feat(proof_data_handler): add new endpoints to the TEE prover interfa…

…ce API (#1993)

## What ❔

This PR introduces three new endpoints to the prover interface API:
1. `/tee/proof_inputs` - for fetching input data for the TEE verifier.
It is intended for TEE workers to obtain a batch to process.
2. `/tee/submit_proofs/<l1_batch_number>` - for submitting TEE proof.
3. `/tee/register_attestation` - for registering TEE attestation.

The first two introduced API endpoints correspond to the existing,
analogous `/proof_generation_data` and `/submit_proof/<l1_batch_number>`
endpoints used for the ZK proofs.

The state of batches (e.g., _proven_, _taken_, etc.) is tracked in the
database. The `TeeVerifierInputProducer` generates serialized TEE prover
inputs, which are then stored in the object store.

To run the unit tests, you need to use the following command: `zk test
rust --package zksync_proof_data_handler --lib tests`. Running `cargo
test` directly fails because the `zk` command sets up an additional
database for testing purposes.

To test it manually, run the ZK server with the command:
```
zk server --components proof_data_handler --use-node-framework
```
and then send an HTTP request:
- to get TEE verifier input data:
  ```
curl -X POST -H "Content-Type: application/json" --data-raw "{}" -vvv
http://127.0.0.1:3320/tee/proof_inputs
  ```
  To inspect the database for the TEE verifier input data jobs, run:
  ```
  $ PGPASSWORD='notsecurepassword' psql -h 127.0.0.1 -p 5432 -U postgres
  # \c zksync_local
  # SELECT * FROM tee_verifier_input_producer_jobs;
  ```
- register TEE attestation:
  ```
curl -X POST -H "Content-Type: application/json" --data-raw '{
"attestation": [ 4, 3, 2, 1, 0 ], "pubkey": [ 5, 6, 7, 8, 9 ] }' -vvv
http://127.0.0.1:3320/tee/register_attestation
  ```
  To inspect the database for the TEE attestations, run:
  ```
  $ PGPASSWORD='notsecurepassword' psql -h 127.0.0.1 -p 5432 -U postgres
  # \c zksync_local
  # SELECT * FROM tee_attestations;
  ```
- to submit TEE proof:
  ```
curl -X POST -H "Content-Type: application/json" --data-raw '{
"signature": [ 0, 1, 2, 3, 4 ], "pubkey": [ 5, 6, 7, 8, 9 ], "proof": [
10, 11, 12, 13, 14 ] }' -vvv http://127.0.0.1:3320/tee/submit_proofs/1
  ```
  To inspect the database for the TEE proofs, run:
  ```
  $ PGPASSWORD='notsecurepassword' psql -h 127.0.0.1 -p 5432 -U postgres
  # \c zksync_local
  # SELECT * FROM tee_proof_generation_details;
  ```

## Why ❔

This PR contributes to the effort outlined in the docs:
-
https://www.notion.so/matterlabs/2FA-for-zk-rollups-with-TEEs-a2266138bd554fda8846e898fef75131?pvs=4
-
https://www.notion.so/matterlabs/Proof-2F-verification-with-SGX-5fca2c619dd147938971cc00ae53e2b0?pvs=4

## Checklist

<!-- Check your PR fulfills the following items. -->
<!-- For draft PRs check the boxes as you complete them. -->

- [x] PR title corresponds to the body of PR (we generate changelog
entries from PRs).
- [x] Tests for the changes have been added / updated.
- [x] Documentation comments have been added / updated.
- [x] Code has been formatted via `zk fmt` and `zk lint`.
- [x] Spellcheck has been run via `zk spellcheck`.

Cargo.toml

@@ -116,6 +116,7 @@ google-cloud-storage = "0.15.0"
 governor = "0.4.2"
 hex = "0.4"
 http = "0.2.9"
+hyper = "0.14.29"
 iai = "0.1"
 insta = "1.29.0"
 itertools = "0.10"

checks-config/era.dic

@@ -973,3 +973,11 @@ uncached
 untrimmed
 UNNEST
 semver
+TeeRequestProcessor
+l1_batch_number
+RequestProcessorError
+map_err
+proof_inputs
+submit_proofs
+ready_to_be_proven
+privkey

core/lib/config/src/configs/proof_data_handler.rs

@@ -6,6 +6,7 @@ use serde::Deserialize;
 pub struct ProofDataHandlerConfig {
     pub http_port: u16,
     pub proof_generation_timeout_in_secs: u16,
+    pub tee_support: bool,
 }
 
 impl ProofDataHandlerConfig {

core/lib/config/src/testonly.rs

@@ -626,6 +626,7 @@ impl Distribution<configs::ProofDataHandlerConfig> for EncodeDist {
         configs::ProofDataHandlerConfig {
             http_port: self.sample(rng),
             proof_generation_timeout_in_secs: self.sample(rng),
+            tee_support: self.sample(rng),
         }
     }
 }

core/lib/dal/migrations/20240523085604_add_tee_proof_generation_details_table.down.sql

@@ -0,0 +1,4 @@
+DROP TABLE IF EXISTS tee_attestations;
+DROP TABLE IF EXISTS tee_proof_generation_details;
+
+DROP INDEX IF EXISTS idx_tee_proof_generation_details_status_prover_taken_at;

core/lib/dal/migrations/20240523085604_add_tee_proof_generation_details_table.up.sql

@@ -0,0 +1,22 @@
+CREATE TABLE IF NOT EXISTS tee_attestations
+(
+    pubkey                  BYTEA PRIMARY KEY,
+    attestation             BYTEA
+);
+
+CREATE TABLE IF NOT EXISTS tee_proof_generation_details
+(
+    l1_batch_number         BIGINT PRIMARY KEY REFERENCES tee_verifier_input_producer_jobs (l1_batch_number) ON DELETE CASCADE,
+    status                  TEXT      NOT NULL,
+    signature               BYTEA,
+    pubkey                  BYTEA REFERENCES tee_attestations (pubkey) ON DELETE SET NULL,
+    proof                   BYTEA,
+    tee_type                TEXT,
+    created_at              TIMESTAMP NOT NULL,
+    updated_at              TIMESTAMP NOT NULL,
+    prover_taken_at         TIMESTAMP
+);
+
+CREATE INDEX IF NOT EXISTS idx_tee_proof_generation_details_status_prover_taken_at
+    ON tee_proof_generation_details (prover_taken_at)
+    WHERE status = 'picked_by_prover';

core/lib/dal/src/lib.rs

@@ -20,7 +20,7 @@ use crate::{
     snapshot_recovery_dal::SnapshotRecoveryDal, snapshots_creator_dal::SnapshotsCreatorDal,
     snapshots_dal::SnapshotsDal, storage_logs_dal::StorageLogsDal,
     storage_logs_dedup_dal::StorageLogsDedupDal, storage_web3_dal::StorageWeb3Dal,
-    sync_dal::SyncDal, system_dal::SystemDal,
+    sync_dal::SyncDal, system_dal::SystemDal, tee_proof_generation_dal::TeeProofGenerationDal,
     tee_verifier_input_producer_dal::TeeVerifierInputProducerDal, tokens_dal::TokensDal,
     tokens_web3_dal::TokensWeb3Dal, transactions_dal::TransactionsDal,
     transactions_web3_dal::TransactionsWeb3Dal, vm_runner_dal::VmRunnerDal,
@@ -50,6 +50,7 @@ pub mod storage_logs_dedup_dal;
 pub mod storage_web3_dal;
 pub mod sync_dal;
 pub mod system_dal;
+pub mod tee_proof_generation_dal;
 pub mod tee_verifier_input_producer_dal;
 pub mod tokens_dal;
 pub mod tokens_web3_dal;
@@ -111,6 +112,8 @@ where
 
     fn proof_generation_dal(&mut self) -> ProofGenerationDal<'_, 'a>;
 
+    fn tee_proof_generation_dal(&mut self) -> TeeProofGenerationDal<'_, 'a>;
+
     fn system_dal(&mut self) -> SystemDal<'_, 'a>;
 
     fn snapshots_dal(&mut self) -> SnapshotsDal<'_, 'a>;
@@ -213,6 +216,10 @@ impl<'a> CoreDal<'a> for Connection<'a, Core> {
         ProofGenerationDal { storage: self }
     }
 
+    fn tee_proof_generation_dal(&mut self) -> TeeProofGenerationDal<'_, 'a> {
+        TeeProofGenerationDal { storage: self }
+    }
+
     fn system_dal(&mut self) -> SystemDal<'_, 'a> {
         SystemDal { storage: self }
     }