datachainlab · bluele · Sep 11, 2024 · Sep 8, 2024 · Sep 8, 2024 · Sep 8, 2024
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -7,6 +7,7 @@ members = [
     "modules/types",
     "modules/ocall-handler",
     "modules/attestation-report",
+    "modules/remote-attestation",
     "modules/enclave-api",
     "modules/ecall-commands",
     "modules/ocall-commands",
@@ -30,25 +31,7 @@ exclude = [
     "enclave-modules/environment",
     "enclave-modules/store",
     "enclave-modules/utils",
-    "enclave-modules/remote-attestation",
     "enclave-modules/host-api",
     "enclave-modules/ecall-handler",
     "proto-compiler"
 ]
-
-[patch."https://github.com/apache/teaclave-sgx-sdk.git"]
-sgx_tstd = { rev = "v1.1.6", git = "https://github.com/apache/incubator-teaclave-sgx-sdk" }
-sgx_urts = { rev = "v1.1.6", git = "https://github.com/apache/incubator-teaclave-sgx-sdk" }
-sgx_tse = { rev = "v1.1.6", git = "https://github.com/apache/incubator-teaclave-sgx-sdk" }
-sgx_alloc = { rev = "v1.1.6", git = "https://github.com/apache/incubator-teaclave-sgx-sdk" }
-sgx_libc = { rev = "v1.1.6", git = "https://github.com/apache/incubator-teaclave-sgx-sdk" }
-sgx_serialize = { rev = "v1.1.6", git = "https://github.com/apache/incubator-teaclave-sgx-sdk" }
-sgx_serialize_derive = { rev = "v1.1.6", git = "https://github.com/apache/incubator-teaclave-sgx-sdk" }
-sgx_serialize_derive_internals = { rev = "v1.1.6", git = "https://github.com/apache/incubator-teaclave-sgx-sdk" }
-sgx_trts = { rev = "v1.1.6", git = "https://github.com/apache/incubator-teaclave-sgx-sdk" }
-sgx_types = { rev = "v1.1.6", git = "https://github.com/apache/incubator-teaclave-sgx-sdk" }
-sgx_tcrypto = { rev = "v1.1.6", git = "https://github.com/apache/incubator-teaclave-sgx-sdk" }
-sgx_tcrypto_helper = { rev = "v1.1.6", git = "https://github.com/apache/incubator-teaclave-sgx-sdk" }
-sgx_crypto_helper = { rev = "v1.1.6", git = "https://github.com/apache/incubator-teaclave-sgx-sdk" }
-sgx_rand = { rev = "v1.1.6", git = "https://github.com/apache/incubator-teaclave-sgx-sdk" }
-sgx_tseal = { rev = "v1.1.6", git = "https://github.com/apache/incubator-teaclave-sgx-sdk" }
diff --git a/ImportRustSGXSDK.mk b/ImportRustSGXSDK.mk
diff --git a/Makefile b/Makefile
@@ -1,6 +1,3 @@
-######## Import SGX SDK ########
-include ImportRustSGXSDK.mk
-
 ######## SGX SDK Settings ########
 SGX_SDK ?= /opt/sgxsdk
 SGX_MODE ?= HW
@@ -9,7 +6,7 @@ SGX_DEBUG ?= 0
 SGX_PRERELEASE ?= 0
 SGX_PRODUCTION ?= 0
 
-include rust-sgx-sdk/buildenv.mk
+include buildenv.mk
 
 ifeq ($(shell getconf LONG_BIT), 32)
 	SGX_ARCH := x86
@@ -58,13 +55,12 @@ ifeq ($(SGX_PRODUCTION), 1)
 	SGX_ENCLAVE_MODE = "Production Mode"
 	SGX_ENCLAVE_CONFIG = $(SGX_ENCLAVE_CONFIG)
 	SGX_SIGN_KEY = $(SGX_COMMERCIAL_KEY)
-	ENCLAVE_CARGO_FEATURES = --features=production
 else
 	SGX_ENCLAVE_MODE = "Development Mode"
 	SGX_ENCLAVE_CONFIG = "enclave/Enclave.config.xml"
 	SGX_SIGN_KEY = "enclave/Enclave_private.pem"
 	ifneq ($(SGX_MODE), HW)
-		ENCLAVE_CARGO_FEATURES = --features=default,sgx-sw
+		ENCLAVE_CARGO_FEATURES = --features=default
 		APP_CARGO_FEATURES     = --features=default,sgx-sw
 	endif
 endif
@@ -73,8 +69,6 @@ endif
 
 CUSTOM_LIBRARY_PATH := ./lib
 CUSTOM_BIN_PATH := ./bin
-CUSTOM_EDL_PATH := ./rust-sgx-sdk/edl
-CUSTOM_COMMON_PATH := ./rust-sgx-sdk/common
 
 ######## EDL Settings ########
 
@@ -84,7 +78,7 @@ Enclave_EDL_Files := enclave/Enclave_t.c enclave/Enclave_t.h app/Enclave_u.c app
 
 App_Rust_Flags := $(CARGO_TARGET) $(APP_CARGO_FEATURES)
 App_SRC_Files := $(shell find app/ -type f -name '*.rs') $(shell find app/ -type f -name 'Cargo.toml')
-App_Include_Paths := -I ./app -I./include -I$(SGX_SDK)/include -I$(CUSTOM_EDL_PATH)
+App_Include_Paths := -I ./app -I./include -I$(SGX_SDK)/include
 App_C_Flags := $(SGX_COMMON_CFLAGS) -fPIC -Wno-attributes $(App_Include_Paths)
 
 App_Rust_Path := ./target/$(OUTPUT_PATH)
@@ -103,12 +97,11 @@ else
 	Service_Library_Name := sgx_tservice
 endif
 Crypto_Library_Name := sgx_tcrypto
-KeyExchange_Library_Name := sgx_tkey_exchange
 ProtectedFs_Library_Name := sgx_tprotected_fs
 
 RustEnclave_C_Files := $(wildcard ./enclave/*.c)
 RustEnclave_C_Objects := $(RustEnclave_C_Files:.c=.o)
-RustEnclave_Include_Paths := -I$(CUSTOM_COMMON_PATH)/inc -I$(CUSTOM_EDL_PATH) -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
+RustEnclave_Include_Paths := -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SDK)/include/epid -I ./enclave -I./include
 
 RustEnclave_Link_Libs := -L$(CUSTOM_LIBRARY_PATH) -lenclave
 RustEnclave_Compile_Flags := $(SGX_COMMON_CFLAGS) $(ENCLAVE_CFLAGS) $(RustEnclave_Include_Paths)
@@ -124,8 +117,6 @@ Signed_RustEnclave_Name := bin/enclave.signed.so
 
 ######## Test Settings ########
 
-DOCKER        ?= docker
-DOCKER_BUILD  ?= $(DOCKER) build --rm --no-cache --pull
 GAIAD_VERSION ?= v7.0.3
 
 ######## Targets ########
@@ -142,8 +133,8 @@ clean:
 ######## EDL Objects ########
 
 $(Enclave_EDL_Files): $(SGX_EDGER8R) enclave/Enclave.edl
-	$(SGX_EDGER8R) --trusted enclave/Enclave.edl --search-path $(SGX_SDK)/include --search-path $(CUSTOM_EDL_PATH) --trusted-dir enclave
-	$(SGX_EDGER8R) --untrusted enclave/Enclave.edl --search-path $(SGX_SDK)/include --search-path $(CUSTOM_EDL_PATH) --untrusted-dir app
+	$(SGX_EDGER8R) --trusted enclave/Enclave.edl --search-path $(SGX_SDK)/include --trusted-dir enclave
+	$(SGX_EDGER8R) --untrusted enclave/Enclave.edl --search-path $(SGX_SDK)/include --untrusted-dir app
 	@echo "GEN  =>  $(Enclave_EDL_Files)"
 
 ######## App Objects ########
@@ -231,7 +222,3 @@ test-setup-nodes: bin/gaiad
 
 bin/gaiad:
 	curl -o ./bin/gaiad -LO https://github.com/cosmos/gaia/releases/download/$(GAIAD_VERSION)/gaiad-$(GAIAD_VERSION)-linux-amd64 && chmod +x ./bin/gaiad
-
-.PHONY: docker
-sgx-docker:
-	@cd rust-sgx-sdk/dockerfile && docker build --no-cache -t datachainlab/sgx-rust:2004-1.1.6 -f Dockerfile.2004.nightly .
diff --git a/app/Cargo.toml b/app/Cargo.toml
@@ -27,14 +27,13 @@ ecall-commands = { path = "../modules/ecall-commands" }
 crypto = { path = "../modules/crypto" }
 store = { path = "../modules/store", features = ["rocksdbstore"] }
 keymanager = { path = "../modules/keymanager" }
+remote-attestation = { path = "../modules/remote-attestation" }
 
 [build-dependencies]
 git2 = "0.17"
 
 [features]
 default = []
 sgx-sw = [
-    "enclave-api/sgx-sw",
-    "ecall-commands/sgx-sw",
-    "service/sgx-sw"
+    "remote-attestation/sgx-sw"
 ]
diff --git a/app/build.rs b/app/build.rs
@@ -11,8 +11,6 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
     println!("cargo:rustc-link-search=native=./lib");
     println!("cargo:rustc-link-lib=static=Enclave_u");
     println!("cargo:rustc-link-search=native={}/lib64", sdk_dir);
-    println!("cargo:rustc-link-lib=static=sgx_uprotected_fs");
-    println!("cargo:rustc-link-lib=static=sgx_ukey_exchange");
 
     match sgx_mode.as_ref() {
         "SW" => {

diff --git a/app/src/commands/attestation.rs b/app/src/commands/attestation.rs
@@ -5,9 +5,9 @@ use crate::{
 use anyhow::{bail, Result};
 use clap::Parser;
 use crypto::Address;
-use ecall_commands::IASRemoteAttestationInput;
 use enclave_api::{Enclave, EnclaveCommandAPI, EnclaveProtoAPI};
 use log::info;
+use remote_attestation::{ias, IASMode};
 use store::transaction::CommitStore;
 
 /// `attestation` subcommand
@@ -70,6 +70,9 @@ pub struct IASRemoteAttestation {
         help = "An operator address to perform `registerEnclaveKey` transaction on-chain"
     )]
     pub operator: Option<String>,
+    /// IAS mode
+    #[clap(long = "development", help = "Use IAS development mode")]
+    pub is_dev: bool,
 }
 
 impl IASRemoteAttestation {
@@ -89,21 +92,30 @@ fn run_ias_remote_attestation<E: EnclaveCommandAPI<S>, S: CommitStore>(
     let spid = std::env::var("SPID")?;
     let ias_key = std::env::var("IAS_KEY")?;
     let target_enclave_key = Address::from_hex_string(&cmd.enclave_key)?;
-    match enclave.ias_remote_attestation(IASRemoteAttestationInput {
+    match ias::run_ias_ra(
+        &enclave,
         target_enclave_key,
-        operator: cmd.get_operator()?,
-        spid: spid.as_bytes().to_vec(),
-        ias_key: ias_key.as_bytes().to_vec(),
-    }) {
+        cmd.get_operator()?,
+        if cmd.is_dev {
+            IASMode::Development
+        } else {
+            IASMode::Production
+        },
+        spid,
+        ias_key,
+    ) {
         Ok(res) => {
-            info!("AVR: {:?}", res.report.avr);
+            info!("AVR: {:?}", res.avr);
             info!(
                 "report_data: {}",
-                res.report.get_avr()?.parse_quote()?.report_data()
+                res.get_avr()?.parse_quote()?.report_data()
             );
+            enclave
+                .get_key_manager()
+                .save_avr(target_enclave_key, res)?;
             Ok(())
         }
-        Err(e) => bail!("failed to perform IAS Remote Attestation: {:?}!", e),
+        Err(e) => bail!("failed to perform IAS Remote Attestation: {}", e),
     }
 }
 
@@ -183,10 +195,10 @@ fn run_simulate_remote_attestation<E: EnclaveCommandAPI<S>, S: CommitStore>(
     enclave: E,
     cmd: &SimulateRemoteAttestation,
 ) -> Result<()> {
-    use enclave_api::rsa::{
+    use remote_attestation::rsa::{
         pkcs1v15::SigningKey, pkcs8::DecodePrivateKey, traits::PublicKeyParts, RsaPrivateKey,
     };
-    use enclave_api::sha2::Sha256;
+    use remote_attestation::sha2::Sha256;
     use std::fs;
 
     let pk = RsaPrivateKey::read_pkcs8_pem_file(&cmd.signing_key_path)?;
@@ -227,21 +239,26 @@ fn run_simulate_remote_attestation<E: EnclaveCommandAPI<S>, S: CommitStore>(
     }
 
     let target_enclave_key = Address::from_hex_string(&cmd.enclave_key)?;
-    match enclave.simulate_remote_attestation(
-        ecall_commands::SimulateRemoteAttestationInput {
-            target_enclave_key,
-            operator: cmd.get_operator()?,
-            advisory_ids: cmd.advisory_ids.clone(),
-            isv_enclave_quote_status: cmd.isv_enclave_quote_status.clone(),
-        },
+    match remote_attestation::ias_simulation::run_ias_ra_simulation(
+        &enclave,
+        target_enclave_key,
+        cmd.get_operator()?,
+        cmd.advisory_ids.clone(),
+        cmd.isv_enclave_quote_status.clone(),
         signing_key,
         signing_cert,
     ) {
         Ok(res) => {
             info!("AVR: {:?}", res.avr);
-            info!("report_data: {}", res.avr.parse_quote()?.report_data());
+            info!(
+                "report_data: {}",
+                res.get_avr()?.parse_quote()?.report_data()
+            );
+            enclave
+                .get_key_manager()
+                .save_avr(target_enclave_key, res)?;
             Ok(())
         }
-        Err(e) => bail!("failed to simulate Remote Attestation: {:?}!", e),
+        Err(e) => bail!("failed to simulate Remote Attestation: {}", e),
     }
 }
diff --git a/app/src/commands/enclave.rs b/app/src/commands/enclave.rs
@@ -66,7 +66,7 @@ fn run_generate_key<E: EnclaveCommandAPI<S>, S: CommitStore>(
     _: &GenerateKey,
 ) -> Result<()> {
     let res = enclave
-        .generate_enclave_key(GenerateEnclaveKeyInput::default())
+        .generate_enclave_key(GenerateEnclaveKeyInput)
         .map_err(|e| anyhow!("failed to generate an enclave key: {:?}", e))?;
     println!("{}", res.pub_key.as_address());
     Ok(())

diff --git a/rust-sgx-sdk/buildenv.mk → buildenv.mk b/rust-sgx-sdk/buildenv.mk → buildenv.mk
diff --git a/enclave-modules/ecall-handler/Cargo.toml b/enclave-modules/ecall-handler/Cargo.toml
@@ -5,25 +5,15 @@ edition = "2021"
 
 [dependencies]
 sgx_types = { rev = "v1.1.6", git = "https://github.com/apache/incubator-teaclave-sgx-sdk" }
-hex = { version = "0.4", default-features = false, features = ["alloc"] }
+sgx_tse = { rev = "v1.1.6", git = "https://github.com/apache/incubator-teaclave-sgx-sdk" }
 flex-error = { version = "0.4.4", default-features = false }
 
-enclave-remote-attestation = { path = "../remote-attestation" }
 crypto = { path = "../../modules/crypto", default-features = false, features = ["sgx"] }
-attestation-report = { path = "../../modules/attestation-report", default-features = false, features = ["sgx"] }
+attestation-report = { path = "../../modules/attestation-report", default-features = false }
 context = { path = "../../modules/context", default-features = false }
 enclave-environment = { path = "../environment", default-features = false }
 
 lcp-types = { path = "../../modules/types", default-features = false }
 ecall-commands = { path = "../../modules/ecall-commands", default-features = false }
 light-client = { path = "../../modules/light-client", default-features = false }
 store = { path = "../../modules/store", default-features = false }
-
-[features]
-sgx-sw = [
-    "ecall-commands/sgx-sw",
-    "enclave-remote-attestation/sgx-sw"
-]
-production = [
-    "enclave-remote-attestation/production"
-]
diff --git a/enclave-modules/ecall-handler/src/enclave_manage/attestation.rs b/enclave-modules/ecall-handler/src/enclave_manage/attestation.rs