From 71da3981df4f04e76c256265a256477ccae2e37a Mon Sep 17 00:00:00 2001 From: hu55a1n1 Date: Wed, 25 Oct 2023 14:00:24 -0700 Subject: [PATCH 1/5] Update .gitignore to ignore IDE files --- .gitignore | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index d9a833e..a52d9df 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ *~ *.manifest -*.manifest.sgx \ No newline at end of file +*.manifest.sgx +.idea/ From 4f2eec1f2a3f8c35a565840cf20d5bbc049b6817 Mon Sep 17 00:00:00 2001 From: hu55a1n1 Date: Wed, 25 Oct 2023 14:09:44 -0700 Subject: [PATCH 2/5] Move mtcs enclave into a sub-directory --- Dockerfile | 32 -------------------------------- README.md | 40 ---------------------------------------- data/micro-set-offs.csv | 5 ----- mtcs | 1 - mtcs.manifest.template | 35 ----------------------------------- 5 files changed, 113 deletions(-) delete mode 100644 Dockerfile delete mode 100644 README.md delete mode 100644 data/micro-set-offs.csv delete mode 160000 mtcs delete mode 100644 mtcs.manifest.template diff --git a/Dockerfile b/Dockerfile deleted file mode 100644 index 4012028..0000000 --- a/Dockerfile +++ /dev/null @@ -1,32 +0,0 @@ -FROM gramineproject/gramine:v1.5 - -RUN apt-get update && apt-get install -y jq build-essential - -WORKDIR /workdir - -RUN curl https://sh.rustup.rs -sSf | bash -s -- -y -ENV PATH="/root/.cargo/bin:${PATH}" -RUN rustup toolchain install 1.72.0 - -RUN gramine-sgx-gen-private-key - -# This should be associated with an acive IAS SPID in order for -# gramine tools like gramine-sgx-ias-request and gramine-sgx-ias-verify -ENV RA_CLIENT_SPID=51CAF5A48B450D624AEFE3286D314894 -ENV RA_CLIENT_LINKABLE=1 - -# Copy the mtcs directory and build -COPY mtcs ./mtcs -WORKDIR /workdir/mtcs -RUN cargo build --release - -WORKDIR /workdir -COPY mtcs.manifest.template ./ - -COPY data/micro-set-offs.csv mtcs/data - -# Make and sign the gramine manifest -RUN gramine-manifest -Dlog_level="error" -Dhome=${HOME} -Darch_libdir="/lib/$(gcc -dumpmachine)" -Dmtcs_dir="$(pwd)/mtcs" -Dtestname="micro-set-offs" mtcs.manifest.template mtcs.manifest -RUN gramine-sgx-sign --manifest mtcs.manifest --output mtcs.manifest.sgx - -CMD [ "gramine-sgx-sigstruct-view mtcs.sig" ] diff --git a/README.md b/README.md deleted file mode 100644 index 63c2b44..0000000 --- a/README.md +++ /dev/null @@ -1,40 +0,0 @@ -## Gramine experiments using MTCS - -This is a Dockerfile for replaying the mtcs experiment in gramine, starting from the manifest file from https://github.com/informalsystems/cofi-private/issues/104 -The starting point for the Dockerfile is the Gramine-based from Revm Relay hackathon. https://github.com/amiller/gramine-sgx-revm/ - -The point of this is to emphasize the verification process that can be completed even without SGX, by reproducing the MRENCLAVE and inspecting remote attestation quotes. - -## Init the git submodules - -This repo references mtcs as a submodule, but the Dockerfile simply copies mtcs from the current directory. -So don't forget to have git apply the submodules when cloning the repo -```bash -git submodule update --init --recursive -``` -## Replicating the MRENCLAVE build (no SGX required - -The following will build mtcs, then freeze all dependencies from the docker environment into the gramine manifest, and finally display the resulting MRENCLAVE -```bash -docker build . --tag mtcs -docker run mtcs -``` - -Let's see how long this remains reproducible: -``` - mr_enclave: fa9149158c693b09e83480b48c2e7344c941aadca6d5829834f2af9f2690435e -``` - -## Execution on an SGX machine - -This is tested on a local SGX machine, not Azure - -```bash -docker run -it --device /dev/sgx_enclave \ - -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket \ - -v ./data:/workdir/data \ - mtcs bash -is-sgx-available -gramine-sgx ./mtcs -cat mtcs/data/micro-set-offs.out -``` \ No newline at end of file diff --git a/data/micro-set-offs.csv b/data/micro-set-offs.csv deleted file mode 100644 index e0274cc..0000000 --- a/data/micro-set-offs.csv +++ /dev/null @@ -1,5 +0,0 @@ -id,debtor,creditor,amount,set_off,remainder -1,10,20,100,100,0 -2,20,30,100,100,0 -3,30,10,200,100,100 -4,40,30,100,0,100 diff --git a/mtcs b/mtcs deleted file mode 160000 index 3f13e5c..0000000 --- a/mtcs +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 3f13e5c0fd0623a9dc7f4b4227be4678fa947531 diff --git a/mtcs.manifest.template b/mtcs.manifest.template deleted file mode 100644 index 1bbf5a1..0000000 --- a/mtcs.manifest.template +++ /dev/null @@ -1,35 +0,0 @@ -# MTCS manifest file example - -loader.entrypoint = "file:{{ gramine.libos }}" -libos.entrypoint = "{{ mtcs_dir }}/target/release/mtcs-cli" - -loader.log_level = "{{ log_level }}" - -loader.env.LD_LIBRARY_PATH = "/lib:{{ arch_libdir }}:/usr/{{ arch_libdir }}" -loader.env.HOME = "{{ home }}" - -loader.argv = ["-v", "-i", "{{ mtcs_dir }}/data/{{ testname }}.csv", "-o", "{{ mtcs_dir }}/data/{{ testname }}.out"] - -fs.mounts = [ - { uri = "file:{{ gramine.runtimedir() }}", path = "/lib" }, - { uri = "file:{{ arch_libdir }}", path = "{{ arch_libdir }}" }, - { uri = "file:/usr/{{ arch_libdir }}", path = "/usr{{ arch_libdir }}" }, - { uri = "file:{{ mtcs_dir }}", path = "{{ mtcs_dir }}" }, -] - -sgx.enclave_size = "512M" -sgx.max_threads = 4 -sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} - -sgx.trusted_files = [ - "file:{{ gramine.libos }}", - "file:{{ mtcs_dir }}/target/release/mtcs-cli", - "file:{{ mtcs_dir }}/data/{{ testname }}.csv", - "file:{{ gramine.runtimedir() }}/", - "file:{{ arch_libdir }}/", - "file:/usr/{{ arch_libdir }}/", -] - -sgx.allowed_files = [ - "file:{{ mtcs_dir }}/data/{{ testname }}.out", -] From 5d0ebdee66796378daad1db5f792dc9eb0a0a324 Mon Sep 17 00:00:00 2001 From: hu55a1n1 Date: Mon, 6 Nov 2023 02:22:21 -0800 Subject: [PATCH 3/5] Add root level README.md --- README.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..e9573bc --- /dev/null +++ b/README.md @@ -0,0 +1,18 @@ +# The Tendermint light client enclave + +This enclave runs tendermint/CometBFT light client verification on a given 'verification trace' using a user specified +root-of-trust. It outputs the new root-of-trust to a sealed file so that it can be used for future instantiations. + +## Execution on an SGX machine + +This is tested on a local SGX machine, not Azure + +```bash +docker build . --tag tmdocker build . --tag tm \ +docker run -it --device /dev/sgx_enclave \ + -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket \ + -v ./tests:/workdir/tests \ + tm bash +is-sgx-available +gramine-sgx ./tm +``` From 91a5f623664d819e2c57ded085a1cbafb5cc8376 Mon Sep 17 00:00:00 2001 From: hu55a1n1 Date: Mon, 6 Nov 2023 02:26:21 -0800 Subject: [PATCH 4/5] Fix README.md --- README.md | 20 ++++++-------------- 1 file changed, 6 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index e9573bc..5ac0946 100644 --- a/README.md +++ b/README.md @@ -1,18 +1,10 @@ -# The Tendermint light client enclave +# tee-mtcs -This enclave runs tendermint/CometBFT light client verification on a given 'verification trace' using a user specified -root-of-trust. It outputs the new root-of-trust to a sealed file so that it can be used for future instantiations. +Collection of tools and utilities to help run MTCS on TEEs. -## Execution on an SGX machine +## Enclaves -This is tested on a local SGX machine, not Azure +Gramine applications and accompanying Dockerfiles for ease-of-usage. -```bash -docker build . --tag tmdocker build . --tag tm \ -docker run -it --device /dev/sgx_enclave \ - -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket \ - -v ./tests:/workdir/tests \ - tm bash -is-sgx-available -gramine-sgx ./tm -``` +* [enclaves/mtcs](enclaves/mtcs) - Runs MTCS on a given set of obligations specified as an input file. +* [enclaves/tm](enclaves/tm) - Runs (stateless) Tendermint light client verification on a given block. From efa8fe486666991216b6b9438b28e5902d182f1a Mon Sep 17 00:00:00 2001 From: hu55a1n1 Date: Tue, 7 Nov 2023 12:41:36 -0800 Subject: [PATCH 5/5] Update .gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index a52d9df..818dd45 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ *.manifest *.manifest.sgx .idea/ +enclaves/tm/target/