more

taikoxyz · Feb 11, 2025 · 8638eeb · 8638eeb
1 parent d8f752e
commit 8638eeb
Show file tree

Hide file tree

Showing 6 changed files with 45 additions and 29 deletions.
diff --git a/packages/protocol/contracts/layer1/verifiers/SgxVerifier.sol b/packages/protocol/contracts/layer1/verifiers/SgxVerifier.sol
@@ -35,6 +35,7 @@ contract SgxVerifier is EssentialContract, IVerifier {
     uint64 public constant INSTANCE_VALIDITY_DELAY = 0;
 
     uint64 public immutable taikoChainId;
+    address public immutable automataDcapAttestation;
 
     /// @dev For gas savings, we shall assign each SGX instance with an id that when we need to
     /// set a new pub key, just write storage once.
@@ -78,10 +79,16 @@ contract SgxVerifier is EssentialContract, IVerifier {
     error SGX_INVALID_ATTESTATION();
     error SGX_INVALID_INSTANCE();
     error SGX_INVALID_PROOF();
-    error SGX_RA_NOT_SUPPORTED();
 
-    constructor(address _resolver, uint64 _taikoChainId) EssentialContract(_resolver) {
+    constructor(
+        address _resolver,
+        uint64 _taikoChainId,
+        address _automataDcapAttestation
+    )
+        EssentialContract(_resolver)
+    {
         taikoChainId = _taikoChainId;
+        automataDcapAttestation = _automataDcapAttestation;
     }
 
     /// @notice Initializes the contract.
@@ -126,13 +133,7 @@ contract SgxVerifier is EssentialContract, IVerifier {
         external
         returns (uint256)
     {
-        // TODO(daniel): replace with immutable
-        address automataDcapAttestation = resolve(LibStrings.B_AUTOMATA_DCAP_ATTESTATION, true);
-
-        require(automataDcapAttestation != address(0), SGX_RA_NOT_SUPPORTED());
-
-        (bool verified,) = IAttestation(automataDcapAttestation).verifyParsedQuote(_attestation);
-
+        (bool verified,) = _getAutomataDcapAttestation().verifyParsedQuote(_attestation);
         require(verified, SGX_INVALID_ATTESTATION());
 
         address[] memory addresses = new address[](1);
@@ -229,4 +230,8 @@ contract SgxVerifier is EssentialContract, IVerifier {
         return instances[id].validSince <= block.timestamp
             && block.timestamp <= instances[id].validSince + INSTANCE_EXPIRY;
     }
+
+    function _getAutomataDcapAttestation() internal view returns (IAttestation) {
+        return IAttestation(automataDcapAttestation);
+    }
 }
diff --git a/packages/protocol/contracts/layer1/verifiers/SgxVerifierBase.sol b/packages/protocol/contracts/layer1/verifiers/SgxVerifierBase.sol
@@ -71,7 +71,6 @@ abstract contract SgxVerifierBase is EssentialContract {
     error SGX_INVALID_ATTESTATION();
     error SGX_INVALID_INSTANCE();
     error SGX_INVALID_PROOF();
-    error SGX_RA_NOT_SUPPORTED();
 
     /// @notice Register an SGX instance after the attestation is verified
     /// @param _attestation The parsed attestation quote.
@@ -80,13 +79,7 @@ abstract contract SgxVerifierBase is EssentialContract {
         external
         returns (uint256)
     {
-        // TODO(daniel): replace with immutable
-        address automataDcapAttestation = resolve(LibStrings.B_AUTOMATA_DCAP_ATTESTATION, true);
-
-        require(automataDcapAttestation != address(0), SGX_RA_NOT_SUPPORTED());
-
-        (bool verified,) = IAttestation(automataDcapAttestation).verifyParsedQuote(_attestation);
-
+        (bool verified,) = _getAutomataDcapAttestation().verifyParsedQuote(_attestation);
         require(verified, SGX_INVALID_ATTESTATION());
 
         address[] memory addresses = new address[](1);
@@ -169,4 +162,6 @@ abstract contract SgxVerifierBase is EssentialContract {
         return instances[id].validSince <= block.timestamp
             && block.timestamp <= instances[id].validSince + INSTANCE_EXPIRY;
     }
+
+    function _getAutomataDcapAttestation() internal view virtual returns (IAttestation);
 }
diff --git a/packages/protocol/contracts/shared/common/EssentialContract.sol b/packages/protocol/contracts/shared/common/EssentialContract.sol
@@ -114,6 +114,11 @@ abstract contract EssentialContract is UUPSUpgradeable, Ownable2StepUpgradeable
         _;
     }
 
+    modifier onlyFromEither(address _addr1, address _addr2) {
+        require(msg.sender == _addr1 || msg.sender == _addr2, ACCESS_DENIED());
+        _;
+    }
+
     modifier onlyFrom(address _addr) {
         require(msg.sender == _addr, ACCESS_DENIED());
         _;

diff --git a/packages/protocol/script/layer1/based/DeployProtocolOnL1.s.sol b/packages/protocol/script/layer1/based/DeployProtocolOnL1.s.sol
@@ -288,7 +288,9 @@ contract DeployProtocolOnL1 is DeployCapability {
             registerTo: rollupResolver
         });
 
-        address sgxVerifier = deploySgxVerifier(owner, rollupResolver, l2ChainId);
+        address automataDcapAttestation = address(0); // not used
+        address sgxVerifier =
+            deploySgxVerifier(owner, rollupResolver, l2ChainId, automataDcapAttestation);
 
         (address risc0Verifier, address sp1Verifier) =
             deployZKVerifiers(owner, rollupResolver, l2ChainId);
@@ -314,18 +316,12 @@ contract DeployProtocolOnL1 is DeployCapability {
     function deploySgxVerifier(
         address owner,
         address rollupResolver,
-        uint64 l2ChainId
+        uint64 l2ChainId,
+        address automataDcapAttestation
     )
         private
         returns (address sgxVerifier)
     {
-        sgxVerifier = deployProxy({
-            name: "sgx_verifier",
-            impl: address(new SgxVerifier(rollupResolver, l2ChainId)),
-            data: abi.encodeCall(SgxVerifier.init, owner),
-            registerTo: rollupResolver
-        });
-
         // No need to proxy these, because they are 3rd party. If we want to modify, we simply
         // change the registerAddress("automata_dcap_attestation", address(attestation));
         P256Verifier p256Verifier = new P256Verifier();
@@ -341,6 +337,14 @@ contract DeployProtocolOnL1 is DeployCapability {
             ),
             registerTo: rollupResolver
         });
+
+        sgxVerifier = deployProxy({
+            name: "sgx_verifier",
+            impl: address(new SgxVerifier(rollupResolver, l2ChainId, automataProxy)),
+            data: abi.encodeCall(SgxVerifier.init, owner),
+            registerTo: rollupResolver
+        });
+
         // Log addresses for the user to register sgx instance
         console2.log("SigVerifyLib", address(sigVerifyLib));
         console2.log("PemCertChainLib", address(pemCertChainLib));

diff --git a/packages/protocol/script/layer1/devnet/UpgradeDevnetPacayaL1.s.sol b/packages/protocol/script/layer1/devnet/UpgradeDevnetPacayaL1.s.sol
@@ -117,7 +117,12 @@ contract UpgradeDevnetPacayaL1 is DeployCapability {
             data: abi.encodeCall(OpVerifier.init, (address(0))),
             registerTo: rollupResolver
         });
-        UUPSUpgradeable(sgxVerifier).upgradeTo(address(new SgxVerifier(rollupResolver, l2ChainId)));
+
+        address automataDcapAttestation = address(0); // not used!
+        UUPSUpgradeable(sgxVerifier).upgradeTo(
+            address(new SgxVerifier(rollupResolver, l2ChainId, automataDcapAttestation))
+        );
+
         register(rollupResolver, "sgx_verifier", sgxVerifier);
         UUPSUpgradeable(risc0Verifier).upgradeTo(
             address(new Risc0Verifier(rollupResolver, l2ChainId))

diff --git a/packages/protocol/test/layer1/Layer1Test.sol b/packages/protocol/test/layer1/Layer1Test.sol
@@ -103,11 +103,13 @@ abstract contract Layer1Test is CommonTest {
         );
     }
 
-    function deploySgxVerifier() internal returns (SgxVerifier) {
+    function deploySgxVerifier(address _automataDcapAttestation) internal returns (SgxVerifier) {
         return SgxVerifier(
             deploy({
                 name: "tier_sgx",
-                impl: address(new SgxVerifier(address(resolver), taikoChainId)),
+                impl: address(
+                    new SgxVerifier(address(resolver), taikoChainId, _automataDcapAttestation)
+                ),
                 data: abi.encodeCall(SgxVerifier.init, (address(0)))
             })
         );