feat: add zksync_tee_prover and container to nix

``` $ nix build -L .#tee_prover $ nix build -L .#container-tee_prover-dcap $ nix build -L .#container-tee_prover-azure $ export IMAGE_TAG=$(docker load < result | grep -Po 'Loaded image.*: \K.*') $ docker run -i --env GRAMINE_DIRECT=1 --env TEE_API_URL="http://127.0.0.1:3320" --privileged --init $IMAGE_TAG ``` Signed-off-by: Harald Hoyer <[email protected]>
matter-labs · Jul 9, 2024 · 58c1c5d · 58c1c5d
1 parent e652e4d
commit 58c1c5d
Show file tree

Hide file tree

Showing 10 changed files with 969 additions and 209 deletions.
diff --git a/core/bin/zksync_tee_prover/Cargo.toml b/core/bin/zksync_tee_prover/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "zksync_tee_prover"
-version.workspace = true
+version = "0.1.0"
 edition.workspace = true
 authors.workspace = true
 homepage.workspace = true

diff --git a/etc/nix/README.md b/etc/nix/README.md
@@ -0,0 +1,100 @@
+# Declarative and Reproducible builds with Nix
+
+This directory contains the nix build recipes for various components of this project.
+
+## Prerequisites
+
+Install [nix](https://zero-to-nix.com/start/install).
+
+In `~/.config/nix/nix.conf`
+
+```ini
+experimental-features = nix-command flakes
+sandbox = true
+```
+
+or on nixos in `/etc/nixos/configuration.nix` add the following lines:
+
+```nix
+{
+  nix = {
+    extraOptions = ''
+      experimental-features = nix-command flakes
+      sandbox = true
+    '';
+  };
+}
+```
+
+## Build
+
+Build various components of this project with `nix`.
+
+### Prerequisites
+
+Because this repo does not yet natively support `cargo vendor` a workaround is needed:
+
+```
+$ nix build -L .#cargoDeps
+[...]
+import-cargo-lock> To use vendored sources, add this to your .cargo/config.toml for this project:
+import-cargo-lock> ~
+error: hash mismatch in fixed-output derivation '/nix/store/ph988y4kywfxkxslvvs4amzymfn0nv0w-import-cargo-lock.drv':
+         specified: sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
+            got:    sha256-S9RlLQhr+APry5PIqrdcqEV5w4exuzMPbtYnCDWZUM0=
+```
+
+set `cargoHash` in `flake.nix` to the result of the build (here `sha256-S9RlLQhr+APry5PIqrdcqEV5w4exuzMPbtYnCDWZUM0=`).
+
+### Build as the CI would
+
+```shell
+$ nix run github:nixos/nixpkgs/nixos-23.11#nixci
+```
+
+### Build individual parts
+
+```shell
+$ nix build .#zksync_server
+```
+
+or
+
+```shell
+$ nix build .#zksync_server.contract_verifier
+$ nix build .#zksync_server.external_node
+$ nix build .#zksync_server.server
+$ nix build .#zksync_server.snapshots_creator
+$ nix build .#zksync_server.block_reverter
+```
+
+or
+
+```shell
+$ nix build .#tee_prover
+$ nix build .#container-tee_prover-dcap
+$ nix build .#container-tee_prover-azure
+```
+
+## Develop
+
+`nix` can provide the build environment for this project.
+
+```shell
+$ nix develop
+```
+
+optionally create `.envrc` for `direnv` to automatically load the environment when entering the main directory:
+
+```shell
+$ cat <<EOF > .envrc
+use flake .#
+EOF
+$ direnv allow
+```
+
+### Format for commit
+
+```shell
+$ nix run .#fmt
+```
diff --git a/etc/nix/cargo-vendor.nix b/etc/nix/cargo-vendor.nix
@@ -0,0 +1,27 @@
+# patched version of cargo to support `cargo vendor` for vendoring dependencies
+# see https://github.com/matter-labs/zksync-era/issues/1086
+# used as `cargo vendor --no-merge-sources`
+{ pkgs
+, pkg-config
+, rustPlatform
+, openssl
+}:
+pkgs.rustPlatform.buildRustPackage {
+  pname = "cargo-vendor";
+  version = "0.78.0";
+  src = pkgs.fetchFromGitHub {
+    owner = "haraldh";
+    repo = "cargo";
+    rev = "3ee1557d2bd95ca9d0224c5dbf1d1e2d67186455";
+    hash = "sha256-A8xrOG+NmF8dQ7tA9I2vJSNHlYxsH44ZRXdptLblCXk=";
+  };
+  doCheck = false;
+  cargoHash = "sha256-LtuNtdoX+FF/bG5LQc+L2HkFmgCtw5xM/m0/0ShlX2s=";
+  nativeBuildInputs = [
+    pkg-config
+    rustPlatform.bindgenHook
+  ];
+  buildInputs = [
+    openssl
+  ];
+}
diff --git a/etc/nix/container-tee-prover.nix b/etc/nix/container-tee-prover.nix
@@ -0,0 +1,48 @@
+{ pkgs
+, nixsgxLib
+, teepot
+, tee_prover
+, container-name
+, isAzure ? true
+, tag ? null
+}:
+let
+  name = container-name;
+  entrypoint = "${teepot.teepot.tee_key_preexec}/bin/tee-key-preexec";
+in
+nixsgxLib.mkSGXContainer {
+  inherit name;
+  inherit tag;
+
+  packages = [ teepot.teepot.tee_key_preexec tee_prover ];
+  inherit entrypoint;
+  inherit isAzure;
+
+  manifest = {
+    loader = {
+      argv = [
+        entrypoint
+        "${tee_prover}/bin/zksync_tee_prover"
+      ];
+
+      log_level = "error";
+
+      env = {
+        TEE_API_URL.passthrough = true;
+        API_PROMETHEUS_LISTENER_PORT.passthrough = true;
+        API_PROMETHEUS_PUSHGATEWAY_URL.passthrough = true;
+        API_PROMETHEUS_PUSH_INTERVAL_MS.passthrough = true;
+
+        ### DEBUG ###
+        RUST_BACKTRACE = "1";
+        RUST_LOG = "warning,zksync_tee_prover=debug";
+      };
+    };
+
+    sgx = {
+      edmm_enable = false;
+      enclave_size = "32G";
+      max_threads = 128;
+    };
+  };
+}
diff --git a/etc/nix/devshell.nix b/etc/nix/devshell.nix
@@ -0,0 +1,41 @@
+{ pkgs
+, stdenv
+, zksync_server
+, hardeningEnable
+}:
+with pkgs; mkShell.override { inherit stdenv; } {
+  inputsFrom = [ zksync_server ];
+
+  packages = [
+    docker-compose
+    nodejs
+    yarn
+    axel
+    postgresql
+    python3
+    solc
+    sqlx-cli
+    mold
+  ];
+
+  inherit hardeningEnable;
+
+  shellHook = ''
+    export ZKSYNC_HOME=$PWD
+    export PATH=$ZKSYNC_HOME/bin:$PATH
+    export RUSTFLAGS='-C link-arg=-fuse-ld=${pkgs.mold}/bin/mold'
+    export CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_LINKER="clang"
+
+    if [ "x$NIX_LD" = "x" ]; then
+      export NIX_LD=$(<${clangStdenv.cc}/nix-support/dynamic-linker)
+    fi
+    if [ "x$NIX_LD_LIBRARY_PATH" = "x" ]; then
+      export NIX_LD_LIBRARY_PATH="$ZK_NIX_LD_LIBRARY_PATH"
+    else
+      export NIX_LD_LIBRARY_PATH="$NIX_LD_LIBRARY_PATH:$ZK_NIX_LD_LIBRARY_PATH"
+    fi
+  '';
+
+  ZK_NIX_LD_LIBRARY_PATH = lib.makeLibraryPath [ ];
+}
+
diff --git a/etc/nix/import-cargo-lock.nix b/etc/nix/import-cargo-lock.nix
@@ -0,0 +1,27 @@
+{ lib
+, cacert
+, runCommand
+, src
+, cargo-vendor
+, cargoHash ? null
+}:
+runCommand "import-cargo-lock"
+{
+  inherit src;
+  nativeBuildInputs = [ cargo-vendor cacert ];
+  preferLocalBuild = true;
+  outputHashMode = "recursive";
+  outputHashAlgo = "sha256";
+  outputHash = if cargoHash != null then cargoHash else lib.fakeSha256;
+}
+  ''
+    mkdir -p $out/.cargo
+    mkdir -p $out/cargo-vendor-dir
+
+    HOME=$(pwd)
+    pushd $src
+    HOME=$HOME cargo vendor --no-merge-sources $out/cargo-vendor-dir > $out/.cargo/config
+    sed -i -e "s#$out#import-cargo-lock#g" $out/.cargo/config
+    cp Cargo.lock $out/Cargo.lock
+    popd
+  ''
diff --git a/etc/nix/tee-prover.nix b/etc/nix/tee-prover.nix
@@ -0,0 +1,24 @@
+{ pkgs
+, stdenv
+, nativeBuildInputs
+, buildInputs
+, src
+, cargoDeps
+, hardeningEnable
+, versionSuffix
+}:
+stdenv.mkDerivation {
+  pname = "zksync_tee_prover";
+  version = (builtins.fromTOML (builtins.readFile ../../core/bin/zksync_tee_prover/Cargo.toml)).package.version + versionSuffix;
+
+  updateAutotoolsGnuConfigScriptsPhase = ":";
+
+  inherit nativeBuildInputs;
+  inherit buildInputs;
+  inherit src;
+  inherit cargoDeps;
+  inherit hardeningEnable;
+
+  cargoBuildFlags = "--bin zksync_tee_prover";
+  cargoBuildType = "release";
+}
diff --git a/etc/nix/zksync-server.nix b/etc/nix/zksync-server.nix
@@ -0,0 +1,54 @@
+{ pkgs
+, stdenv
+, nativeBuildInputs
+, buildInputs
+, src
+, cargoDeps
+, hardeningEnable
+, versionSuffix
+}:
+stdenv.mkDerivation {
+  pname = "zksync";
+  version = (builtins.fromTOML (builtins.readFile ../../core/bin/zksync_server/Cargo.toml)).package.version + versionSuffix;
+
+  updateAutotoolsGnuConfigScriptsPhase = ":";
+
+  inherit nativeBuildInputs;
+  inherit buildInputs;
+  inherit src;
+  inherit cargoDeps;
+  inherit hardeningEnable;
+
+  cargoBuildFlags = "--all";
+  cargoBuildType = "release";
+
+  outputs = [
+    "out"
+    "contract_verifier"
+    "external_node"
+    "server"
+    "snapshots_creator"
+    "block_reverter"
+  ];
+
+  postInstall = ''
+    mkdir -p $out/nix-support
+    for i in $outputs; do
+      [[ $i == "out" ]] && continue
+      mkdir -p "''${!i}/bin"
+      echo "''${!i}" >> $out/nix-support/propagated-user-env-packages
+      if [[ -e "$out/bin/zksync_$i" ]]; then
+        mv "$out/bin/zksync_$i" "''${!i}/bin"
+      else
+        mv "$out/bin/$i" "''${!i}/bin"
+      fi
+    done
+
+    mkdir -p $external_node/nix-support
+    echo "block_reverter" >> $external_node/nix-support/propagated-user-env-packages
+
+    mv $out/bin/merkle_tree_consistency_checker $server/bin
+    mkdir -p $server/nix-support
+    echo "block_reverter" >> $server/nix-support/propagated-user-env-packages
+  '';
+}