Check hw separate flow (#1509)

Refactored check-hw tool to give a bit more information and have it's own code path - no more dry_run

.github/workflows/ci.yaml

@@ -224,7 +224,7 @@ jobs:
         run: |
           source "$HOME/.sgxsdk/sgxsdk/environment"
           mkdir -p ias_keys/production
-          echo "not_a_key" > ias_keys/production/api_key.txt
+          cp ias_keys/develop/api_key.txt ias_keys/production/api_key.txt
           SGX_MODE=SW make clippy
           SGX_MODE=HW make clippy
 

.github/workflows/release.yaml

@@ -192,6 +192,7 @@ jobs:
     env: # Or as an environment variable
       SPID: ${{ secrets.SPID_TESTNET }}
       API_KEY: ${{ secrets.API_KEY_TESTNET }}
+      API_KEY_MAINNET: ${{ secrets.API_KEY_MAINNET }}
     steps:
       - uses: actions/checkout@v3
         with:
@@ -209,6 +210,7 @@ jobs:
           secrets: |
             API_KEY=${{ secrets.API_KEY_TESTNET }}
             SPID=${{ secrets.SPID_TESTNET }}
+            API_KEY_MAINNET=${{ secrets.API_KEY_MAINNET }}
           build-args: |
             BUILD_VERSION=${{ steps.get_version.outputs.VERSION }}
             SGX_MODE=HW
@@ -217,10 +219,54 @@ jobs:
         run: |
           docker run -e VERSION=${{ steps.get_version.outputs.VERSION }} -v $GITHUB_WORKSPACE/build:/build check_hw_tool_build
           cp build/check_hw_${{ steps.get_version.outputs.VERSION }}.tar.gz check_hw_${{ steps.get_version.outputs.VERSION }}.tar.gz
+
+          # 1. Untar the archive
+          tar -xzf check_hw_${{ steps.get_version.outputs.VERSION }}.tar.gz
+
+          # 2. Rename the files
+          mv check_hw check_hw_testnet
+          mv check_hw_enclave.so check_hw_testnet_enclave.so
+
+          # 3. Retar the renamed files
+          tar -czf check_hw_${{ steps.get_version.outputs.VERSION }}_testnet.tar.gz check_hw_testnet check_hw_testnet_enclave.so
+
       - uses: actions/upload-artifact@v3
         with:
-          name: check_hw_${{ steps.get_version.outputs.VERSION }}.tar.gz
-          path: check_hw_${{ steps.get_version.outputs.VERSION }}.tar.gz
+          name: check_hw_${{ steps.get_version.outputs.VERSION }}_testnet.tar.gz
+          path: check_hw_${{ steps.get_version.outputs.VERSION }}_testnet.tar.gz
+
+#  check-hw-tool-mainnet:
+#    runs-on: ubuntu-20.04
+#    steps:
+#      - uses: actions/checkout@v3
+#        with:
+#          submodules: recursive
+#      - name: Get the version
+#        id: get_version
+#        run: echo ::set-output name=VERSION::${GITHUB_REF/refs\/tags\/v/}
+#      - name: Build check-hw-tool image
+#        uses: docker/build-push-action@v4
+#        with:
+#          file: deployment/dockerfiles/Dockerfile
+#          context: .
+#          load: true
+#          tags: check_hw_tool_build
+#          secrets: |
+#            API_KEY=${{ secrets.API_KEY_MAINNET }}
+#            SPID=${{ secrets.SPID_MAINNET }}
+#          build-args: |
+#            BUILD_VERSION=${{ steps.get_version.outputs.VERSION }}
+#            SGX_MODE=HW
+#            FEATURES=production
+#          target: compile-check-hw-tool
+#      - name: Run check-hw-tool image
+#        run: |
+#          docker run -e VERSION=${{ steps.get_version.outputs.VERSION }} -v $GITHUB_WORKSPACE/build:/build check_hw_tool_build
+#          cp build/check_hw_${{ steps.get_version.outputs.VERSION }}.tar.gz check_hw_${{ steps.get_version.outputs.VERSION }}.tar.gz
+#      - uses: actions/upload-artifact@v3
+#        with:
+#          name: check_hw_${{ steps.get_version.outputs.VERSION }}_mainnet.tar.gz
+#          path: check_hw_${{ steps.get_version.outputs.VERSION }}_mainnet.tar.gz
 
   publish-localsecret:
     runs-on: ubuntu-20.04
@@ -282,7 +328,8 @@ jobs:
         build-deb-testnet,
         build-deb-mainnet,
         MacOS-ARM64-CLI,
-        check-hw-tool,
+        check-hw-tool
+        # check-hw-tool-mainnet
       ]
     runs-on: ubuntu-20.04
     steps:
@@ -317,6 +364,9 @@ jobs:
       - uses: actions/download-artifact@v3
         with:
           name: check_hw_${{ steps.get_version.outputs.VERSION }}.tar.gz
+#      - uses: actions/download-artifact@v3
+#        with:
+#          name: check_hw_${{ steps.get_version.outputs.VERSION }}_mainnet.tar.gz
       - name: Release
         uses: softprops/action-gh-release@v1
         with:
@@ -331,3 +381,4 @@ jobs:
             secretcli-Linux
             secretcli-MacOS-arm64
             check_hw_${{ steps.get_version.outputs.VERSION }}.tar.gz
+#            check_hw_${{ steps.get_version.outputs.VERSION }}_mainnet.tar.gz

Makefile

@@ -372,7 +372,8 @@ build-check-hw-tool:
 	DOCKER_BUILDKIT=1 docker build --build-arg FEATURES="${FEATURES}" \
                  --build-arg FEATURES_U=${FEATURES_U} \
                  --build-arg BUILDKIT_INLINE_CACHE=1 \
-                 --secret id=API_KEY,src=api_key.txt \
+                 --secret id=API_KEY,src=ias_keys/develop/api_key.txt \
+				 --secret id=API_KEY_MAINNET,src=ias_keys/production/api_key.txt \
                  --secret id=SPID,src=spid.txt \
                  --build-arg SECRET_NODE_TYPE=NODE \
                  --build-arg BUILD_VERSION=${VERSION} \

check-hw/Cargo.toml

@@ -9,12 +9,17 @@ edition = "2021"
 default = []
 production = []
 
+# Just here for compatability with enclave features
+verify-validator-whitelist = []
+light-client-validation = []
+random = []
+
 [dependencies]
 sgx_types = { path = "../third_party/incubator-teaclave-sgx-sdk/sgx_types" }
 sgx_urts = { path = "../third_party/incubator-teaclave-sgx-sdk/sgx_urts" }
 enclave-ffi-types = { path = "../cosmwasm/enclaves/ffi-types", features = [
     "build_headers",
 ] }
-
+clap = "2.33"
 parking_lot = "0.11"
 lazy_static = "1.4"

check-hw/rust-toolchain

@@ -1 +1 @@
-nightly-2022-08-27
+nightly-2022-10-22

check-hw/src/enclave.rs

@@ -4,18 +4,12 @@ use sgx_types::{
 use sgx_urts::SgxEnclave;
 use std::path::Path;
 
-#[cfg(feature = "production")]
-const ENCLAVE_DEBUG: i32 = 0;
-
-#[cfg(not(feature = "production"))]
-const ENCLAVE_DEBUG: i32 = 1;
-
-pub fn init_enclave(enclave_file: &str) -> SgxResult<SgxEnclave> {
+pub fn init_enclave(enclave_file: &str, enclave_debug: i32) -> SgxResult<SgxEnclave> {
     let mut launch_token: sgx_launch_token_t = [0; 1024];
     let mut launch_token_updated: i32 = 0;
     // call sgx_create_enclave to initialize an enclave instance
     // Debug Support: set 2nd parameter to 1
-    let debug: i32 = ENCLAVE_DEBUG;
+    let debug: i32 = enclave_debug;
     let mut misc_attr = sgx_misc_attribute_t {
         secs_attr: sgx_attributes_t { flags: 0, xfrm: 0 },
         misc_select: 0,

check-hw/src/enclave_api.rs

@@ -3,7 +3,9 @@ use std::{
     os::unix::prelude::IntoRawFd,
 };
 
-use enclave_ffi_types::{Ctx, EnclaveBuffer, OcallReturn, UntrustedVmError, UserSpaceBuffer};
+use enclave_ffi_types::{
+    Ctx, EnclaveBuffer, NodeAuthResult, OcallReturn, UntrustedVmError, UserSpaceBuffer,
+};
 use sgx_types::{
     c_int, sgx_calc_quote_size, sgx_enclave_id_t, sgx_epid_group_id_t, sgx_get_quote,
     sgx_init_quote, sgx_platform_info_t, sgx_quote_nonce_t, sgx_quote_sign_type_t, sgx_quote_t,
@@ -14,12 +16,11 @@ use sgx_types::{
 // ecalls
 
 extern "C" {
-    pub fn ecall_get_attestation_report(
+    pub fn ecall_check_patch_level(
         eid: sgx_enclave_id_t,
-        retval: *mut sgx_status_t,
+        retval: *mut NodeAuthResult,
         api_key: *const u8,
         api_key_len: u32,
-        dry_run: u8,
     ) -> sgx_status_t;
 }
 
@@ -90,7 +91,7 @@ pub extern "C" fn ocall_get_ias_socket(ret_fd: *mut c_int) -> sgx_status_t {
     let port = 443;
     let hostname = "api.trustedservices.intel.com";
     let addr = lookup_ipv4(hostname, port);
-    let sock = TcpStream::connect(&addr).expect("[-] Connect tls server failed!");
+    let sock = TcpStream::connect(addr).expect("[-] Connect tls server failed!");
 
     unsafe {
         *ret_fd = sock.into_raw_fd();

check-hw/src/main.rs

@@ -2,50 +2,95 @@ mod enclave;
 mod enclave_api;
 mod types;
 
+use clap::App;
 use lazy_static::lazy_static;
 use sgx_types::sgx_status_t;
 
-use crate::{enclave_api::ecall_get_attestation_report, types::EnclaveDoorbell};
+use crate::{enclave_api::ecall_check_patch_level, types::EnclaveDoorbell};
 
-static ENCLAVE_FILE: &str = "check_hw_enclave.so";
-const TCS_NUM: u8 = 8;
+use enclave_ffi_types::NodeAuthResult;
+
+const ENCLAVE_FILE_TESTNET: &str = "check_hw_testnet_enclave.so";
+const ENCLAVE_FILE_MAINNET: &str = "check_hw_enclave.so";
+const TCS_NUM: u8 = 1;
 
 lazy_static! {
-    static ref ENCLAVE_DOORBELL: EnclaveDoorbell = EnclaveDoorbell::new(ENCLAVE_FILE, TCS_NUM);
+    static ref ENCLAVE_DOORBELL: EnclaveDoorbell = {
+        let is_testnet = std::env::args().any(|arg| arg == "--testnet" || arg == "-t");
+        let enclave_file = if is_testnet {
+            ENCLAVE_FILE_TESTNET
+        } else {
+            ENCLAVE_FILE_MAINNET
+        };
+        EnclaveDoorbell::new(enclave_file, TCS_NUM, is_testnet as i32)
+    };
 }
 
-fn main() -> Result<(), sgx_status_t> {
+fn main() {
+    let matches = App::new("Check HW")
+        .version("1.0")
+        .arg(
+            clap::Arg::with_name("testnet")
+                .short("t")
+                .long("testnet")
+                .help("Run in testnet mode"),
+        )
+        .get_matches();
+
+    let is_testnet = matches.is_present("testnet");
+
     println!("Creating enclave instance..");
 
     let enclave_access_token = ENCLAVE_DOORBELL
         .get_access(1) // This can never be recursive
-        .ok_or(sgx_status_t::SGX_ERROR_BUSY)?;
+        .ok_or(sgx_status_t::SGX_ERROR_BUSY);
 
-    let enclave = enclave_access_token.enclave?;
+    if let Err(e) = enclave_access_token {
+        println!(
+            "Failed to get enclave access token: {:?} (is enclave currently running or busy?)",
+            e
+        );
+        return;
+    }
 
-    let api_key_bytes = include_bytes!("../../ias_keys/production/api_key.txt");
+    let enclave = enclave_access_token.unwrap().enclave;
 
-    let eid = enclave.geteid();
-    let mut retval = sgx_status_t::SGX_SUCCESS;
+    if let Err(e) = enclave {
+        println!("Failed to start enclave: {:?}", e);
+        return;
+    }
+
+    #[allow(clippy::if_same_then_else)]
+    let api_key_bytes = if is_testnet {
+        include_bytes!("../../ias_keys/develop/api_key.txt")
+    } else {
+        include_bytes!("../../ias_keys/production/api_key.txt")
+    };
+
+    let eid = enclave.unwrap().geteid();
+    let mut retval = NodeAuthResult::Success;
     let status = unsafe {
-        ecall_get_attestation_report(
+        ecall_check_patch_level(
             eid,
             &mut retval,
             api_key_bytes.as_ptr(),
             api_key_bytes.len() as u32,
-            1, // boolean
         )
     };
 
     if status != sgx_status_t::SGX_SUCCESS {
-        println!("could not generate attestation report");
-        return Err(status);
+        println!(
+            "Failed to run hardware verification test (is the correct enclave in the correct path?)"
+        );
+        return;
     }
 
-    if retval != sgx_status_t::SGX_SUCCESS {
-        println!("could not generate attestation report");
-        return Err(retval);
+    if retval != NodeAuthResult::Success {
+        println!("Failed to verify platform. Please see errors above for more info on what needs to be fixed before you can run a mainnet node. \n\
+        If you require assistance or more information, please contact us on Discord or Telegram. In addition, you may use the documentation available at \
+        https://docs.scrt.network
+        ");
+    } else {
+        println!("Platform verification successful! You are able to run a mainnet Secret node")
     }
-
-    Ok(())
 }

check-hw/src/types.rs

@@ -18,10 +18,10 @@ pub struct EnclaveDoorbell {
 }
 
 impl EnclaveDoorbell {
-    pub fn new(enclave_file: &str, count: u8) -> Self {
+    pub fn new(enclave_file: &str, count: u8, debug: i32) -> Self {
         // info!("Setting up enclave doorbell for up to {} threads", count);
         Self {
-            enclave: init_enclave(enclave_file),
+            enclave: init_enclave(enclave_file, debug),
             condvar: Condvar::new(),
             count: Mutex::new(count),
         }

cmd/secretd/attestation.go

@@ -95,7 +95,7 @@ blockchain. Writes the certificate in DER format to ~/attestation_cert
 				return fmt.Errorf("failed to initialize enclave: %w", err)
 			}
 
-			_, err = api.CreateAttestationReport(apiKeyFile, false)
+			_, err = api.CreateAttestationReport(apiKeyFile)
 			if err != nil {
 				return fmt.Errorf("failed to create attestation report: %w", err)
 			}
@@ -436,7 +436,7 @@ Please report any issues with this command
 				return fmt.Errorf("failed to initialize enclave: %w", err)
 			}
 
-			_, err = api.CreateAttestationReport(apiKeyFile, false)
+			_, err = api.CreateAttestationReport(apiKeyFile)
 			if err != nil {
 				return fmt.Errorf("failed to create attestation report: %w", err)
 			}

cosmwasm/contracts/v010/compute-tests/test-compute-contract/src/contract.rs

@@ -1705,8 +1705,6 @@ fn pass_null_pointer_to_imports_should_throw<S: Storage, A: Api, Q: Querier>(
     let null_ptr: *const CanonicalAddr = std::ptr::null();
     let null_canon_addr: &CanonicalAddr = unsafe { &*null_ptr };
 
-    use std::ptr;
-
     match &pass_type[..] {
         "read_db_key" => {
             unsafe { deps.storage.get(null_ptr_slice) };

cosmwasm/enclaves/execute/Cargo.toml

@@ -42,6 +42,7 @@ verify-validator-whitelist = [
   "light-client-validation"
 ]
 go-tests = []
+check-hw = []
 
 # This annotation is here to trick the IDE into showing us type information about this crate.
 # We always compile to the "sgx" target, so this will always be false.