fix mutual-remote-attestatoin

Cargo.lock

@@ -3771,7 +3771,7 @@ checksum = "d2a965994514ab35d3893e9260245f2947fd1981cdd4fffd2c6e6d1a9ce02e6a"
 
 [[package]]
 name = "substratee-client"
-version = "0.6.4-sub2.0.0-alpha.7"
+version = "0.6.5-sub2.0.0-alpha.7"
 dependencies = [
  "base58",
  "blake2-rfc",
@@ -3803,7 +3803,7 @@ dependencies = [
 
 [[package]]
 name = "substratee-node-primitives"
-version = "0.6.4-sub2.0.0-alpha.7"
+version = "0.6.5-sub2.0.0-alpha.7"
 dependencies = [
  "base58",
  "log 0.4.8 (registry+https://github.com/rust-lang/crates.io-index)",
@@ -3851,7 +3851,7 @@ dependencies = [
 
 [[package]]
 name = "substratee-stf"
-version = "0.6.4-sub2.0.0-alpha.7"
+version = "0.6.5-sub2.0.0-alpha.7"
 dependencies = [
  "base58",
  "clap",
@@ -3876,7 +3876,7 @@ dependencies = [
 
 [[package]]
 name = "substratee-worker"
-version = "0.6.4-sub2.0.0-alpha.7"
+version = "0.6.5-sub2.0.0-alpha.7"
 dependencies = [
  "base58",
  "cid",
@@ -3915,7 +3915,7 @@ dependencies = [
 
 [[package]]
 name = "substratee-worker-api"
-version = "0.6.4-sub2.0.0-alpha.7"
+version = "0.6.5-sub2.0.0-alpha.7"
 dependencies = [
  "hex 0.4.2",
  "log 0.4.8 (registry+https://github.com/rust-lang/crates.io-index)",

client/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "substratee-client"
-version = "0.6.4-sub2.0.0-alpha.7"
+version = "0.6.5-sub2.0.0-alpha.7"
 authors = ["Supercomputing Systems AG <[email protected]>"]
 edition = "2018"
 

enclave/Cargo.lock

@@ -172,7 +172,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 
 [[package]]
 name = "chain-relay"
-version = "0.6.4-sub2.0.0-alpha.7"
+version = "0.6.5-sub2.0.0-alpha.7"
 dependencies = [
  "derive_more 0.99.5 (registry+https://github.com/rust-lang/crates.io-index)",
  "finality-grandpa 0.11.2 (registry+https://github.com/rust-lang/crates.io-index)",
@@ -2068,7 +2068,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 
 [[package]]
 name = "substratee-node-primitives"
-version = "0.6.4-sub2.0.0-alpha.7"
+version = "0.6.5-sub2.0.0-alpha.7"
 dependencies = [
  "parity-scale-codec 1.3.0 (registry+https://github.com/rust-lang/crates.io-index)",
  "primitive-types 0.6.2 (registry+https://github.com/rust-lang/crates.io-index)",
@@ -2078,7 +2078,7 @@ dependencies = [
 
 [[package]]
 name = "substratee-stf"
-version = "0.6.4-sub2.0.0-alpha.7"
+version = "0.6.5-sub2.0.0-alpha.7"
 dependencies = [
  "derive_more 0.99.5 (registry+https://github.com/rust-lang/crates.io-index)",
  "env_logger 0.7.1 (git+https://github.com/mesalock-linux/env_logger-sgx)",
@@ -2097,12 +2097,12 @@ dependencies = [
 
 [[package]]
 name = "substratee-worker-enclave"
-version = "0.6.4-sub2.0.0-alpha.7"
+version = "0.6.5-sub2.0.0-alpha.7"
 dependencies = [
  "aes 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)",
  "base64 0.10.1 (git+https://github.com/mesalock-linux/rust-base64-sgx)",
  "bit-vec 0.6.2 (registry+https://github.com/rust-lang/crates.io-index)",
- "chain-relay 0.6.4-sub2.0.0-alpha.7",
+ "chain-relay 0.6.5-sub2.0.0-alpha.7",
  "chrono 0.4.11 (git+https://github.com/mesalock-linux/chrono-sgx)",
  "env_logger 0.7.1 (git+https://github.com/mesalock-linux/env_logger-sgx)",
  "httparse 1.3.4 (registry+https://github.com/rust-lang/crates.io-index)",
@@ -2136,8 +2136,8 @@ dependencies = [
  "sp-runtime 2.0.0-alpha.7 (registry+https://github.com/rust-lang/crates.io-index)",
  "sp-std 2.0.0-alpha.7 (registry+https://github.com/rust-lang/crates.io-index)",
  "substrate-api-client 0.4.6-sub2.0.0-alpha.7 (git+https://github.com/scs/substrate-api-client?tag=v0.4.6-sub2.0.0-alpha.7)",
- "substratee-node-primitives 0.6.4-sub2.0.0-alpha.7",
- "substratee-stf 0.6.4-sub2.0.0-alpha.7",
+ "substratee-node-primitives 0.6.5-sub2.0.0-alpha.7",
+ "substratee-stf 0.6.5-sub2.0.0-alpha.7",
  "webpki 0.21.2 (git+https://github.com/mesalock-linux/webpki?branch=mesalock_sgx)",
  "webpki-roots 0.19.0 (git+https://github.com/mesalock-linux/webpki-roots?branch=mesalock_sgx)",
  "yasna 0.3.1 (git+https://github.com/mesalock-linux/yasna.rs-sgx?rev=sgx_1.1.2)",

enclave/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "substratee-worker-enclave"
-version = "0.6.4-sub2.0.0-alpha.7"
+version = "0.6.5-sub2.0.0-alpha.7"
 authors = ["Supercomputing Systems AG <[email protected]>"]
 edition = "2018"
 

enclave/Enclave.edl

@@ -71,7 +71,7 @@ enclave {
 		public sgx_status_t dump_ra_to_disk();
 
 		public sgx_status_t run_key_provisioning_server(int fd,sgx_quote_sign_type_t quote_type);
-        public sgx_status_t request_key_provisioning(int fd,sgx_quote_sign_type_t quote_type);
+        public sgx_status_t request_key_provisioning(int fd, sgx_quote_sign_type_t quote_type);
 
 		public size_t test_main_entrance();
 	};

enclave/chain_relay/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "chain-relay"
-version = "0.6.4-sub2.0.0-alpha.7"
+version = "0.6.5-sub2.0.0-alpha.7"
 authors = ["Supercomputing Systems AG <[email protected]>"]
 edition = "2018"
 

enclave/src/cert.rs

@@ -402,10 +402,12 @@ fn verify_attn_report(report_raw: &[u8], pub_k: Vec<u8>) -> Result<(), sgx_statu
         // TODO: lack security check here
         let sgx_quote: sgx_quote_t = unsafe { ptr::read(quote.as_ptr() as *const _) };
 
-        let ti: sgx_target_info_t = sgx_target_info_t::default();
-
-        if sgx_quote.report_body.mr_enclave.m != ti.mr_enclave.m {
-            error!("mr_enclave is not equal to self");
+        let ti = crate::attestation::get_mrenclave_of_self().sgx_error()?;
+        if sgx_quote.report_body.mr_enclave.m != ti.m {
+            error!(
+                "mr_enclave is not equal to self {:?} != {:?}",
+                sgx_quote.report_body.mr_enclave.m, ti.m
+            );
             return Err(sgx_status_t::SGX_ERROR_UNEXPECTED);
         }
 

enclave/src/tls_ra.rs

@@ -12,11 +12,8 @@ use rustls::{ClientConfig, ClientSession, ServerConfig, ServerSession, Stream};
 use crate::aes;
 use crate::attestation::{create_ra_report_and_signature, DEV_HOSTNAME};
 use crate::cert;
-use crate::constants::ENCRYPTED_STATE_FILE;
-use crate::io;
 use crate::rsa3072;
 use crate::utils::UnwrapOrSgxErrorUnexpected;
-use crate::{ocall_read_ipfs, ocall_write_ipfs};
 
 struct ClientAuth {
     outdated_ok: bool,
@@ -37,7 +34,7 @@ impl rustls::ClientCertVerifier for ClientAuth {
         &self,
         _certs: &[rustls::Certificate],
     ) -> Result<rustls::ClientCertVerified, rustls::TLSError> {
-        info!("client cert: {:?}", _certs);
+        debug!("client cert: {:?}", _certs);
         // This call will automatically verify cert is properly signed
         match cert::verify_mra_cert(&_certs[0].0) {
             Ok(()) => Ok(rustls::ClientCertVerified::assertion()),
@@ -76,7 +73,7 @@ impl rustls::ServerCertVerifier for ServerAuth {
         _hostname: webpki::DNSNameRef,
         _ocsp: &[u8],
     ) -> Result<rustls::ServerCertVerified, rustls::TLSError> {
-        info!("server cert: {:?}", _certs);
+        debug!("server cert: {:?}", _certs);
         // This call will automatically verify cert is properly signed
         match cert::verify_mra_cert(&_certs[0].0) {
             Ok(()) => Ok(rustls::ServerCertVerified::assertion()),
@@ -117,13 +114,13 @@ pub unsafe extern "C" fn run_key_provisioning_server(
     let mut tls = rustls::Stream::new(&mut sess, &mut conn);
     println!("    [Enclave] (MU-RA-Server) MU-RA successful sending keys");
 
-    let (rsa_pair, aes, enc_state) = match read_files_to_send() {
-        Ok((r, a, s)) => (r, a, s),
+    let (rsa_pair, aes) = match read_files_to_send() {
+        Ok((r, a)) => (r, a),
         Err(e) => return e,
     };
 
-    match send_files(&mut tls, &rsa_pair, &aes, &enc_state) {
-        Ok(_) => println!("    [Enclave] (MU-RA-Server) Registration procedure successful!\n"),
+    match send_files(&mut tls, &rsa_pair, &aes) {
+        Ok(_) => println!("    [Enclave] (MU-RA-Server) Successfully provisioned keys!\n"),
         Err(e) => return e,
     }
 
@@ -151,61 +148,27 @@ fn tls_server_config(sign_type: sgx_quote_sign_type_t) -> SgxResult<ServerConfig
     Ok(cfg)
 }
 
-fn read_files_to_send() -> SgxResult<(Vec<u8>, aes::Aes, Vec<u8>)> {
+fn read_files_to_send() -> SgxResult<(Vec<u8>, aes::Aes)> {
     let shielding_key = rsa3072::unseal_pair().sgx_error()?;
     let aes = aes::read_sealed().sgx_error()?;
     let rsa_pair = serde_json::to_string(&shielding_key).sgx_error()?;
-    let enc_state = io::read(ENCRYPTED_STATE_FILE).sgx_error()?;
 
     let rsa_len = rsa_pair.as_bytes().len();
     info!("    [Enclave] Read Shielding Key: {:?}", rsa_len);
     info!("    [Enclave] Read AES key {:?}\nIV: {:?}\n", aes.0, aes.1);
 
-    Ok((rsa_pair.as_bytes().to_vec(), aes, enc_state))
+    Ok((rsa_pair.as_bytes().to_vec(), aes))
 }
 
 fn send_files(
     tls: &mut Stream<ServerSession, TcpStream>,
     rsa_pair: &[u8],
     aes: &(Vec<u8>, Vec<u8>),
-    enc_state: &[u8],
 ) -> SgxResult<()> {
     tls.write(&rsa_pair.len().to_le_bytes()).sgx_error()?;
     tls.write(&rsa_pair).sgx_error()?;
     tls.write(&aes.0[..]).sgx_error()?;
     tls.write(&aes.1[..]).sgx_error()?;
-
-    println!(
-        "    [Enclave] (MU-RA-Server) Keys sent, writing state to IPFS (= file hosting service)"
-    );
-    info!("    [Enclave] (MU-RA-Server) Sending encrypted state length");
-
-    tls.write(&enc_state.len().to_le_bytes()).sgx_error()?;
-    if enc_state.is_empty() {
-        println!(
-            "    [Enclave] (MU-RA-Server) No state has been written yet. Nothing to write to ipfs."
-        );
-        println!("    [Enclave] (MU-RA-Server) Registration procedure successful!\n");
-        return Ok(());
-    }
-    let mut rt: sgx_status_t = sgx_status_t::SGX_ERROR_UNEXPECTED;
-    let mut cid_buf: [u8; 46] = [0; 46];
-    let res = unsafe {
-        ocall_write_ipfs(
-            &mut rt as *mut sgx_status_t,
-            enc_state.as_ptr() as *const u8,
-            enc_state.len() as u32,
-            cid_buf.as_mut_ptr() as *mut u8,
-            cid_buf.len() as u32,
-        )
-    };
-
-    if res == sgx_status_t::SGX_ERROR_UNEXPECTED || rt == sgx_status_t::SGX_ERROR_UNEXPECTED {
-        return Err(sgx_status_t::SGX_ERROR_UNEXPECTED);
-    }
-
-    println!("    [Enclave] (MU-RA-Server) Write to IPFS successful, sending storage hash");
-    tls.write(&cid_buf).sgx_error()?;
     Ok(())
 }
 
@@ -276,49 +239,7 @@ fn receive_files(tls: &mut Stream<ClientSession, TcpStream>) -> SgxResult<()> {
 
     aes::seal(aes_key, aes_iv)?;
 
-    println!("    [Enclave] (MU-RA-Client) Received and stored keys, waiting for storage hash...");
-
-    let mut state_len_arr = [0u8; 8];
-    let state_len = tls
-        .read(&mut state_len_arr)
-        .map(|_| usize::from_le_bytes(state_len_arr))
-        .sgx_error_with_log("Error receiving state length")?;
-
-    if state_len == 0 {
-        println!("    [Enclave] (MU-RA-Client) No state has been written yet, nothing to fetch from IPFS");
-        println!("    [Enclave] (MU-RA-Client) Registration Procedure successful!\n");
-        return Ok(());
-    }
-
-    let mut cid = [0u8; 46];
-    tls.read(&mut cid)
-        .map(|_| {
-            info!(
-                "    [Enclave] (MU-RA-Client) Received ipfs CID: {:?}",
-                &cid[..]
-            )
-        })
-        .sgx_error_with_log("    [Enclave] (MU-RA-Client) Error receiving ipfs CID")?;
-
-    println!("    [Enclave] (MU-RA-Client) Received IPFS storage hash, reading from IPFS...");
-
-    let mut enc_state = vec![0u8; state_len];
-    let mut rt: sgx_status_t = sgx_status_t::SGX_ERROR_UNEXPECTED;
-    let _res = unsafe {
-        ocall_read_ipfs(
-            &mut rt as *mut sgx_status_t,
-            enc_state.as_mut_ptr(),
-            enc_state.len() as u32,
-            cid.as_ptr(),
-            cid.len() as u32,
-        )
-    };
-    println!(
-        "    [Enclave] (MU-RA-Client) Got encrypted state from ipfs: {:?}\n",
-        enc_state
-    );
-    io::write(&enc_state, ENCRYPTED_STATE_FILE)?;
-    println!("    [Enclave] (MU-RA-Client) Successfully read state from IPFS");
+    println!("    [Enclave] (MU-RA-Client) Successfully received keys.");
 
     Ok(())
 }

stf/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "substratee-stf"
-version = "0.6.4-sub2.0.0-alpha.7"
+version = "0.6.5-sub2.0.0-alpha.7"
 authors = ["Supercomputing Systems AG <[email protected]>"]
 edition = "2018"
 

substratee-node-primitives/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "substratee-node-primitives"
-version = "0.6.4-sub2.0.0-alpha.7"
+version = "0.6.5-sub2.0.0-alpha.7"
 authors = ["clangenbacher <[email protected]>"]
 edition = "2018"
 

substratee-node-primitives/src/lib.rs

@@ -43,11 +43,12 @@ pub mod calls {
     pub fn get_worker_for_shard<P: Pair>(
         api: &substrate_api_client::Api<P>,
         shard: &ShardIdentifier,
-    ) -> Option<u64>
+    ) -> Option<Enclave<AccountId, Vec<u8>>>
     where
         MultiSignature: From<P::Signature>,
     {
         api.get_storage_map("SubstrateeRegistry", "WorkerForShard", shard, None)
+            .and_then(|w| get_worker_info(&api, w))
     }
 
     pub fn get_worker_amount<P: Pair>(api: &substrate_api_client::Api<P>) -> Option<u64>
@@ -57,6 +58,22 @@ pub mod calls {
         api.get_storage_value("SubstrateeRegistry", "EnclaveCount", None)
     }
 
+    pub fn get_first_worker_that_is_not_equal_to_self<P: Pair>(
+        api: &substrate_api_client::Api<P>,
+        self_account: &AccountId,
+    ) -> Option<Enclave<AccountId, Vec<u8>>>
+    where
+        MultiSignature: From<P::Signature>,
+    {
+        for n in 0..api.get_storage_value("SubstrateeRegistry", "EnclaveCount", None)? {
+            let worker = get_worker_info(api, n)?;
+            if &worker.pubkey != self_account {
+                return Some(worker);
+            }
+        }
+        None
+    }
+
     pub fn get_latest_state<P: Pair>(
         api: &substrate_api_client::Api<P>,
         shard: &ShardIdentifier,

worker/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "substratee-worker"
-version = "0.6.4-sub2.0.0-alpha.7"
+version = "0.6.5-sub2.0.0-alpha.7"
 authors = ["Supercomputing Systems AG <[email protected]>"]
 build = "build.rs"
 edition = "2018"

worker/src/cli.yml

@@ -90,6 +90,10 @@ subcommands:
                     help: Run integration tests
                     takes_value: false
                 - provisioning-server:
+                    long: provisioning-server
                     help: Run TEE server for MU-RA key provisioning
+                    takes_value: false
                 - provisioning-client:
+                    long: provisioning-client
                     help: Run TEE client for MU-RA key provisioning
+                    takes_value: false

worker/src/enclave/tls_ra.rs

@@ -76,6 +76,7 @@ pub fn enclave_request_key_provisioning(
     info!("[MU-RA-Client] Requesting key provisioning from {}", addr);
     let socket = TcpStream::connect(addr).unwrap();
     let mut status = sgx_status_t::SGX_SUCCESS;
+
     let result =
         unsafe { request_key_provisioning(eid, &mut status, socket.as_raw_fd(), sign_type) };
     if status != sgx_status_t::SGX_SUCCESS {