa_params(
+            [out] sgx_target_info_t* p_qe_info,
+            [out] uint32_t* p_quote_size
+        );
+
+        sgx_status_t ocall_get_quote_ecdsa(
+            [in] const sgx_report_t* p_report,
+            [out, size=n_quote] uint8_t* p_quote,
+            uint32_t n_quote
+        );
+
+        sgx_status_t ocall_get_quote_ecdsa_collateral(
+            [in, size=n_quote] const uint8_t* p_quote,
+            uint32_t n_quote,
+            [out, size=n_col] uint8_t* p_col,
+            uint32_t n_col,
+            [out] uint32_t* p_col_out
+        );
+
+        sgx_status_t ocall_verify_quote_ecdsa(
+            [in, size=n_quote] const uint8_t* p_quote,
+            uint32_t n_quote,
+            [in, size=n_col] const uint8_t* p_col,
+            uint32_t n_col,
+            [in] const sgx_target_info_t* p_target_info,
+            int64_t time_s,
+            [out] sgx_ql_qe_report_info_t* p_qve_report_info,
+            [out, size=n_supp_data] uint8_t* p_supp_data,
+            uint32_t n_supp_data,
+            [out] uint32_t* p_supp_data_size,
+            [out] int64_t* p_time_s,
+            [out] uint32_t* p_collateral_expiration_status,
+            [out] sgx_ql_qv_result_t* p_qv_result
+        );
+
         sgx_status_t ocall_get_update_info(
             [in] sgx_platform_info_t * platformBlob,
             int32_t enclaveTrusted,

@@ -91,8 +91,8 @@ RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lenclave
 RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
 RustEnclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
 	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
-	-Wl,--start-group -lsgx_tstdc -lsgx_tcxx -l$(Crypto_Library_Name) -l$(Service_Library_Name) -l$(ProtectedFs_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
-	-Wl,--version-script=Enclave.lds \
+	-Wl,--start-group -lsgx_tstdc -lsgx_tcxx -lsgx_dcap_tvl -l$(Crypto_Library_Name) -l$(Service_Library_Name) -l$(ProtectedFs_Library_Name) $(RustEnclave_Link_Libs) -Wl,--end-group \
+	-Wl,--version-script=Enclave.lds -lsgx_pthread \
 	$(ENCLAVE_LDFLAGS)