Skip to content

flashbots/gramine-andromeda-revm

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

54 Commits

data

data

 
 

src

src

 
 

.gitignore

.gitignore

 
 

Cargo.lock

Cargo.lock

 
 

Cargo.toml

Cargo.toml

 
 

Dockerfile

Dockerfile

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

binaries.Dockerfile

binaries.Dockerfile

 
 

server.py

server.py

 
 

sgx-revm.manifest.template

sgx-revm.manifest.template

 
 

Repository files navigation

Warning

This repository is a work in progress, and for now only functions as a showcase. This code is not intended to secure any valuable information.

Andromeda MEVM in Gramine

This is a gramine environment for running Andromeda REVM in a TEE.

The TEE service (gramine-sirrah) uses stdin and stdout for passing data in and out of the REVM, which currently supports two commands:

  • advance [height], which advances the suave chain to requested height (or to latest if no height provided)
  • execute tx_data, which executes the requested data. For data format see Andromeda REVM.

The TEE service is stateless, so make sure that you have suave-geth running. TEE will connect to http://localhost:8545 by default, which you can override by passing --rpc flag. The RPC is used for fetching chain data along with their proofs.

We also provide a simple http and tpc server for handling requests to and from the TEE service, for example usage see andromeda-sirrah-contracts.

Current measurement

mr_signer: f0365ce7081fda379914c703fe08648db1cce3747e8c10f74ff742926399f15a
mr_enclave: a9956056f8f39fffbe148eeb0285be7dc8a9034fd393d5f62a7b058c6ad5e82b

Run locally

The Andromeda revm-andromeda relies on gramine features for the precompiles, specifically /dev/attestation/quote and /dev/urandom/.
Running outside of an enclave, we can still simulate this. For example /dev/urandom works anyway. The other Andromeda precompiles, volatile{Get/Set} are directly managed in-memory by suave-andromeda-revm.

cargo build
cargo run

Replicate build using Docker (no SGX Required)

To build and print the MRENCLAVE:

docker build --tag gramine-andromeda-revm .
docker run --rm gramine-andromeda-revm

Extract reproducible binaries built using docker

docker build --output=. -f=binaries.Dockerfile .

Alternatively, run make docker-binaries which does the same. Note that the binaries will be pulled from dockerhub as opposed to local image. This ensures the MRSIGNER is matching.

The above will output sgx-revm.sig, sgx-revm.manifest, sgx-revm.manifest.sgx into the main directory, and gramine-sirrah into target/release directory. Continue as if you just ran SGX=1 make all. Since we are outputing the binaries, you might encounter errors if you are not using the same OS as the docker target (ubuntu 22.04).

For now we are still checking the mr_signer, if you want to connect to one of the predeployed Andromeda contracts without configuring your mr_signer you can pull binaries from ruteri/gramine-andromeda-revm:latest.

How to replicate the execution on an SGX-enabled environment (still using Docker)

docker run -it --device /dev/sgx_enclave \
       -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket \
       gramine-andromeda-revm "gramine-sgx ./sgx-revm"

License

The code in this project is free software under the MIT license.

About

No description, website, or topics provided.

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

3 stars

Watchers

12 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages