v1.0.7 Upgrade (#140)

* feat: add migrations for v1.0.7 upgrade

* feat: add script for simulation of chain upgrade with 1 validator

* feat: add cli command to obtain verification holder by verification id

* fix: fix issue with upgrade handler

* feat: add hack to deploy Arachnid Proxy

* refactor: more meaningful error

* feat: add deployment of Arachnid Deterministic Deployer

* feat: add is_revoked to QueryVerificationsDetailsResponse

* feat: return only non-revoked verification details in x/compliance precompile

* refactor: remove redundant line

* refactor: return in precompile only verifications with active issuers

* refactor: prohibit to convert credential with inactive issuer

* feat: add ffi query to revoke verification

* feat: add precompile handler to revoke verification

* feat: update compliance proxy contract

* test: add test for revocation by issuer

* feat: provide caller address during credential revocation

* feat: add check for caller during credential revocation

* fix: fix issue with invalid non-revocation proof

* feat: add VT_BIOMETRIC verification type

* refactor: remove unused dependencies

* feat: add convertCredential function to precompile interface

* test: add test for converting credential

* feat: add convert credential function signature

* feat: add method to encode convert credential request

* feat: add precompile handler to convert credential

* feat: add cli command to get attached holder public key

* chore: intermediate commit

* feat: add convertCredential method to precompile

* test: fix test for converting v1 verification to v2

* fix: applying fix for pointer problem from CosmWasm/wasmvm#571

* test: add test for non-revocation proof

* refactor: remove unused consts and imports

* refactor: add index variable

* fix: fix build using `make build-docker-local`

* ci: use actions/upload-artifact@v4

* fix: add checks in keeper for max sizes of verification data fields

* test: add test for x/compliance keeper for case with huge original data

* fix: add checks for verification details sizes in compliance_bridge precompile

* feat: start refactoring self attestation to DCAP instead of deprecated EPID

* feat: add DCAP-based self attestation for mainnet / testnet checks

* chore: fix some clippy warnings

* chore: run cargo clippy --fix

.github/workflows/build-ci-multiplatform.yml

@@ -2,7 +2,7 @@ name: Build CI multiplatform
 
 on:
   push:
-    branches: [ develop, '**-release', 'feat/sdi-changes' ]
+    branches: [ develop, '**-release' ]
   workflow_dispatch:
 env:
   BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
@@ -19,7 +19,7 @@ jobs:
       - name: "Build linux-amd64"
         run: make build-linux-cli-amd
       - name: "Upload file"
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: swisstronikcli-linux-amd64
           path: build/swisstronikcli-linux-amd64
@@ -34,7 +34,7 @@ jobs:
       - name: "Build macos-amd64"
         run: make build-macos-cli-amd
       - name: "Upload file"
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: swisstronikcli-macos-amd64
           path: build/swisstronikcli-macos-amd64
@@ -49,7 +49,7 @@ jobs:
       - name: "Build macos-arm64"
         run: make build-macos-cli-arm
       - name: "Upload file"
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: swisstronikcli-macos-arm64
           path: build/swisstronikcli-macos-arm64
@@ -66,7 +66,7 @@ jobs:
       - name: "Build windows-amd64"
         run: make build-windows-cli
       - name: "Upload file"
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: swisstronikcli-windows
           path: build/swisstronikcli-windows

.gitignore

@@ -19,3 +19,9 @@ sgxvm/Enclave_private.pem
 # Other
 **target**
 *run.xml*
+
+# Upgrade testing
+scripts/upgrade/old/
+scripts/upgrade/pid
+scripts/upgrade/*.log
+scripts/upgrade/.swisstronik*

app/app.go

@@ -118,6 +118,7 @@ import (
 	"swisstronik/app/upgrades/v1_0_4"
 	"swisstronik/app/upgrades/v1_0_5"
 	"swisstronik/app/upgrades/v1_0_6"
+	"swisstronik/app/upgrades/v1_0_7"
 	"swisstronik/docs"
 	"swisstronik/encoding"
 	srvflags "swisstronik/server/flags"
@@ -1088,6 +1089,16 @@ func (app *App) setupUpgradeHandlers() {
 		),
 	)
 
+	app.UpgradeKeeper.SetUpgradeHandler(
+		v1_0_7.UpgradeName,
+		v1_0_7.CreateUpgradeHandler(
+			app.ModuleManager,
+			app.ComplianceKeeper,
+			app.EvmKeeper,
+			app.configurator,
+		),
+	)
+
 	// When a planned update height is reached, the old binary will panic
 	// writing on disk the height and name of the update that triggered it
 	// This will read that value, and execute the preparations for the upgrade.

app/upgrades/v1_0_7/constants.go

@@ -0,0 +1,5 @@
+package v1_0_7
+
+const (
+	UpgradeName = "v1.0.7"
+)

app/upgrades/v1_0_7/upgrades.go

@@ -0,0 +1,65 @@
+package v1_0_7
+
+import (
+	sdk "github.com/cosmos/cosmos-sdk/types"
+	"github.com/cosmos/cosmos-sdk/types/module"
+	upgradetypes "github.com/cosmos/cosmos-sdk/x/upgrade/types"
+	"github.com/ethereum/go-ethereum/common"
+	"github.com/ethereum/go-ethereum/common/hexutil"
+	compliancemoduletypes "swisstronik/x/compliance/types"
+	evmkeeper "swisstronik/x/evm/keeper"
+)
+
+func CreateUpgradeHandler(
+	mm *module.Manager,
+	complianceKeeper compliancemoduletypes.ComplianceKeeper,
+	evmkeeper *evmkeeper.Keeper,
+	configurator module.Configurator,
+) upgradetypes.UpgradeHandler {
+	return func(ctx sdk.Context, _ upgradetypes.Plan, vm module.VersionMap) (module.VersionMap, error) {
+		ctx.Logger().Info("Starting module migrations...")
+
+		var migrationError error
+
+		// Link verification id -> holder
+		complianceKeeper.IterateAddressDetails(ctx, func(addr sdk.AccAddress) (continue_ bool) {
+			addressDetails, err := complianceKeeper.GetAddressDetails(ctx, addr)
+			if err != nil {
+				migrationError = err
+				return false
+			}
+
+			for _, verification := range addressDetails.Verifications {
+				if err = complianceKeeper.LinkVerificationToHolder(ctx, addr, verification.VerificationId); err != nil {
+					migrationError = err
+					return false
+				}
+			}
+			return true
+		})
+		if migrationError != nil {
+			return vm, migrationError
+		}
+
+		// Set bytecode of Arachnid Deterministic Deployment Proxy
+		// We use this dirty hack since non-EIP-155 transactions are not allowed
+		// in Swisstronik Network
+		proxyAddress := common.HexToAddress("0x4e59b44847b379578588920cA78FbF26c0B4956C")
+		codeBytes, err := hexutil.Decode("0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe03601600081602082378035828234f58015156039578182fd5b8082525050506014600cf3")
+		if err != nil {
+			return vm, err
+		}
+
+		if err = evmkeeper.SetAccountCode(ctx, proxyAddress, codeBytes); err != nil {
+			return vm, err
+		}
+
+		vm, err = mm.RunMigrations(ctx, configurator, vm)
+		if err != nil {
+			return vm, err
+		}
+
+		ctx.Logger().Info("Upgrade complete")
+		return vm, err
+	}
+}

docker/node.Dockerfile

@@ -1,5 +1,5 @@
 ############ Install Intel SGX SDK & SGX PSW
-FROM ghcr.io/sigmagmbh/sgx:2.19-jammy as base
+FROM ghcr.io/sigmagmbh/sgx:2.23-jammy-554238b as base
 RUN wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | apt-key add -
 RUN apt-get update
 
@@ -18,7 +18,7 @@ RUN curl https://sh.rustup.rs -sSf | bash -s -- -y > /dev/null 2>&1
 RUN cargo install protobuf-codegen --version "2.8.1" -f
 
 # Install golang
-ADD https://go.dev/dl/go1.19.linux-amd64.tar.gz go.linux-amd64.tar.gz
+ADD https://go.dev/dl/go1.22.11.linux-amd64.tar.gz go.linux-amd64.tar.gz
 RUN tar -C /usr/local -xzf go.linux-amd64.tar.gz && rm go.linux-amd64.tar.gz
 RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@latest && \
 	go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest > /dev/null 2>&1
@@ -46,7 +46,7 @@ FROM base as hw-node
 
 COPY --from=compile-chain /root/chain/build/swisstronikd /usr/local/bin/swisstronikd
 COPY --from=compile-chain /root/.swisstronik-enclave /root/.swisstronik-enclave
-COPY --from=compile-chain /root/chain/go-sgxvm/internal/api/libsgx_wrapper_v1.0.7.x86_64.so /lib/x86_64-linux-gnu/libsgx_wrapper_v1.0.5.x86_64.so
+COPY --from=compile-chain /root/chain/go-sgxvm/internal/api/libsgx_wrapper_v1.0.7.x86_64.so /lib/x86_64-linux-gnu/libsgx_wrapper_v1.0.7.x86_64.so
 COPY --from=compile-chain /opt/intel /opt/intel
 
 EXPOSE 26656 26657 1317 9090 8545 8546 8999
@@ -62,11 +62,11 @@ RUN rm -rf /var/lib/apt/lists/*
 
 COPY --from=compile-chain /root/chain/build/swisstronikd /usr/bin/swisstronikd
 COPY --from=compile-chain /root/.swisstronik-enclave /root/.swisstronik-enclave
-COPY --from=compile-chain /root/chain/go-sgxvm/internal/api/libsgx_wrapper_v1.0.7/x86_64.so /lib/x86_64-linux-gnu/libsgx_wrapper_v1.0.5.x86_64.so
+COPY --from=compile-chain /root/chain/go-sgxvm/internal/api/libsgx_wrapper_v1.0.7.x86_64.so /lib/x86_64-linux-gnu/libsgx_wrapper_v1.0.7.x86_64.so
 COPY --from=compile-chain /opt/intel/sgxsdk/sdk_libs/* /lib/x86_64-linux-gnu/
 COPY --from=compile-chain /root/chain/scripts/local-node.sh /root/local-node.sh
 
-RUN /bin/bash /root/local-node.sh
+RUN SWTR_BINARY="/usr/bin/swisstronikd" /bin/bash /root/local-node.sh
 
 EXPOSE 26656 26657 1317 9090 8545 8546 8999
 

go-sgxvm/lib.go

@@ -58,6 +58,10 @@ type QueryRevocationTreeRoot = types.QueryRevocationTreeRoot
 type QueryRevocationTreeRootResponse = types.QueryRevocationTreeRootResponse
 type QueryAddVerificationDetailsV2 = types.QueryAddVerificationDetailsV2
 type QueryAddVerificationDetailsV2Response = types.QueryAddVerificationDetailsV2Response
+type QueryRevokeVerification = types.QueryRevokeVerification
+type QueryRevokeVerificationResponse = types.QueryRevokeVerificationResponse
+type QueryConvertCredential = types.QueryConvertCredential
+type QueryConvertCredentialResponse = types.QueryConvertCredentialResponse
 
 // Storage requests
 type CosmosRequest_GetAccount = types.CosmosRequest_GetAccount
@@ -78,6 +82,8 @@ type CosmosRequest_InsertAccountNonce = types.CosmosRequest_InsertAccountNonce
 type CosmosRequest_IssuanceTreeRoot = types.CosmosRequest_IssuanceTreeRoot
 type CosmosRequest_RevocationTreeRoot = types.CosmosRequest_RevocationTreeRoot
 type CosmosRequest_AddVerificationDetailsV2 = types.CosmosRequest_AddVerificationDetailsV2
+type CosmosRequest_RevokeVerification = types.CosmosRequest_RevokeVerification
+type CosmosRequest_ConvertCredential = types.CosmosRequest_ConvertCredential
 
 // Backend requests
 type CosmosRequest_BlockHash = types.CosmosRequest_BlockHash

go-sgxvm/src/enclave/enclave_api.rs

@@ -6,9 +6,13 @@ use sgx_types::*;
 pub struct EnclaveApi;
 
 impl EnclaveApi {
+    #[cfg(feature = "hardware_mode")]
     pub fn check_node_status(eid: sgx_enclave_id_t) -> Result<(), Error> {
+        let qe_target_info = dcap_utils::get_qe_target_info()?;
+        let quote_size = dcap_utils::get_quote_size()?;
+
         let mut ret_val = sgx_status_t::SGX_ERROR_UNEXPECTED;
-        let res = unsafe { super::ecall_status(eid, &mut ret_val) };
+        let res = unsafe { super::ecall_status(eid, &mut ret_val, &qe_target_info, quote_size) };
 
         match (res, ret_val) {
             (sgx_status_t::SGX_SUCCESS, sgx_status_t::SGX_SUCCESS) => Ok(()),

go-sgxvm/src/enclave/mod.rs

@@ -66,7 +66,12 @@ extern "C" {
         socket_fd: c_int,
     ) -> sgx_status_t;
 
-    pub fn ecall_status(eid: sgx_enclave_id_t, retval: *mut sgx_status_t) -> sgx_status_t;
+    pub fn ecall_status(
+        eid: sgx_enclave_id_t,
+        retval: *mut sgx_status_t,
+        qe_target_info: &sgx_target_info_t,
+        quote_size: u32,
+    ) -> sgx_status_t;
 
     pub fn ecall_request_epoch_keys_dcap(
         eid: sgx_enclave_id_t,
@@ -151,6 +156,7 @@ pub unsafe extern "C" fn handle_initialization_request(
         let result = match request.req {
             Some(req) => {
                 match req {
+                    #[cfg(feature = "hardware_mode")]
                     node::SetupRequest_oneof_req::nodeStatus(_req) => {
                         enclave_api::EnclaveApi::check_node_status(evm_enclave.geteid())?;
                         let response = node::NodeStatusResponse::new();