on-chain machine-id WIP

Author: vlad

cosmwasm/enclaves/execute/Enclave.edl

@@ -53,6 +53,12 @@ enclave {
  uint32_t msg_len
  );
 
+ public sgx_status_t ecall_onchain_approve_machine_id(
+ [in, count=n_id] const uint8_t* p_id,
+ uint32_t n_id,
+ [out, count=32] uint8_t* p_proof
+ );
+
  public sgx_status_t ecall_get_attestation_report(
  uint32_t flags
  );

cosmwasm/enclaves/execute/src/registration/offchain.rs

@@ -705,6 +705,20 @@ pub unsafe extern "C" fn ecall_onchain_approve_upgrade(
  sgx_types::sgx_status_t::SGX_SUCCESS
 }
 
+#[no_mangle]
+pub unsafe extern "C" fn ecall_onchain_approve_machine_id(
+ p_id: *const u8,
+ n_id: u32,
+ p_proof: *mut u8,
+) -> sgx_types::sgx_status_t {
+ validate_const_ptr!(p_id, n_id as usize, sgx_status_t::SGX_ERROR_UNEXPECTED);
+ validate_mut_ptr!(p_proof, 32, sgx_status_t::SGX_ERROR_UNEXPECTED);
+
+ // TODO
+
+ sgx_types::sgx_status_t::SGX_SUCCESS
+}
+
 pub fn calculate_truncated_hash(input: &[u8]) -> [u8; 20] {
  let mut res = [0u8; 20];
 

cosmwasm/packages/sgx-vm/src/lib.rs

@@ -54,9 +54,9 @@ pub use crate::attestation::{
  create_attestation_report_u, untrusted_get_encrypted_genesis_seed, untrusted_get_encrypted_seed,
 };
 pub use crate::seed::{
- untrusted_approve_upgrade, untrusted_get_network_pubkey, untrusted_health_check,
- untrusted_init_bootstrap, untrusted_init_node, untrusted_key_gen, untrusted_migration_op,
- untrusted_rotate_store, untrusted_submit_validator_set_evidence,
+ untrusted_approve_machine_id, untrusted_approve_upgrade, untrusted_get_network_pubkey,
+ untrusted_health_check, untrusted_init_bootstrap, untrusted_init_node, untrusted_key_gen,
+ untrusted_migration_op, untrusted_rotate_store, untrusted_submit_validator_set_evidence,
 };
 
 pub use crate::random::untrusted_submit_block_signatures;

cosmwasm/packages/sgx-vm/src/seed.rs

@@ -62,6 +62,14 @@ extern "C" {
  msg_len: u32,
  ) -> sgx_types::sgx_status_t;
 
+ pub fn ecall_onchain_approve_machine_id(
+ eid: sgx_enclave_id_t,
+ retval: *mut sgx_status_t,
+ p_id: *const u8,
+ n_id: u32,
+ p_proof: *mut u8,
+ ) -> sgx_types::sgx_status_t;
+
  /// Trigger a query method in a wasm contract
  pub fn ecall_health_check(
  eid: sgx_enclave_id_t,
@@ -276,6 +284,41 @@ pub fn untrusted_approve_upgrade(msg_slice: &[u8]) -> SgxResult<()> {
  Ok(())
 }
 
+pub fn untrusted_approve_machine_id(machine_id: &[u8]) -> SgxResult<Vec<u8>> {
+ // Bind the token to a local variable to ensure its
+ // destructor runs in the end of the function
+ let enclave_access_token = ENCLAVE_DOORBELL
+ .get_access(1) // This can never be recursive
+ .ok_or(sgx_status_t::SGX_ERROR_BUSY)?;
+ let enclave = (*enclave_access_token)?;
+
+ //info!("Initialized enclave successfully!");
+
+ let mut proof = [0_u8; 32];
+
+ let eid = enclave.geteid();
+ let mut ret = sgx_status_t::SGX_SUCCESS;
+ let status = unsafe {
+ ecall_onchain_approve_machine_id(
+ eid,
+ &mut ret,
+ machine_id.as_ptr(),
+ machine_id.len() as u32,
+ proof.as_mut_ptr(),
+ )
+ };
+
+ if status != sgx_status_t::SGX_SUCCESS {
+ return Err(status);
+ }
+
+ if ret != sgx_status_t::SGX_SUCCESS {
+ return Err(ret);
+ }
+
+ Ok(proof.to_vec())
+}
+
 pub fn untrusted_key_gen() -> SgxResult<[u8; 32]> {
  info!("Initializing enclave..");
 

go-cosmwasm/api/bindings.h

@@ -222,6 +222,8 @@ Buffer migrate(cache_t *cache,
 
 bool migration_op(uint32_t opcode);
 
+bool onchain_approve_machine_id(Buffer machine_id, Buffer *proof);
+
 bool onchain_approve_upgrade(Buffer msg);
 
 Buffer query(cache_t *cache,

go-cosmwasm/api/lib.go

@@ -205,6 +205,23 @@ func OnUpgradeProposalPassed(mrEnclaveHash []byte) error {
 return nil
 }
 
+func OnUpdateMachineID(machineID []byte) (error, []byte) {
+msgBuf := sendSlice(machineID)
+defer freeAfterSend(msgBuf)
+
+proof := C.Buffer{}
+
+ret, err := C.onchain_approve_machine_id(msgBuf, &proof)
+if err != nil {
+return err, nil
+}
+if !ret {
+return errors.New("onchain_approve_machine_id failed"), nil
+}
+
+return nil, receiveVector(proof)
+}
+
 func Create(cache Cache, wasm []byte) ([]byte, error) {
 code := sendSlice(wasm)
 defer freeAfterSend(code)

go-cosmwasm/api/lib_mock.go

@@ -315,3 +315,7 @@ func GetEncryptedGenesisSeed(cert []byte) ([]byte, error) {
 func OnUpgradeProposalPassed(mrEnclaveHash []byte) error {
 return nil
 }
+
+func OnUpdateMachineID(machineID []byte) (error, []byte) {
+return nil, nil
+}

go-cosmwasm/src/lib.rs

@@ -12,8 +12,8 @@ pub use api::GoApi;
 use base64;
 use cosmwasm_sgx_vm::{
  call_handle_raw, call_init_raw, call_migrate_raw, call_query_raw, call_update_admin_raw,
- create_attestation_report_u, features_from_csv, untrusted_approve_upgrade,
- untrusted_get_encrypted_genesis_seed, untrusted_get_encrypted_seed,
+ create_attestation_report_u, features_from_csv, untrusted_approve_machine_id,
+ untrusted_approve_upgrade, untrusted_get_encrypted_genesis_seed, untrusted_get_encrypted_seed,
  untrusted_get_network_pubkey, untrusted_health_check, untrusted_init_bootstrap,
  untrusted_init_node, untrusted_key_gen, untrusted_migration_op, untrusted_rotate_store,
  untrusted_submit_validator_set_evidence, Checksum, CosmCache, Extern,
@@ -992,3 +992,27 @@ pub extern "C" fn onchain_approve_upgrade(msg: Buffer) -> bool {
  }
  }
 }
+
+#[no_mangle]
+#[allow(deprecated)]
+pub extern "C" fn onchain_approve_machine_id(machine_id: Buffer, proof: &mut Buffer) -> bool {
+ let machine_id_slice = match unsafe { machine_id.read() } {
+ None => {
+ return false;
+ }
+ Some(r) => r,
+ };
+
+ match untrusted_approve_machine_id(&machine_id_slice) {
+ Err(e) => {
+ set_error(Error::enclave_err(e.to_string()), None);
+ false
+ }
+ Ok(x) => {
+ clear_error();
+
+ *proof = Buffer::from_vec(x);
+ true
+ }
+ }
+}

x/compute/internal/keeper/msg_server.go

@@ -349,5 +349,17 @@ func (m msgServer) UpdateMachineWhitelist(goCtx context.Context, msg *types.MsgU
 sdk.NewAttribute(sdk.AttributeKeySender, msg.Sender),
 ))
 
+store := m.keeper.storeService.OpenKVStore(ctx)
+
+for _, id := range msg.MachineIds {
+if err, proof := api.OnUpdateMachineID(id); err != nil {
+return nil, err
+
+key := append(types.MachineIDEvidencePrefix, id...)
+_ = store.Set(key, proof)
+
+}
+}
+
 return &types.MsgUpdateMachineWhitelistResponse{}, nil
 }

x/compute/internal/types/keys.go

@@ -38,6 +38,7 @@ var (
 UpdateAdminPrefix = []byte{0x0D}
 RandomPrefix = []byte{0xFF}
 ValidatorSetEvidencePrefix = []byte{0xFE}
+MachineIDEvidencePrefix = []byte{0xFD}
 
 KeyLastCodeID = append(SequenceKeyPrefix, []byte("lastCodeId")...)
 KeyLastInstanceID = append(SequenceKeyPrefix, []byte("lastContractId")...)