From 242f7b4bbf47e871b50ea19d47fa940cf100d26f Mon Sep 17 00:00:00 2001 From: Christian Langenbacher Date: Thu, 28 May 2020 14:30:45 +0200 Subject: [PATCH 1/9] [worker] initialize chain after keys have been provisioned --- worker/src/main.rs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/worker/src/main.rs b/worker/src/main.rs index 3f6bf7529c..3b5749781f 100644 --- a/worker/src/main.rs +++ b/worker/src/main.rs @@ -251,7 +251,6 @@ fn worker(node_url: &str, w_ip: &str, w_port: &str, mu_ra_port: &str, shard: &Sh info!("Enclave nonce = {:?}", nonce); let uxt = enclave_perform_ra(eid, genesis_hash, nonce, w_url.as_bytes().to_vec()).unwrap(); - let mut latest_head = init_chain_relay(eid, &api); let ue = UncheckedExtrinsic::decode(&mut uxt.as_slice()).unwrap(); let mut _xthex = hex::encode(ue.encode()); @@ -294,6 +293,8 @@ fn worker(node_url: &str, w_ip: &str, w_port: &str, mu_ra_port: &str, shard: &Sh } } + let mut latest_head = init_chain_relay(eid, &api); + // ------------------------------------------------------------------------ // subscribe to events and react on firing println!("*** Subscribing to events"); From e67e22c269e0670219e2321f865a4462f6e25c67 Mon Sep 17 00:00:00 2001 From: Christian Langenbacher Date: Thu, 28 May 2020 16:34:52 +0200 Subject: [PATCH 2/9] [worker] fix cli for key_provisioning tests --- worker/src/cli.yml | 4 ++++ worker/src/main.rs | 16 +++++++++++++++- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/worker/src/cli.yml b/worker/src/cli.yml index c9f23be39e..5bd8940507 100644 --- a/worker/src/cli.yml +++ b/worker/src/cli.yml @@ -90,6 +90,10 @@ subcommands: help: Run integration tests takes_value: false - provisioning-server: + long: provisioning-server help: Run TEE server for MU-RA key provisioning + takes_value: false - provisioning-client: + long: provisioning-client help: Run TEE client for MU-RA key provisioning + takes_value: false diff --git a/worker/src/main.rs b/worker/src/main.rs index 3b5749781f..6f70806a5a 100644 --- a/worker/src/main.rs +++ b/worker/src/main.rs @@ -186,8 +186,22 @@ fn main() { println!("[+] Done!"); enclave.destroy(); } else if _matches.is_present("provisioning-client") { - println!("*** Running Enclave MU-RA TLS server\n"); + println!("*** Running Enclave MU-RA TLS client\n"); let enclave = enclave_init().unwrap(); + let shard = match _matches.values_of("shard") { + Some(values) => values + .map(|shard| { + shard + .from_base58() + .unwrap_or_else(|_| panic!("shard must be hex encoded")) + }) + .map(|s| ShardIdentifier::from_slice(s.as_slice())) + .collect(), + _ => vec![ShardIdentifier::from_slice( + &enclave_mrenclave(enclave.geteid()).unwrap(), + )], + }; + enclave_request_key_provisioning( enclave.geteid(), sgx_quote_sign_type_t::SGX_UNLINKABLE_SIGNATURE, From 528d46d07808531bb51fd63e55d2935c6c2667f7 Mon Sep 17 00:00:00 2001 From: Christian Langenbacher Date: Thu, 28 May 2020 16:59:32 +0200 Subject: [PATCH 3/9] [worker/mu-ra] pass shard that should be exchanged is passed to request_key_provisioning --- enclave/Enclave.edl | 6 +++++- enclave/src/tls_ra.rs | 32 ++++++++++++++++++++++++-------- worker/src/enclave/tls_ra.rs | 20 ++++++++++++++++++-- worker/src/main.rs | 2 ++ 4 files changed, 49 insertions(+), 11 deletions(-) diff --git a/enclave/Enclave.edl b/enclave/Enclave.edl index d793f194ef..fae7572ca0 100644 --- a/enclave/Enclave.edl +++ b/enclave/Enclave.edl @@ -71,7 +71,11 @@ enclave { public sgx_status_t dump_ra_to_disk(); public sgx_status_t run_key_provisioning_server(int fd,sgx_quote_sign_type_t quote_type); - public sgx_status_t request_key_provisioning(int fd,sgx_quote_sign_type_t quote_type); + public sgx_status_t request_key_provisioning( + int fd, + sgx_quote_sign_type_t quote_type, + [in, size=shard_size] uint8_t* shard, size_t shard_size + ); public size_t test_main_entrance(); }; diff --git a/enclave/src/tls_ra.rs b/enclave/src/tls_ra.rs index 4019658a2f..3967630781 100644 --- a/enclave/src/tls_ra.rs +++ b/enclave/src/tls_ra.rs @@ -8,14 +8,17 @@ use sgx_types::*; use log::*; use rustls::{ClientConfig, ClientSession, ServerConfig, ServerSession, Stream}; +use sgx_externalities::SgxExternalitiesTrait; +use std::slice; +use substratee_node_primitives::ShardIdentifier; -use crate::aes; use crate::attestation::{create_ra_report_and_signature, DEV_HOSTNAME}; use crate::cert; use crate::constants::ENCRYPTED_STATE_FILE; use crate::io; use crate::rsa3072; use crate::utils::UnwrapOrSgxErrorUnexpected; +use crate::{aes, state}; use crate::{ocall_read_ipfs, ocall_write_ipfs}; struct ClientAuth { @@ -117,10 +120,18 @@ pub unsafe extern "C" fn run_key_provisioning_server( let mut tls = rustls::Stream::new(&mut sess, &mut conn); println!(" [Enclave] (MU-RA-Server) MU-RA successful sending keys"); - let (rsa_pair, aes, enc_state) = match read_files_to_send() { - Ok((r, a, s)) => (r, a, s), - Err(e) => return e, - }; + let mut shard = [0u8; 32]; + // warn!("shard len: {:?}", shard.len()); + // match tls.read(&mut shard) { + // Ok(_) => info!(" [Enclave] (MU-RA-Server) Received Shard"), + // Err(_e) => return sgx_status_t::SGX_ERROR_UNEXPECTED, + // }; + + let (rsa_pair, aes, enc_state) = + match read_files_to_send(&ShardIdentifier::from_slice(&shard[..])) { + Ok((r, a, s)) => (r, a, s), + Err(e) => return e, + }; match send_files(&mut tls, &rsa_pair, &aes, &enc_state) { Ok(_) => println!(" [Enclave] (MU-RA-Server) Registration procedure successful!\n"), @@ -151,11 +162,11 @@ fn tls_server_config(sign_type: sgx_quote_sign_type_t) -> SgxResult SgxResult<(Vec, aes::Aes, Vec)> { +fn read_files_to_send(shard: &ShardIdentifier) -> SgxResult<(Vec, aes::Aes, Vec)> { let shielding_key = rsa3072::unseal_pair().sgx_error()?; let aes = aes::read_sealed().sgx_error()?; let rsa_pair = serde_json::to_string(&shielding_key).sgx_error()?; - let enc_state = io::read(ENCRYPTED_STATE_FILE).sgx_error()?; + let enc_state = state::load(shard).sgx_error()?.encode(); let rsa_len = rsa_pair.as_bytes().len(); info!(" [Enclave] Read Shielding Key: {:?}", rsa_len); @@ -210,11 +221,14 @@ fn send_files( } #[no_mangle] -pub extern "C" fn request_key_provisioning( +pub unsafe extern "C" fn request_key_provisioning( socket_fd: c_int, sign_type: sgx_quote_sign_type_t, + shard: *const u8, + shard_size: usize, ) -> sgx_status_t { let _ = backtrace::enable_backtrace("enclave.signed.so", PrintFormat::Short); + let shard = slice::from_raw_parts(shard, shard_size); let cfg = match tls_client_config(sign_type) { Ok(cfg) => cfg, @@ -230,6 +244,8 @@ pub extern "C" fn request_key_provisioning( println!(); println!(" [Enclave] (MU-RA-Client) MU-RA successful waiting for keys..."); + // + // tls.write(shard).unwrap(); match receive_files(&mut tls) { Ok(_) => println!(" [Enclave] (MU-RA-Client) Registration procedure successful!\n"), diff --git a/worker/src/enclave/tls_ra.rs b/worker/src/enclave/tls_ra.rs index 0fecf1b6bd..c1b424fd0b 100644 --- a/worker/src/enclave/tls_ra.rs +++ b/worker/src/enclave/tls_ra.rs @@ -19,7 +19,9 @@ use std::os::unix::io::AsRawFd; use sgx_types::*; +use codec::Encode; use log::*; +use substratee_node_primitives::ShardIdentifier; extern "C" { fn run_key_provisioning_server( @@ -33,6 +35,8 @@ extern "C" { retval: *mut sgx_status_t, socket_fd: c_int, sign_type: sgx_quote_sign_type_t, + shard: *const u8, + shard_size: usize, ) -> sgx_status_t; } @@ -72,12 +76,24 @@ pub fn enclave_request_key_provisioning( eid: sgx_enclave_id_t, sign_type: sgx_quote_sign_type_t, addr: &str, + shard: ShardIdentifier, ) -> SgxResult<()> { info!("[MU-RA-Client] Requesting key provisioning from {}", addr); let socket = TcpStream::connect(addr).unwrap(); let mut status = sgx_status_t::SGX_SUCCESS; - let result = - unsafe { request_key_provisioning(eid, &mut status, socket.as_raw_fd(), sign_type) }; + + warn!("Shard len: {:?}", shard.encode().len()); + + let result = unsafe { + request_key_provisioning( + eid, + &mut status, + socket.as_raw_fd(), + sign_type, + shard.encode().as_ptr(), + shard.encode().len(), + ) + }; if status != sgx_status_t::SGX_SUCCESS { return Err(status); } diff --git a/worker/src/main.rs b/worker/src/main.rs index 6f70806a5a..ad8260ce8e 100644 --- a/worker/src/main.rs +++ b/worker/src/main.rs @@ -206,6 +206,7 @@ fn main() { enclave.geteid(), sgx_quote_sign_type_t::SGX_UNLINKABLE_SIGNATURE, &format!("localhost:{}", mu_ra_port), + shard[0], ) .unwrap(); println!("[+] Done!"); @@ -293,6 +294,7 @@ fn worker(node_url: &str, w_ip: &str, w_port: &str, mu_ra_port: &str, shard: &Sh eid, sgx_quote_sign_type_t::SGX_UNLINKABLE_SIGNATURE, &mura_url, + *shard, ) .unwrap(); debug!("key provisioning successfully performed"); From 872b9c07aa23a5940b61439846e51c496003d385 Mon Sep 17 00:00:00 2001 From: clangenb Date: Fri, 29 May 2020 08:02:54 +0200 Subject: [PATCH 4/9] [enclave/cert] fix mr_enclave fetch and comparison --- enclave/src/cert.rs | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/enclave/src/cert.rs b/enclave/src/cert.rs index afedf7c450..9cccbe7fb5 100644 --- a/enclave/src/cert.rs +++ b/enclave/src/cert.rs @@ -402,10 +402,12 @@ fn verify_attn_report(report_raw: &[u8], pub_k: Vec) -> Result<(), sgx_statu // TODO: lack security check here let sgx_quote: sgx_quote_t = unsafe { ptr::read(quote.as_ptr() as *const _) }; - let ti: sgx_target_info_t = sgx_target_info_t::default(); - - if sgx_quote.report_body.mr_enclave.m != ti.mr_enclave.m { - error!("mr_enclave is not equal to self"); + let ti = crate::attestation::get_mrenclave_of_self().sgx_error()?; + if sgx_quote.report_body.mr_enclave.m != ti.m { + error!( + "mr_enclave is not equal to self {:?} != {:?}", + sgx_quote.report_body.mr_enclave.m, ti.m + ); return Err(sgx_status_t::SGX_ERROR_UNEXPECTED); } From e34013a372217479bd3d1c0dc142a038d0dabc15 Mon Sep 17 00:00:00 2001 From: clangenb Date: Fri, 29 May 2020 08:19:20 +0200 Subject: [PATCH 5/9] [enclave/tls_ra] remove state exchange from ra as every new worker fetches calculates the state from 0. --- enclave/Enclave.edl | 6 +- enclave/src/tls_ra.rs | 121 ++++------------------------------- worker/src/enclave/tls_ra.rs | 19 +----- worker/src/main.rs | 16 ----- 4 files changed, 16 insertions(+), 146 deletions(-) diff --git a/enclave/Enclave.edl b/enclave/Enclave.edl index fae7572ca0..e907602247 100644 --- a/enclave/Enclave.edl +++ b/enclave/Enclave.edl @@ -71,11 +71,7 @@ enclave { public sgx_status_t dump_ra_to_disk(); public sgx_status_t run_key_provisioning_server(int fd,sgx_quote_sign_type_t quote_type); - public sgx_status_t request_key_provisioning( - int fd, - sgx_quote_sign_type_t quote_type, - [in, size=shard_size] uint8_t* shard, size_t shard_size - ); + public sgx_status_t request_key_provisioning(int fd, sgx_quote_sign_type_t quote_type); public size_t test_main_entrance(); }; diff --git a/enclave/src/tls_ra.rs b/enclave/src/tls_ra.rs index 3967630781..2dfb08a376 100644 --- a/enclave/src/tls_ra.rs +++ b/enclave/src/tls_ra.rs @@ -8,18 +8,12 @@ use sgx_types::*; use log::*; use rustls::{ClientConfig, ClientSession, ServerConfig, ServerSession, Stream}; -use sgx_externalities::SgxExternalitiesTrait; -use std::slice; -use substratee_node_primitives::ShardIdentifier; +use crate::aes; use crate::attestation::{create_ra_report_and_signature, DEV_HOSTNAME}; use crate::cert; -use crate::constants::ENCRYPTED_STATE_FILE; -use crate::io; use crate::rsa3072; use crate::utils::UnwrapOrSgxErrorUnexpected; -use crate::{aes, state}; -use crate::{ocall_read_ipfs, ocall_write_ipfs}; struct ClientAuth { outdated_ok: bool, @@ -40,7 +34,7 @@ impl rustls::ClientCertVerifier for ClientAuth { &self, _certs: &[rustls::Certificate], ) -> Result { - info!("client cert: {:?}", _certs); + debug!("client cert: {:?}", _certs); // This call will automatically verify cert is properly signed match cert::verify_mra_cert(&_certs[0].0) { Ok(()) => Ok(rustls::ClientCertVerified::assertion()), @@ -79,7 +73,7 @@ impl rustls::ServerCertVerifier for ServerAuth { _hostname: webpki::DNSNameRef, _ocsp: &[u8], ) -> Result { - info!("server cert: {:?}", _certs); + debug!("server cert: {:?}", _certs); // This call will automatically verify cert is properly signed match cert::verify_mra_cert(&_certs[0].0) { Ok(()) => Ok(rustls::ServerCertVerified::assertion()), @@ -120,21 +114,13 @@ pub unsafe extern "C" fn run_key_provisioning_server( let mut tls = rustls::Stream::new(&mut sess, &mut conn); println!(" [Enclave] (MU-RA-Server) MU-RA successful sending keys"); - let mut shard = [0u8; 32]; - // warn!("shard len: {:?}", shard.len()); - // match tls.read(&mut shard) { - // Ok(_) => info!(" [Enclave] (MU-RA-Server) Received Shard"), - // Err(_e) => return sgx_status_t::SGX_ERROR_UNEXPECTED, - // }; - - let (rsa_pair, aes, enc_state) = - match read_files_to_send(&ShardIdentifier::from_slice(&shard[..])) { - Ok((r, a, s)) => (r, a, s), - Err(e) => return e, - }; - - match send_files(&mut tls, &rsa_pair, &aes, &enc_state) { - Ok(_) => println!(" [Enclave] (MU-RA-Server) Registration procedure successful!\n"), + let (rsa_pair, aes) = match read_files_to_send() { + Ok((r, a)) => (r, a), + Err(e) => return e, + }; + + match send_files(&mut tls, &rsa_pair, &aes) { + Ok(_) => println!(" [Enclave] (MU-RA-Server) Successfully provisioned keys!\n"), Err(e) => return e, } @@ -162,61 +148,27 @@ fn tls_server_config(sign_type: sgx_quote_sign_type_t) -> SgxResult SgxResult<(Vec, aes::Aes, Vec)> { +fn read_files_to_send() -> SgxResult<(Vec, aes::Aes)> { let shielding_key = rsa3072::unseal_pair().sgx_error()?; let aes = aes::read_sealed().sgx_error()?; let rsa_pair = serde_json::to_string(&shielding_key).sgx_error()?; - let enc_state = state::load(shard).sgx_error()?.encode(); let rsa_len = rsa_pair.as_bytes().len(); info!(" [Enclave] Read Shielding Key: {:?}", rsa_len); info!(" [Enclave] Read AES key {:?}\nIV: {:?}\n", aes.0, aes.1); - Ok((rsa_pair.as_bytes().to_vec(), aes, enc_state)) + Ok((rsa_pair.as_bytes().to_vec(), aes)) } fn send_files( tls: &mut Stream, rsa_pair: &[u8], aes: &(Vec, Vec), - enc_state: &[u8], ) -> SgxResult<()> { tls.write(&rsa_pair.len().to_le_bytes()).sgx_error()?; tls.write(&rsa_pair).sgx_error()?; tls.write(&aes.0[..]).sgx_error()?; tls.write(&aes.1[..]).sgx_error()?; - - println!( - " [Enclave] (MU-RA-Server) Keys sent, writing state to IPFS (= file hosting service)" - ); - info!(" [Enclave] (MU-RA-Server) Sending encrypted state length"); - - tls.write(&enc_state.len().to_le_bytes()).sgx_error()?; - if enc_state.is_empty() { - println!( - " [Enclave] (MU-RA-Server) No state has been written yet. Nothing to write to ipfs." - ); - println!(" [Enclave] (MU-RA-Server) Registration procedure successful!\n"); - return Ok(()); - } - let mut rt: sgx_status_t = sgx_status_t::SGX_ERROR_UNEXPECTED; - let mut cid_buf: [u8; 46] = [0; 46]; - let res = unsafe { - ocall_write_ipfs( - &mut rt as *mut sgx_status_t, - enc_state.as_ptr() as *const u8, - enc_state.len() as u32, - cid_buf.as_mut_ptr() as *mut u8, - cid_buf.len() as u32, - ) - }; - - if res == sgx_status_t::SGX_ERROR_UNEXPECTED || rt == sgx_status_t::SGX_ERROR_UNEXPECTED { - return Err(sgx_status_t::SGX_ERROR_UNEXPECTED); - } - - println!(" [Enclave] (MU-RA-Server) Write to IPFS successful, sending storage hash"); - tls.write(&cid_buf).sgx_error()?; Ok(()) } @@ -224,11 +176,8 @@ fn send_files( pub unsafe extern "C" fn request_key_provisioning( socket_fd: c_int, sign_type: sgx_quote_sign_type_t, - shard: *const u8, - shard_size: usize, ) -> sgx_status_t { let _ = backtrace::enable_backtrace("enclave.signed.so", PrintFormat::Short); - let shard = slice::from_raw_parts(shard, shard_size); let cfg = match tls_client_config(sign_type) { Ok(cfg) => cfg, @@ -244,8 +193,6 @@ pub unsafe extern "C" fn request_key_provisioning( println!(); println!(" [Enclave] (MU-RA-Client) MU-RA successful waiting for keys..."); - // - // tls.write(shard).unwrap(); match receive_files(&mut tls) { Ok(_) => println!(" [Enclave] (MU-RA-Client) Registration procedure successful!\n"), @@ -292,49 +239,7 @@ fn receive_files(tls: &mut Stream) -> SgxResult<()> { aes::seal(aes_key, aes_iv)?; - println!(" [Enclave] (MU-RA-Client) Received and stored keys, waiting for storage hash..."); - - let mut state_len_arr = [0u8; 8]; - let state_len = tls - .read(&mut state_len_arr) - .map(|_| usize::from_le_bytes(state_len_arr)) - .sgx_error_with_log("Error receiving state length")?; - - if state_len == 0 { - println!(" [Enclave] (MU-RA-Client) No state has been written yet, nothing to fetch from IPFS"); - println!(" [Enclave] (MU-RA-Client) Registration Procedure successful!\n"); - return Ok(()); - } - - let mut cid = [0u8; 46]; - tls.read(&mut cid) - .map(|_| { - info!( - " [Enclave] (MU-RA-Client) Received ipfs CID: {:?}", - &cid[..] - ) - }) - .sgx_error_with_log(" [Enclave] (MU-RA-Client) Error receiving ipfs CID")?; - - println!(" [Enclave] (MU-RA-Client) Received IPFS storage hash, reading from IPFS..."); - - let mut enc_state = vec![0u8; state_len]; - let mut rt: sgx_status_t = sgx_status_t::SGX_ERROR_UNEXPECTED; - let _res = unsafe { - ocall_read_ipfs( - &mut rt as *mut sgx_status_t, - enc_state.as_mut_ptr(), - enc_state.len() as u32, - cid.as_ptr(), - cid.len() as u32, - ) - }; - println!( - " [Enclave] (MU-RA-Client) Got encrypted state from ipfs: {:?}\n", - enc_state - ); - io::write(&enc_state, ENCRYPTED_STATE_FILE)?; - println!(" [Enclave] (MU-RA-Client) Successfully read state from IPFS"); + println!(" [Enclave] (MU-RA-Client) Successfully received keys."); Ok(()) } diff --git a/worker/src/enclave/tls_ra.rs b/worker/src/enclave/tls_ra.rs index c1b424fd0b..181042e5f3 100644 --- a/worker/src/enclave/tls_ra.rs +++ b/worker/src/enclave/tls_ra.rs @@ -19,9 +19,7 @@ use std::os::unix::io::AsRawFd; use sgx_types::*; -use codec::Encode; use log::*; -use substratee_node_primitives::ShardIdentifier; extern "C" { fn run_key_provisioning_server( @@ -35,8 +33,6 @@ extern "C" { retval: *mut sgx_status_t, socket_fd: c_int, sign_type: sgx_quote_sign_type_t, - shard: *const u8, - shard_size: usize, ) -> sgx_status_t; } @@ -76,24 +72,13 @@ pub fn enclave_request_key_provisioning( eid: sgx_enclave_id_t, sign_type: sgx_quote_sign_type_t, addr: &str, - shard: ShardIdentifier, ) -> SgxResult<()> { info!("[MU-RA-Client] Requesting key provisioning from {}", addr); let socket = TcpStream::connect(addr).unwrap(); let mut status = sgx_status_t::SGX_SUCCESS; - warn!("Shard len: {:?}", shard.encode().len()); - - let result = unsafe { - request_key_provisioning( - eid, - &mut status, - socket.as_raw_fd(), - sign_type, - shard.encode().as_ptr(), - shard.encode().len(), - ) - }; + let result = + unsafe { request_key_provisioning(eid, &mut status, socket.as_raw_fd(), sign_type) }; if status != sgx_status_t::SGX_SUCCESS { return Err(status); } diff --git a/worker/src/main.rs b/worker/src/main.rs index ad8260ce8e..ff13256a84 100644 --- a/worker/src/main.rs +++ b/worker/src/main.rs @@ -188,25 +188,10 @@ fn main() { } else if _matches.is_present("provisioning-client") { println!("*** Running Enclave MU-RA TLS client\n"); let enclave = enclave_init().unwrap(); - let shard = match _matches.values_of("shard") { - Some(values) => values - .map(|shard| { - shard - .from_base58() - .unwrap_or_else(|_| panic!("shard must be hex encoded")) - }) - .map(|s| ShardIdentifier::from_slice(s.as_slice())) - .collect(), - _ => vec![ShardIdentifier::from_slice( - &enclave_mrenclave(enclave.geteid()).unwrap(), - )], - }; - enclave_request_key_provisioning( enclave.geteid(), sgx_quote_sign_type_t::SGX_UNLINKABLE_SIGNATURE, &format!("localhost:{}", mu_ra_port), - shard[0], ) .unwrap(); println!("[+] Done!"); @@ -294,7 +279,6 @@ fn worker(node_url: &str, w_ip: &str, w_port: &str, mu_ra_port: &str, shard: &Sh eid, sgx_quote_sign_type_t::SGX_UNLINKABLE_SIGNATURE, &mura_url, - *shard, ) .unwrap(); debug!("key provisioning successfully performed"); From 3611c4a8f171dd5c99de741c362632cf83080105 Mon Sep 17 00:00:00 2001 From: clangenb Date: Fri, 29 May 2020 09:20:00 +0200 Subject: [PATCH 6/9] [worker] change get_most_recent_worker -> get_first_worker that is not equal to self --- substratee-node-primitives/src/lib.rs | 19 +++++++++++- worker/src/main.rs | 43 +++++++++++---------------- 2 files changed, 35 insertions(+), 27 deletions(-) diff --git a/substratee-node-primitives/src/lib.rs b/substratee-node-primitives/src/lib.rs index ba3584b72f..59a294be47 100644 --- a/substratee-node-primitives/src/lib.rs +++ b/substratee-node-primitives/src/lib.rs @@ -43,11 +43,12 @@ pub mod calls { pub fn get_worker_for_shard( api: &substrate_api_client::Api

, shard: &ShardIdentifier, - ) -> Option + ) -> Option>> where MultiSignature: From, { api.get_storage_map("SubstrateeRegistry", "WorkerForShard", shard, None) + .and_then(|w| get_worker_info(&api, w)) } pub fn get_worker_amount(api: &substrate_api_client::Api

) -> Option @@ -57,6 +58,22 @@ pub mod calls { api.get_storage_value("SubstrateeRegistry", "EnclaveCount", None) } + pub fn get_first_worker_that_is_not_equal_to_self( + api: &substrate_api_client::Api

, + self_account: &AccountId, + ) -> Option>> + where + MultiSignature: From, + { + for n in 0..api.get_storage_value("SubstrateeRegistry", "EnclaveCount", None)? { + let worker = get_worker_info(api, n)?; + if &worker.pubkey != self_account { + return Some(worker); + } + } + None + } + pub fn get_latest_state( api: &substrate_api_client::Api

, shard: &ShardIdentifier, diff --git a/worker/src/main.rs b/worker/src/main.rs index ff13256a84..10fae67f2a 100644 --- a/worker/src/main.rs +++ b/worker/src/main.rs @@ -18,6 +18,7 @@ use std::fs::{self, File}; use std::io::stdin; use std::io::Write; use std::path::Path; +use std::slice; use std::str; use std::sync::mpsc::{channel, Sender}; use std::thread; @@ -47,8 +48,7 @@ use enclave::api::{ }; use enclave::tls_ra::{enclave_request_key_provisioning, enclave_run_key_provisioning_server}; use sp_finality_grandpa::{AuthorityList, VersionedAuthorityList, GRANDPA_AUTHORITIES_KEY}; -use std::slice; -use substratee_node_primitives::calls::{get_worker_for_shard, get_worker_info}; +use substratee_node_primitives::calls::get_first_worker_that_is_not_equal_to_self; use substratee_worker_api::Api as WorkerApi; use ws_server::start_ws_server; @@ -262,33 +262,24 @@ fn worker(node_url: &str, w_ip: &str, w_port: &str, mu_ra_port: &str, shard: &Sh println!("[<] Extrinsic got finalized. Hash: {:?}\n", tx_hash); // browse enclave registry - match get_worker_for_shard(&api, shard) { + match get_first_worker_that_is_not_equal_to_self(&api, &tee_accountid) { Some(w) => { - let master_worker = get_worker_info(&api, w).unwrap(); - if master_worker.pubkey == tee_accountid { - info!("the most recently active worker is myself"); - ensure_shard_initialized(shard); - } else { - let _url = String::from_utf8_lossy(&master_worker.url[..]).to_string(); - let _w_api = WorkerApi::new(_url.clone()); - let _url_split: Vec<_> = _url.split(':').collect(); - let mura_url = format!("{}:{}", _url_split[0], _w_api.get_mu_ra_port().unwrap()); - - info!("Requesting key provisioning from worker at {}", mura_url); - enclave_request_key_provisioning( - eid, - sgx_quote_sign_type_t::SGX_UNLINKABLE_SIGNATURE, - &mura_url, - ) - .unwrap(); - debug!("key provisioning successfully performed"); - } + let _url = String::from_utf8_lossy(&w.url[..]).to_string(); + let _w_api = WorkerApi::new(_url.clone()); + let _url_split: Vec<_> = _url.split(':').collect(); + let mura_url = format!("{}:{}", _url_split[0], _w_api.get_mu_ra_port().unwrap()); + + info!("Requesting key provisioning from worker at {}", mura_url); + enclave_request_key_provisioning( + eid, + sgx_quote_sign_type_t::SGX_UNLINKABLE_SIGNATURE, + &mura_url, + ) + .unwrap(); + debug!("key provisioning successfully performed"); } None => { - info!( - "no worker has ever published a state update for shard {}", - shard.encode().to_base58() - ); + info!("there are no other workers"); ensure_shard_initialized(shard); } } From 5ca2e18ea7e37ffdc15755ca8c207205d7c12173 Mon Sep 17 00:00:00 2001 From: clangenb Date: Fri, 29 May 2020 10:23:14 +0200 Subject: [PATCH 7/9] [worker] ensure_shard_initialized now in any case as we do not fetch a state while provisioning secrets. And put it at the very beginning of `fn worker` --- worker/src/main.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/worker/src/main.rs b/worker/src/main.rs index 10fae67f2a..cdd5336568 100644 --- a/worker/src/main.rs +++ b/worker/src/main.rs @@ -209,6 +209,7 @@ fn worker(node_url: &str, w_ip: &str, w_port: &str, mu_ra_port: &str, shard: &Sh // ------------------------------------------------------------------------ // check for required files check_files(); + ensure_shard_initialized(shard); // ------------------------------------------------------------------------ // initialize the enclave #[cfg(feature = "production")] @@ -280,7 +281,6 @@ fn worker(node_url: &str, w_ip: &str, w_port: &str, mu_ra_port: &str, shard: &Sh } None => { info!("there are no other workers"); - ensure_shard_initialized(shard); } } From f7700eacfe2f010aaa03be05616452bdcf3a892d Mon Sep 17 00:00:00 2001 From: clangenb Date: Fri, 29 May 2020 10:27:55 +0200 Subject: [PATCH 8/9] [enclave/tls_ra] remove unsafe from request_key_provisioning --- enclave/src/tls_ra.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/enclave/src/tls_ra.rs b/enclave/src/tls_ra.rs index 2dfb08a376..f0b9b0799c 100644 --- a/enclave/src/tls_ra.rs +++ b/enclave/src/tls_ra.rs @@ -173,7 +173,7 @@ fn send_files( } #[no_mangle] -pub unsafe extern "C" fn request_key_provisioning( +pub extern "C" fn request_key_provisioning( socket_fd: c_int, sign_type: sgx_quote_sign_type_t, ) -> sgx_status_t { From 316fafd08a53ea548f174fc872627a944896264e Mon Sep 17 00:00:00 2001 From: clangenb Date: Fri, 29 May 2020 10:45:55 +0200 Subject: [PATCH 9/9] bump version: 0.6.5-sub2.0.0-alpha.7 --- Cargo.lock | 10 +++++----- client/Cargo.toml | 2 +- enclave/Cargo.lock | 14 +++++++------- enclave/Cargo.toml | 2 +- enclave/chain_relay/Cargo.toml | 2 +- stf/Cargo.toml | 2 +- substratee-node-primitives/Cargo.toml | 2 +- worker/Cargo.toml | 2 +- worker/worker-api/Cargo.toml | 2 +- 9 files changed, 19 insertions(+), 19 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index b618db11e8..bd2b391846 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -3771,7 +3771,7 @@ checksum = "d2a965994514ab35d3893e9260245f2947fd1981cdd4fffd2c6e6d1a9ce02e6a" [[package]] name = "substratee-client" -version = "0.6.4-sub2.0.0-alpha.7" +version = "0.6.5-sub2.0.0-alpha.7" dependencies = [ "base58", "blake2-rfc", @@ -3803,7 +3803,7 @@ dependencies = [ [[package]] name = "substratee-node-primitives" -version = "0.6.4-sub2.0.0-alpha.7" +version = "0.6.5-sub2.0.0-alpha.7" dependencies = [ "base58", "log 0.4.8 (registry+https://github.com/rust-lang/crates.io-index)", @@ -3851,7 +3851,7 @@ dependencies = [ [[package]] name = "substratee-stf" -version = "0.6.4-sub2.0.0-alpha.7" +version = "0.6.5-sub2.0.0-alpha.7" dependencies = [ "base58", "clap", @@ -3876,7 +3876,7 @@ dependencies = [ [[package]] name = "substratee-worker" -version = "0.6.4-sub2.0.0-alpha.7" +version = "0.6.5-sub2.0.0-alpha.7" dependencies = [ "base58", "cid", @@ -3915,7 +3915,7 @@ dependencies = [ [[package]] name = "substratee-worker-api" -version = "0.6.4-sub2.0.0-alpha.7" +version = "0.6.5-sub2.0.0-alpha.7" dependencies = [ "hex 0.4.2", "log 0.4.8 (registry+https://github.com/rust-lang/crates.io-index)", diff --git a/client/Cargo.toml b/client/Cargo.toml index 0be8e5c130..9ead5b19e2 100644 --- a/client/Cargo.toml +++ b/client/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "substratee-client" -version = "0.6.4-sub2.0.0-alpha.7" +version = "0.6.5-sub2.0.0-alpha.7" authors = ["Supercomputing Systems AG "] edition = "2018" diff --git a/enclave/Cargo.lock b/enclave/Cargo.lock index 3fe0998449..abb58e4452 100644 --- a/enclave/Cargo.lock +++ b/enclave/Cargo.lock @@ -172,7 +172,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" [[package]] name = "chain-relay" -version = "0.6.4-sub2.0.0-alpha.7" +version = "0.6.5-sub2.0.0-alpha.7" dependencies = [ "derive_more 0.99.5 (registry+https://github.com/rust-lang/crates.io-index)", "finality-grandpa 0.11.2 (registry+https://github.com/rust-lang/crates.io-index)", @@ -2068,7 +2068,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" [[package]] name = "substratee-node-primitives" -version = "0.6.4-sub2.0.0-alpha.7" +version = "0.6.5-sub2.0.0-alpha.7" dependencies = [ "parity-scale-codec 1.3.0 (registry+https://github.com/rust-lang/crates.io-index)", "primitive-types 0.6.2 (registry+https://github.com/rust-lang/crates.io-index)", @@ -2078,7 +2078,7 @@ dependencies = [ [[package]] name = "substratee-stf" -version = "0.6.4-sub2.0.0-alpha.7" +version = "0.6.5-sub2.0.0-alpha.7" dependencies = [ "derive_more 0.99.5 (registry+https://github.com/rust-lang/crates.io-index)", "env_logger 0.7.1 (git+https://github.com/mesalock-linux/env_logger-sgx)", @@ -2097,12 +2097,12 @@ dependencies = [ [[package]] name = "substratee-worker-enclave" -version = "0.6.4-sub2.0.0-alpha.7" +version = "0.6.5-sub2.0.0-alpha.7" dependencies = [ "aes 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)", "base64 0.10.1 (git+https://github.com/mesalock-linux/rust-base64-sgx)", "bit-vec 0.6.2 (registry+https://github.com/rust-lang/crates.io-index)", - "chain-relay 0.6.4-sub2.0.0-alpha.7", + "chain-relay 0.6.5-sub2.0.0-alpha.7", "chrono 0.4.11 (git+https://github.com/mesalock-linux/chrono-sgx)", "env_logger 0.7.1 (git+https://github.com/mesalock-linux/env_logger-sgx)", "httparse 1.3.4 (registry+https://github.com/rust-lang/crates.io-index)", @@ -2136,8 +2136,8 @@ dependencies = [ "sp-runtime 2.0.0-alpha.7 (registry+https://github.com/rust-lang/crates.io-index)", "sp-std 2.0.0-alpha.7 (registry+https://github.com/rust-lang/crates.io-index)", "substrate-api-client 0.4.6-sub2.0.0-alpha.7 (git+https://github.com/scs/substrate-api-client?tag=v0.4.6-sub2.0.0-alpha.7)", - "substratee-node-primitives 0.6.4-sub2.0.0-alpha.7", - "substratee-stf 0.6.4-sub2.0.0-alpha.7", + "substratee-node-primitives 0.6.5-sub2.0.0-alpha.7", + "substratee-stf 0.6.5-sub2.0.0-alpha.7", "webpki 0.21.2 (git+https://github.com/mesalock-linux/webpki?branch=mesalock_sgx)", "webpki-roots 0.19.0 (git+https://github.com/mesalock-linux/webpki-roots?branch=mesalock_sgx)", "yasna 0.3.1 (git+https://github.com/mesalock-linux/yasna.rs-sgx?rev=sgx_1.1.2)", diff --git a/enclave/Cargo.toml b/enclave/Cargo.toml index bfd1b308a4..b97af1ccc1 100644 --- a/enclave/Cargo.toml +++ b/enclave/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "substratee-worker-enclave" -version = "0.6.4-sub2.0.0-alpha.7" +version = "0.6.5-sub2.0.0-alpha.7" authors = ["Supercomputing Systems AG "] edition = "2018" diff --git a/enclave/chain_relay/Cargo.toml b/enclave/chain_relay/Cargo.toml index 0a961e4984..33b3a5edb3 100644 --- a/enclave/chain_relay/Cargo.toml +++ b/enclave/chain_relay/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "chain-relay" -version = "0.6.4-sub2.0.0-alpha.7" +version = "0.6.5-sub2.0.0-alpha.7" authors = ["Supercomputing Systems AG "] edition = "2018" diff --git a/stf/Cargo.toml b/stf/Cargo.toml index 31aac7c9d2..9c64711c29 100644 --- a/stf/Cargo.toml +++ b/stf/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "substratee-stf" -version = "0.6.4-sub2.0.0-alpha.7" +version = "0.6.5-sub2.0.0-alpha.7" authors = ["Supercomputing Systems AG "] edition = "2018" diff --git a/substratee-node-primitives/Cargo.toml b/substratee-node-primitives/Cargo.toml index 77839e51fc..046f5601cb 100644 --- a/substratee-node-primitives/Cargo.toml +++ b/substratee-node-primitives/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "substratee-node-primitives" -version = "0.6.4-sub2.0.0-alpha.7" +version = "0.6.5-sub2.0.0-alpha.7" authors = ["clangenbacher "] edition = "2018" diff --git a/worker/Cargo.toml b/worker/Cargo.toml index 546dea79c9..70ef8295ba 100644 --- a/worker/Cargo.toml +++ b/worker/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "substratee-worker" -version = "0.6.4-sub2.0.0-alpha.7" +version = "0.6.5-sub2.0.0-alpha.7" authors = ["Supercomputing Systems AG "] build = "build.rs" edition = "2018" diff --git a/worker/worker-api/Cargo.toml b/worker/worker-api/Cargo.toml index 80ad3c4386..48195f0041 100644 --- a/worker/worker-api/Cargo.toml +++ b/worker/worker-api/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "substratee-worker-api" -version = "0.6.4-sub2.0.0-alpha.7" +version = "0.6.5-sub2.0.0-alpha.7" authors = ["Supercomputing Systems AG "] edition = "2018"