Merged
83 commits
4d520ef
check-hw - log recipients of new seed
Sep 9, 2025
676b742
misc
Sep 9, 2025
ddff3df
attestation: fetching PPID from sgx quote
Sep 10, 2025
bfa3405
build fix
Sep 10, 2025
40123c1
migrate_op added metadata
Sep 10, 2025
92544bb
check-hw - log recipients of new seed
Sep 9, 2025
5d8e02a
check_hw log request (modified)
Sep 10, 2025
946d8c3
check-hw request log parser
Sep 14, 2025
5105feb
Merge branch 'master' into sgx_whitelist
Sep 14, 2025
ac16be3
check-hw: printing PPID
Sep 15, 2025
86fd03d
key_manager: keeping arr of consensus_io_exchange_keypair
Sep 15, 2025
4f09464
added method to get network pubkeys
Sep 15, 2025
9888ecc
Getting pubkeys from enclave, rather than from files
Sep 15, 2025
8770987
enclave: allow validator set height jump forward
Sep 15, 2025
8a0b6e8
rot_seed: make sure imported seed can't be re-exported
Sep 15, 2025
9606fd7
check-hw - exclude EPID attestation
Sep 15, 2025
0b51f81
disabled EPID attestation
Sep 15, 2025
5a2821a
build fix
Sep 15, 2025
85c66d0
dcap quote ppid whitelist WIP
Sep 15, 2025
8234bee
ppid whitelist test
Sep 16, 2025
3254049
ppid whitelist updated
Sep 16, 2025
f5b40fc
Merge branch 'v1.21.6-tweaks' into sgx_whitelist
Sep 16, 2025
5ef07ee
check-hw: downloading allow-list
Sep 16, 2025
65175da
chec-hw seed_server wrt allow list WIP
Sep 16, 2025
619e1f5
check-hw server_seed fix
Sep 16, 2025
0766f20
added upgrade handler v1.22
Sep 16, 2025
8a9c971
removed full PPID print
Sep 16, 2025
567dcb3
cosmetic
Sep 17, 2025
91692ca
check-hw logging machine-id
Sep 17, 2025
f42977b
ecall_get_network_pubkey support for rot-seed
Sep 18, 2025
d443eaf
support up to 4 seeds
Sep 18, 2025
b085470
check-hw: printing rot seed network config
Sep 18, 2025
59cddc4
added migrate_op 10 print_key_config
Sep 18, 2025
2568bd3
check-hw - app return code wrt sgx status
Sep 18, 2025
0b94311
Revert "added migrate_op 10 print_key_config"
Sep 18, 2025
8e4d7e6
Revert "check-hw: printing rot seed network config"
Sep 18, 2025
4836213
Revert "ecall_get_network_pubkey support for rot-seed"
Sep 18, 2025
4761bc2
more allowed machine IDs
Sep 18, 2025
64d4721
KeyChain refactor, storing only last seed/io-xchg keys
Sep 21, 2025
90c0470
added migrate_op 10, print key config
Sep 21, 2025
c4da2c7
rot_seed: print config
Sep 21, 2025
c278dad
updated allow-list
Sep 21, 2025
95cfd32
allow-list extended
Sep 24, 2025
4cadcce
check-hw: appended cpu info to remote migration report
Sep 24, 2025
208ab37
compute hadler_plugin fix
Sep 25, 2025
85f1c4a
extracting fmspc from dcap collateral
Oct 2, 2025
3500174
add authorized admin-update flow
cboh4 Oct 2, 2025
498c357
remove force setting of require_governance after proposal passed
cboh4 Oct 6, 2025
3f37c0d
feat: add governance-controlled machine whitelist system
cboh4 Oct 8, 2025
49eb570
set debug level of logs instead of warn
cboh4 Oct 22, 2025
4911471
attestation: checking fmspc
Oct 15, 2025
0e4bf9b
removed outdated seed_service support
Oct 15, 2025
8889196
(HUGE change) removed EPID attestation support
Oct 16, 2025
e476d83
attestation serialization: flexible format
Oct 16, 2025
816defd
Attestation WIP
Oct 16, 2025
900cd05
Attestation: WIP(2)
Oct 16, 2025
762b8f2
Attestation: decoding jwt token
Oct 19, 2025
2463c3e
Attestation: checking jwt token wrt quote
Oct 19, 2025
1258995
Attestation: fix jwt verification, added script to obtain and embed a…
Oct 20, 2025
269ee17
embed_azure_attestation.sh adjusted
Oct 20, 2025
5a1b117
on-chain machine-id WIP
Oct 22, 2025
4c813de
on-chain machine-id WIP(2)
Oct 23, 2025
fd24587
on-chain machine-id WIP(4)
Oct 23, 2025
1895e86
attestation/jwt: more keys
Oct 23, 2025
bd21079
attestation/jwt: misc
Oct 23, 2025
3b51c31
Aded update-machine-whitelist command
Oct 27, 2025
da241cd
generate protofiles
cboh4 Oct 27, 2025
c3f8e4b
build fix
Oct 27, 2025
c687921
on-chain machine-id WIP(1)
Oct 28, 2025
70b93b0
on-chain machine-id WIP(2)
Oct 28, 2025
3dc2b15
Use CacheContext in queries
iKapitonau Oct 9, 2025
55648f1
Update cometbft
iKapitonau Oct 16, 2025
2123217
on-chain machine-id WIP(3)
Oct 28, 2025
87c8533
modify machine_id to string
cboh4 Oct 29, 2025
052cffe
machine_id as string (fixes)
Oct 29, 2025
1ddf7ca
fixed combined attestation parsing in go code (support for newer format)
Oct 29, 2025
8ca5244
Merge branch 'master' into sgx_whitelist
Oct 29, 2025
0fc27af
added v1.23 upgrade handler (empty)
Oct 29, 2025
afe0434
local_secret build fix
Oct 29, 2025
07099bf
removed unneeded func
Oct 29, 2025
22787d9
build fix(1)
Oct 29, 2025
fff96df
misc
Oct 29, 2025
cfebc16
clippy fixes
Oct 30, 2025
48 changes: 35 additions & 13 deletions app/app.go
Expand Up @@ -14,6 +14,8 @@ import (
ibcfeetypes "github.com/cosmos/ibc-go/v8/modules/apps/29-fee/types"
ibcswitchtypes "github.com/scrtlabs/SecretNetwork/x/emergencybutton/types"

cosmwasm_api "github.com/scrtlabs/SecretNetwork/go-cosmwasm/api"

"cosmossdk.io/client/v2/autocli"
"cosmossdk.io/core/appmodule"
circuittypes "cosmossdk.io/x/circuit/types"
Expand Down Expand Up @@ -67,6 +69,8 @@ import (
v1_20 "github.com/scrtlabs/SecretNetwork/app/upgrades/v1.20"
v1_21 "github.com/scrtlabs/SecretNetwork/app/upgrades/v1.21"
v1_21_7 "github.com/scrtlabs/SecretNetwork/app/upgrades/v1.21.7"
v1_22 "github.com/scrtlabs/SecretNetwork/app/upgrades/v1.22"
v1_23 "github.com/scrtlabs/SecretNetwork/app/upgrades/v1.23"
v1_4 "github.com/scrtlabs/SecretNetwork/app/upgrades/v1.4"
v1_5 "github.com/scrtlabs/SecretNetwork/app/upgrades/v1.5"
v1_6 "github.com/scrtlabs/SecretNetwork/app/upgrades/v1.6"
Expand Down Expand Up @@ -144,6 +148,8 @@ var (
v1_20.Upgrade,
v1_21.Upgrade,
v1_21_7.Upgrade,
v1_22.Upgrade,
v1_23.Upgrade,
}
)

Expand Down Expand Up @@ -448,41 +454,57 @@ func (app *SecretNetworkApp) RotateStore() {
}
}

func (app *SecretNetworkApp) UpdateOneKey(ctx sdk.Context, filePath string, keyID string) {
keyB64, err := os.ReadFile(filePath)
if err != nil {
return
}

keyBz, err := base64.StdEncoding.DecodeString(string(keyB64))
if err != nil {
func (app *SecretNetworkApp) UpdateOneKey(ctx sdk.Context, keyID string, value []byte) {
if len(value) == 0 {
return
}

keyNew := reg.MasterKey{Bytes: keyBz}
keyNew := reg.MasterKey{Bytes: value}
ctx2 := sdk.UnwrapSDKContext(ctx)

keyOld := app.AppKeepers.RegKeeper.GetMasterKey(ctx2, keyID)
if (keyOld == nil) || !bytes.Equal(keyOld.Bytes, keyNew.Bytes) {
app.AppKeepers.RegKeeper.SetMasterKey(ctx2, keyNew, keyID)
fmt.Printf("%s set to %s\n", keyID, keyB64)

value_b64 := base64.StdEncoding.EncodeToString(value)
fmt.Printf("%s set to %s\n", keyID, value_b64)
}
}

func (app *SecretNetworkApp) UpdateNetworkKeys() {
ms := app.BaseApp.CommitMultiStore() // cms is the CommitMultiStore in Cosmos SDK apps
ctx := sdk.NewContext(ms, cmtproto.Header{}, false, app.Logger())

app.UpdateOneKey(ctx, reg.NodeExchMasterKeyPath, reg.MasterNodeKeyId)
app.UpdateOneKey(ctx, reg.IoExchMasterKeyPath, reg.MasterIoKeyId)
var node_pk, io_pk []byte

for i := 0; ; i++ {
{
next_node_pk, next_io_pk := cosmwasm_api.GetNetworkPubkey(uint32(i))

// Stop when both buffers are empty
if len(next_node_pk) == 0 && len(next_io_pk) == 0 {
break
}

node_pk = next_node_pk
io_pk = next_io_pk
}

// node_pk_b64 := base64.StdEncoding.EncodeToString(node_pk)
// io_pk_b64 := base64.StdEncoding.EncodeToString(io_pk)
// fmt.Printf("iSeed=%d, nodePK=%s, ioPK=%s\n", i, node_pk_b64, io_pk_b64)
}

app.UpdateOneKey(ctx, reg.MasterNodeKeyId, node_pk)
app.UpdateOneKey(ctx, reg.MasterIoKeyId, io_pk)
}

func (app *SecretNetworkApp) Initialize() {
ms := app.BaseApp.CommitMultiStore() // cms is the CommitMultiStore in Cosmos SDK apps

ctx := sdk.NewContext(ms, cmtproto.Header{}, false, app.Logger())

_ = app.AppKeepers.ComputeKeeper.SetValidatorSetEvidence(ctx)
_ = app.AppKeepers.ComputeKeeper.SetEnclaveColdEvidences(ctx)
app.UpdateNetworkKeys()
}

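Review bot: In `UpdateNetworkKeys`, an enclave failure cannot be told apart from the end of the seed list: if `GetNetworkPubkey(0)` returns two empty buffers, the loop exits with `node_pk` and `io_pk` still nil and `UpdateOneKey` returns without logging, so the registration keeper silently keeps whatever master keys it already held. A pair with only one empty buffer is also copied over the last complete pair, after which one key is updated and the other is skipped. I would stop on either buffer being empty, `if len(next_node_pk) == 0 || len(next_io_pk) == 0 {`, and report the empty case after the loop, `if len(node_pk) == 0 || len(io_pk) == 0 { app.Logger().Error("no network public keys returned by enclave"); return }`. The loop also has no upper bound on `i`, so termination depends entirely on the enclave eventually returning empty buffers; a fixed maximum would make startup terminate regardless.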
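--- a/app/upgrades/v1.22/upgrade.go
+++ b/app/upgrades/v1.22/upgrade.go
@@ -0,0 +1,39 @@
+package v1_22
+
+import (
+"context"
+"fmt"
+"os"
+
+"cosmossdk.io/log"
+store "cosmossdk.io/store/types"
+upgradetypes "cosmossdk.io/x/upgrade/types"
+"github.com/cosmos/cosmos-sdk/types/module"
+"github.com/scrtlabs/SecretNetwork/app/keepers"
+"github.com/scrtlabs/SecretNetwork/app/upgrades"
+)
+
+const upgradeName = "v1.22"
+
+var Upgrade = upgrades.Upgrade{
+UpgradeName: upgradeName,
+CreateUpgradeHandler: createUpgradeHandler,
+StoreUpgrades: store.StoreUpgrades{},
+}
+
+func createUpgradeHandler(mm *module.Manager, _ *keepers.SecretAppKeepers, configurator module.Configurator,
+) upgradetypes.UpgradeHandler {
+return func(ctx context.Context, _ upgradetypes.Plan, vm module.VersionMap) (module.VersionMap, error) {
+logger := log.NewLogger(os.Stderr)
+logger.Info(` _ _ _____ _____ _____ _____ ______ `)
+logger.Info(`| | | | __ \ / ____| __ \ /\ | __ \| ____|`)
+logger.Info(`| | | | |__) | | __| |__) | / \ | | | | |__ `)
+logger.Info(`| | | | ___/| | |_ | _ / / /\ \ | | | | __| `)
+logger.Info(`| |__| | | | |__| | | \ \ / ____ \| |__| | |____ `)
+logger.Info(` \____/|_| \_____|_| \_\/_/ \_\_____/|______|`)
+
+logger.Info(fmt.Sprintf("Running module migrations for %s...", upgradeName))
+
+return mm.RunMigrations(ctx, configurator, vm)
+}
+}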
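Review bot: The exported `Upgrade` value and `createUpgradeHandler` carry no doc comment, and nothing states that this upgrade deliberately leaves `StoreUpgrades` empty and ignores the keepers argument; app/upgrades/v1.23/upgrade.go is the same file with a different `upgradeName`, so the same applies there. The commit list on this page mentions on-chain machine-id and whitelist state, so a reader will want to know the empty store change set is intended; I cannot confirm from this section whether a new store is involved. I would add `// Upgrade registers the v1.22 handler: it runs module migrations only and adds, renames or deletes no stores.` above `var Upgrade`. As a style point, `log.NewLogger(os.Stderr)` builds a separate logger on each run rather than using the node's configured one, so the banner will likely ignore the operator's log level and format settings.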
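--- a/app/upgrades/v1.23/upgrade.go
+++ b/app/upgrades/v1.23/upgrade.go
@@ -0,0 +1,39 @@
+package v1_23
+
+import (
+"context"
+"fmt"
+"os"
+
+"cosmossdk.io/log"
+store "cosmossdk.io/store/types"
+upgradetypes "cosmossdk.io/x/upgrade/types"
+"github.com/cosmos/cosmos-sdk/types/module"
+"github.com/scrtlabs/SecretNetwork/app/keepers"
+"github.com/scrtlabs/SecretNetwork/app/upgrades"
+)
+
+const upgradeName = "v1.23"
+
+var Upgrade = upgrades.Upgrade{
+UpgradeName: upgradeName,
+CreateUpgradeHandler: createUpgradeHandler,
+StoreUpgrades: store.StoreUpgrades{},
+}
+
+func createUpgradeHandler(mm *module.Manager, _ *keepers.SecretAppKeepers, configurator module.Configurator,
+) upgradetypes.UpgradeHandler {
+return func(ctx context.Context, _ upgradetypes.Plan, vm module.VersionMap) (module.VersionMap, error) {
+logger := log.NewLogger(os.Stderr)
+logger.Info(` _ _ _____ _____ _____ _____ ______ `)
+logger.Info(`| | | | __ \ / ____| __ \ /\ | __ \| ____|`)
+logger.Info(`| | | | |__) | | __| |__) | / \ | | | | |__ `)
+logger.Info(`| | | | ___/| | |_ | _ / / /\ \ | | | | __| `)
+logger.Info(`| |__| | | | |__| | | \ \ / ____ \| |__| | |____ `)
+logger.Info(` \____/|_| \_____|_| \_\/_/ \_\_____/|______|`)
+
+logger.Info(fmt.Sprintf("Running module migrations for %s...", upgradeName))
+
+return mm.RunMigrations(ctx, configurator, vm)
+}
+}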