Merge branch 'mrenclave3' into mrenclave4

.github/workflows/ci.yaml

@@ -126,7 +126,6 @@ jobs:
           docker run -v $PWD:/opt/mount --rm --entrypoint cp ghcr.io/scrtlabs/localsecret:v0.0.0 /usr/lib/libgo_cosmwasm.so /opt/mount/libgo_cosmwasm.so
           docker run -v $PWD:/opt/mount --rm --entrypoint cp ghcr.io/scrtlabs/localsecret:v0.0.0 /usr/lib/librust_cosmwasm_enclave.signed.so /opt/mount/librust_cosmwasm_enclave.signed.so
           docker run -v $PWD:/opt/mount --rm --entrypoint cp ghcr.io/scrtlabs/localsecret:v0.0.0 /usr/lib/librandom_api.so /opt/mount/librandom_api.so
-          docker run -v $PWD:/opt/mount --rm --entrypoint cp ghcr.io/scrtlabs/localsecret:v0.0.0 /usr/lib/tendermint_enclave.signed.so /opt/mount/tendermint_enclave.signed.so
       - uses: actions/download-artifact@v3
         with:
           name: contract.wasm
@@ -196,7 +195,6 @@ jobs:
           source "$HOME/.sgxsdk/sgxsdk/environment"
           export SGX_MODE=SW
           cp librust_cosmwasm_enclave.signed.so ./x/compute/internal/keeper
-          # cp tendermint_enclave.signed.so ./x/compute/internal/keeper
           mkdir -p ias_keys/develop
           mkdir -p /opt/secret/.sgx_secrets/
           echo "not_a_key" > ias_keys/develop/spid.txt

.github/workflows/release.yaml

@@ -455,12 +455,6 @@ jobs:
         name: Check Mitigation flags in Cosmwasm Enclave
         with:
           version: "v1.9.0"
-      - uses: ./.github/actions/check-objdump
-        name: Check Mitigation flags in TM Enclave
-        with:
-          filename: "tendermint_enclave.signed.so"
-          min-fence: "1000"
-          version: "v1.9.0"
 
   Release:
     needs: [

Makefile

@@ -168,7 +168,7 @@ _build-linux:
 	BUILD_PROFILE=$(BUILD_PROFILE) FEATURES="$(FEATURES)" FEATURES_U="$(FEATURES_U)  light-client-validation go-tests" SGX_MODE="$(SGX_MODE)" $(MAKE) -C go-cosmwasm build-rust
 
 build-tm-secret-enclave:
-	git clone https://github.com/scrtlabs/tm-secret-enclave.git /tmp/tm-secret-enclave || true
+	git clone --branch mrenclave1 https://github.com/scrtlabs/tm-secret-enclave.git /tmp/tm-secret-enclave || true
 	cd /tmp/tm-secret-enclave && git checkout main && git submodule init && git submodule update --remote
 	rustup component add rust-src
 	SGX_MODE=$(SGX_MODE) $(MAKE) -C /tmp/tm-secret-enclave build
@@ -190,7 +190,7 @@ deb-no-compile:
 	chmod +x /tmp/SecretNetwork/deb/$(DEB_BIN_DIR)/secretd /tmp/SecretNetwork/deb/$(DEB_BIN_DIR)/secretcli
 
 	mkdir -p /tmp/SecretNetwork/deb/$(DEB_LIB_DIR)
-	cp -f ./go-cosmwasm/tendermint_enclave.signed.so ./go-cosmwasm/librandom_api.so ./go-cosmwasm/api/libgo_cosmwasm.so ./go-cosmwasm/librust_cosmwasm_enclave.signed.so /tmp/SecretNetwork/deb/$(DEB_LIB_DIR)/
+	cp -f ./go-cosmwasm/librandom_api.so ./go-cosmwasm/api/libgo_cosmwasm.so ./go-cosmwasm/librust_cosmwasm_enclave.signed.so /tmp/SecretNetwork/deb/$(DEB_LIB_DIR)/
 	chmod +x /tmp/SecretNetwork/deb/$(DEB_LIB_DIR)/lib*.so
 
 	mkdir -p /tmp/SecretNetwork/deb/DEBIAN
@@ -468,15 +468,13 @@ prep-go-tests: build-test-contracts bin-data-sw
 
 go-tests: build-test-contracts bin-data-sw
 	# SGX_MODE=SW $(MAKE) build-tm-secret-enclave
-	# cp /tmp/tm-secret-enclave/tendermint_enclave.signed.so ./x/compute/internal/keeper
 	SGX_MODE=SW $(MAKE) build-linux
 	cp ./$(EXECUTE_ENCLAVE_PATH)/librust_cosmwasm_enclave.signed.so ./x/compute/internal/keeper
 	GOMAXPROCS=8 SGX_MODE=SW SCRT_SGX_STORAGE='./' SKIP_LIGHT_CLIENT_VALIDATION=TRUE go test -count 1 -failfast -timeout 90m -v ./x/compute/internal/... $(GO_TEST_ARGS)
 
 go-tests-hw: build-test-contracts bin-data
 	# empty BUILD_PROFILE means debug mode which compiles faster
 	# SGX_MODE=HW $(MAKE) build-tm-secret-enclave
-	# cp /tmp/tm-secret-enclave/tendermint_enclave.signed.so ./x/compute/internal/keeper
 	SGX_MODE=HW $(MAKE) build-linux
 	cp ./$(EXECUTE_ENCLAVE_PATH)/librust_cosmwasm_enclave.signed.so ./x/compute/internal/keeper
 	GOMAXPROCS=8 SGX_MODE=HW SCRT_SGX_STORAGE='./' SKIP_LIGHT_CLIENT_VALIDATION=TRUE go test -v ./x/compute/internal/... $(GO_TEST_ARGS)

README.md

@@ -202,7 +202,7 @@ Before you run your dev node, you need to point to the shared libraries needed b
 ```
 export SCRT_ENCLAVE_DIR=~/SecretNetwork/go-cosmwasm
 ```
-In order to run __secretd__ you need to have built _librust_cosmwasm_enclave.signed.so_ and _tendermint_enclave.so_.
+In order to run __secretd__ you need to have built _librust_cosmwasm_enclave.signed.so_.
 The latter can be built by cloning:
 ```
 git clone git@github.com:scrtlabs/tm-secret-enclave.git ~/tm-secret-enclave
@@ -212,12 +212,8 @@ This repo also uses submodules:
 cd tm-secret-enclave
 git submodule init
 git submodule update --remote
-```
-and build _tendermint_enclave.so_:
-```
 make build-rust
 ```
-You may want to copy _tendermint_enclave.so_ to ~/SecretNetwork/go-cosmwasm
 
 Run `./scripts/start-node.sh`
 

app/ante.go

@@ -2,11 +2,13 @@ package app
 
 import (
 	"cosmossdk.io/core/store"
+	"github.com/cosmos/cosmos-sdk/codec"
 	sdk "github.com/cosmos/cosmos-sdk/types"
 	sdkerrors "github.com/cosmos/cosmos-sdk/types/errors"
 	"github.com/cosmos/cosmos-sdk/x/auth/ante"
 	"github.com/cosmos/ibc-go/v8/modules/core/keeper"
 
+	govkeeper "github.com/cosmos/cosmos-sdk/x/gov/keeper"
 	"github.com/scrtlabs/SecretNetwork/x/compute"
 )
 
@@ -15,6 +17,8 @@ import (
 type HandlerOptions struct {
 	ante.HandlerOptions
 
+	appCodec              codec.Codec
+	govkeeper             govkeeper.Keeper // You'll need the keeper to access stored mrenclave hash
 	IBCKeeper             *keeper.Keeper
 	WasmConfig            *compute.WasmConfig
 	TXCounterStoreService store.KVStoreService
@@ -39,7 +43,7 @@ func NewAnteHandler(options HandlerOptions) (sdk.AnteHandler, error) {
 	}
 
 	anteDecorators := []sdk.AnteDecorator{
-		compute.NewCountTXDecorator(options.TXCounterStoreService),
+		compute.NewCountTXDecorator(options.appCodec, options.govkeeper, options.TXCounterStoreService),
 		ante.NewSetUpContextDecorator(), // outermost AnteDecorator. SetUpContext must be called first
 		ante.NewExtensionOptionsDecorator(nil),
 		ante.NewValidateBasicDecorator(),

app/app.go

@@ -42,6 +42,7 @@ import (
 	"github.com/cosmos/cosmos-sdk/types/module"
 	vestingtypes "github.com/cosmos/cosmos-sdk/x/auth/vesting/types"
 	"github.com/cosmos/cosmos-sdk/x/authz"
+	govkeeper "github.com/cosmos/cosmos-sdk/x/gov/keeper"
 	"github.com/cosmos/gogoproto/proto"
 	icatypes "github.com/cosmos/ibc-go/v8/modules/apps/27-interchain-accounts/types"
 	ibctransfertypes "github.com/cosmos/ibc-go/v8/modules/apps/transfer/types"
@@ -85,6 +86,7 @@ import (
 	upgradetypes "cosmossdk.io/x/upgrade/types"
 	abci "github.com/cometbft/cometbft/abci/types"
 	tmjson "github.com/cometbft/cometbft/libs/json"
+	cmtproto "github.com/cometbft/cometbft/proto/tendermint/types"
 	dbm "github.com/cosmos/cosmos-db"
 	stakingtypes "github.com/cosmos/cosmos-sdk/x/staking/types"
 	stakingkeeper "github.com/cosmos/ibc-go/v8/testing/types"
@@ -177,6 +179,10 @@ func (app *SecretNetworkApp) GetIBCKeeper() *ibckeeper.Keeper {
 	return app.AppKeepers.IbcKeeper
 }
 
+func (app *SecretNetworkApp) GetGovKeeper() *govkeeper.Keeper {
+	return app.AppKeepers.GovKeeper
+}
+
 func (app *SecretNetworkApp) GetScopedIBCKeeper() capabilitykeeper.ScopedKeeper {
 	return app.AppKeepers.ScopedIBCKeeper
 }
@@ -372,6 +378,8 @@ func NewSecretNetworkApp(
 			SignModeHandler: app.txConfig.SignModeHandler(),
 			SigGasConsumer:  ante.DefaultSigVerificationGasConsumer,
 		},
+		appCodec:              app.appCodec,
+		govkeeper:             *app.AppKeepers.GovKeeper,
 		IBCKeeper:             app.AppKeepers.IbcKeeper,
 		WasmConfig:            computeConfig,
 		TXCounterStoreService: app.AppKeepers.ComputeKeeper.GetStoreService(),
@@ -420,6 +428,16 @@ func NewSecretNetworkApp(
 	return app
 }
 
+func (app *SecretNetworkApp) Initialize() {
+
+	ms := app.BaseApp.CommitMultiStore() // cms is the CommitMultiStore in Cosmos SDK apps
+
+	ctx := sdk.NewContext(ms, cmtproto.Header{}, false, app.Logger())
+
+	_ = app.AppKeepers.ComputeKeeper.SetValidatorSetEvidence(ctx)
+	//nolint:errcheck
+}
+
 // Name returns the name of the App
 func (app *SecretNetworkApp) Name() string { return app.BaseApp.Name() }
 

app/upgrades/v1.13/upgrade.go

@@ -38,7 +38,7 @@ func createUpgradeHandler(mm *module.Manager, _ *keepers.SecretAppKeepers, confi
 
 		logger.Info(fmt.Sprintf("Running module migrations for %s...", upgradeName))
 
-		_, err := api.MigrateSealing()
+		_, err := api.MigrationOp(0)
 		if err != nil {
 			return nil, err
 		}

check-hw/src/enclave_api.rs

@@ -24,6 +24,8 @@ extern "C" {
         api_key: *const u8,
         api_key_len: u32,
     ) -> sgx_status_t;
+
+    pub fn ecall_migration_op(opcode: u32) -> sgx_status_t;
 }
 
 // ocalls

check-hw/src/main.rs

@@ -6,7 +6,9 @@ use clap::App;
 use lazy_static::lazy_static;
 use sgx_types::sgx_status_t;
 
-use crate::{enclave_api::ecall_check_patch_level, types::EnclaveDoorbell};
+use crate::{
+    enclave_api::ecall_check_patch_level, enclave_api::ecall_migration_op, types::EnclaveDoorbell,
+};
 
 use enclave_ffi_types::NodeAuthResult;
 
@@ -35,6 +37,13 @@ fn main() {
                 .long("testnet")
                 .help("Run in testnet mode"),
         )
+        .arg(
+            clap::Arg::with_name("migrate_op")
+                .long("migrate_op")
+                .value_name("NUMBER") // Describes the expected value
+                .help("Specify the migrate operation mode")
+                .takes_value(true), // Indicates this flag takes a value
+        )
         .get_matches();
 
     let is_testnet = matches.is_present("testnet");
@@ -68,29 +77,38 @@ fn main() {
     };
 
     let eid = enclave.unwrap().geteid();
-    let mut retval = NodeAuthResult::Success;
-    let status = unsafe {
-        ecall_check_patch_level(
-            eid,
-            &mut retval,
-            api_key_bytes.as_ptr(),
-            api_key_bytes.len() as u32,
-        )
-    };
 
-    if status != sgx_status_t::SGX_SUCCESS {
-        println!(
-            "Failed to run hardware verification test (is the correct enclave in the correct path?)"
-        );
-        return;
-    }
+    if let Some(migrate_op) = matches.value_of("migrate_op") {
+        let op = migrate_op.parse::<u32>().unwrap();
+
+        let status = unsafe { ecall_migration_op(op) };
 
-    if retval != NodeAuthResult::Success {
-        println!("Failed to verify platform. Please see errors above for more info on what needs to be fixed before you can run a mainnet node. \n\
-        If you require assistance or more information, please contact us on Discord or Telegram. In addition, you may use the documentation available at \
-        https://docs.scrt.network
-        ");
+        println!("Migration op reval: {}", status);
     } else {
-        println!("Platform verification successful! You are able to run a mainnet Secret node")
+        let mut retval = NodeAuthResult::Success;
+        let status = unsafe {
+            ecall_check_patch_level(
+                eid,
+                &mut retval,
+                api_key_bytes.as_ptr(),
+                api_key_bytes.len() as u32,
+            )
+        };
+
+        if status != sgx_status_t::SGX_SUCCESS {
+            println!(
+                "Failed to run hardware verification test (is the correct enclave in the correct path?)"
+            );
+            return;
+        }
+
+        if retval != NodeAuthResult::Success {
+            println!("Failed to verify platform. Please see errors above for more info on what needs to be fixed before you can run a mainnet node. \n\
+            If you require assistance or more information, please contact us on Discord or Telegram. In addition, you may use the documentation available at \
+            https://docs.scrt.network
+            ");
+        } else {
+            println!("Platform verification successful! You are able to run a mainnet Secret node")
+        }
     }
 }