Refactor/cherry pick (#107)

* fix: fix ci build

* refactor: switch to version 1.0.3

* chore: increase wait time

* refactor: update linking process

* refactor: fix issue with linked enclave

* refactor: rename to .attestation

* Fix missing version

---------

Co-authored-by: Denis <[email protected]>

.github/workflows/build-deb.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-22.04
     env:
       SGX_MODE: HW
-      VERSION: "1.0.2"
+      VERSION: "1.0.3"
       PRODUCTION_MODE: true
     steps:
       - uses: actions/checkout@v3

.gitignore

@@ -11,3 +11,7 @@ build/
 vendor
 **quote.dat
 sgxvm/Enclave_private.pem
+
+# Dynamic libraries
+**libsgx_wrapper**
+**libsgx_attestation_wrapper**

Makefile

@@ -1,4 +1,4 @@
-VERSION := v1.0.2
+VERSION := v1.0.3
 COMMIT := $(shell git log -1 --format='%H')
 ENCLAVE_HOME ?= $(HOME)/.swisstronik-enclave
 PRODUCTION_MODE ?= false

deb/postinst

@@ -8,15 +8,15 @@ then
     export SUDO_USER=root
 fi
 
-cat <<EOF > /etc/systemd/system/swisstronik-node-v1.0.2.service
+cat <<EOF > /etc/systemd/system/swisstronik-node-v1.0.3.service
 [Unit]
 Description=Swisstronik node service
 After=network.target
 
 [Service]
 Type=simple
 WorkingDirectory=$(eval echo ~"$SUDO_USER")
-ExecStart=/usr/local/bin/swisstronikd_v1.0.2 start --rpc.laddr "tcp://0.0.0.0:26657"  --json-rpc.address 0.0.0.0:8545 --json-rpc.ws-address 0.0.0.0:8546 --home /opt/swisstronik/.swisstronik
+ExecStart=/usr/local/bin/swisstronikd_v1.0.3 start --rpc.laddr "tcp://0.0.0.0:26657"  --json-rpc.address 0.0.0.0:8545 --json-rpc.ws-address 0.0.0.0:8546 --home /opt/swisstronik/.swisstronik
 User=$SUDO_USER
 Restart=on-failure
 StartLimitInterval=0

deb/postrm

@@ -3,8 +3,8 @@
 
 set -e
 
-systemctl stop swisstronik-node-v1.0.2                    || true
-systemctl disable swisstronik-node-v1.0.2                 || true
-rm -f /etc/systemd/system/swisstronik-node-v1.0.2.service || true
+systemctl stop swisstronik-node-v1.0.3                    || true
+systemctl disable swisstronik-node-v1.0.3                 || true
+rm -f /etc/systemd/system/swisstronik-node-v1.0.3.service || true
 rm -r /opt/swisstronik/                                   || true
 systemctl daemon-reload                                   || true

docker/deb.Dockerfile

@@ -47,7 +47,7 @@ RUN make build
 ############ Node binary for deb package
 FROM compile-base as build-deb
 
-ARG BUILD_VERSION="v1.0.2"
+ARG BUILD_VERSION="v1.0.3"
 ENV VERSION=${BUILD_VERSION}
 ARG DEB_BIN_DIR=/usr/local/bin
 ENV DEB_BIN_DIR=${DEB_BIN_DIR}
@@ -61,7 +61,7 @@ WORKDIR /root
 # Copy over binaries from the build-env
 COPY --from=compile-chain /root/chain/build/swisstronikd swisstronikd
 COPY --from=compile-chain /root/.swisstronik-enclave /usr/lib/.swisstronik-enclave
-COPY --from=compile-chain /root/chain/go-sgxvm/internal/api/libsgx_wrapper_v1.0.2.x86_64.so /usr/lib/.swisstronik-enclave/libsgx_wrapper_v1.0.2.x86_64.so
+COPY --from=compile-chain /root/chain/go-sgxvm/internal/api/libsgx_wrapper_v1.0.3.x86_64.so /usr/lib/.swisstronik-enclave/libsgx_wrapper_v1.0.3.x86_64.so
 
 COPY ./deb ./deb
 COPY ./scripts/build_deb.sh .

docker/node.Dockerfile

@@ -46,7 +46,7 @@ FROM base as hw-node
 
 COPY --from=compile-chain /root/chain/build/swisstronikd /usr/local/bin/swisstronikd
 COPY --from=compile-chain /root/.swisstronik-enclave /root/.swisstronik-enclave
-COPY --from=compile-chain /root/chain/go-sgxvm/internal/api/libsgx_wrapper_v1.0.2.x86_64.so /lib/x86_64-linux-gnu/libsgx_wrapper_v1.0.2.x86_64.so
+COPY --from=compile-chain /root/chain/go-sgxvm/internal/api/libsgx_wrapper_v1.0.3.x86_64.so /lib/x86_64-linux-gnu/libsgx_wrapper_v1.0.3.x86_64.so
 COPY --from=compile-chain /opt/intel /opt/intel
 
 EXPOSE 26656 26657 1317 9090 8545 8546 8999
@@ -62,7 +62,7 @@ RUN rm -rf /var/lib/apt/lists/*
 
 COPY --from=compile-chain /root/chain/build/swisstronikd /usr/bin/swisstronikd
 COPY --from=compile-chain /root/.swisstronik-enclave /root/.swisstronik-enclave
-COPY --from=compile-chain /root/chain/go-sgxvm/internal/api/libsgx_wrapper_v1.0.2.x86_64.so /lib/x86_64-linux-gnu/libsgx_wrapper_v1.0.2.x86_64.so
+COPY --from=compile-chain /root/chain/go-sgxvm/internal/api/libsgx_wrapper_v1.0.3.x86_64.so /lib/x86_64-linux-gnu/libsgx_wrapper_v1.0.3.x86_64.so
 COPY --from=compile-chain /opt/intel/sgxsdk/sdk_libs/* /lib/x86_64-linux-gnu/
 COPY --from=compile-chain /root/chain/scripts/local-node.sh /root/local-node.sh
 

go-sgxvm/Cargo.toml

@@ -18,5 +18,8 @@ protobuf = "=2.8.1"
 sgx_types = { git = "https://github.com/apache/teaclave-sgx-sdk.git", rev = "3c903bda" }
 sgx_urts = { git = "https://github.com/apache/teaclave-sgx-sdk.git", rev = "3c903bda" }
 
+[features]
+attestation_server = []
+
 [build-dependencies]
 cbindgen = "0.24.3"

go-sgxvm/Makefile

@@ -8,24 +8,30 @@ CXX=clang++
 SGX_MODE ?= HW
 ENCLAVE_HOME ?= $(HOME)/.swisstronik-enclave
 PRODUCTION_MODE ?= false
-VERSION := v1.0.2
+AS_MODE ?= false 
+VERSION := v1.0.3
+Wrapper_build_feature := ""
+
+Wrapper_lib := libsgx_wrapper_$(VERSION).x86_64.so
+ifeq ($(AS_MODE), true)
+	Wrapper_lib := libsgx_attestation_wrapper_$(VERSION).x86_64.so
+	Wrapper_build_feature += attestation_server
+endif
 
 build:
-	@ENCLAVE_HOME=$(ENCLAVE_HOME) PRODUCTION_MODE=$(PRODUCTION_MODE) SGX_MODE=$(SGX_MODE) make build -C ../sgxvm/
+	@ENCLAVE_HOME=$(ENCLAVE_HOME) PRODUCTION_MODE=$(PRODUCTION_MODE) SGX_MODE=$(SGX_MODE) AS_MODE=$(AS_MODE) VERSION=$(VERSION) make build -C ../sgxvm/
 	@protoc --rust_out src/protobuf_generated/ proto/node.proto
-	@ENCLAVE_HOME=$(ENCLAVE_HOME) cargo build --release
-	@mkdir -p $(ENCLAVE_HOME) && cp $(CURDIR)/../sgxvm/sgx-artifacts/bin/enclave.signed.so $(ENCLAVE_HOME)/$(VERSION)_enclave.signed.so
-	@cp $(CURDIR)/target/release/libsgxvm_wrapper.so $(CURDIR)/internal/api/libsgx_wrapper_$(VERSION).x86_64.so
+	@ENCLAVE_HOME=$(ENCLAVE_HOME) cargo build --features "$(Wrapper_build_feature)" --release
+	@cp $(CURDIR)/target/release/libsgxvm_wrapper.so $(CURDIR)/internal/api/$(Wrapper_lib)
 	@protoc --go_out=types --proto_path=../sgxvm/proto/ ../sgxvm/proto/ffi.proto
 	@protoc --go_out=types --proto_path=proto/ proto/node.proto
 	@cp types/github.com/SigmaGmbH/librustgo/types/* types/ && rm -rf types/github.com
 
 build_d:
-	@ENCLAVE_HOME=$(ENCLAVE_HOME) PRODUCTION_MODE=$(PRODUCTION_MODE) SGX_MODE=$(SGX_MODE) make build_d -C ../sgxvm/
+	@ENCLAVE_HOME=$(ENCLAVE_HOME) PRODUCTION_MODE=$(PRODUCTION_MODE) SGX_MODE=$(SGX_MODE) AS_MODE=$(AS_MODE) VERSION=$(VERSION) make build_d -C ../sgxvm/
 	@protoc --rust_out src/protobuf_generated/ proto/node.proto
-	@ENCLAVE_HOME=$(ENCLAVE_HOME) cargo build --release
-	@mkdir -p $(ENCLAVE_HOME) && cp $(CURDIR)/../sgxvm/sgx-artifacts/bin/enclave.signed.so $(ENCLAVE_HOME)/$(VERSION)_enclave.signed.so
-	@cp $(CURDIR)/target/release/libsgxvm_wrapper.so $(CURDIR)/internal/api/libsgx_wrapper_$(VERSION).x86_64.so
+	@ENCLAVE_HOME=$(ENCLAVE_HOME) cargo build --features "$(Wrapper_build_feature)" --release
+	@cp $(CURDIR)/target/release/libsgxvm_wrapper.so $(CURDIR)/internal/api/$(Wrapper_lib)
 	@protoc --go_out=types --proto_path=../sgxvm/proto/ ../sgxvm/proto/ffi.proto
 	@protoc --go_out=types --proto_path=proto/ proto/node.proto
 	@cp types/github.com/SigmaGmbH/librustgo/types/* types/ && rm -rf types/github.com

go-sgxvm/internal/api/lib_nosgx.go

@@ -79,6 +79,7 @@ func Call(
 	gasLimit, nonce uint64,
 	txContext *types.TransactionContext,
 	commit bool,
+	isUnencrypted bool,
 ) (*types.HandleTransactionResponse, error) {
 	return nil, nil
 }

go-sgxvm/internal/api/link_glibclinux_aarch64.go

@@ -2,5 +2,5 @@
 
 package api
 
-// #cgo LDFLAGS: -Wl,-rpath,${SRCDIR} -L${SRCDIR} -lsgx_wrapper_v1.0.2.aarch64
+// #cgo LDFLAGS: -Wl,-rpath,${SRCDIR} -L${SRCDIR} -lsgx_wrapper_v1.0.3.aarch64
 import "C"

go-sgxvm/internal/api/link_glibclinux_x86_64.attestation.go

@@ -0,0 +1,6 @@
+//go:build linux && !muslc && amd64 && !sys_sgx_wrapper && !nosgx && attestationServer
+
+package api
+
+// #cgo LDFLAGS: -Wl,-rpath,${SRCDIR} -L${SRCDIR} -lsgx_attestation_wrapper_v1.0.3.x86_64
+import "C"

go-sgxvm/internal/api/link_glibclinux_x86_64.go

@@ -1,6 +1,6 @@
-//go:build linux && !muslc && amd64 && !sys_sgx_wrapper && !nosgx
+//go:build linux && !muslc && amd64 && !sys_sgx_wrapper && !nosgx && !attestationServer
 
 package api
 
-// #cgo LDFLAGS: -Wl,-rpath,${SRCDIR} -L${SRCDIR} -lsgx_wrapper_v1.0.2.x86_64
+// #cgo LDFLAGS: -Wl,-rpath,${SRCDIR} -L${SRCDIR} -lsgx_wrapper_v1.0.3.x86_64
 import "C"

go-sgxvm/internal/api/link_mac.go

@@ -2,5 +2,5 @@
 
 package api
 
-// #cgo LDFLAGS: -Wl,-rpath,${SRCDIR} -L${SRCDIR} -lsgx_wrapper_v1.0.2
+// #cgo LDFLAGS: -Wl,-rpath,${SRCDIR} -L${SRCDIR} -lsgx_wrapper_v1.0.3
 import "C"

go-sgxvm/internal/api/link_muslc.go

@@ -2,5 +2,5 @@
 
 package api
 
-// #cgo LDFLAGS: -Wl,-rpath,${SRCDIR} -L${SRCDIR} -lsgx_wrapper_v1.0.2_muslc
+// #cgo LDFLAGS: -Wl,-rpath,${SRCDIR} -L${SRCDIR} -lsgx_wrapper_v1.0.3_muslc
 import "C"

go-sgxvm/internal/api/link_system.go

@@ -2,5 +2,5 @@
 
 package api
 
-// #cgo LDFLAGS: -lsgx_wrapper_v1.0.2
+// #cgo LDFLAGS: -lsgx_wrapper_v1.0.3
 import "C"

go-sgxvm/internal/api/link_windows.go

@@ -2,5 +2,5 @@
 
 package api
 
-// #cgo LDFLAGS: -Wl,-rpath,${SRCDIR} -L${SRCDIR} -lsgx_wrapper_v1.0.2
+// #cgo LDFLAGS: -Wl,-rpath,${SRCDIR} -L${SRCDIR} -lsgx_wrapper_v1.0.3
 import "C"

go-sgxvm/src/enclave/doorbell.rs

@@ -5,7 +5,16 @@ use std::env;
 use std::ops::Deref;
 use std::time::Duration;
 
-static ENCLAVE_FILE: &'static str = "v1.0.2_enclave.signed.so";
+#[cfg(not(feature = "attestation_server"))]
+static ENCLAVE_FILE: &'static str = "v1.0.3_enclave.signed.so";
+
+#[cfg(feature = "attestation_server")]
+static ENCLAVE_FILE: &'static str = "v1.0.3_attestation_enclave.signed.so";
+
+#[cfg(feature = "attestation_server")]
+const ENCLAVE_LOCK_TIMEOUT: u64 = 6 * 50;
+
+#[cfg(not(feature = "attestation_server"))]
 const ENCLAVE_LOCK_TIMEOUT: u64 = 6 * 5;
 
 pub struct EnclaveDoorbell {

sgxvm/Makefile

@@ -16,6 +16,8 @@ Enclave_build_feature = hardware_mode
 Enclave_Security_Link_Flags := -Wl,-z,relro,-z,now,-z,noexecstack
 Enclave_config_file ?= Enclave.config.development.xml
 Enclave_signing_key ?= Enclave_dev_private.pem
+Enclave_signed_file ?= enclave.signed.so
+VERSION ?= v1.0.3
 
 # ENCLAVE SETTINGS
 ifneq ($(SGX_MODE), HW)
@@ -30,6 +32,7 @@ endif
 
 ifeq ($(AS_MODE), true)
 	Enclave_build_feature += attestation_server
+	Enclave_signed_file := attestation_enclave.signed.so
 endif
 
 ifneq ($(PRODUCTION_MODE), true) 
@@ -127,7 +130,8 @@ define sign_enclave
 	@echo "Sign enclave using"
 	@/opt/intel/sgxsdk/bin/x64/sgx_sign -version
 	@mkdir -p $(CURDIR)/sgx-artifacts/bin
-	/opt/intel/sgxsdk/bin/x64/sgx_sign sign -key $(CURDIR)/$(Enclave_signing_key) -enclave $(CURDIR)/enclave.unsigned.so -out $(CURDIR)/sgx-artifacts/bin/enclave.signed.so -config $(CURDIR)/$(Enclave_config_file)
+	/opt/intel/sgxsdk/bin/x64/sgx_sign sign -key $(CURDIR)/$(Enclave_signing_key) -enclave $(CURDIR)/enclave.unsigned.so -out $(CURDIR)/sgx-artifacts/bin/$(Enclave_signed_file) -config $(CURDIR)/$(Enclave_config_file)
+	@mkdir -p $(ENCLAVE_HOME) && cp $(CURDIR)/../sgxvm/sgx-artifacts/bin/$(Enclave_signed_file) $(ENCLAVE_HOME)/$(VERSION)_$(Enclave_signed_file)
 endef
 
 define sgx_build

sgxvm/src/attestation/tls/auth.rs

@@ -34,7 +34,12 @@ impl rustls::ClientCertVerifier for ClientAuth {
         }
 
         if self.is_dcap {
-            crate::attestation::cert::verify_dcap_cert(&certs[0].0).unwrap();
+            crate::attestation::cert::verify_dcap_cert(&certs[0].0).map_err(|err| {
+                println!("[Attestastion Server] Cannot verify DCAP cert. Reason: {:?}", err);
+                rustls::TLSError::WebPKIError(
+                    webpki::Error::ExtensionValueInvalid,
+                )
+            })?;
             return Ok(rustls::ClientCertVerified::assertion());
         }