Feat/attestation server (#89)

* feat: add "attestation_server" feature * refactor: add go build tag for attestation server * feat: move attestation server to separate command * feat: add build_AS command * feat: add draft CLI commands * chore: add protobuf requests * refactor: update seal function * refactor: update `unseal` function * refactor: update `random` keymanager function * refactor: update encryption process * refactor: update keys derivation * fix: fix build issues * chore: clippy * feat: add support of legacy format * refactor: fix naming * refactor: update naming * refactor: correct naming * fix: fix issue with deserialization * refactor: correct naming * intermediate: fixing errors * fix: fix compilation issues * refactor: use block number to manage node pk * fix: restore tests * feat: implement commands for epochs management * chore: intermediate commit * fix: fix borrow checker issuer * chore: small improvements * refactor: return list of epoch numbers and starting blocks * test: add tests for keys management * test: add test for get node public key * test: add test draft for contract tx * test: use correct node public key * test: update tests * test: update encryption test * chore: add test part * test: restoring tests * test: update encryption test * test: update encryption test * fix: fix issue with broken decryption * chore: increase test balances * fix: fix typo * chore: disable debug * fix: fix getNodePublicKey request * refactor: remove unused code * feat: add list epochs command * feat: skip integration test
SigmaGmbH · May 15, 2024 · 2d79755 · 2d79755
1 parent 08c1519
commit 2d79755
Show file tree

Hide file tree

Showing 65 changed files with 4,054 additions and 1,079 deletions.
diff --git a/Makefile b/Makefile
@@ -90,6 +90,11 @@ build_d: go.sum
 	$(MAKE) -C go-sgxvm build_d
 	go build -mod=mod $(BUILD_FLAGS)  -tags osusergo,netgo -o build/swisstronikd ./cmd/swisstronikd
 
+build_attestation_server: go.sum
+	AS_MODE=true $(MAKE) -C go-sgxvm build_AS
+
+build_attestation_server_d: go.sum
+	AS_MODE=true $(MAKE) -C go-sgxvm build_AS_d
 
 ###############################################################################
 ### 		          Build commands for CLI (without SGX support) 			###

diff --git a/cmd/swisstronikd/cmd/enclave.go b/cmd/swisstronikd/cmd/enclave.go
@@ -13,7 +13,7 @@ import (
 
 const flagShouldReset = "reset"
 
-// Cmd creates a CLI main command
+// EnclaveCmd creates a CLI main command
 func EnclaveCmd() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "enclave",
@@ -22,23 +22,45 @@ func EnclaveCmd() *cobra.Command {
 	}
 
 	cmd.AddCommand(
+		ListEpochs(),
 		EPIDRemoteAttestationCmd(),
 		DCAPRemoteAttestationCmd(),
-		StartAttestationServer(),
 		Status(),
 	)
 	return cmd
 }
 
-// EPIDRemoteAttestationCmd returns request-master-key-epid cobra Command.
+// ListEpochs returns list-epochs cobra Command.
+func ListEpochs() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "list-epochs",
+		Short: "Outputs stored epochs",
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			epochs, err := librustgo.ListEpochs()
+			if err != nil {
+				return err
+			}
+
+			for _, epoch := range epochs {
+				fmt.Println("Epoch #", epoch.EpochNumber, "Starting block: ", epoch.StartingBlock)
+			}
+
+			return nil
+		},
+	}
+
+	return cmd
+}
+
+// EPIDRemoteAttestationCmd returns request-epoch-keys-epid cobra Command.
 func EPIDRemoteAttestationCmd() *cobra.Command {
 	cmd := &cobra.Command{
-		Use:   "request-master-key-epid [bootstrap-node-address]",
-		Short: "Requests master key from bootstrap node using EPID",
-		Long:  `Initializes SGX enclave by passing process of EPID Remote Attestation agains bootstrap node. 
-		If remote attestation was successful, bootstrap node shares encrypted master key with this node. 
+		Use:   "request-epoch-keys-epid [attestation-server-address]",
+		Short: "Requests epoch keys from attestation server using EPID",
+		Long: `Initializes SGX enclave by passing process of EPID Remote Attestation agains attestation server. 
+		If remote attestation was successful, attestation server shares encrypted epoch keys with this node. 
 		Process of Remote Attestation is performed over pure TCP protocol.`,
-		Args:  cobra.ExactArgs(1),
+		Args: cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			clientCtx := client.GetClientContextFromCmd(cmd)
 			serverCtx := server.GetServerContextFromCmd(cmd)
@@ -55,7 +77,7 @@ func EPIDRemoteAttestationCmd() *cobra.Command {
 				return err
 			}
 
-			if err := librustgo.RequestMasterKey(host, port, false); err != nil {
+			if err := librustgo.RequestEpochKeys(host, port, false); err != nil {
 				return err
 			}
 
@@ -67,15 +89,15 @@ func EPIDRemoteAttestationCmd() *cobra.Command {
 	return cmd
 }
 
-// DCAPRemoteAttestationCmd returns request-master-key-dcap cobra Command.
+// DCAPRemoteAttestationCmd returns request-epochs-keys-dcap cobra Command.
 func DCAPRemoteAttestationCmd() *cobra.Command {
 	cmd := &cobra.Command{
-		Use:   "request-master-key-dcap [bootstrap-node-address]",
-		Short: "Requests master key from bootstrap node using DCAP",
-		Long:  `Initializes SGX enclave by passing process of DCAP Remote Attestation agains bootstrap node. 
-		If remote attestation was successful, bootstrap node shares encrypted master key with this node. 
+		Use:   "request-epoch-keys-dcap [attestation-server-address]",
+		Short: "Requests epoch keys from attestation server using DCAP",
+		Long: `Initializes SGX enclave by passing process of DCAP Remote Attestation agains attestation server. 
+		If remote attestation was successful, attestation server node shares encrypted epoch keys with this node. 
 		Process of Remote Attestation is performed over pure TCP protocol.`,
-		Args:  cobra.ExactArgs(1),
+		Args: cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			clientCtx := client.GetClientContextFromCmd(cmd)
 			serverCtx := server.GetServerContextFromCmd(cmd)
@@ -92,7 +114,7 @@ func DCAPRemoteAttestationCmd() *cobra.Command {
 				return err
 			}
 
-			if err := librustgo.RequestMasterKey(host, port, true); err != nil {
+			if err := librustgo.RequestEpochKeys(host, port, true); err != nil {
 				return err
 			}
 
@@ -104,25 +126,7 @@ func DCAPRemoteAttestationCmd() *cobra.Command {
 	return cmd
 }
 
-// StartAttestationServer returns start-attestation-server cobra Command.
-func StartAttestationServer() *cobra.Command {
-	cmd := &cobra.Command{
-		Use:   "start-attestation-server [epid-address-with-port] [dcap-address-with-port]",
-		Short: "Starts attestation server",
-		Long:  "Start server for Intel SGX Remote Attestation to share master key with new nodes",
-		Args:  cobra.ExactArgs(2),
-		RunE: func(_ *cobra.Command, args []string) error {
-			if err := librustgo.StartAttestationServer(args[0], args[1]); err != nil {
-				return err
-			}
-			return server.WaitForQuitSignals()
-		},
-	}
-
-	return cmd
-}
-
-// Healthcheck checks if Intel SGX Enclave is accessible and if Intel SGX was properly configured
+// Status checks if Intel SGX Enclave is accessible and if Intel SGX was properly configured
 func Status() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "status",

diff --git a/cmd/swisstronikd/cmd/testnet.go b/cmd/swisstronikd/cmd/testnet.go
@@ -148,16 +148,16 @@ func initializeEnclave() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "init-testnet-enclave",
 		Short: "Initialize SGX Enclave for local testnet",
-		Long:  `Initializes SGX enclave by creating new master key
-		*** WARNING: Do not use this command to setup master key for validator ***`,
+		Long:  `Initializes SGX enclave with local key manager
+		*** WARNING: Do not use this command to setup validator node ***`,
 		Args:  cobra.ExactArgs(0),
 		RunE: func(cmd *cobra.Command, _ []string) error {
 			shouldReset, err := cmd.Flags().GetBool(flagShouldReset)
 			if err != nil {
 				return err
 			}
 
-			if err := librustgo.InitializeMasterKey(shouldReset); err != nil {
+			if err := librustgo.InitializeEnclave(shouldReset); err != nil {
 				return err
 			}
 
@@ -167,7 +167,7 @@ func initializeEnclave() *cobra.Command {
 		},
 	}
 
-	cmd.Flags().Bool(flagShouldReset, false, "reset already existing master key. Default: false")
+	cmd.Flags().Bool(flagShouldReset, false, "reset already existing epoch manager. Default: false")
 
 	return cmd
 }

diff --git a/go-sgxvm/Makefile b/go-sgxvm/Makefile
@@ -27,3 +27,9 @@ build_d:
 	@protoc --go_out=types --proto_path=../sgxvm/proto/ ../sgxvm/proto/ffi.proto
 	@protoc --go_out=types --proto_path=proto/ proto/node.proto
 	@cp types/github.com/SigmaGmbH/librustgo/types/* types/ && rm -rf types/github.com
+
+build_AS: build
+	go build -tags osusergo,netgo,attestationServer -o ../build/attestationServer ./cmd/attestation
+
+build_AS_d: build_d
+	go build -tags osusergo,netgo,attestationServer -o ../build/attestationServer ./cmd/attestation
diff --git a/go-sgxvm/cbindgen.toml b/go-sgxvm/cbindgen.toml
@@ -61,15 +61,18 @@ exclude = [
     "handle_request",
     "ecall_allocate",
     "ecall_status",
-    "ecall_init_master_key",
+    "ecall_initialize_enclave",
     "ecall_attest_peer_epid",
     "ecall_attest_peer_dcap",
     "ecall_is_initialized",
-    "ecall_request_master_key_epid",
-    "ecall_request_master_key_dcap",
+    "ecall_request_epoch_keys_epid",
+    "ecall_request_epoch_keys_dcap",
     "sgx_tvl_verify_qve_report_and_identity",
     "ecall_dump_dcap_quote",
     "ecall_verify_dcap_quote",
+    "ecall_remove_latest_epoch",
+    "ecall_list_epochs",
+    "ecall_add_epoch",
     "ocall_query_raw",
     "ocall_allocate",
     "ocall_sgx_init_quote",

diff --git a/go-sgxvm/cmd/attestation/cmd/root.go b/go-sgxvm/cmd/attestation/cmd/root.go
@@ -0,0 +1,102 @@
+package cmd
+
+import (
+	"fmt"
+	"github.com/SigmaGmbH/librustgo/internal/api"
+	"github.com/spf13/cobra"
+	"strconv"
+)
+
+func RootCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "attestation-server",
+		Short: "Commands for interaction with Swisstronik Attestation Server",
+	}
+
+	cmd.AddCommand(
+		StartAttestationServer(),
+		AddNewEpoch(),
+		ListEpochs(),
+		RemoveLatestEpoch(),
+	)
+
+	return cmd
+}
+
+// StartAttestationServer returns start-attestation-server cobra Command.
+func StartAttestationServer() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "start-server [epid-address-with-port] [dcap-address-with-port]",
+		Short: "Starts attestation server",
+		Long:  "Start server for Intel SGX Remote Attestation to share encryption keys with new nodes",
+		Args:  cobra.ExactArgs(2),
+		RunE: func(_ *cobra.Command, args []string) error {
+			if err := api.StartAttestationServer(args[0], args[1]); err != nil {
+				return err
+			}
+			return WaitForQuitSignals()
+		},
+	}
+
+	return cmd
+}
+
+// AddNewEpoch returns create-epoch-key cobra Command.
+func AddNewEpoch() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "add-new-epoch [starting-block]",
+		Short: "Creates new epoch",
+		Long:  "Creates new epoch inside Intel SGX Enclave",
+		Args:  cobra.ExactArgs(1),
+		Run: func(_ *cobra.Command, args []string) {
+			startingBlock, err := strconv.ParseUint(args[0], 10, 64)
+			if err != nil {
+				panic(err)
+			}
+
+			if err := api.AddEpoch(startingBlock); err != nil {
+				panic(err)
+			}
+		},
+	}
+
+	return cmd
+}
+
+// ListEpochs returns list-epochs cobra Command.
+func ListEpochs() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "list-epochs",
+		Short: "Lists all stored epochs",
+		Long:  "Lists all stored epochs with their starting blocks",
+		Run: func(_ *cobra.Command, args []string) {
+			res, err := api.ListEpochs()
+
+			if err != nil {
+				panic(err)
+			}
+
+			for _, epoch := range res {
+				fmt.Println("Epoch #", epoch.EpochNumber, "Starting block: ", epoch.StartingBlock)
+			}
+		},
+	}
+
+	return cmd
+}
+
+// RemoveLatestEpoch returns remove-epoch cobra Command.
+func RemoveLatestEpoch() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "remove-latest-epoch",
+		Short: "Removes latest epoch ",
+		Long:  "Allows to remove latest epoch, for example in case, if epoch starting block was set incorrectly",
+		Run: func(_ *cobra.Command, args []string) {
+			if err := api.RemoveLatestEpoch(); err != nil {
+				panic(err)
+			}
+		},
+	}
+
+	return cmd
+}
diff --git a/go-sgxvm/cmd/attestation/cmd/utils.go b/go-sgxvm/cmd/attestation/cmd/utils.go
@@ -0,0 +1,25 @@
+package cmd
+
+import (
+	"os"
+	"os/signal"
+	"strconv"
+	"syscall"
+)
+
+// ErrorCode contains the exit code for server exit.
+type ErrorCode struct {
+	Code int
+}
+
+func (e ErrorCode) Error() string {
+	return strconv.Itoa(e.Code)
+}
+
+// WaitForQuitSignals waits for SIGINT and SIGTERM and returns.
+func WaitForQuitSignals() ErrorCode {
+	sigs := make(chan os.Signal, 1)
+	signal.Notify(sigs, syscall.SIGINT, syscall.SIGTERM)
+	sig := <-sigs
+	return ErrorCode{Code: int(sig.(syscall.Signal)) + 128}
+}
diff --git a/go-sgxvm/cmd/attestation/main.go b/go-sgxvm/cmd/attestation/main.go
@@ -0,0 +1,9 @@
+package main
+
+import "github.com/SigmaGmbH/librustgo/cmd/attestation/cmd"
+
+func main() {
+	if err := cmd.RootCmd().Execute(); err != nil {
+		panic(err)
+	}
+}