ten-protocol · tudor-malene · May 8, 2024
diff --git a/go/enclave/storage/db_init.go b/go/enclave/storage/db_init.go
@@ -24,36 +24,40 @@ func CreateDBFromConfig(cfg *config.EnclaveConfig, logger gethlog.Logger) (encla
 		return sqlite.CreateTemporarySQLiteDB(cfg.HostID.String(), "mode=memory&cache=shared&_foreign_keys=on", *cfg, logger)
 	}
 
-	if !cfg.WillAttest {
+	if !cfg.WillAttest && len(cfg.SqliteDBPath) > 0 {
 		// persistent but not secure in an enclave, we'll connect to a throwaway sqlite DB and test out persistence/sql implementations
 		logger.Warn("Attestation is disabled, using a basic sqlite DB for persistence")
 		// when we want to test persistence after node restart the SqliteDBPath should be set
 		// (if empty string then a temp sqldb file will be created for the lifetime of the enclave)
 		return sqlite.CreateTemporarySQLiteDB(cfg.SqliteDBPath, "_foreign_keys=on", *cfg, logger)
 	}
 
+	if !cfg.WillAttest && len(cfg.EdgelessDBHost) > 0 {
+		logger.Warn("Attestation is disabled, using a simulation edglessdb DB for persistence")
+		return getEdgelessDB(cfg, logger)
+	}
 	// persistent and with attestation means connecting to edgeless DB in a trusted enclave from a secure enclave
 	logger.Info(fmt.Sprintf("Preparing Edgeless DB connection to %s...", cfg.EdgelessDBHost))
 	return getEdgelessDB(cfg, logger)
 }
 
 // validateDBConf high-level checks that you have a valid configuration for DB creation
 func validateDBConf(cfg *config.EnclaveConfig) error {
-	if cfg.UseInMemoryDB && cfg.EdgelessDBHost != "" {
-		return fmt.Errorf("invalid db config, useInMemoryDB=true so EdgelessDB host not expected, but EdgelessDBHost=%s", cfg.EdgelessDBHost)
-	}
-	if !cfg.WillAttest && cfg.EdgelessDBHost != "" {
-		return fmt.Errorf("invalid db config, willAttest=false so EdgelessDB host not supported, but EdgelessDBHost=%s", cfg.EdgelessDBHost)
-	}
-	if !cfg.UseInMemoryDB && cfg.WillAttest && cfg.EdgelessDBHost == "" {
-		return fmt.Errorf("useInMemoryDB=false, willAttest=true so expected an EdgelessDB host but none was provided")
-	}
-	if cfg.SqliteDBPath != "" && cfg.UseInMemoryDB {
-		return fmt.Errorf("useInMemoryDB=true so sqlite database will not be used and no path is needed, but sqliteDBPath=%s", cfg.SqliteDBPath)
-	}
-	if cfg.SqliteDBPath != "" && cfg.WillAttest {
-		return fmt.Errorf("willAttest=true so sqlite database will not be used and no path is needed, but sqliteDBPath=%s", cfg.SqliteDBPath)
-	}
+	//if cfg.UseInMemoryDB && cfg.EdgelessDBHost != "" {
+	//	return fmt.Errorf("invalid db config, useInMemoryDB=true so EdgelessDB host not expected, but EdgelessDBHost=%s", cfg.EdgelessDBHost)
+	//}
+	//if !cfg.WillAttest && cfg.EdgelessDBHost != "" {
+	//	return fmt.Errorf("invalid db config, willAttest=false so EdgelessDB host not supported, but EdgelessDBHost=%s", cfg.EdgelessDBHost)
+	//}
+	//if !cfg.UseInMemoryDB && cfg.WillAttest && cfg.EdgelessDBHost == "" {
+	//	return fmt.Errorf("useInMemoryDB=false, willAttest=true so expected an EdgelessDB host but none was provided")
+	//}
+	//if cfg.SqliteDBPath != "" && cfg.UseInMemoryDB {
+	//	return fmt.Errorf("useInMemoryDB=true so sqlite database will not be used and no path is needed, but sqliteDBPath=%s", cfg.SqliteDBPath)
+	//}
+	//if cfg.SqliteDBPath != "" && cfg.WillAttest {
+	//	return fmt.Errorf("willAttest=true so sqlite database will not be used and no path is needed, but sqliteDBPath=%s", cfg.SqliteDBPath)
+	//}
 	return nil
 }
 

diff --git a/go/enclave/storage/init/edgelessdb/edb_attestation.go b/go/enclave/storage/init/edgelessdb/edb_attestation.go
@@ -20,6 +20,8 @@ import (
 	"net/http"
 	"net/url"
 
+	"github.com/ten-protocol/go-ten/go/config"
+
 	gethlog "github.com/ethereum/go-ethereum/log"
 
 	"github.com/edgelesssys/ego/attestation"
@@ -60,10 +62,10 @@ var defaultEDBConstraints = &EdgelessAttestationConstraints{
 }
 
 // performEDBRemoteAttestation perform the SGX enclave attestation to verify edb running in a legit enclave and with expected edb version etc.
-func performEDBRemoteAttestation(edbHost string, constraints *EdgelessAttestationConstraints, logger gethlog.Logger) (string, error) {
+func performEDBRemoteAttestation(config config.EnclaveConfig, edbHost string, constraints *EdgelessAttestationConstraints, logger gethlog.Logger) (string, error) {
 	logger.Info("Verifying attestation from edgeless DB...")
 	edbHTTPAddr := fmt.Sprintf("%s:%s", edbHost, edbHTTPPort)
-	certs, tcbStatus, err := performRAAndFetchTLSCert(edbHTTPAddr, constraints)
+	certs, tcbStatus, err := performRAAndFetchTLSCert(config, edbHTTPAddr, constraints)
 	if err != nil {
 		// todo (#1550) - should we check the error type with: err == attestation.ErrTCBLevelInvalid?
 		// for now it's maximum strictness (we can revisit this and permit some tcbStatuses if desired)
@@ -80,14 +82,14 @@ func performEDBRemoteAttestation(edbHost string, constraints *EdgelessAttestatio
 
 // performRAAndFetchTLSCert gets the TLS certificate from the Edgeless DB server in PEM format. It performs remote attestation
 // to verify the certificate. Attestation constraints must be provided to validate against.
-func performRAAndFetchTLSCert(host string, constraints *EdgelessAttestationConstraints) ([]*pem.Block, tcbstatus.Status, error) {
+func performRAAndFetchTLSCert(enclaveConfig config.EnclaveConfig, host string, constraints *EdgelessAttestationConstraints) ([]*pem.Block, tcbstatus.Status, error) {
 	// we don't need to verify the TLS because we will be verifying the attestation report and that can't be faked
 	cert, quote, err := httpGetCertQuote(&tls.Config{InsecureSkipVerify: true}, host, quoteEndpoint) //nolint:gosec
 	if err != nil {
 		return nil, tcbstatus.Unknown, err
 	}
 
-	if len(quote) == 0 {
+	if len(quote) == 0 && enclaveConfig.WillAttest {
 		return nil, tcbstatus.Unknown, errors.New("no quote found, attestation failed")
 	}
 
@@ -106,6 +108,10 @@ func performRAAndFetchTLSCert(host string, constraints *EdgelessAttestationConst
 		certs = append(certs, block)
 	}
 
+	if !enclaveConfig.WillAttest {
+		return certs, tcbstatus.Unknown, nil
+	}
+
 	report, verifyErr := enclave.VerifyRemoteReport(quote)
 	// depending on how strict you are being, some invalid TCBLevels would be acceptable (e.g. something might need an
 	//		upgrade but not have any known vulnerabilities). That's why we proceed when TCBLevelInvalid and let caller decide

diff --git a/go/enclave/storage/init/edgelessdb/edgelessdb.go b/go/enclave/storage/init/edgelessdb/edgelessdb.go
@@ -81,7 +81,7 @@ const (
 	edbManifestEndpoint  = "/manifest"
 	edbSignatureEndpoint = "/signature"
 
-	dataDir         = "/data"
+	dataDir         = "data"
 	certIssuer      = "obscuroCA"
 	certSubject     = "obscuroUser"
 	enclaveHostName = "enclave"
@@ -138,7 +138,7 @@ func Connector(edbCfg *Config, config config.EnclaveConfig, logger gethlog.Logge
 	}
 
 	// load credentials from encrypted persistence if available, otherwise perform handshake and initialization to prepare them
-	edbCredentials, err := getHandshakeCredentials(edbCfg, logger)
+	edbCredentials, err := getHandshakeCredentials(config, edbCfg, logger)
 	if err != nil {
 		return nil, err
 	}
@@ -181,15 +181,15 @@ func waitForEdgelessDBToStart(edbHost string, logger gethlog.Logger) error {
 		edgelessDBStartTimeout, edgelessHTTPAddr, err)
 }
 
-func getHandshakeCredentials(edbCfg *Config, logger gethlog.Logger) (*Credentials, error) {
+func getHandshakeCredentials(enclaveConfig config.EnclaveConfig, edbCfg *Config, logger gethlog.Logger) (*Credentials, error) {
 	// if we have previously performed the handshake we can retrieve the creds from disk and proceed
 	edbCreds, found, err := loadCredentialsFromFile()
 	if err != nil {
 		return nil, err
 	}
 	if !found {
 		// they don't exist on disk so we have to perform the handshake and set them up
-		edbCreds, err = performHandshake(edbCfg, logger)
+		edbCreds, err = performHandshake(enclaveConfig, edbCfg, logger)
 		if err != nil {
 			return nil, err
 		}
@@ -216,7 +216,7 @@ func loadCredentialsFromFile() (*Credentials, bool, error) {
 	return edbCreds, true, nil
 }
 
-func performHandshake(edbCfg *Config, logger gethlog.Logger) (*Credentials, error) {
+func performHandshake(enclaveConfig config.EnclaveConfig, edbCfg *Config, logger gethlog.Logger) (*Credentials, error) {
 	// we need to make sure this dir exists before we start read/writing files in there
 	err := os.MkdirAll(dataDir, 0o644)
 	if err != nil {
@@ -229,7 +229,7 @@ func performHandshake(edbCfg *Config, logger gethlog.Logger) (*Credentials, erro
 	// The trust path is as follows:
 	// 1. The Obscuro Enclave performs RA on the database enclave, and the RA object contains a certificate which only the database enclave controls.
 	// 2. Connecting to the database via mutually authenticated TLS using the above certificate, will give the Obscuro enclave confidence that it is only giving data away to some code and hardware it trusts.
-	edbPEM, err := performEDBRemoteAttestation(edbCfg.Host, defaultEDBConstraints, logger)
+	edbPEM, err := performEDBRemoteAttestation(enclaveConfig, edbCfg.Host, defaultEDBConstraints, logger)
 	if err != nil {
 		return nil, err
 	}

diff --git a/go/node/docker_node.go b/go/node/docker_node.go
@@ -177,6 +177,7 @@ func (d *DockerNode) startEnclave() error {
 		"-maxRollupSize=65536",
 		fmt.Sprintf("-logLevel=%d", d.cfg.logLevel),
 		"-obscuroGenesis", "{}",
+		"-edgelessDBHost", d.cfg.nodeName+"-edgelessdb",
 	)
 
 	if d.cfg.sgxEnabled {
@@ -187,14 +188,9 @@ func (d *DockerNode) startEnclave() error {
 
 		// prepend the entry.sh execution
 		cmd = append([]string{"/home/obscuro/go-obscuro/go/enclave/main/entry.sh"}, cmd...)
-		cmd = append(cmd,
-			"-edgelessDBHost", d.cfg.nodeName+"-edgelessdb",
-			"-willAttest=true",
-		)
+		cmd = append(cmd, "-willAttest=true")
 	} else {
-		cmd = append(cmd,
-			"-sqliteDBPath", "/data/sqlite.db",
-		)
+		cmd = append(cmd, "-willAttest=false")
 	}
 
 	enclaveVolume := map[string]string{d.cfg.nodeName + "-enclave-volume": _enclaveDataDir}
@@ -204,26 +200,25 @@ func (d *DockerNode) startEnclave() error {
 }
 
 func (d *DockerNode) startEdgelessDB() error {
-	if !d.cfg.sgxEnabled {
-		// Non-SGX hardware use sqlite database so EdgelessDB is not required.
-		return nil
-	}
-
 	envs := map[string]string{
 		"EDG_EDB_CERT_DNS": d.cfg.nodeName + "-edgelessdb",
 	}
+	devices := map[string]string{}
 
-	devices := map[string]string{
-		"/dev/sgx_enclave":   "/dev/sgx_enclave",
-		"/dev/sgx_provision": "/dev/sgx_provision",
+	if d.cfg.sgxEnabled {
+		devices["/dev/sgx_enclave"] = "/dev/sgx_enclave"
+		devices["/dev/sgx_provision"] = "/dev/sgx_provision"
+	} else {
+		envs["OE_SIMULATION"] = "1"
 	}
 
 	// only set the pccsAddr env var if it's defined
 	if d.cfg.pccsAddr != "" {
 		envs["PCCS_ADDR"] = d.cfg.pccsAddr
 	}
+	dbVolume := map[string]string{d.cfg.nodeName + "-db-volume": "/data"}
 
-	_, err := docker.StartNewContainer(d.cfg.nodeName+"-edgelessdb", d.cfg.edgelessDBImage, nil, nil, envs, devices, nil)
+	_, err := docker.StartNewContainer(d.cfg.nodeName+"-edgelessdb", d.cfg.edgelessDBImage, nil, nil, envs, devices, dbVolume)
 
 	return err
 }