From 44f80c289985bd112adb3d28c567283b40365c22 Mon Sep 17 00:00:00 2001
From: peg <peg@magmacollective.org>
Date: Wed, 11 Dec 2024 11:11:15 +0100
Subject: [PATCH] Add TDX test network chainspec (#1204)

* Add tdx-testnet chainspec

* Add accepted MRTD values to TDX testnet chainspec

* Changelog

* Comments

* Improve naming following review
---
 CHANGELOG.md                           |  1 +
 node/cli/src/chain_spec/dev.rs         | 11 ++-
 node/cli/src/chain_spec/mod.rs         |  9 ++-
 node/cli/src/chain_spec/tdx_testnet.rs | 98 ++++++++++++++++++++++++++
 node/cli/src/command.rs                |  2 +
 5 files changed, 117 insertions(+), 4 deletions(-)
 create mode 100644 node/cli/src/chain_spec/tdx_testnet.rs

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3c1670223..95388bab7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -34,6 +34,7 @@ runtime
 - Protocol message versioning ([#1140](https://github.com/entropyxyz/entropy-core/pull/1140))
 - CLI command to get oracle headings ([#1170](https://github.com/entropyxyz/entropy-core/pull/1170))
 - Add TSS endpoint to get TDX quote ([#1173](https://github.com/entropyxyz/entropy-core/pull/1173))
+- Add TDX test network chainspec ([#1204](https://github.com/entropyxyz/entropy-core/pull/1204))
 - Test CLI command to retrieve quote and change endpoint / TSS account in one command ([#1198](https://github.com/entropyxyz/entropy-core/pull/1198))
 
 ### Changed
diff --git a/node/cli/src/chain_spec/dev.rs b/node/cli/src/chain_spec/dev.rs
index bdbdcf4a4..355785b55 100644
--- a/node/cli/src/chain_spec/dev.rs
+++ b/node/cli/src/chain_spec/dev.rs
@@ -13,7 +13,9 @@
 // You should have received a copy of the GNU Affero General Public License
 // along with this program.  If not, see <https://www.gnu.org/licenses/>.
 
-use crate::chain_spec::{get_account_id_from_seed, provisioning_certification_key, ChainSpec};
+use crate::chain_spec::{
+    get_account_id_from_seed, provisioning_certification_key, ChainSpec, MrtdValues,
+};
 use crate::endowed_accounts::endowed_accounts_dev;
 
 use entropy_runtime::{
@@ -123,6 +125,7 @@ pub fn development_config() -> ChainSpec {
             vec![],
             get_account_id_from_seed::<sr25519::Public>("Alice"),
             devnet_four_node_initial_tss_servers(),
+            None,
         ))
         .build()
 }
@@ -148,6 +151,7 @@ pub fn devnet_local_four_node_config() -> crate::chain_spec::ChainSpec {
             vec![],
             get_account_id_from_seed::<sr25519::Public>("Alice"),
             devnet_local_docker_four_node_initial_tss_servers(),
+            None,
         ))
         .build()
 }
@@ -169,6 +173,7 @@ pub fn development_genesis_config(
         String,
         BoundedVecEncodedVerifyingKey,
     )>,
+    accepted_mrtd_values: Option<MrtdValues>,
 ) -> serde_json::Value {
     // Note that any endowed_accounts added here will be included in the `elections` and
     // `technical_committee` genesis configs. If you don't want that, don't push those accounts to
@@ -283,10 +288,10 @@ pub fn development_genesis_config(
             max_instructions_per_programs: INITIAL_MAX_INSTRUCTIONS_PER_PROGRAM,
             total_signers: TOTAL_SIGNERS,
             threshold: SIGNER_THRESHOLD,
-            accepted_mrtd_values: vec![
+            accepted_mrtd_values: accepted_mrtd_values.unwrap_or(vec![
                 BoundedVec::try_from([0; 48].to_vec()).unwrap(),
                 BoundedVec::try_from([1; 48].to_vec()).unwrap(),
-            ],
+            ]),
             ..Default::default()
         },
         "programs": ProgramsConfig {
diff --git a/node/cli/src/chain_spec/mod.rs b/node/cli/src/chain_spec/mod.rs
index a4fbc6bcc..4e13ce939 100644
--- a/node/cli/src/chain_spec/mod.rs
+++ b/node/cli/src/chain_spec/mod.rs
@@ -33,6 +33,7 @@
 
 pub mod dev;
 pub mod integration_tests;
+pub mod tdx_testnet;
 pub mod testnet;
 
 pub use entropy_runtime::{AccountId, RuntimeGenesisConfig, Signature};
@@ -47,7 +48,10 @@ use serde_json::json;
 use sp_authority_discovery::AuthorityId as AuthorityDiscoveryId;
 use sp_consensus_babe::AuthorityId as BabeId;
 use sp_core::{sr25519, Pair, Public};
-use sp_runtime::traits::{IdentifyAccount, Verify};
+use sp_runtime::{
+    traits::{ConstU32, IdentifyAccount, Verify},
+    BoundedVec,
+};
 
 type AccountPublic = <Signature as Verify>::Signer;
 
@@ -215,3 +219,6 @@ pub fn authority_keys_from_seed(
         get_from_seed::<AuthorityDiscoveryId>(seed),
     )
 }
+
+/// Accepted build time measurement values for TDX attestation
+pub type MrtdValues = Vec<BoundedVec<u8, ConstU32<48>>>;
diff --git a/node/cli/src/chain_spec/tdx_testnet.rs b/node/cli/src/chain_spec/tdx_testnet.rs
new file mode 100644
index 000000000..058d215a9
--- /dev/null
+++ b/node/cli/src/chain_spec/tdx_testnet.rs
@@ -0,0 +1,98 @@
+// Copyright (C) 2023 Entropy Cryptography Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+use crate::chain_spec::{dev::development_genesis_config, get_account_id_from_seed, ChainSpec};
+
+use entropy_runtime::wasm_binary_unwrap;
+use entropy_shared::{BoundedVecEncodedVerifyingKey, X25519PublicKey as TssX25519PublicKey};
+use sc_service::ChainType;
+use sp_core::sr25519;
+use sp_runtime::BoundedVec;
+
+/// The build time measurement value from the current entropy-tss VM images
+const ACCEPTED_MRTD: [u8; 48] = [
+    145, 235, 43, 68, 209, 65, 212, 236, 224, 159, 12, 117, 194, 197, 61, 36, 122, 60, 104, 237,
+    215, 250, 254, 138, 53, 32, 201, 66, 166, 4, 164, 7, 222, 3, 174, 109, 197, 248, 127, 39, 66,
+    139, 37, 56, 135, 49, 24, 183,
+];
+
+lazy_static::lazy_static! {
+    /// This is the PCK from the certificates of the current TDX machine we are using for testing
+    pub static ref PCK: BoundedVecEncodedVerifyingKey = vec![
+    2, 166, 103, 136, 58, 157, 155, 124, 186, 75, 81, 133, 87, 255, 233, 182, 192, 125, 235, 230,
+    121, 173, 147, 108, 47, 190, 240, 181, 75, 181, 31, 148, 128,
+    ].try_into().unwrap();
+}
+
+fn tdx_devnet_four_node_initial_tss_servers(
+) -> Vec<(sp_runtime::AccountId32, TssX25519PublicKey, String, BoundedVecEncodedVerifyingKey)> {
+    let tss_ip = std::env::var("ENTROPY_TESTNET_TSS_IP")
+        .expect("ENTROPY_TESTNET_TSS_IP environment variable to be set");
+
+    let alice = (
+        crate::chain_spec::tss_account_id::ALICE.clone(),
+        crate::chain_spec::tss_x25519_public_key::ALICE,
+        format!("{tss_ip}:3001"),
+        PCK.clone(),
+    );
+
+    let bob = (
+        crate::chain_spec::tss_account_id::BOB.clone(),
+        crate::chain_spec::tss_x25519_public_key::BOB,
+        format!("{tss_ip}:3002"),
+        PCK.clone(),
+    );
+
+    let charlie = (
+        crate::chain_spec::tss_account_id::CHARLIE.clone(),
+        crate::chain_spec::tss_x25519_public_key::CHARLIE,
+        format!("{tss_ip}:3003"),
+        PCK.clone(),
+    );
+
+    let dave = (
+        crate::chain_spec::tss_account_id::DAVE.clone(),
+        crate::chain_spec::tss_x25519_public_key::DAVE,
+        format!("{tss_ip}:3004"),
+        PCK.clone(),
+    );
+
+    vec![alice, bob, charlie, dave]
+}
+
+/// The configuration used for the TDX testnet.
+///
+/// Since Entropy requires at two-of-three threshold setup, and requires an additional relayer node,
+/// we spin up four validators: Alice, Bob, Charlie and Dave.
+pub fn tdx_testnet_config() -> ChainSpec {
+    ChainSpec::builder(wasm_binary_unwrap(), Default::default())
+        .with_name("TDX-testnet")
+        .with_id("tdx")
+        .with_chain_type(ChainType::Development)
+        .with_properties(crate::chain_spec::entropy_properties())
+        .with_genesis_config_patch(development_genesis_config(
+            vec![
+                crate::chain_spec::authority_keys_from_seed("Alice"),
+                crate::chain_spec::authority_keys_from_seed("Bob"),
+                crate::chain_spec::authority_keys_from_seed("Charlie"),
+                crate::chain_spec::authority_keys_from_seed("Dave"),
+            ],
+            vec![],
+            get_account_id_from_seed::<sr25519::Public>("Alice"),
+            tdx_devnet_four_node_initial_tss_servers(),
+            Some(vec![BoundedVec::try_from(ACCEPTED_MRTD.to_vec()).unwrap()]),
+        ))
+        .build()
+}
diff --git a/node/cli/src/command.rs b/node/cli/src/command.rs
index b206b5ee5..92adba44e 100644
--- a/node/cli/src/command.rs
+++ b/node/cli/src/command.rs
@@ -74,6 +74,7 @@ impl SubstrateCli for Cli {
     // | integration-tests | Two nodes, Four threshold servers, Alice and Bob, Development Configuration |
     // | testnet-local     | Two Nodes, Two threshold servers, Alice and Bob, Testnet Configuration, Docker Compatible |
     // | testnet           | Four nodes, Two threshold servers, Own Seed, Testnet Configuration |
+    // | tdx-testnet       | Four nodes, Four threshold servers, Alice Bob Chalie and Dave, Development Configuration adapted for TDX testnet |
     fn load_spec(&self, id: &str) -> Result<Box<dyn sc_service::ChainSpec>, String> {
         Ok(match id {
             "" | "dev" => Box::new(chain_spec::dev::development_config()),
@@ -88,6 +89,7 @@ impl SubstrateCli for Cli {
             },
             "testnet-local" => Box::new(chain_spec::testnet::testnet_local_config()),
             "testnet" => Box::new(chain_spec::testnet::testnet_config()),
+            "tdx-testnet" => Box::new(chain_spec::tdx_testnet::tdx_testnet_config()),
             path => {
                 Box::new(chain_spec::ChainSpec::from_json_file(std::path::PathBuf::from(path))?)
             },