Remove IAS_MODE (#3616)

Previously there was an IAS_MODE for talking to a production versus
development IAS attestation service. With the move to DCAP attestation
there is no longer an IAS attestation service.

.github/actions/setup-rust/action.yml

@@ -40,7 +40,6 @@ runs:
         [[ -f /opt/cargo/bin/cbindgen ]] && chmod 0755 /opt/cargo/bin/cbindgen
 
         # build config
-        echo 'IAS_MODE=DEV' >> $GITHUB_ENV
         echo 'SGX_MODE=SW' >> $GITHUB_ENV
         # test/run config
         echo 'RUST_BACKTRACE=1' >> $GITHUB_ENV

.github/workflows/ci.yml

@@ -31,7 +31,7 @@ jobs:
         uses: actions/checkout@v4
       - name: Setup Rust
         uses: ./.github/actions/setup-rust
-      - name: Cargo build (SW/IAS dev)
+      - name: Cargo build (SW)
         uses: actions-rs/cargo@v1
         with:
           command: build
@@ -49,10 +49,9 @@ jobs:
         uses: actions/checkout@v4
       - name: Setup Rust
         uses: ./.github/actions/setup-rust
-      - name: Cargo build (HW/IAS prod)
+      - name: Cargo build (HW)
         env:
           SGX_MODE: HW
-          IAS_MODE: PROD
         uses: actions-rs/cargo@v1
         with:
           command: build
@@ -73,7 +72,6 @@ jobs:
       - name: Build and test the wasm-test crate
         env:
           SGX_MODE: HW
-          IAS_MODE: PROD
         run: wasm-pack test --node wasm-test
 
   lint-rust:
@@ -119,7 +117,6 @@ jobs:
         working-directory: go-grpc-gateway/testing
         env:
           SGX_MODE: SW
-          IAS_MODE: DEV
         run: cargo build --locked
       - name: Run curl test
         working-directory: go-grpc-gateway

.github/workflows/dependent-repos.yml

@@ -54,4 +54,4 @@ jobs:
             curl -O https://enclave-distribution.test.mobilecoin.com/${CONSENSUS_SIGSTRUCT_URI}
           fi
 
-          SGX_MODE=SW IAS_MODE=DEV cargo test
+          SGX_MODE=SW cargo test

.github/workflows/mobilecoin-dev-cd.yaml

@@ -114,7 +114,6 @@ jobs:
         steps.rust_artifact_cache.outputs.cache-hit != 'true' &&
         ! contains(github.event.head_commit.message, '[skip build]')
       env:
-        IAS_MODE: DEV
         SGX_MODE: HW
         RUST_BACKTRACE: full
         MOB_RELEASE: 1

.internal-ci/README.md

@@ -78,19 +78,19 @@ This workflow is set up to trigger off certain branch patterns.
 
 Branches will trigger a build that will create a dynamic development environment and run integration tests against the environment.
 
-| Tags | SGX_MODE | IAS_MODE | Signer | Description |
-| --- | --- | --- | --- | --- |
-| `v0.0.0-my-awesome-feature.21.sha-abcd1234` | `HW` | `DEV` | CI Signed Development | For use in development environments. |
+| Tags | SGX_MODE | Signer | Description |
+| --- | --- | --- | --- |
+| `v0.0.0-my-awesome-feature.21.sha-abcd1234` | `HW` | CI Signed Development | For use in development environments. |
 
 ### Semver tags - `v2.0.0`
 
 Tags will trigger a build that will create a set of release artifacts.
 
 TBD: Automatically deploy/destroy this release to the development cluster.
 
-| Tags | SGX_MODE | IAS_MODE | Signer | Description |
-| --- | --- | --- | --- | --- |
-| `v2.0.0-dev` | `HW` | `DEV` | CI Signed Development | For use in development environments. |
+| Tags | SGX_MODE | Signer | Description |
+| --- | --- | --- | --- |
+| `v2.0.0-dev` | `HW` | CI Signed Development | For use in development environments. |
 
 ### Deployment Status & Environment Info
 

BUILD.md

@@ -55,15 +55,15 @@ A docker-less build also works fine for development:
 
 ## Build configuration
 
-There are two project-wide SGX-related configuration variables `SGX_MODE` and `IAS_MODE`.
+There is a project-wide SGX-related configuration variables `SGX_MODE`.
 
-These are set by environment variables, and they must be the same for all artifacts,
+It is set by an environment variable, and it must be the same for all artifacts,
 even those that don't depend directly on SGX. E.g. `mobilecoind` must have the same configuration
-as `consensus_service` for Intel Remote Attestation to work, otherwise an error will occur at runtime.
+as `consensus_service`, otherwise an error will occur at runtime.
 
-For local testing, you should usually use `SGX_MODE=SW` and `IAS_MODE=DEV`.
+For local testing, you should usually use `SGX_MODE=SW`.
 If you are seeking to build a client that you can test against MobileCoin's official testnet,
-you must use `SGX_MODE=HW` and `IAS_MODE=PROD`, because testnet is configured as a production environment.
+you must use `SGX_MODE=HW`, because testnet is configured as a production environment.
 
 #### SGX_MODE
 
@@ -78,34 +78,23 @@ This mode is required for Intel Remote Attestation to work and provide security.
 
 The clients and servers must all agree about this setting, or attestation will fail.
 
-#### IAS_MODE
-
-`IAS_MODE=DEV` means that we will hit the Intel provided "dev endpoints" during remote attestation.
-These won't require the real production signing key in connection to the MRENCLAVE measurements.
-
-`IAS_MODE=PROD` means that we will hit the real Intel provided endpoints for remote attestation.
-
-In code, this discrepancy is largely handled by the `attest-net` crate.
-
-The clients and servers must all agree about this setting, or attestation will fail.
-
 #### Why are these environment variables?
 
 `cargo` supports crate-level features, and feature unification across the build plan.
 `cargo` does not support any notion of "global project-wide configuration".
 
 In practice, it's too hard invoke cargo to get all the features enabled exactly correctly on
-all the right crates, if every crate has an `sgx_mode` and `ias_mode` feature.
+all the right crates, if every crate has an `sgx_mode` feature.
 
 Even if cargo had workspace-level features, which it doesn't, that wouldn't be good enough for us
 because our build requires using multiple workspaces. We must keep the cargo features on some
 targets separated and not unified.
 Unifying cargo features across enclave targets and server targets will break the enclave builds.
 This is because the enclave builds in a special `no_std` environment.
 
-Making `SGX_MODE` and `IAS_MODE` environment variables, and making `build.rs` scripts that read
-them and set features on these crates as needed, is the simplest way to make sure that there is
-one source of truth for these values for all of the artifacts in the whole build.
+Making `SGX_MODE` an environment variable, and making `build.rs` scripts that reads
+it and set features on these crates as needed, is the simplest way to make sure that there is
+one source of truth for this value for all of the artifacts in the whole build.
 
 The `SGX_MODE` environment variable configuration is also used throughout Intel SGX SDK examples.
 
@@ -133,9 +122,9 @@ To reproducibly build the enclave, (get exactly the right MRENCLAVE value), you
 in the container.
 
 For local testing, you don't need to get exactly the right MRENCLAVE value. You can set up
-test networks with whatever MRENCLAVE your build produces, and clients that check this value
-using the Remote Attestation process.
+test networks with whatever MRENCLAVE your build produces, and clients that check this value.
 
-If you want to download a prebuilt enclave, signed using the production signing key, in order use `IAS_MODE=PROD`
-and participate in a production-environment network, check out the `enclave-signing-material` instructions:
-https://github.com/mobilecoinfoundation/mobilecoin/blob/master/consensus/service/BUILD.md#enclave-signing-material
+If you want to download a prebuilt enclave, signed using the production signing key, you will need a PCCS, 
+<https://download.01.org/intel-sgx/sgx-dcap/1.10/linux/docs/SGX_DCAP_Caching_Service_Design_Guide.pdf>.
+Intel provides an example implementation
+<https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/QuoteGeneration/pccs>.

MAINNET.md

@@ -25,7 +25,7 @@ An example MainNet build and launch command for mobilecoind is:
 1. Build mobilecoind and mobilecoind-json
 
     ```
-    SGX_MODE=HW IAS_MODE=PROD CONSENSUS_ENCLAVE_CSS=$(pwd)/consensus-enclave.css cargo build --release -p mc-mobilecoind -p mc-mobilecoind-json
+    SGX_MODE=HW CONSENSUS_ENCLAVE_CSS=$(pwd)/consensus-enclave.css cargo build --release -p mc-mobilecoind -p mc-mobilecoind-json
     ```
 
 1. Run mobilecoind, connecting to one or multiple Consensus Validator Nodes:

attest/core/build.rs

@@ -1,7 +1,7 @@
 // Copyright (c) 2018-2022 The MobileCoin Foundation
 
 use mc_util_build_script::Environment;
-use mc_util_build_sgx::{IasMode, SgxEnvironment, SgxMode};
+use mc_util_build_sgx::{SgxEnvironment, SgxMode};
 
 fn main() {
     let env = Environment::default();
@@ -10,8 +10,4 @@ fn main() {
     if sgx.sgx_mode() == SgxMode::Simulation {
         cargo_emit::rustc_cfg!("feature=\"sgx-sim\"");
     }
-
-    if sgx.ias_mode() == IasMode::Development {
-        cargo_emit::rustc_cfg!("feature=\"ias-dev\"");
-    }
 }

attest/verifier/Cargo.toml

@@ -22,8 +22,6 @@ std = [
 
 # This means "use the fake SGX stuff where required"
 sgx-sim = []
-# This means "use the dev endpoint of Intel's Attestation Service"
-ias-dev = []
 
 [dependencies]
 mc-attest-core = { path = "../core", default-features = false }

attest/verifier/build.rs

@@ -13,7 +13,7 @@ use mbedtls_sys::types::{
     size_t,
 };
 use mc_util_build_script::Environment;
-use mc_util_build_sgx::{IasMode, SgxEnvironment, SgxMode};
+use mc_util_build_sgx::{SgxEnvironment, SgxMode};
 use p256::{
     ecdsa::{signature::Signer, Signature, SigningKey},
     pkcs8::{EncodePrivateKey, LineEnding},
@@ -93,10 +93,6 @@ fn main() {
         cargo_emit::rustc_cfg!("feature=\"sgx-sim\"");
     }
 
-    if sgx.ias_mode() == IasMode::Development {
-        cargo_emit::rustc_cfg!("feature=\"ias-dev\"");
-    }
-
     if should_generating_sim_files(&data_path) {
         generate_sim_files(&data_path);
     }

attest/verifier/src/lib.rs

@@ -44,13 +44,6 @@ cfg_if::cfg_if! {
         pub const IAS_SIGNING_ROOT_CERT_PEM: &str = SIM_ROOT_ANCHOR;
         /// Root anchor PEM file for use with DCAP
         pub const DCAP_ROOT_ANCHOR: &str = SIM_ROOT_ANCHOR;
-    } else if #[cfg(feature = "ias-dev")] {
-        /// Whether or not enclaves should be run and validated in debug mode
-        pub const DEBUG_ENCLAVE: bool = true;
-        /// Root anchor PEM file for use with IAS
-        pub const IAS_SIGNING_ROOT_CERT_PEM: &str = include_str!("../data/Dev_AttestationReportSigningCACert.pem");
-        /// Root anchor PEM file for use with DCAP
-        pub const DCAP_ROOT_ANCHOR: &str = include_str!("../data/DcapRootCACert.pem");
     } else {
         /// Debug enclaves in prod mode are not supported.
         pub const DEBUG_ENCLAVE: bool = false;
@@ -445,9 +438,7 @@ mod test {
     use mc_attestation_verifier::{Advisories, AdvisoryStatus};
     use mc_util_encodings::FromHex;
 
-    const TEST_ANCHORS: &[&str] = &[include_str!(
-        "../data/Dev_AttestationReportSigningCACert.pem"
-    )];
+    const TEST_ANCHORS: &[&str] = &[include_str!("../data/AttestationReportSigningCACert.pem")];
 
     /// This function provides a recorded response using SW_HARDENING_NEEDED for
     /// the INTEL-SA-00334 (LVI) advisory

consensus/enclave/measurement/build.rs

@@ -5,7 +5,7 @@
 use cargo_emit::{rerun_if_env_changed, rustc_cfg};
 use mc_util_build_enclave::Builder;
 use mc_util_build_script::Environment;
-use mc_util_build_sgx::{IasMode, SgxEnvironment, SgxMode, TcsPolicy};
+use mc_util_build_sgx::{SgxEnvironment, SgxMode, TcsPolicy};
 use std::{env::var, path::PathBuf};
 
 // Changing this version is a breaking change, you must update the crate version
@@ -73,11 +73,7 @@ fn main() {
     builder
         .target_dir(env.target_dir().join(CONSENSUS_ENCLAVE_NAME).as_path())
         .config_builder
-        .debug(
-            sgx.sgx_mode() == SgxMode::Simulation
-                || sgx.ias_mode() == IasMode::Development
-                || env.profile() != "release",
-        )
+        .debug(sgx.sgx_mode() == SgxMode::Simulation || env.profile() != "release")
         .prod_id(CONSENSUS_ENCLAVE_PRODUCT_ID)
         .isv_security_version(CONSENSUS_ENCLAVE_SECURITY_VERSION)
         .tcs_num(32)

consensus/enclave/trusted/Cargo.toml

@@ -17,9 +17,6 @@ crate-type = ["staticlib"]
 sgx-sim = [
     "mc-attest-verifier/sgx-sim"
 ]
-ias-dev = [
-    "mc-attest-verifier/ias-dev"
-]
 
 [dependencies]
 mc-attest-core = { path = "../../../attest/core", default-features = false }

consensus/service/BUILD.md

@@ -173,13 +173,12 @@ Then, when you build, you will provide both `CONSENSUS_ENCLAVE_SIGNED=$(pwd)/lib
 To build consensus, you will need to specify the following:
 
 * `SGX_MODE` (either `HW` for hardware or `SW` for simulation)
-* `IAS_MODE` (depending on which EPID policy you registered for, either `DEV` or `PROD`)
 * (Optional) Signing material, `CONSENSUS_ENCLAVE_SIGNED` and `CONSENSUS_ENCLAVE_CSS` (see [Enclave Signing Material](#enclave-signing-material) above)
 
 And then you can build with:
 
 ```
-SGX_MODE=HW IAS_MODE=DEV \
+SGX_MODE=HW \
     CONSENSUS_ENCLAVE_SIGNED=$(pwd)/libconsensus-enclave.signed.so \
     CONSENSUS_ENCLAVE_CSS=$(pwd)/consensus-enclave.css \
     cargo build --release -p mc-consensus-service

consensus/service/README.md

@@ -140,12 +140,10 @@ Follow the steps below:
 
 An example run command is the below.
 
->Note: The environment variables, `SGX_MODE`, `IAS_MODE`, `CONSENSUS_ENCLAVE_CSS` and `CONSENSUS_ENCLAVE_SIGNED` indicate important parameters to the SGX Enclave build. Please see [BUILD.md](./BUILD.md) for more details.
-
->Note: Running in `IAS_MODE=DEV` runs a debug enclave.
+>Note: The environment variables, `SGX_MODE`, `CONSENSUS_ENCLAVE_CSS` and `CONSENSUS_ENCLAVE_SIGNED` indicate important parameters to the SGX Enclave build. Please see [BUILD.md](./BUILD.md) for more details.
 
 ```
-SGX_MODE=HW IAS_MODE=DEV \
+SGX_MODE=HW \
     CONSENSUS_ENCLAVE_CSS=$(pwd)/consensus-enclave.css \
     CONSENSUS_ENCLAVE_SIGNED=$(pwd)/libconsensus-enclave.signed.so \
     cargo run --release -p mc-consensus-service -- \

deploy/03-node1.yaml

@@ -194,8 +194,6 @@ spec:
               value: "debug,rustls=warn,hyper=warn,tokio_reactor=warn,mio=warn,want=warn,reqwest=warn,rusoto_core=error,rusoto_signature=error,h2=error,rocket=warn,<unknown>=warn"
             - name: "SGX_MODE"
               value: "HW"
-            - name: "IAS_MODE"
-              value: "DEV"
             - name: LOCAL_NODE_ID
               value: "peer1.NETWORKNAME.mobilecoin.com:443"
             - name: MC_LOG_UDP_JSON

deploy/03-node3.yaml

@@ -194,8 +194,6 @@ spec:
               value: "debug,rustls=warn,hyper=warn,tokio_reactor=warn,mio=warn,want=warn,reqwest=warn,rusoto_core=error,rusoto_signature=error,h2=error,rocket=warn,<unknown>=warn"
             - name: "SGX_MODE"
               value: "HW"
-            - name: "IAS_MODE"
-              value: "DEV"
             - name: LOCAL_NODE_ID
               value: "peer3.NETWORKNAME.mobilecoin.com:443"
             - name: MC_LOG_UDP_JSON

deploy/03-node4.yaml

@@ -194,8 +194,6 @@ spec:
               value: "debug,rustls=warn,hyper=warn,tokio_reactor=warn,mio=warn,want=warn,reqwest=warn,rusoto_core=error,rusoto_signature=error,h2=error,rocket=warn,<unknown>=warn"
             - name: "SGX_MODE"
               value: "HW"
-            - name: "IAS_MODE"
-              value: "DEV"
             - name: LOCAL_NODE_ID
               value: "peer4.NETWORKNAME.mobilecoin.com:443"
             - name: MC_LOG_UDP_JSON

deploy/03-node5.yaml

@@ -194,8 +194,6 @@ spec:
               value: "debug,rustls=warn,hyper=warn,tokio_reactor=warn,mio=warn,want=warn,reqwest=warn,rusoto_core=error,rusoto_signature=error,h2=error,rocket=warn,<unknown>=warn"
             - name: "SGX_MODE"
               value: "HW"
-            - name: "IAS_MODE"
-              value: "DEV"
             - name: LOCAL_NODE_ID
               value: "peer5.NETWORKNAME.mobilecoin.com:443"
             - name: MC_LOG_UDP_JSON

fog/ingest/enclave/measurement/build.rs

@@ -5,7 +5,7 @@
 use cargo_emit::{rerun_if_env_changed, rustc_cfg};
 use mc_util_build_enclave::Builder;
 use mc_util_build_script::Environment;
-use mc_util_build_sgx::{IasMode, SgxEnvironment, SgxMode, TcsPolicy};
+use mc_util_build_sgx::{SgxEnvironment, SgxMode, TcsPolicy};
 use std::{env::var, path::PathBuf};
 
 // Changing this version is a breaking change, you must update the crate version
@@ -73,11 +73,7 @@ fn main() {
     builder
         .target_dir(env.target_dir().join(INGEST_ENCLAVE_NAME).as_path())
         .config_builder
-        .debug(
-            sgx.sgx_mode() == SgxMode::Simulation
-                || sgx.ias_mode() == IasMode::Development
-                || env.profile() != "release",
-        )
+        .debug(sgx.sgx_mode() == SgxMode::Simulation || env.profile() != "release")
         .prod_id(INGEST_ENCLAVE_PRODUCT_ID)
         .isv_security_version(INGEST_ENCLAVE_SECURITY_VERSION)
         .tcs_num(32)