diff --git a/Cargo.lock b/Cargo.lock index b618db11e8..bd2b391846 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -3771,7 +3771,7 @@ checksum = "d2a965994514ab35d3893e9260245f2947fd1981cdd4fffd2c6e6d1a9ce02e6a" [[package]] name = "substratee-client" -version = "0.6.4-sub2.0.0-alpha.7" +version = "0.6.5-sub2.0.0-alpha.7" dependencies = [ "base58", "blake2-rfc", @@ -3803,7 +3803,7 @@ dependencies = [ [[package]] name = "substratee-node-primitives" -version = "0.6.4-sub2.0.0-alpha.7" +version = "0.6.5-sub2.0.0-alpha.7" dependencies = [ "base58", "log 0.4.8 (registry+https://github.com/rust-lang/crates.io-index)", @@ -3851,7 +3851,7 @@ dependencies = [ [[package]] name = "substratee-stf" -version = "0.6.4-sub2.0.0-alpha.7" +version = "0.6.5-sub2.0.0-alpha.7" dependencies = [ "base58", "clap", @@ -3876,7 +3876,7 @@ dependencies = [ [[package]] name = "substratee-worker" -version = "0.6.4-sub2.0.0-alpha.7" +version = "0.6.5-sub2.0.0-alpha.7" dependencies = [ "base58", "cid", @@ -3915,7 +3915,7 @@ dependencies = [ [[package]] name = "substratee-worker-api" -version = "0.6.4-sub2.0.0-alpha.7" +version = "0.6.5-sub2.0.0-alpha.7" dependencies = [ "hex 0.4.2", "log 0.4.8 (registry+https://github.com/rust-lang/crates.io-index)", diff --git a/client/Cargo.toml b/client/Cargo.toml index 0be8e5c130..9ead5b19e2 100644 --- a/client/Cargo.toml +++ b/client/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "substratee-client" -version = "0.6.4-sub2.0.0-alpha.7" +version = "0.6.5-sub2.0.0-alpha.7" authors = ["Supercomputing Systems AG "] edition = "2018" diff --git a/enclave/Cargo.lock b/enclave/Cargo.lock index 3fe0998449..abb58e4452 100644 --- a/enclave/Cargo.lock +++ b/enclave/Cargo.lock 
@@ -172,7 +172,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" [[package]] name = "chain-relay" -version = "0.6.4-sub2.0.0-alpha.7" +version = "0.6.5-sub2.0.0-alpha.7" dependencies = [ "derive_more 0.99.5 (registry+https://github.com/rust-lang/crates.io-index)", "finality-grandpa 0.11.2 (registry+https://github.com/rust-lang/crates.io-index)", @@ -2068,7 +2068,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" [[package]] name = "substratee-node-primitives" -version = "0.6.4-sub2.0.0-alpha.7" +version = "0.6.5-sub2.0.0-alpha.7" dependencies = [ "parity-scale-codec 1.3.0 (registry+https://github.com/rust-lang/crates.io-index)", "primitive-types 0.6.2 (registry+https://github.com/rust-lang/crates.io-index)", @@ -2078,7 +2078,7 @@ dependencies = [ [[package]] name = "substratee-stf" -version = "0.6.4-sub2.0.0-alpha.7" +version = "0.6.5-sub2.0.0-alpha.7" dependencies = [ "derive_more 0.99.5 (registry+https://github.com/rust-lang/crates.io-index)", "env_logger 0.7.1 (git+https://github.com/mesalock-linux/env_logger-sgx)", @@ -2097,12 +2097,12 @@ dependencies = [ [[package]] name = "substratee-worker-enclave" -version = "0.6.4-sub2.0.0-alpha.7" +version = "0.6.5-sub2.0.0-alpha.7" dependencies = [ "aes 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)", "base64 0.10.1 (git+https://github.com/mesalock-linux/rust-base64-sgx)", "bit-vec 0.6.2 (registry+https://github.com/rust-lang/crates.io-index)", - "chain-relay 0.6.4-sub2.0.0-alpha.7", + "chain-relay 0.6.5-sub2.0.0-alpha.7", "chrono 0.4.11 (git+https://github.com/mesalock-linux/chrono-sgx)", "env_logger 0.7.1 (git+https://github.com/mesalock-linux/env_logger-sgx)", "httparse 1.3.4 (registry+https://github.com/rust-lang/crates.io-index)", 
@@ -2136,8 +2136,8 @@ dependencies = [ "sp-runtime 2.0.0-alpha.7 (registry+https://github.com/rust-lang/crates.io-index)", "sp-std 2.0.0-alpha.7 (registry+https://github.com/rust-lang/crates.io-index)", "substrate-api-client 0.4.6-sub2.0.0-alpha.7 (git+https://github.com/scs/substrate-api-client?tag=v0.4.6-sub2.0.0-alpha.7)", - "substratee-node-primitives 0.6.4-sub2.0.0-alpha.7", - "substratee-stf 0.6.4-sub2.0.0-alpha.7", + "substratee-node-primitives 0.6.5-sub2.0.0-alpha.7", + "substratee-stf 0.6.5-sub2.0.0-alpha.7", "webpki 0.21.2 (git+https://github.com/mesalock-linux/webpki?branch=mesalock_sgx)", "webpki-roots 0.19.0 (git+https://github.com/mesalock-linux/webpki-roots?branch=mesalock_sgx)", "yasna 0.3.1 (git+https://github.com/mesalock-linux/yasna.rs-sgx?rev=sgx_1.1.2)", diff --git a/enclave/Cargo.toml b/enclave/Cargo.toml index bfd1b308a4..b97af1ccc1 100644 --- a/enclave/Cargo.toml +++ b/enclave/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "substratee-worker-enclave" -version = "0.6.4-sub2.0.0-alpha.7" +version = "0.6.5-sub2.0.0-alpha.7" authors = ["Supercomputing Systems AG "] edition = "2018" diff --git a/enclave/Enclave.edl b/enclave/Enclave.edl index d793f194ef..e907602247 100644 --- a/enclave/Enclave.edl +++ b/enclave/Enclave.edl @@ -71,7 +71,7 @@ enclave { public sgx_status_t dump_ra_to_disk(); public sgx_status_t run_key_provisioning_server(int fd,sgx_quote_sign_type_t quote_type); - public sgx_status_t request_key_provisioning(int fd,sgx_quote_sign_type_t quote_type); + public sgx_status_t request_key_provisioning(int fd, sgx_quote_sign_type_t quote_type); public size_t test_main_entrance(); }; diff --git a/enclave/chain_relay/Cargo.toml b/enclave/chain_relay/Cargo.toml index 0a961e4984..33b3a5edb3 100644 --- a/enclave/chain_relay/Cargo.toml +++ b/enclave/chain_relay/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "chain-relay" -version = "0.6.4-sub2.0.0-alpha.7" +version = "0.6.5-sub2.0.0-alpha.7" authors = ["Supercomputing Systems AG "] edition = "2018" 
diff --git a/enclave/src/cert.rs b/enclave/src/cert.rs index afedf7c450..9cccbe7fb5 100644 --- a/enclave/src/cert.rs +++ b/enclave/src/cert.rs @@ -402,10 +402,12 @@ fn verify_attn_report(report_raw: &[u8], pub_k: Vec) -> Result<(), sgx_statu // TODO: lack security check here let sgx_quote: sgx_quote_t = unsafe { ptr::read(quote.as_ptr() as *const _) }; - let ti: sgx_target_info_t = sgx_target_info_t::default(); - - if sgx_quote.report_body.mr_enclave.m != ti.mr_enclave.m { - error!("mr_enclave is not equal to self"); + let ti = crate::attestation::get_mrenclave_of_self().sgx_error()?; + if sgx_quote.report_body.mr_enclave.m != ti.m { + error!( + "mr_enclave is not equal to self {:?} != {:?}", + sgx_quote.report_body.mr_enclave.m, ti.m + ); return Err(sgx_status_t::SGX_ERROR_UNEXPECTED); } diff --git a/enclave/src/tls_ra.rs b/enclave/src/tls_ra.rs index 4019658a2f..f0b9b0799c 100644 --- a/enclave/src/tls_ra.rs +++ b/enclave/src/tls_ra.rs @@ -12,11 +12,8 @@ use rustls::{ClientConfig, ClientSession, ServerConfig, ServerSession, Stream}; use crate::aes; use crate::attestation::{create_ra_report_and_signature, DEV_HOSTNAME}; use crate::cert; -use crate::constants::ENCRYPTED_STATE_FILE; -use crate::io; use crate::rsa3072; use crate::utils::UnwrapOrSgxErrorUnexpected; -use crate::{ocall_read_ipfs, ocall_write_ipfs}; struct ClientAuth { outdated_ok: bool, @@ -37,7 +34,7 @@ impl rustls::ClientCertVerifier for ClientAuth { &self, _certs: &[rustls::Certificate], ) -> Result { - info!("client cert: {:?}", _certs); + debug!("client cert: {:?}", _certs); // This call will automatically verify cert is properly signed match cert::verify_mra_cert(&_certs[0].0) { Ok(()) => Ok(rustls::ClientCertVerified::assertion()), 
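Review bot: The corrected MRENCLAVE comparison in `verify_attn_report` still runs on an `sgx_quote` produced by the unchecked `ptr::read(quote.as_ptr() as *const _)` directly above it, which the surviving `// TODO: lack security check here` already marks as unfinished. No length check on `quote` is visible in this hunk, so a report with a short quote body would apparently be read past the end of the buffer before the new check is reached. Assuming `quote` is a byte buffer, a guard such as `if quote.len() < core::mem::size_of::<sgx_quote_t>() { return Err(sgx_status_t::SGX_ERROR_UNEXPECTED); }` ahead of the read closes that, and `ptr::read_unaligned` avoids depending on the buffer's alignment. The function starts and ends outside the hunk, so an earlier check may exist. The TODO could then be replaced by a comment naming which quote fields are verified, which is only `mr_enclave` in the visible lines.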
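Review bot: The `ClientAuth` verifier indexes `_certs[0]` without checking that the presented chain is non-empty, and the `ServerAuth` hunk at `@@ -76,7 +73,7 @@` has the same pattern. Unless the TLS library guarantees at least one certificate at this point (not visible here), an empty chain panics inside the enclave instead of being rejected as a handshake error. Taking the first element fallibly avoids that: `let cert = _certs.first().ok_or(rustls::TLSError::NoCertificatesPresented)?;` followed by `cert::verify_mra_cert(&cert.0)`. As a style point, the parameter is used, so the leading underscore in `_certs` is misleading. Both method bodies start and end outside their hunks.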
@@ -76,7 +73,7 @@ impl rustls::ServerCertVerifier for ServerAuth { _hostname: webpki::DNSNameRef, _ocsp: &[u8], ) -> Result { - info!("server cert: {:?}", _certs); + debug!("server cert: {:?}", _certs); // This call will automatically verify cert is properly signed match cert::verify_mra_cert(&_certs[0].0) { Ok(()) => Ok(rustls::ServerCertVerified::assertion()), @@ -117,13 +114,13 @@ pub unsafe extern "C" fn run_key_provisioning_server( let mut tls = rustls::Stream::new(&mut sess, &mut conn); println!(" [Enclave] (MU-RA-Server) MU-RA successful sending keys"); - let (rsa_pair, aes, enc_state) = match read_files_to_send() { - Ok((r, a, s)) => (r, a, s), + let (rsa_pair, aes) = match read_files_to_send() { + Ok((r, a)) => (r, a), Err(e) => return e, }; - match send_files(&mut tls, &rsa_pair, &aes, &enc_state) { - Ok(_) => println!(" [Enclave] (MU-RA-Server) Registration procedure successful!\n"), + match send_files(&mut tls, &rsa_pair, &aes) { + Ok(_) => println!(" [Enclave] (MU-RA-Server) Successfully provisioned keys!\n"), Err(e) => return e, } 
@@ -151,61 +148,27 @@ fn tls_server_config(sign_type: sgx_quote_sign_type_t) -> SgxResult SgxResult<(Vec, aes::Aes, Vec)> { +fn read_files_to_send() -> SgxResult<(Vec, aes::Aes)> { let shielding_key = rsa3072::unseal_pair().sgx_error()?; let aes = aes::read_sealed().sgx_error()?; let rsa_pair = serde_json::to_string(&shielding_key).sgx_error()?; - let enc_state = io::read(ENCRYPTED_STATE_FILE).sgx_error()?; let rsa_len = rsa_pair.as_bytes().len(); info!(" [Enclave] Read Shielding Key: {:?}", rsa_len); info!(" [Enclave] Read AES key {:?}\nIV: {:?}\n", aes.0, aes.1); - Ok((rsa_pair.as_bytes().to_vec(), aes, enc_state)) + Ok((rsa_pair.as_bytes().to_vec(), aes)) } fn send_files( tls: &mut Stream, rsa_pair: &[u8], aes: &(Vec, Vec), - enc_state: &[u8], ) -> SgxResult<()> { tls.write(&rsa_pair.len().to_le_bytes()).sgx_error()?; tls.write(&rsa_pair).sgx_error()?; tls.write(&aes.0[..]).sgx_error()?; tls.write(&aes.1[..]).sgx_error()?; - - println!( - " [Enclave] (MU-RA-Server) Keys sent, writing state to IPFS (= file hosting service)" - ); - info!(" [Enclave] (MU-RA-Server) Sending encrypted state length"); - - tls.write(&enc_state.len().to_le_bytes()).sgx_error()?; - if enc_state.is_empty() { - println!( - " [Enclave] (MU-RA-Server) No state has been written yet. Nothing to write to ipfs." - ); - println!(" [Enclave] (MU-RA-Server) Registration procedure successful!\n"); - return Ok(()); - } - let mut rt: sgx_status_t = sgx_status_t::SGX_ERROR_UNEXPECTED; - let mut cid_buf: [u8; 46] = [0; 46]; - let res = unsafe { - ocall_write_ipfs( - &mut rt as *mut sgx_status_t, - enc_state.as_ptr() as *const u8, - enc_state.len() as u32, - cid_buf.as_mut_ptr() as *mut u8, - cid_buf.len() as u32, - ) - }; - - if res == sgx_status_t::SGX_ERROR_UNEXPECTED || rt == sgx_status_t::SGX_ERROR_UNEXPECTED { - return Err(sgx_status_t::SGX_ERROR_UNEXPECTED); - } - - println!(" [Enclave] (MU-RA-Server) Write to IPFS successful, sending storage hash"); - tls.write(&cid_buf).sgx_error()?; Ok(()) } 
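Review bot: `read_files_to_send` still logs the raw AES key and IV with `info!(" [Enclave] Read AES key {:?}\nIV: {:?}\n", aes.0, aes.1);`, so the secret this handshake is meant to protect is handed to the logger on every provisioning run. Logging only the sizes keeps the diagnostic without the key material, e.g. `info!(" [Enclave] Read AES key ({} bytes), IV ({} bytes)", aes.0.len(), aes.1.len());`. Separately, `send_files` calls `tls.write(..)`, which may accept fewer bytes than it was given. Using `tls.write_all(..)` for each of the four writes turns a short write into an error instead of a truncated key on the receiving enclave.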
@@ -276,49 +239,7 @@ fn receive_files(tls: &mut Stream) -> SgxResult<()> { aes::seal(aes_key, aes_iv)?; - println!(" [Enclave] (MU-RA-Client) Received and stored keys, waiting for storage hash..."); - - let mut state_len_arr = [0u8; 8]; - let state_len = tls - .read(&mut state_len_arr) - .map(|_| usize::from_le_bytes(state_len_arr)) - .sgx_error_with_log("Error receiving state length")?; - - if state_len == 0 { - println!(" [Enclave] (MU-RA-Client) No state has been written yet, nothing to fetch from IPFS"); - println!(" [Enclave] (MU-RA-Client) Registration Procedure successful!\n"); - return Ok(()); - } - - let mut cid = [0u8; 46]; - tls.read(&mut cid) - .map(|_| { - info!( - " [Enclave] (MU-RA-Client) Received ipfs CID: {:?}", - &cid[..] - ) - }) - .sgx_error_with_log(" [Enclave] (MU-RA-Client) Error receiving ipfs CID")?; - - println!(" [Enclave] (MU-RA-Client) Received IPFS storage hash, reading from IPFS..."); - - let mut enc_state = vec![0u8; state_len]; - let mut rt: sgx_status_t = sgx_status_t::SGX_ERROR_UNEXPECTED; - let _res = unsafe { - ocall_read_ipfs( - &mut rt as *mut sgx_status_t, - enc_state.as_mut_ptr(), - enc_state.len() as u32, - cid.as_ptr(), - cid.len() as u32, - ) - }; - println!( - " [Enclave] (MU-RA-Client) Got encrypted state from ipfs: {:?}\n", - enc_state - ); - io::write(&enc_state, ENCRYPTED_STATE_FILE)?; - println!(" [Enclave] (MU-RA-Client) Successfully read state from IPFS"); + println!(" [Enclave] (MU-RA-Client) Successfully received keys."); Ok(()) } diff --git a/stf/Cargo.toml b/stf/Cargo.toml index 31aac7c9d2..9c64711c29 100644 --- a/stf/Cargo.toml +++ b/stf/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "substratee-stf" -version = "0.6.4-sub2.0.0-alpha.7" +version = "0.6.5-sub2.0.0-alpha.7" authors = ["Supercomputing Systems AG "] edition = "2018" diff --git a/substratee-node-primitives/Cargo.toml b/substratee-node-primitives/Cargo.toml index 77839e51fc..046f5601cb 100644 --- a/substratee-node-primitives/Cargo.toml 
+++ b/substratee-node-primitives/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "substratee-node-primitives" -version = "0.6.4-sub2.0.0-alpha.7" +version = "0.6.5-sub2.0.0-alpha.7" authors = ["clangenbacher "] edition = "2018" diff --git a/substratee-node-primitives/src/lib.rs b/substratee-node-primitives/src/lib.rs index ba3584b72f..59a294be47 100644 --- a/substratee-node-primitives/src/lib.rs +++ b/substratee-node-primitives/src/lib.rs @@ -43,11 +43,12 @@ pub mod calls { pub fn get_worker_for_shard( api: &substrate_api_client::Api

, shard: &ShardIdentifier, - ) -> Option + ) -> Option>> where MultiSignature: From, { api.get_storage_map("SubstrateeRegistry", "WorkerForShard", shard, None) + .and_then(|w| get_worker_info(&api, w)) } pub fn get_worker_amount(api: &substrate_api_client::Api

) -> Option @@ -57,6 +58,22 @@ pub mod calls { api.get_storage_value("SubstrateeRegistry", "EnclaveCount", None) } + pub fn get_first_worker_that_is_not_equal_to_self( + api: &substrate_api_client::Api

, + self_account: &AccountId, + ) -> Option>> + where + MultiSignature: From, + { + for n in 0..api.get_storage_value("SubstrateeRegistry", "EnclaveCount", None)? { + let worker = get_worker_info(api, n)?; + if &worker.pubkey != self_account { + return Some(worker); + } + } + None + } + pub fn get_latest_state( api: &substrate_api_client::Api

, shard: &ShardIdentifier, diff --git a/worker/Cargo.toml b/worker/Cargo.toml index 546dea79c9..70ef8295ba 100644 --- a/worker/Cargo.toml +++ b/worker/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "substratee-worker" -version = "0.6.4-sub2.0.0-alpha.7" +version = "0.6.5-sub2.0.0-alpha.7" authors = ["Supercomputing Systems AG "] build = "build.rs" edition = "2018" diff --git a/worker/src/cli.yml b/worker/src/cli.yml index c9f23be39e..5bd8940507 100644 --- a/worker/src/cli.yml +++ b/worker/src/cli.yml @@ -90,6 +90,10 @@ subcommands: help: Run integration tests takes_value: false - provisioning-server: + long: provisioning-server help: Run TEE server for MU-RA key provisioning + takes_value: false - provisioning-client: + long: provisioning-client help: Run TEE client for MU-RA key provisioning + takes_value: false diff --git a/worker/src/enclave/tls_ra.rs b/worker/src/enclave/tls_ra.rs index 0fecf1b6bd..181042e5f3 100644 --- a/worker/src/enclave/tls_ra.rs +++ b/worker/src/enclave/tls_ra.rs @@ -76,6 +76,7 @@ pub fn enclave_request_key_provisioning( info!("[MU-RA-Client] Requesting key provisioning from {}", addr); let socket = TcpStream::connect(addr).unwrap(); let mut status = sgx_status_t::SGX_SUCCESS; + let result = unsafe { request_key_provisioning(eid, &mut status, socket.as_raw_fd(), sign_type) }; if status != sgx_status_t::SGX_SUCCESS { diff --git a/worker/src/main.rs b/worker/src/main.rs index 3f6bf7529c..cdd5336568 100644 --- a/worker/src/main.rs +++ b/worker/src/main.rs @@ -18,6 +18,7 @@ use std::fs::{self, File}; use std::io::stdin; use std::io::Write; use std::path::Path; +use std::slice; use std::str; use std::sync::mpsc::{channel, Sender}; use std::thread; 
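Review bot: In `get_first_worker_that_is_not_equal_to_self`, `get_worker_info(api, n)?` returns `None` from the whole function as soon as one index has no entry. A single gap in the registry therefore hides every later worker, as would an index base that does not start at 0 (which cannot be confirmed from this hunk). The caller in `worker/src/main.rs` treats `None` as "there are no other workers" and skips key provisioning, so the failure is silent. Skipping missing entries keeps the search going: `(0..count).filter_map(|n| get_worker_info(api, n)).find(|w| &w.pubkey != self_account)`, with `count` read once from `EnclaveCount`. A doc comment stating the index range the registry uses would make the loop bounds checkable.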
@@ -47,8 +48,7 @@ use enclave::api::{ }; use enclave::tls_ra::{enclave_request_key_provisioning, enclave_run_key_provisioning_server}; use sp_finality_grandpa::{AuthorityList, VersionedAuthorityList, GRANDPA_AUTHORITIES_KEY}; -use std::slice; -use substratee_node_primitives::calls::{get_worker_for_shard, get_worker_info}; +use substratee_node_primitives::calls::get_first_worker_that_is_not_equal_to_self; use substratee_worker_api::Api as WorkerApi; use ws_server::start_ws_server; @@ -186,7 +186,7 @@ fn main() { println!("[+] Done!"); enclave.destroy(); } else if _matches.is_present("provisioning-client") { - println!("*** Running Enclave MU-RA TLS server\n"); + println!("*** Running Enclave MU-RA TLS client\n"); let enclave = enclave_init().unwrap(); enclave_request_key_provisioning( enclave.geteid(), @@ -209,6 +209,7 @@ fn worker(node_url: &str, w_ip: &str, w_port: &str, mu_ra_port: &str, shard: &Sh // ------------------------------------------------------------------------ // check for required files check_files(); + ensure_shard_initialized(shard); // ------------------------------------------------------------------------ // initialize the enclave #[cfg(feature = "production")] @@ -251,7 +252,6 @@ fn worker(node_url: &str, w_ip: &str, w_port: &str, mu_ra_port: &str, shard: &Sh info!("Enclave nonce = {:?}", nonce); let uxt = enclave_perform_ra(eid, genesis_hash, nonce, w_url.as_bytes().to_vec()).unwrap(); - let mut latest_head = init_chain_relay(eid, &api); let ue = UncheckedExtrinsic::decode(&mut uxt.as_slice()).unwrap(); let mut _xthex = hex::encode(ue.encode()); 
@@ -263,37 +263,29 @@ fn worker(node_url: &str, w_ip: &str, w_port: &str, mu_ra_port: &str, shard: &Sh println!("[<] Extrinsic got finalized. Hash: {:?}\n", tx_hash); // browse enclave registry - match get_worker_for_shard(&api, shard) { + match get_first_worker_that_is_not_equal_to_self(&api, &tee_accountid) { Some(w) => { - let master_worker = get_worker_info(&api, w).unwrap(); - if master_worker.pubkey == tee_accountid { - info!("the most recently active worker is myself"); - ensure_shard_initialized(shard); - } else { - let _url = String::from_utf8_lossy(&master_worker.url[..]).to_string(); - let _w_api = WorkerApi::new(_url.clone()); - let _url_split: Vec<_> = _url.split(':').collect(); - let mura_url = format!("{}:{}", _url_split[0], _w_api.get_mu_ra_port().unwrap()); - - info!("Requesting key provisioning from worker at {}", mura_url); - enclave_request_key_provisioning( - eid, - sgx_quote_sign_type_t::SGX_UNLINKABLE_SIGNATURE, - &mura_url, - ) - .unwrap(); - debug!("key provisioning successfully performed"); - } + let _url = String::from_utf8_lossy(&w.url[..]).to_string(); + let _w_api = WorkerApi::new(_url.clone()); + let _url_split: Vec<_> = _url.split(':').collect(); + let mura_url = format!("{}:{}", _url_split[0], _w_api.get_mu_ra_port().unwrap()); + + info!("Requesting key provisioning from worker at {}", mura_url); + enclave_request_key_provisioning( + eid, + sgx_quote_sign_type_t::SGX_UNLINKABLE_SIGNATURE, + &mura_url, + ) + .unwrap(); + debug!("key provisioning successfully performed"); } None => { - info!( - "no worker has ever published a state update for shard {}", - shard.encode().to_base58() - ); - ensure_shard_initialized(shard); + info!("there are no other workers"); } } + let mut latest_head = init_chain_relay(eid, &api); + // ------------------------------------------------------------------------ // subscribe to events and react on firing println!("*** Subscribing to events"); 
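Review bot: The provisioning peer is now whichever non-self entry comes first in the on-chain registry, and both `_w_api.get_mu_ra_port().unwrap()` and `enclave_request_key_provisioning(..).unwrap()` panic if that peer cannot be reached. A single stale or unreachable registration therefore stops every newly started worker at this point. Handling both results explicitly, by logging the failing `mura_url` and then either trying the next registered worker or exiting with a clear error, would make the failure diagnosable. It is worth recording the trust assumption next to the call, e.g. `// Registry URL is untrusted input; the peer is only trusted once MU-RA succeeds inside the enclave.` The used locals `_url`, `_w_api` and `_url_split` should also lose their underscore prefix. The body of `worker` starts and ends outside this hunk.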
diff --git a/worker/worker-api/Cargo.toml b/worker/worker-api/Cargo.toml index 80ad3c4386..48195f0041 100644 --- a/worker/worker-api/Cargo.toml +++ b/worker/worker-api/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "substratee-worker-api" -version = "0.6.4-sub2.0.0-alpha.7" +version = "0.6.5-sub2.0.0-alpha.7" authors = ["Supercomputing Systems AG "] edition = "2018"