Remove IAS SPID and IAS API KEY

.github/workflows/mobilecoin-workflow-dev-setup-environment.yaml

@@ -34,12 +34,6 @@ on:
       DEV_FOG_REPORT_SIGNING_CERT_KEY:
         description: "Fog Report signing cert key"
         required: true
-      DEV_IAS_KEY:
-        description: "IAS"
-        required: true
-      DEV_IAS_SPID:
-        description: "IAS"
-        required: true
       DEV_KEYS_SEED_FOG:
         description: "static wallet seed"
         required: true
@@ -103,24 +97,12 @@ on:
       IP_INFO_TOKEN:
         description: "ipinfo.io token for authenticated access"
         required: true
-      MAIN_IAS_KEY:
-        description: "MainNet IAS"
-        required: true
-      MAIN_IAS_SPID:
-        description: "MainNet IAS"
-        required: true
       MAIN_TOKENS_CONFIG_V1_JSON:
         description: "MainNet signed tokens config json"
         required: true
       MAIN_TOKENS_CONFIG_V2_JSON:
         description: "MainNet signed tokens config json"
         required: true
-      TEST_IAS_KEY:
-        description: "TestNet IAS"
-        required: true
-      TEST_IAS_SPID:
-        description: "TestNet IAS"
-        required: true
       TEST_TOKENS_CONFIG_V1_JSON:
         description: "TestNet signed tokens config json"
         required: true
@@ -224,15 +206,8 @@ jobs:
 
     # We're only deploying to the dev cluster here.
     # We want to still point at dev values for buckets and certs.
-    # We need "production" IAS creds to start up test/main enclaves.
     - name: Generate environment values file
       env:
-        DEV_IAS_KEY: ${{ secrets.DEV_IAS_KEY }}
-        DEV_IAS_SPID: ${{ secrets.DEV_IAS_SPID }}
-        MAIN_IAS_KEY: ${{ secrets.MAIN_IAS_KEY }}
-        MAIN_IAS_SPID: ${{ secrets.MAIN_IAS_SPID }}
-        TEST_IAS_KEY: ${{ secrets.TEST_IAS_KEY }}
-        TEST_IAS_SPID: ${{ secrets.TEST_IAS_SPID }}
         LEDGER_AWS_ACCESS_KEY_ID: ${{ secrets.DEV_LEDGER_AWS_ACCESS_KEY_ID }}
         LEDGER_AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_LEDGER_AWS_SECRET_ACCESS_KEY }}
         FOG_REPORT_SIGNING_CERT: ${{ secrets.DEV_FOG_REPORT_SIGNING_CERT }}

.internal-ci/docker/entrypoints/node_hw.sh

@@ -18,8 +18,6 @@
 # MC_CLIENT_RESPONDER_ID - fully qualified name:port that fronts the client port
 #   example client1.test.mobilecoin.com:443
 # MC_MSG_SIGNER_KEY - private key for signing messages
-# MC_IAS_API_KEY - Intel IAS API key
-# MC_IAS_SPID - Intel IAS spid
 
 # Optional Vars consensus-service
 # MC_TX_SOURCE_URL - http url to retrieve archive (s3) blocks for node
@@ -105,8 +103,6 @@ then
     is_set MC_PEER_RESPONDER_ID
     is_set MC_CLIENT_RESPONDER_ID
     is_set MC_MSG_SIGNER_KEY
-    is_set MC_IAS_API_KEY
-    is_set MC_IAS_SPID
     is_set MC_DEST
     is_set AWS_ACCESS_KEY_ID
     is_set AWS_SECRET_ACCESS_KEY

.internal-ci/docker/support/node_hw/bin/wrapper-consensus-service.sh

@@ -28,8 +28,6 @@ is_set MC_BRANCH
 is_set MC_PEER_RESPONDER_ID
 is_set MC_CLIENT_RESPONDER_ID
 is_set MC_MSG_SIGNER_KEY
-is_set MC_IAS_API_KEY
-is_set MC_IAS_SPID
 
 # Default vars
 export MC_PEER_LISTEN_URI=${MC_PEER_LISTEN_URI:-"insecure-mcp://0.0.0.0:8443/"}

.internal-ci/helm/consensus-node/templates/node-deployment.yaml

@@ -97,8 +97,6 @@ spec:
             name: {{ include "consensusNode.ledgerDistribution.secret.name" . }}
         - secretRef:
             name: {{ include "consensusNode.msgSignerKey.secret.name" . }}
-        - secretRef:
-            name: ias
         - configMapRef:
             name: {{ include "consensusNode.nodeConfig.configMap.name" . }}
         - secretRef:

.internal-ci/helm/consensus-node/values.yaml

@@ -53,9 +53,6 @@ mcCoreCommonConfig:
   enabled: false
   # clientAuth:
   #   token: ''
-  # ias:
-  #   key: ''
-  #   spid: ''
   # mobileCoinNetwork:
   #   network: ''
   #   partner: ''

.internal-ci/helm/fog-ingest/README.md

@@ -24,21 +24,6 @@ The peer list generation happens when the chart is generated.  In order to scale
 
 Configure a `values.yaml` file or pre-populate your namespace with the following ConfigMaps and Secrets.
 
-- `ias`
-
-    Intel spid and primary or secondary key.
-
-    ```yaml
-    apiVersion: v1
-    kind: Secret
-    metadata:
-      name: ias
-    type: Opaque
-    stringData:
-      key: <primary or secondary key>
-      spid: <spid>
-    ```
-
 - `sentry`
 
     Sentry service alert and error monitoring

.internal-ci/helm/fog-ingest/templates/fog-ingest-statefulset.yaml

@@ -67,8 +67,6 @@ spec:
         envFrom:
         - configMapRef:
             name: fog-ingest
-        - secretRef:
-            name: ias
         - secretRef:
             name: ipinfo
             optional: true

.internal-ci/helm/fog-ingest/templates/supervisord-fog-ingest-configmap.yaml

@@ -14,8 +14,6 @@ data:
       --pubkey-expiry-window %(ENV_FOG_PUBKEY_EXPIRY_WINDOW)s
       --peers {{ include "fogIngest.peerURLs" . }}
       --local-node-id %(ENV_LOCAL_NODE_ID)s
-      --ias-spid %(ENV_IAS_SPID)s
-      --ias-api-key %(ENV_IAS_API_KEY)s
       --ledger-db /fog-data/ledger
       --watcher-db /fog-data/watcher
       --client-listen-uri insecure-fog-ingest://0.0.0.0:3226/

.internal-ci/helm/fog-services/README.md

@@ -26,21 +26,6 @@ Configure a `values.yaml` file or pre-populate your namespace with the following
       network: testnet
     ```
 
-- `ias`
-
-    Intel spid and primary or secondary key.
-
-    ```yaml
-    apiVersion: v1
-    kind: Secret
-    metadata:
-      name: ias
-    type: Opaque
-    stringData:
-      key: <primary or secondary key>
-      spid: <spid>
-    ```
-
 - `sentry`
 
     Sentry service alert and error monitoring

.internal-ci/helm/fog-services/templates/fog-ledger-fogshardrangegenerator.yaml

@@ -102,8 +102,6 @@ spec:
               - name: mgmt-http
                 containerPort: 8000
               envFrom:
-              - secretRef:
-                  name: ias
               - configMapRef:
                   # This is installed from the fog-services-config chart or Terraform
                   name: fog-ledger
@@ -349,8 +347,6 @@ spec:
             - name: mgmt-http
               containerPort: 8000
             envFrom:
-            - secretRef:
-                name: ias
             - configMapRef:
                 # Configmap is created by fog-services chart, or Terraform
                 name: fog-ledger

.internal-ci/helm/fog-services/templates/fog-view-fogshardrangegenerator.yaml

@@ -113,8 +113,6 @@ spec:
               - configMapRef:
                   # This is pre-installed from the fog-services-config chart or Terraform
                   name: fog-view
-              - secretRef:
-                  name: ias
               startupProbe:
                 grpc:
                   port: 3225
@@ -304,8 +302,6 @@ spec:
             envFrom:
             - configMapRef:
                 name: fog-view
-            - secretRef:
-                name: ias
             env:
             - name: RUST_BACKTRACE
               value: {{ $.Values.fogView.rust.backtrace | quote }}

.internal-ci/helm/fog-services/templates/supervisord-fog-ledger-router-configmap.yaml

@@ -19,8 +19,6 @@ data:
       --client-auth-token-secret "%(ENV_CLIENT_AUTH_TOKEN_SECRET)s"
       --client-auth-token-max-lifetime 31536000
 {{- end }}
-      --ias-spid %(ENV_IAS_SPID)s
-      --ias-api-key %(ENV_IAS_API_KEY)s
       --admin-listen-uri insecure-mca://127.0.0.1:8001/
 
     stdout_logfile=/dev/fd/1

.internal-ci/helm/fog-services/templates/supervisord-fog-ledger-store-configmap.yaml

@@ -15,8 +15,6 @@ data:
       --watcher-db /fog-data/watcher
       --client-responder-id "%(ENV_HOSTNAME)s.{{ include "fogServices.fullname" . }}-fog-ledger-store.{{ .Release.Namespace }}.svc.cluster.local:3228"
       --client-listen-uri insecure-key-image-store://0.0.0.0:3228/?responder-id="%(ENV_HOSTNAME)s.{{ include "fogServices.fullname" . }}-fog-ledger-store.{{ .Release.Namespace }}.svc.cluster.local:3228"
-      --ias-spid %(ENV_IAS_SPID)s
-      --ias-api-key %(ENV_IAS_API_KEY)s
       --admin-listen-uri insecure-mca://127.0.0.1:8001/
 
     stdout_logfile=/dev/fd/1

.internal-ci/helm/fog-services/templates/supervisord-fog-view-store-configmap.yaml

@@ -13,8 +13,6 @@ data:
     command=/usr/bin/fog_view_server
       --client-listen-uri insecure-fog-view-store://0.0.0.0:3225/?responder-id=%(ENV_HOSTNAME)s.{{ include "fogServices.fullname" . }}-fog-view-store.{{ .Release.Namespace }}:3225
       --client-responder-id "%(ENV_HOSTNAME)s.{{ include "fogServices.fullname" . }}-fog-view-store.{{ .Release.Namespace }}:3225"
-      --ias-spid %(ENV_IAS_SPID)s
-      --ias-api-key %(ENV_IAS_API_KEY)s
       --admin-listen-uri insecure-mca://127.0.0.1:8001/
 
     stdout_logfile=/dev/fd/1

.internal-ci/helm/mc-core-common-config/values.yaml

@@ -2,10 +2,6 @@
 clientAuth:
   token: ''
 
-ias:
-  key: ''
-  spid: ''
-
 mobileCoinNetwork:
   network: ''
   partner: ''

.internal-ci/helm/watcher/templates/_helpers.tpl

@@ -63,17 +63,6 @@ Create the name of the service account to use
 {{- end }}
 {{- end }}
 
-{{/*
-IAS Secret Name
-*/}}
-{{- define "chart.iasSecretName" -}}
-  {{- if .Values.ias.secret.external }}
-    {{- .Values.ias.secret.name }}
-  {{- else }}
-    {{- include "chart.fullname" . }}-{{ .Values.ias.secret.name }}
-  {{- end }}
-{{- end }}
-
 {{/*
 Sentry ConfigMap Name
 */}}

.internal-ci/util/generate_dev_values.sh

@@ -31,28 +31,6 @@ then
   tokens_signed_json=$(cat "${TOKENS_PATH}")
 fi
 
-echo "Get config for network based semver tag" >&2
-network=$(get_network_tier "${1}")
-case "${network}" in
-  test)
-    IAS_KEY=${TEST_IAS_KEY}
-    IAS_SPID=${TEST_IAS_SPID}
-  ;;
-  main)
-    IAS_KEY=${MAIN_IAS_KEY}
-    IAS_SPID=${MAIN_IAS_SPID}
-  ;;
-  dev)
-    IAS_KEY=${DEV_IAS_KEY}
-    IAS_SPID=${DEV_IAS_SPID}
-  ;;
-  *)
-    echo "ERROR: Unknown network ${network}"
-    exit 1;
-  ;;
-esac
-
-
 cat << EOF
 global:
   node:
@@ -76,9 +54,6 @@ $(echo -n "${tokens_signed_json}" | sed 's/^/        /')
 mcCoreCommonConfig:
   ipinfo:
     token: '${IP_INFO_TOKEN}'
-  ias:
-    key: '${IAS_KEY}'
-    spid: '${IAS_SPID}'
   clientAuth:
     token: '${CLIENT_AUTH_TOKEN}'
   sentry:

consensus/service/README.md

@@ -47,15 +47,6 @@ Follow the steps below:
     '{"threshold":3,"members":[{"type":"Node","args":"node1.test.mobilecoin.com:8443"},{"type":"Node","args":"node2.test.mobilecoin.com:8443"},{"type":"Node","args":"node3.test.mobilecoin.com:8443"},{"type":"Node","args":"node5.test.mobilecoin.com:8443"}]}'
     ```
 
-1. Obtain SPID key.
-
-    Attestation with Intel's Attestation Service (IAS) requires the nodes making the request to be linked to a developer account on their platform. When running the consensus service, you will provide both the `IAS_API_KEY` and `IAS_SPID`, which you can obtain by registering with the [Intel SGX Portal](https://api.portal.trustedservices.intel.com/EPID-attestation).
-
-    * Choose Dev for a developer network, or Prod for the TestNet.
-    * Choose Linkable (name base mode). This allows other nodes in the network to blocklist nodes who are misbehaving by submitting too many attestation requests. If you choose Unlinkable, your node will be denied peer connections.
-
-    >Note: You will provide the access qualifier when you run consensus, to indicate which Attestation endpoint to hit, via `IAS_MODE=DEV` or `IAS_MODE=PROD`
-
 1. Generate your ed25519 message-signing key.
 
     ```
@@ -161,8 +152,6 @@ SGX_MODE=HW IAS_MODE=DEV \
     --client-responder-id my_node.my_domain.com:443 \
     --peer-responder-id node1.my_domain.com:8443 \
     --network /etc/mc-network.toml \
-    --ias-api-key="${IAS_API_KEY}" \
-    --ias-spid="${IAS_SPID}" \
     --ledger-path /tmp/ledger-db-1 \
     --peer-listen-uri='mcp://0.0.0.0:8443/' \
     --msg-signer-key MC4CAQAwBQYDK2VwBCIEIGz4xR7wuPKjwM1EK0MKrc9ukTjiDqvKKREITPXPkNku \

consensus/service/config/src/lib.rs

@@ -17,7 +17,6 @@ pub use crate::{
 
 use base64::{engine::general_purpose::STANDARD as BASE64_ENGINE, Engine};
 use clap::Parser;
-use mc_attest_core::ProviderId;
 use mc_common::{NodeID, ResponderId};
 use mc_crypto_keys::{DistinguishedEncoding, Ed25519Pair, Ed25519Private};
 use mc_transaction_core::BlockVersion;
@@ -61,14 +60,6 @@ pub struct Config {
     #[clap(long = "network", env = "MC_NETWORK")]
     pub network_path: PathBuf,
 
-    /// Your Intel IAS API key.
-    #[clap(long, env = "MC_IAS_API_KEY")]
-    pub ias_api_key: String,
-
-    /// The Service Provider ID (SPID) associated with your Intel IAS API Key.
-    #[clap(long, env = "MC_IAS_SPID")]
-    pub ias_spid: ProviderId,
-
     /// The location on which to listen for peer traffic.
     ///
     /// The local node id is derived from the peer_listen_uri.
@@ -210,8 +201,6 @@ mod tests {
             )
             .unwrap(),
             network_path: PathBuf::from("network.toml"),
-            ias_api_key: "".to_string(),
-            ias_spid: ProviderId::from_str("22222222222222222222222222222222").unwrap(),
             peer_listen_uri: PeerUri::from_str("insecure-mcp://0.0.0.0:8081/").unwrap(),
             client_listen_uri: ClientUri::from_str("insecure-mc://0.0.0.0:3223/").unwrap(),
             admin_listen_uri: Some(AdminUri::from_str("insecure-mca://0.0.0.0:9090/").unwrap()),
@@ -279,8 +268,6 @@ mod tests {
                 "MC4CAQAwBQYDK2VwBCIEIC50QXQll2Y9qxztvmsUgcBBIxkmk7EQjxzQTa926bKo",
             ) .unwrap(),
             network_path: PathBuf::from("network.toml"),
-            ias_api_key: "".to_string(),
-            ias_spid: ProviderId::from_str("22222222222222222222222222222222").unwrap(),
             peer_listen_uri: PeerUri::from_str("mcp://0.0.0.0:8443/?tls-chain=./public/attest/test_certs/selfsigned_mobilecoin.crt&tls-key=./public/attest/test_certs/selfsigned_mobilecoin.key").unwrap(),
             client_listen_uri: ClientUri::from_str("insecure-mc://0.0.0.0:3223/").unwrap(),
             admin_listen_uri: Some(AdminUri::from_str("insecure-mca://0.0.0.0:9090/").unwrap()),

consensus/service/src/api/client_api_service.rs

@@ -491,8 +491,6 @@ mod client_api_tests {
             "--admin-listen-uri=insecure-mca://0.0.0.0:9090/",
             "--sealed-block-signing-key=/tmp/key",
             "--ledger-path=/tmp/ledger",
-            "--ias-spid=22222222222222222222222222222222",
-            "--ias-api-key=asdf",
         ])
         .unwrap()
     }