Provisioning scheduled_enclave_sealed.bin file (#2628)

litentry · Apr 8, 2024 · 97368e0 · 97368e0
1 parent 3f51af0
commit 97368e0
Show file tree

Hide file tree

Showing 12 changed files with 171 additions and 14 deletions.
diff --git a/tee-worker/enclave-runtime/Cargo.lock b/tee-worker/enclave-runtime/Cargo.lock
diff --git a/tee-worker/enclave-runtime/Cargo.toml b/tee-worker/enclave-runtime/Cargo.toml
@@ -121,6 +121,7 @@ itp-rpc = { path = "../core-primitives/rpc", default-features = false, features
 itp-settings = { path = "../core-primitives/settings" }
 itp-sgx-crypto = { path = "../core-primitives/sgx/crypto", default-features = false, features = ["sgx"] }
 itp-sgx-externalities = { path = "../core-primitives/substrate-sgx/externalities", default-features = false, features = ["sgx"] }
+itp-sgx-io = { path = "../core-primitives/sgx/io", default-features = false, features = ["sgx"] }
 itp-stf-executor = { path = "../core-primitives/stf-executor", default-features = false, features = ["sgx"] }
 itp-stf-interface = { path = "../core-primitives/stf-interface", default-features = false }
 itp-stf-primitives = { path = "../core-primitives/stf-primitives", default-features = false }

diff --git a/tee-worker/enclave-runtime/src/initialization/global_components.rs b/tee-worker/enclave-runtime/src/initialization/global_components.rs
@@ -92,6 +92,7 @@ use its_sidechain::{
 };
 use lazy_static::lazy_static;
 use lc_data_providers::DataProviderConfig;
+use lc_scheduled_enclave::ScheduledEnclaveSeal as EnclaveScheduledEnclaveSeal;
 use litentry_primitives::BroadcastedRequest;
 use sgx_crypto_helper::rsa3072::Rsa3072KeyPair;
 use sgx_tstd::vec::Vec;
@@ -352,6 +353,7 @@ pub type EnclaveSealHandler = SealHandler<
 	EnclaveStateKeyRepository,
 	EnclaveStateHandler,
 	EnclaveLightClientSeal,
+	EnclaveScheduledEnclaveSeal,
 >;
 pub type EnclaveOffchainWorkerExecutor = itc_offchain_worker_executor::executor::Executor<
 	ParentchainBlock,

diff --git a/tee-worker/enclave-runtime/src/tls_ra/mocks.rs b/tee-worker/enclave-runtime/src/tls_ra/mocks.rs
@@ -29,6 +29,7 @@ pub struct SealHandlerMock {
 	pub state_key: Arc<RwLock<Vec<u8>>>,
 	pub state: Arc<RwLock<Vec<u8>>>,
 	pub light_client_state: Arc<RwLock<Vec<u8>>>,
+	pub scheduled_enclave_state: Arc<RwLock<Vec<u8>>>,
 }
 
 impl SealHandlerMock {
@@ -37,8 +38,9 @@ impl SealHandlerMock {
 		state_key: Arc<RwLock<Vec<u8>>>,
 		state: Arc<RwLock<Vec<u8>>>,
 		light_client_state: Arc<RwLock<Vec<u8>>>,
+		scheduled_enclave_state: Arc<RwLock<Vec<u8>>>,
 	) -> Self {
-		Self { shielding_key, state_key, state, light_client_state }
+		Self { shielding_key, state_key, state, light_client_state, scheduled_enclave_state }
 	}
 }
 
@@ -66,6 +68,11 @@ impl SealStateAndKeys for SealHandlerMock {
 		*self.light_client_state.write().unwrap() = bytes.to_vec();
 		Ok(())
 	}
+
+	fn seal_scheduled_enclave_state(&self, bytes: &[u8]) -> EnclaveResult<()> {
+		*self.scheduled_enclave_state.write().unwrap() = bytes.to_vec();
+		Ok(())
+	}
 }
 
 impl UnsealStateAndKeys for SealHandlerMock {
@@ -84,4 +91,8 @@ impl UnsealStateAndKeys for SealHandlerMock {
 	fn unseal_light_client_state(&self) -> EnclaveResult<Vec<u8>> {
 		Ok(self.light_client_state.read().unwrap().clone())
 	}
+
+	fn unseal_scheduled_enclave_state(&self) -> EnclaveResult<Vec<u8>> {
+		Ok(self.scheduled_enclave_state.read().unwrap().clone())
+	}
 }
diff --git a/tee-worker/enclave-runtime/src/tls_ra/mod.rs b/tee-worker/enclave-runtime/src/tls_ra/mod.rs
@@ -53,6 +53,7 @@ pub enum Opcode {
 	StateKey,
 	State,
 	LightClient,
+	ScheduledEnclave,
 }
 
 impl From<u8> for Opcode {
@@ -62,6 +63,7 @@ impl From<u8> for Opcode {
 			1 => Opcode::StateKey,
 			2 => Opcode::State,
 			3 => Opcode::LightClient,
+			4 => Opcode::ScheduledEnclave,
 			_ => unimplemented!("Unsupported/unknown Opcode for MU-RA exchange"),
 		}
 	}

diff --git a/tee-worker/enclave-runtime/src/tls_ra/seal_handler.rs b/tee-worker/enclave-runtime/src/tls_ra/seal_handler.rs
@@ -27,31 +27,59 @@ use itp_sgx_crypto::{
 	Aes,
 };
 use itp_sgx_externalities::SgxExternalitiesTrait;
+use itp_sgx_io::SealedIO;
 use itp_stf_state_handler::handle_state::HandleState;
 use itp_types::ShardIdentifier;
+use lc_scheduled_enclave::ScheduledEnclaveMap;
 use log::*;
 use sgx_crypto_helper::rsa3072::Rsa3072KeyPair;
 use std::{sync::Arc, vec::Vec};
 
 /// Handles the sealing and unsealing of the shielding key, state key and the state.
 #[derive(Default)]
-pub struct SealHandler<ShieldingKeyRepository, StateKeyRepository, StateHandler, LightClientSeal> {
+pub struct SealHandler<
+	ShieldingKeyRepository,
+	StateKeyRepository,
+	StateHandler,
+	LightClientSeal,
+	ScheduledEnclaveSeal,
+> {
 	state_handler: Arc<StateHandler>,
 	state_key_repository: Arc<StateKeyRepository>,
 	shielding_key_repository: Arc<ShieldingKeyRepository>,
 	light_client_seal: Arc<LightClientSeal>,
+	scheduled_enclave_seal: Arc<ScheduledEnclaveSeal>,
 }
 
-impl<ShieldingKeyRepository, StateKeyRepository, StateHandler, LightClientSeal>
-	SealHandler<ShieldingKeyRepository, StateKeyRepository, StateHandler, LightClientSeal>
+impl<
+		ShieldingKeyRepository,
+		StateKeyRepository,
+		StateHandler,
+		LightClientSeal,
+		ScheduledEnclaveSeal,
+	>
+	SealHandler<
+		ShieldingKeyRepository,
+		StateKeyRepository,
+		StateHandler,
+		LightClientSeal,
+		ScheduledEnclaveSeal,
+	>
 {
 	pub fn new(
 		state_handler: Arc<StateHandler>,
 		state_key_repository: Arc<StateKeyRepository>,
 		shielding_key_repository: Arc<ShieldingKeyRepository>,
 		light_client_seal: Arc<LightClientSeal>,
+		scheduled_enclave_seal: Arc<ScheduledEnclaveSeal>,
 	) -> Self {
-		Self { state_handler, state_key_repository, shielding_key_repository, light_client_seal }
+		Self {
+			state_handler,
+			state_key_repository,
+			shielding_key_repository,
+			light_client_seal,
+			scheduled_enclave_seal,
+		}
 	}
 }
 
@@ -61,23 +89,37 @@ pub trait SealStateAndKeys {
 	fn seal_state(&self, bytes: &[u8], shard: &ShardIdentifier) -> EnclaveResult<()>;
 	fn seal_new_empty_state(&self, shard: &ShardIdentifier) -> EnclaveResult<()>;
 	fn seal_light_client_state(&self, bytes: &[u8]) -> EnclaveResult<()>;
+	fn seal_scheduled_enclave_state(&self, bytes: &[u8]) -> EnclaveResult<()>;
 }
 
 pub trait UnsealStateAndKeys {
 	fn unseal_shielding_key(&self) -> EnclaveResult<Vec<u8>>;
 	fn unseal_state_key(&self) -> EnclaveResult<Vec<u8>>;
 	fn unseal_state(&self, shard: &ShardIdentifier) -> EnclaveResult<Vec<u8>>;
 	fn unseal_light_client_state(&self) -> EnclaveResult<Vec<u8>>;
+	fn unseal_scheduled_enclave_state(&self) -> EnclaveResult<Vec<u8>>;
 }
 
-impl<ShieldingKeyRepository, StateKeyRepository, StateHandler, LightClientSeal> SealStateAndKeys
-	for SealHandler<ShieldingKeyRepository, StateKeyRepository, StateHandler, LightClientSeal>
-where
+impl<
+		ShieldingKeyRepository,
+		StateKeyRepository,
+		StateHandler,
+		LightClientSeal,
+		ScheduledEnclaveSeal,
+	> SealStateAndKeys
+	for SealHandler<
+		ShieldingKeyRepository,
+		StateKeyRepository,
+		StateHandler,
+		LightClientSeal,
+		ScheduledEnclaveSeal,
+	> where
 	ShieldingKeyRepository: AccessKey<KeyType = Rsa3072KeyPair> + MutateKey<Rsa3072KeyPair>,
 	StateKeyRepository: AccessKey<KeyType = Aes> + MutateKey<Aes>,
 	StateHandler: HandleState<StateT = StfState>,
 	LightClientSeal: LightClientSealing,
 	LightClientSeal::LightClientState: Decode,
+	ScheduledEnclaveSeal: SealedIO<Unsealed = ScheduledEnclaveMap>,
 {
 	fn seal_shielding_key(&self, bytes: &[u8]) -> EnclaveResult<()> {
 		let key: Rsa3072KeyPair = serde_json::from_slice(bytes).map_err(|e| {
@@ -112,6 +154,16 @@ where
 		Ok(())
 	}
 
+	fn seal_scheduled_enclave_state(&self, mut bytes: &[u8]) -> EnclaveResult<()> {
+		let state: <ScheduledEnclaveSeal as SealedIO>::Unsealed = Decode::decode(&mut bytes)?;
+		self.scheduled_enclave_seal.seal(&state).map_err(|e| {
+			error!("    [Enclave] Failed to seal scheduled enclave: {:?}", e);
+			EnclaveError::Other(format!("{:?}", e).into())
+		})?;
+		info!("Successfully sealed scheduled enclave");
+		Ok(())
+	}
+
 	/// Seal an empty, newly initialized state.
 	///
 	/// Requires the shielding key to be sealed and updated before calling this.
@@ -126,14 +178,26 @@ where
 	}
 }
 
-impl<ShieldingKeyRepository, StateKeyRepository, StateHandler, LightClientSeal> UnsealStateAndKeys
-	for SealHandler<ShieldingKeyRepository, StateKeyRepository, StateHandler, LightClientSeal>
-where
+impl<
+		ShieldingKeyRepository,
+		StateKeyRepository,
+		StateHandler,
+		LightClientSeal,
+		ScheduledEnclaveSeal,
+	> UnsealStateAndKeys
+	for SealHandler<
+		ShieldingKeyRepository,
+		StateKeyRepository,
+		StateHandler,
+		LightClientSeal,
+		ScheduledEnclaveSeal,
+	> where
 	ShieldingKeyRepository: AccessKey<KeyType = Rsa3072KeyPair> + MutateKey<Rsa3072KeyPair>,
 	StateKeyRepository: AccessKey<KeyType = Aes> + MutateKey<Aes>,
 	StateHandler: HandleState<StateT = StfState>,
 	LightClientSeal: LightClientSealing,
 	LightClientSeal::LightClientState: Encode,
+	ScheduledEnclaveSeal: SealedIO<Unsealed = ScheduledEnclaveMap>,
 {
 	fn unseal_shielding_key(&self) -> EnclaveResult<Vec<u8>> {
 		let shielding_key = self
@@ -157,6 +221,14 @@ where
 	fn unseal_light_client_state(&self) -> EnclaveResult<Vec<u8>> {
 		Ok(self.light_client_seal.unseal()?.encode())
 	}
+
+	fn unseal_scheduled_enclave_state(&self) -> EnclaveResult<Vec<u8>> {
+		let scheduled_enclave = self.scheduled_enclave_seal.unseal().map_err(|e| {
+			error!("    [Enclave] Failed to unseal scheduled enclave: {:?}", e);
+			EnclaveError::Other(format!("{:?}", e).into())
+		})?;
+		Ok(Encode::encode(&scheduled_enclave))
+	}
 }
 
 #[cfg(feature = "test")]
@@ -165,6 +237,7 @@ pub mod test {
 	use itc_parentchain::light_client::mocks::validator_mock_seal::LightValidationStateSealMock;
 	use itp_sgx_crypto::mocks::KeyRepositoryMock;
 	use itp_test::mock::handle_state_mock::HandleStateMock;
+	use lc_scheduled_enclave::mock::ScheduledEnclaveSealMock;
 
 	type StateKeyRepositoryMock = KeyRepositoryMock<Aes>;
 	type ShieldingKeyRepositoryMock = KeyRepositoryMock<Rsa3072KeyPair>;
@@ -174,6 +247,7 @@ pub mod test {
 		StateKeyRepositoryMock,
 		HandleStateMock,
 		LightValidationStateSealMock,
+		ScheduledEnclaveSealMock,
 	>;
 
 	pub fn seal_shielding_key_works() {

diff --git a/tee-worker/enclave-runtime/src/tls_ra/tests.rs b/tee-worker/enclave-runtime/src/tls_ra/tests.rs
@@ -34,6 +34,7 @@ use itp_stf_primitives::types::AccountId;
 use itp_stf_state_handler::handle_state::HandleState;
 use itp_test::mock::handle_state_mock::HandleStateMock;
 use itp_types::ShardIdentifier;
+use lc_scheduled_enclave::mock::ScheduledEnclaveSealMock;
 use sgx_crypto_helper::{rsa3072::Rsa3072KeyPair, RsaKeyPair};
 use sgx_types::{sgx_quote_sign_type_t, sgx_target_info_t};
 use std::{
@@ -77,12 +78,17 @@ pub fn test_tls_ra_server_client_networking() {
 	let state_key_encoded = vec![5, 2, 3, 7];
 	let state_encoded = Vec::from([1u8; 26000]); // Have a decently sized state, so read() must be called multiple times.
 	let light_client_state_encoded = Vec::from([1u8; 10000]); // Have a decently sized state, so read() must be called multiple times.
+	let scheduled_enclave_state_encoded = vec![
+		4, 0, 0, 0, 0, 0, 0, 0, 0, 51, 162, 48, 234, 94, 231, 35, 92, 167, 183, 221, 185, 208, 147,
+		215, 100, 27, 7, 66, 47, 78, 248, 110, 91, 83, 225, 121, 14, 125, 180, 231, 175,
+	];
 
 	let server_seal_handler = SealHandlerMock::new(
 		Arc::new(RwLock::new(shielding_key_encoded.clone())),
 		Arc::new(RwLock::new(state_key_encoded.clone())),
 		Arc::new(RwLock::new(state_encoded.clone())),
 		Arc::new(RwLock::new(light_client_state_encoded.clone())),
+		Arc::new(RwLock::new(scheduled_enclave_state_encoded.clone())),
 	);
 	let initial_client_state = vec![0, 0, 1];
 	let initial_client_state_key = vec![0, 0, 2];
@@ -91,12 +97,14 @@ pub fn test_tls_ra_server_client_networking() {
 	let client_state_key = Arc::new(RwLock::new(initial_client_state_key.clone()));
 	let client_state = Arc::new(RwLock::new(initial_client_state.clone()));
 	let client_light_client_state = Arc::new(RwLock::new(initial_client_light_client_state));
+	let scheduled_enclave_state = Arc::new(RwLock::new(Vec::new()));
 
 	let client_seal_handler = SealHandlerMock::new(
 		client_shielding_key.clone(),
 		client_state_key.clone(),
 		client_state.clone(),
 		client_light_client_state.clone(),
+		scheduled_enclave_state.clone(),
 	);
 
 	let port: u16 = 3149;
@@ -186,6 +194,13 @@ fn create_seal_handler(
 	let state_handler = Arc::new(HandleStateMock::default());
 	state_handler.reset(state, shard).unwrap();
 	let seal = Arc::new(LightValidationStateSealMock::new());
-
-	SealHandler::new(state_handler, state_key_repository, shielding_key_repository, seal)
+	let scheduled_enclave_seal = Arc::new(ScheduledEnclaveSealMock::new());
+
+	SealHandler::new(
+		state_handler,
+		state_key_repository,
+		shielding_key_repository,
+		seal,
+		scheduled_enclave_seal,
+	)
 }
diff --git a/tee-worker/enclave-runtime/src/tls_ra/tls_ra_client.rs b/tee-worker/enclave-runtime/src/tls_ra/tls_ra_client.rs
@@ -32,6 +32,8 @@ use crate::{
 };
 use codec::Encode;
 
+use lc_scheduled_enclave::{ScheduledEnclaveSeal, GLOBAL_SCHEDULED_ENCLAVE};
+
 use itp_attestation_handler::{RemoteAttestationType, DEV_HOSTNAME};
 use itp_component_container::ComponentGetter;
 
@@ -138,6 +140,7 @@ where
 			Opcode::StateKey => self.seal_handler.seal_state_key(&bytes)?,
 			Opcode::State => self.seal_handler.seal_state(&bytes, &self.shard)?,
 			Opcode::LightClient => self.seal_handler.seal_light_client_state(&bytes)?,
+			Opcode::ScheduledEnclave => self.seal_handler.seal_scheduled_enclave_state(&bytes)?,
 		};
 		Ok(Some(header.opcode))
 	}
@@ -212,11 +215,15 @@ pub unsafe extern "C" fn request_state_provisioning(
 		},
 	};
 
+	let scheduled_enclave_seal =
+		Arc::new(ScheduledEnclaveSeal::new(GLOBAL_SCHEDULED_ENCLAVE.seal_path.clone()));
+
 	let seal_handler = EnclaveSealHandler::new(
 		state_handler,
 		state_key_repository,
 		shielding_key_repository,
 		light_client_seal,
+		scheduled_enclave_seal,
 	);
 
 	let signing_key_repository = match GLOBAL_SIGNING_KEY_REPOSITORY_COMPONENT.get() {