WIP - azure dcap

go/common/gethencoding/geth_encoding.go

@@ -311,10 +311,13 @@ func (enc *gethEncodingServiceImpl) CreateEthHeaderForBatch(h *common.BatchHeade
 	// wrap in a caching layer
 	return common.GetCachedValue(enc.gethHeaderCache, enc.logger, h.Hash(), func(a any) (*types.Header, error) {
 		// deterministically calculate the private randomness that will be exposed to the EVM
+		enc.logger.Debug("CreateEthHeaderForBatch before")
 		secret, err := enc.storage.FetchSecret()
 		if err != nil {
+			enc.logger.Debug("CreateEthHeaderForBatch error")
 			enc.logger.Crit("Could not fetch shared secret. Exiting.", log.ErrKey, err)
 		}
+		enc.logger.Debug("CreateEthHeaderForBatch after")
 		perBatchRandomness := crypto.CalculateRootBatchEntropy(secret[:], h.Number)
 
 		// calculate the converted hash of the parent, for a correct converted chain

go/enclave/components/shared_secret_process.go

@@ -110,11 +110,12 @@ func (ssp *SharedSecretProcessor) verifyAttestationAndEncryptSecret(att *common.
 		return nil, fmt.Errorf("unable to verify identity - %w", err)
 	}
 	ssp.logger.Info(fmt.Sprintf("Successfully verified attestation and identity. Owner: %s", att.EnclaveID))
-
+	ssp.logger.Debug("verifyAttestationAndEncryptSecret before")
 	secret, err := ssp.storage.FetchSecret()
 	if err != nil {
 		return nil, fmt.Errorf("could not retrieve secret; this should not happen. Cause: %w", err)
 	}
+	ssp.logger.Debug("verifyAttestationAndEncryptSecret after")
 	return crypto.EncryptSecret(att.PubKey, *secret, ssp.logger)
 }
 

go/enclave/enclave.go

@@ -312,11 +312,14 @@ func (e *enclaveImpl) Status() (common.Status, common.SystemError) {
 		return common.Status{StatusCode: common.Unavailable}, responses.ToInternalError(fmt.Errorf("requested Status with the enclave stopping"))
 	}
 
+	e.logger.Debug("Status before")
 	_, err := e.storage.FetchSecret()
 	if err != nil {
 		if errors.Is(err, errutil.ErrNotFound) {
+			e.logger.Debug("Status not found")
 			return common.Status{StatusCode: common.AwaitingSecret, L2Head: _noHeadBatch}, nil
 		}
+		e.logger.Debug("Status ?", log.ErrKey, err)
 		return common.Status{StatusCode: common.Unavailable}, responses.ToInternalError(err)
 	}
 	var l1HeadHash gethcommon.Hash

go/enclave/main/entry.sh

@@ -11,21 +11,33 @@ if [ ! -L /dev/sgx/enclave ]; then
 	ln -s /dev/sgx_enclave /dev/sgx/enclave
 fi
 
-# If the PCCS_ADDR, the host is provided
-# Do not use the default PCCS_URL defined in /etc/sgx_default_qcnl.conf
-# Particularly used in Alibaba cloud
-if [ -n "${PCCS_ADDR}" ]; then
-	PCCS_URL=https://${PCCS_ADDR}/sgx/certification/v3/
-fi
+# Todo - pass this in as a parameter
+PCCS_URL=https://global.acccache.azure.net/sgx/certification/v3/
 
 # Install the libsgx-dcap-default-qpl and redefine /etc/sgx_default_qcnl.conf (Alibaba)
-if [ -n "${PCCS_URL}" ]; then
-	apt-get install -qq libsgx-dcap-default-qpl
-	echo "PCCS_URL: ${PCCS_URL}"
-	echo "PCCS_URL=${PCCS_URL}\nUSE_SECURE_CERT=FALSE" > /etc/sgx_default_qcnl.conf
-else
-# Otherwise use the Azure library
-	apt-get install -qq az-dcap-client
-fi
+apt-get install -qq libsgx-dcap-default-qpl
+echo "PCCS_URL: ${PCCS_URL}"
+
+echo '{
+  "pccs_url": "https://global.acccache.azure.net/sgx/certification/v3/",
+  "use_secure_cert": false,
+  "collateral_service": "https://global.acccache.azure.net/sgx/certification/v3/",
+  "pccs_api_version": "3.1",
+  "retry_times": 6,
+  "retry_delay": 5,
+  "local_pck_url": "http://169.254.169.254/metadata/THIM/sgx/certification/v3/",
+  "pck_cache_expire_hours": 24,
+  "verify_collateral_cache_expire_hours": 24,
+  "custom_request_options": {
+      "get_cert": {
+          "headers": {
+              "metadata": "true"
+          },
+          "params": {
+              "api-version": "2021-07-22-preview"
+          }
+      }
+  }
+}'  > /etc/sgx_default_qcnl.conf
 
 "$@"

go/enclave/rpc_server.go

@@ -68,16 +68,25 @@ func (s *RPCServer) Status(context.Context, *generated.StatusRequest) (*generate
 	if sysError != nil {
 		s.logger.Error("Enclave error on Status", log.ErrKey, sysError)
 	}
+	s.logger.Debug("rpc status after", "status", status)
 	var l2Head []byte
 	if status.L2Head != nil {
 		l2Head = status.L2Head.Bytes()
 	}
-	return &generated.StatusResponse{
+	s.logger.Debug("rpc status after 1", "l1head", status.L1Head)
+	s.logger.Debug("rpc status after 2", "StatusCode", status.StatusCode)
+	s.logger.Debug("rpc status after 3", "l2Head", l2Head)
+	s.logger.Debug("rpc status after 4", "sysError", sysError)
+	sr := &generated.StatusResponse{
 		StatusCode:  int32(status.StatusCode),
 		L1Head:      status.L1Head.Bytes(),
 		L2Head:      l2Head,
 		SystemError: toRPCError(sysError),
-	}, nil
+	}
+
+	s.logger.Debug(fmt.Sprintf("rpc statusresponse: %v", sr))
+
+	return sr, nil
 }
 
 func (s *RPCServer) Attestation(context.Context, *generated.AttestationRequest) (*generated.AttestationResponse, error) {

go/enclave/storage/storage.go

@@ -252,19 +252,26 @@ func (s *storageImpl) StoreSecret(secret crypto.SharedEnclaveSecret) error {
 func (s *storageImpl) FetchSecret() (*crypto.SharedEnclaveSecret, error) {
 	defer s.logDuration("FetchSecret", measure.NewStopwatch())
 
+	s.logger.Debug("1")
 	if s.cachedSharedSecret != nil {
 		return s.cachedSharedSecret, nil
 	}
+	s.logger.Debug("2")
 
 	var ss crypto.SharedEnclaveSecret
 
 	cfg, err := enclavedb.FetchConfig(s.db.GetSQLDB(), masterSeedCfg)
+	s.logger.Debug("3")
 	if err != nil {
+		s.logger.Debug("4", log.ErrKey, err)
 		return nil, err
 	}
+	s.logger.Debug("5")
 	if err := rlp.DecodeBytes(cfg, &ss); err != nil {
+		s.logger.Debug("6", log.ErrKey, err)
 		return nil, fmt.Errorf("could not decode shared secret")
 	}
+	s.logger.Debug("7", "ss", ss)
 
 	s.cachedSharedSecret = &ss
 	return s.cachedSharedSecret, nil