feat: use nixsgx lib.mkSGXContainer

Signed-off-by: Harald Hoyer <[email protected]>
matter-labs · Jun 10, 2024 · b1991ca · b1991ca
1 parent 4d09d8c
commit b1991ca
Show file tree

Hide file tree

Showing 13 changed files with 147 additions and 347 deletions.
diff --git a/.envrc b/.envrc
@@ -0,0 +1 @@
+use flake .
diff --git a/.github/workflows/build_and_publish_tee.yaml b/.github/workflows/build_and_publish_tee.yaml
@@ -40,25 +40,37 @@ jobs:
       - name: Enable magic Nix cache
         uses: DeterminateSystems/magic-nix-cache-action@main
 
+      - name: nix build
+        run: nix run github:nixos/nixpkgs/nixos-23.11#nixci
+
       - name: Log in to Docker Hub
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USER }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Build base images
+      - name: Build and push Docker images to matterlabsrobot
+        id: build
         run: |
-          nix build -L .#docker-era-fee-withdrawer-azure
+          nix build -L .#container-era-fee-withdrawer-dcap
           export IMAGE_TAG=$(docker load < result | grep -Po 'Loaded image.*: \K.*')
-          echo "Pushing image ${IMAGE_TAG} to Docker Hub"
+          echo "Pushing image ${IMAGE_TAG} to matterlabsrobot Docker Hub"
           docker tag "${IMAGE_TAG}" matterlabsrobot/"${IMAGE_TAG}"
           docker push matterlabsrobot/"${IMAGE_TAG}"
           docker tag matterlabsrobot/"${IMAGE_TAG}" matterlabsrobot/"${IMAGE_TAG%:*}:latest"
           docker push matterlabsrobot/"${IMAGE_TAG%:*}:latest"
-          sed -i -e "s#FROM ${IMAGE_TAG%:*}:latest#FROM matterlabsrobot/${IMAGE_TAG%:*}:latest#g" Dockerfile
+
+          nix build -L .#container-era-fee-withdrawer-azure
+          export IMAGE_TAG=$(docker load < result | grep -Po 'Loaded image.*: \K.*')
+          echo "Pushing image ${IMAGE_TAG} to matterlabsrobot Docker Hub"
+          docker tag "${IMAGE_TAG}" matterlabsrobot/"${IMAGE_TAG}"
+          docker push matterlabsrobot/"${IMAGE_TAG}"
+          docker tag matterlabsrobot/"${IMAGE_TAG}" matterlabsrobot/"${IMAGE_TAG%:*}:latest"
+          docker push matterlabsrobot/"${IMAGE_TAG%:*}:latest"
+          echo "IMAGE_TAG=${IMAGE_TAG}" >> "$GITHUB_OUTPUT"
 
       - name: Generate build ID for Flux Image Automation
-        id: build
+        id: flux
         run: |
           sha=$(git rev-parse --short HEAD)
           ts=$(date +%s%N | cut -b1-13)
@@ -68,14 +80,10 @@ jobs:
         run: |
           gcloud auth configure-docker us-docker.pkg.dev -q
 
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v5
+      - name: Push Docker image to matterlabs-infra
         if: ${{ !startsWith(github.ref, 'refs/tags') }}
-        with:
-          context: .
-          push: true
-          tags: |
-            "us-docker.pkg.dev/matterlabs-infra/matterlabs-docker/fee-withdrawer-v2-tee:latest"
-            "us-docker.pkg.dev/matterlabs-infra/matterlabs-docker/fee-withdrawer-v2-tee:${{ steps.build.outputs.BUILD_ID }}"
-          file: Dockerfile-azure
-          no-cache: true
+        run: |
+          docker tag "${{ steps.build.outputs.IMAGE_TAG}}" "us-docker.pkg.dev/matterlabs-infra/matterlabs-docker/fee-withdrawer-v2-tee:latest"
+          docker push "us-docker.pkg.dev/matterlabs-infra/matterlabs-docker/fee-withdrawer-v2-tee:latest"
+          docker tag "us-docker.pkg.dev/matterlabs-infra/matterlabs-docker/fee-withdrawer-v2-tee:latest" "us-docker.pkg.dev/matterlabs-infra/matterlabs-docker/fee-withdrawer-v2-tee:${{ steps.build.outputs.BUILD_ID }}"
+          docker push "us-docker.pkg.dev/matterlabs-infra/matterlabs-docker/fee-withdrawer-v2-tee:${{ steps.flux.outputs.BUILD_ID }}"
diff --git a/Dockerfile b/Dockerfile
diff --git a/Dockerfile-dcap b/Dockerfile-dcap
diff --git a/README.md b/README.md
@@ -12,22 +12,25 @@ Inside the container:
 $ echo 'experimental-features = nix-command flakes' >> /etc/nix/nix.conf
 $ echo 'sandbox = true' >> /etc/nix/nix.conf
 $ cd /mnt
-$ nix build -L .#docker-era-fee-withdrawer-azure
+$ nix build -L .#container-era-fee-withdrawer-azure
 $ cp result era-fee-withdrawer-azure.tar.gz
 $ exit
 ```
-## Build the Docker image
+## Load the Docker image
 ```bash
 $ docker load < era-fee-withdrawer-azure.tar.gz
-$ docker build --no-cache --progress=plain -t efw -f Dockerfile .
+$ docker run -v $(pwd):/mnt -i --init --rm era-fee-withdrawer-azure:latest "cp era-fee-withdrawer-azure.sig /mnt"
+$ gramine-sgx-sigstruct-view era-fee-withdrawer-azure.sig
 ```
 
 Should output something like:
 ```bash
-[...]
-
-#9 6.572 Measurement:
-#9 6.572     e3ea485757ad903e9a9a71c7363bf56d4cf47db1ccec549f5e98d917b0f34b27
-[...]
+Attributes:
+    mr_signer: c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d
+    mr_enclave: f496995ebf3428638858c315d6194e5578df0ed0cefbcaf67b24d5d9322965bc
+    isv_prod_id: 0
+    isv_svn: 0
+    debug_enclave: False
 ```
-as the github actions build does.
+
+with the same `mr_enclave` as the github actions build does.
diff --git a/container-era-fee-withdrawer.nix b/container-era-fee-withdrawer.nix
@@ -0,0 +1,53 @@
+{ pkgs
+, nixsgx-flake
+, efw
+, tag ? "latest"
+, isAzure ? true
+}:
+let
+  name = if isAzure then "era-fee-withdrawer-azure" else "era-fee-withdrawer-dcap";
+in
+pkgs.callPackage nixsgx-flake.lib.mkSGXContainer {
+  inherit name;
+  inherit tag;
+
+  packages = [ efw.era-fee-withdrawer ];
+  entrypoint = "${efw.era-fee-withdrawer}/bin/era-fee-withdrawer";
+
+  isAzure = true;
+
+  manifest = {
+    loader = {
+      log_level = "error";
+      env = {
+        UV_USE_IO_URING = "0";
+        MISC_FEE_ACCOUNT_PRIVATE_KEY.passthrough = true;
+        OPERATOR_ADDRESS.passthrough = true;
+        WITHDRAWAL_FINALIZER_ETH_ADDRESS.passthrough = true;
+        MISC_RESERVE_FEE_ACCUMULATOR_ADDRESS.passthrough = true;
+        L1_RPC_ADDRESS.passthrough = true;
+        ZKSYNC_WEB3_API_URL.passthrough = true;
+        MISC_MAX_LIQUIDATION_FEE_PERCENT.passthrough = true;
+        LOWER_BOUND_OPERATOR_THRESHOLD.passthrough = true;
+        UPPER_BOUND_OPERATOR_THRESHOLD.passthrough = true;
+        LOWER_BOUND_WITHDRAWER_THRESHOLD.passthrough = true;
+        UPPER_BOUND_WITHDRAWER_THRESHOLD.passthrough = true;
+        LOWER_BOUND_PAYMASTER_THRESHOLD.passthrough = true;
+        UPPER_BOUND_PAYMASTER_THRESHOLD.passthrough = true;
+        # optional env
+        WATCHDOG_ADDRESS.passthrough = true;
+        LOWER_BOUND_WATCHDOG_THRESHOLD.passthrough = true;
+        UPPER_BOUND_WATCHDOG_THRESHOLD.passthrough = true;
+        L1_ETH_TRANSFER_THRESHOLD.passthrough = true;
+        L2_ETH_TRANSFER_THRESHOLD.passthrough = true;
+        CONTRACTS_L2_TESTNET_PAYMASTER_ADDR.passthrough = true;
+      };
+    };
+
+    sgx = {
+      edmm_enable = false;
+      enclave_size = "8G";
+      max_threads = 64;
+    };
+  };
+}
diff --git a/docker-era-fee-withdrawer-azure.nix b/docker-era-fee-withdrawer-azure.nix
diff --git a/docker-era-fee-withdrawer-dcap.nix b/docker-era-fee-withdrawer-dcap.nix
diff --git a/enclave-key.pem b/enclave-key.pem