Merge upstream: add mrenclave publishing form CI #63
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ntegritee-network#1469) * [its-consensus-slots] fix flaky tests, which are due to parallelism * [its-consensus-slots] fix test compilation
…1470) * [GHA] refactor clippy CI and fix clippy OOM * [GHA] remove copy-pasted doc * [GHA] fix yaml syntax * [GHA] fix yaml syntax 2 * [GHA] fmt * [GHA] fix test matrix * [GHA] update test naming * [GHA] free diskspace before running clippy * [GHA] remove freeing diskspace as it doesn't have any effect * [GHA] is --release mode for clippy as the CI runs out of space otherwise.
* add design document with some mermaid diagrams * support enclave signing with changing keypairs at runtime * tame nervous polling of not yet finalized block * shard vault account creation works * prepare vault account getter. not working yet * fix build and add trusted_call dummy for unshielding * fix transfer call indexes * unshieldind dummy with real vault account and proxy call * await vault account creation before registering proxy * proxied unshielding call encodes correctly and would be executed if there were funds * start MU_RA doc diagrams and refactor namings for improved readability * refactoring MU RA functions for better readability. try to extract client pubkey form cert. builds but fails * logging pubkey of counterparty now during MU RA. but seems skip_ra won't behave as expected. punkeys don't match and fill all 64 bytes * add client account to MU RA request * starting to modularize vault logic * secondary worker is registered as a vault proxy now * cleanup * clippy * doc cleanup * doc pimp * cleanup * reverting polling fix which is solved in another PR * fix diagram bug * fix mock test * avoid panic if add_shard_vault_proxy fails * skip shard vault stuff for offchain-worker
* [GHA] introduce a variable for the docker image suffix, and add placeholder for creating the mrenclave stuff. * [GHA] upload mrenclave file * [GHA] transform sgx mode to lowercase for docker image suffix * [GHA] fix cmd * [docker] include sgx_sign utility in worker image and add `mrenclave` command to the `entry_point.sh` * [GHA] use docker run -t integritee-worker mrenclave to get the mrenclave * [GHA] use consistent capitalization * [docker] fix printing the mrenclave * [docker] add newline at the end of the script * [docker] fix printing mrenclave in docker command * [docker] extract the hex value of the mrenclave in entrypoint.sh * [docker] fix grep command * [GHA] grepping in entrypoint doesn't work for some reason, so you we do it in GHA.
# Conflicts: # .github/workflows/build_and_test.yml # Cargo.lock # app-libs/stf/src/trusted_call.rs # enclave-runtime/Cargo.lock
clangenb
commented
Oct 29, 2023
Comment on lines
+105
to
+114
| - name: Create Enclave Digest File | ||
| run: | | ||
| mrenclave_hex=$(docker run integritee-worker-${{ env.IMAGE_SUFFIX }} mrenclave | grep -oP ':\s*\K[a-fA-F0-9]+') | ||
| echo "$mrenclave_hex" > mrenclave-${{ env.IMAGE_SUFFIX }}.hex | ||
| - name: Upload Enclave Digest File | ||
| uses: actions/upload-artifact@v3 | ||
| with: | ||
| name: mrenclave-${{ env.IMAGE_SUFFIX }}.hex | ||
| path: mrenclave-${{ env.IMAGE_SUFFIX }}.hex |
There was a problem hiding this comment.
This is where the digest file is created.
| @@ -46,6 +46,8 @@ jobs: | |||
| run: | | |||
| fingerprint=$RANDOM | |||
| echo "FINGERPRINT=$fingerprint" >> $GITHUB_ENV | |||
| SGX_MODE_LOWERCASE=$(echo "${${{ matrix.sgx_mode }},,}") | |||
| echo "IMAGE_SUFFIX=$SGX_MODE_LOWERCASE-${{ matrix.flavor_id }}-${{ github.sha }}" >> $GITHUB_ENV | |||
There was a problem hiding this comment.
Introduce the IMAGE_SUFFIX environment variable to make the naming less verbose, and make it less error-prone to human errors. The image suffix does now also contain the sgx_mode: SW/HW.
Comment on lines
+49
to
+57
| // Group imports that are for OLI to make upstream merges easier. | ||
| use crate::best_energy_helpers::{ | ||
| storage::merkle_roots_map_key, write_orders, write_results, ORDERS_DIR, RESULTS_DIR, | ||
| }; | ||
| use binary_merkle_tree::merkle_root; | ||
| use itp_stf_primitives::types::OrdersString; | ||
| use simplyr_lib::{pay_as_bid_matching, MarketInput, MarketOutput, Order}; | ||
| use sp_runtime::traits::Keccak256; | ||
| use std::{fs, time::Instant}; |
There was a problem hiding this comment.
Re-organised the import here that are used in the OLI case only, such that upstream merges are a bit easier.
Comment on lines
+5
to
+19
| if [ "$1" = "mrenclave" ]; then | ||
| # If "mrenclave" is provided, execute the corresponding command | ||
| $SGX_ENCLAVE_SIGNER dump \ | ||
| -enclave /usr/local/bin/enclave.signed.so \ | ||
| -dumpfile df.out && \ | ||
| /usr/local/bin/extract_identity < df.out && rm df.out | grep -oP ':\s*\K[a-fA-F0-9]+' | ||
|
|
||
| exec /usr/local/bin/integritee-service "${@}" | ||
| else | ||
| # If no specific command is provided, execute the default unnamed command | ||
|
|
||
| # run aesmd in the background | ||
| /opt/intel/sgx-aesm-service/aesm/aesm_service | ||
|
|
||
| exec /usr/local/bin/integritee-service "${@}" | ||
| fi |
There was a problem hiding this comment.
The docker image has now a new command mrenclave, which will print the mrenclave. Otherwise, it will forward all inputs to the integritee-service and simply run that binary.
|
@m-yahya Some of the CI jobs have been renamed. Can you update the branch protection and remove those that no longer exist? |
m-yahya
approved these changes
Oct 31, 2023
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
After this PR we can add a job to the CI that also builds the worker in
SGX_MODE=HWmore. But I prefer to do this in a separate PR and this one should be a plain upstream merge PR.