diff --git a/core/bin/zksync_tee_prover/Cargo.toml b/core/bin/zksync_tee_prover/Cargo.toml
index d0565eee35a8..e6fa61fab705 100644
--- a/core/bin/zksync_tee_prover/Cargo.toml
+++ b/core/bin/zksync_tee_prover/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "zksync_tee_prover"
-version.workspace = true
+version = "0.1.0"
 edition.workspace = true
 authors.workspace = true
 homepage.workspace = true
diff --git a/flake.lock b/flake.lock
index 8b345701bbc6..6fb7e623e749 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,75 @@ { "nodes": { + "crane": { + "inputs": { + "nixpkgs": [ + "teepot-flake", + "nixsgx-flake", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1716156051, + "narHash": "sha256-TjUX7WWRcrhuUxDHsR8pDR2N7jitqZehgCVSy3kBeS8=", + "owner": "ipetkov", + "repo": "crane", + "rev": "7443df1c478947bf96a2e699209f53b2db26209d", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_3": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems" 
@@ -18,10 +88,103 @@ "type": "github" } }, + "flake-utils-plus": { + "inputs": { + "flake-utils": "flake-utils_2" + }, + "locked": { + "lastModified": 1715533576, + "narHash": "sha256-fT4ppWeCJ0uR300EH3i7kmgRZnAVxrH+XtK09jQWihk=", + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f", + "type": "github" + }, + "original": { + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f", + "type": "github" + } + }, + "flake-utils-plus_2": { + "inputs": { + "flake-utils": "flake-utils_3" + }, + "locked": { + "lastModified": 1715533576, + "narHash": "sha256-fT4ppWeCJ0uR300EH3i7kmgRZnAVxrH+XtK09jQWihk=", + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f", + "type": "github" + }, + "original": { + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f", + "type": "github" + } + }, + "flake-utils-plus_3": { + "inputs": { + "flake-utils": "flake-utils_6" + }, + "locked": { + "lastModified": 1715533576, + "narHash": "sha256-fT4ppWeCJ0uR300EH3i7kmgRZnAVxrH+XtK09jQWihk=", + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f", + "type": "github" + }, + "original": { + "owner": "gytis-ivaskevicius", + "repo": "flake-utils-plus", + "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f", + "type": "github" + } + }, "flake-utils_2": { "inputs": { "systems": "systems_2" }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { + "inputs": { + "systems": "systems_3" + }, + "locked": { + "lastModified": 
1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_4": { + "inputs": { + "systems": "systems_4" + }, "locked": { "lastModified": 1705309234, "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", @@ -36,13 +199,49 @@ "type": "github" } }, + "flake-utils_5": { + "inputs": { + "systems": "systems_5" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_6": { + "inputs": { + "systems": "systems_6" + }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "nixpkgs": { "locked": { - "lastModified": 1717952948, - "narHash": "sha256-mJi4/gjiwQlSaxjA6AusXBN/6rQRaPCycR7bd8fydnQ=", + "lastModified": 1719956923, + "narHash": "sha256-nNJHJ9kfPdzYsCOlHOnbiiyKjZUW5sWbwx3cakg3/C4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2819fffa7fa42156680f0d282c60d81e8fb185b7", + "rev": "706eef542dec88cc0ed25b9075d3037564b2d164", "type": "github" }, "original": { 
@@ -54,11 +253,27 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1706487304, - "narHash": "sha256-LE8lVX28MV2jWJsidW13D2qrHU/RUUONendL2Q/WlJg=", + "lastModified": 1719707984, + "narHash": "sha256-RoxIr/fbndtuKqulGvNCcuzC6KdAib85Q8gXnjzA1dw=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "7dca15289a1c2990efbe4680f0923ce14139b042", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1718428119, + "narHash": "sha256-WdWDpNaq6u1IPtxtYHHWpl5BmabtpmLnMAx0RdJ/vo8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "90f456026d284c22b3e3497be980b2e47d0b28ac", + "rev": "e6cea36f83499eb4e9cd184c8a8e823296b50ad5", "type": "github" }, "original": { 
@@ -68,24 +283,114 @@ "type": "github" } }, + "nixpkgs_4": { + "locked": { + "lastModified": 1719707984, + "narHash": "sha256-RoxIr/fbndtuKqulGvNCcuzC6KdAib85Q8gXnjzA1dw=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "7dca15289a1c2990efbe4680f0923ce14139b042", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_5": { + "locked": { + "lastModified": 1717281328, + "narHash": "sha256-evZPzpf59oNcDUXxh2GHcxHkTEG4fjae2ytWP85jXRo=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "b3b2b28c1daa04fe2ae47c21bb76fd226eac4ca1", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixsgx-flake": { + "inputs": { + "nixpkgs": "nixpkgs_2", + "snowfall-lib": "snowfall-lib" + }, + "locked": { + "lastModified": 1719923509, + "narHash": "sha256-3buuJSKCVT0o42jpreoflYA+Rlp/4eQKATEAY+pPeh8=", + "owner": "matter-labs", + "repo": "nixsgx", + "rev": "520ad6227523c5720468726f9e945cecdb7a37aa", + "type": "github" + }, + "original": { + "owner": "matter-labs", + "repo": "nixsgx", + "type": "github" + } + }, + "nixsgx-flake_2": { + "inputs": { + "nixpkgs": "nixpkgs_4", + "snowfall-lib": "snowfall-lib_2" + }, + "locked": { + "lastModified": 1719916365, + "narHash": "sha256-RzCFbGAHq6rTY4ctrmazGIx59qXtfrVfEnIe+L0leTo=", + "owner": "matter-labs", + "repo": "nixsgx", + "rev": "0309a20ee5bf12b7390aa6795409b448420e80f2", + "type": "github" + }, + "original": { + "owner": "matter-labs", + "repo": "nixsgx", + "type": "github" + } + }, + "nixsgx-flake_3": { + "inputs": { + "nixpkgs": "nixpkgs_5", + "snowfall-lib": "snowfall-lib_3" + }, + "locked": { + "lastModified": 1717758565, + "narHash": "sha256-yscuZ3ixjwTkqS6ew5cB3Uvy9e807szRlMoPSyQuRJM=", + "owner": "matter-labs", + "repo": "nixsgx", + "rev": "49a1ae79d92ccb6ed7cabfe5c5042b1399e3cd3e", + "type": "github" + }, + "original": { + "owner": "matter-labs", + "repo": 
"nixsgx", + "type": "github" + } + }, "root": { "inputs": { "flake-utils": "flake-utils", "nixpkgs": "nixpkgs", - "rust-overlay": "rust-overlay" + "nixsgx-flake": "nixsgx-flake", + "rust-overlay": "rust-overlay", + "teepot-flake": "teepot-flake" } }, "rust-overlay": { "inputs": { - "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_3" }, "locked": { - "lastModified": 1718072316, - "narHash": "sha256-p33h73iQ1HkLalCplV5MH0oP3HXRaH3zufnFqb5//ps=", + "lastModified": 1720059535, + "narHash": "sha256-h/O3PoV3KvQG4tC5UpANBZOsptAZCzEGiwyi+3oSpYc=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "bedc47af18fc41bb7d2edc2b212d59ca36253f59", + "rev": "8deeed2dfa21837c7792b46b6a9b2e73f97b472b", "type": "github" }, "original": { 
@@ -94,6 +399,101 @@ "type": "github" } }, + "rust-overlay_2": { + "inputs": { + "flake-utils": "flake-utils_4", + "nixpkgs": [ + "teepot-flake", + "nixsgx-flake", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1717985971, + "narHash": "sha256-24h/qKp0aeI+Ew13WdRF521kY24PYa5HOvw0mlrABjk=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "abfe5b3126b1b7e9e4daafc1c6478d17f0b584e7", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "snowfall-lib": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils-plus": "flake-utils-plus", + "nixpkgs": [ + "nixsgx-flake", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719005984, + "narHash": "sha256-mpFl3Jv4fKnn+5znYXG6SsBjfXHJdRG5FEqNSPx0GLA=", + "owner": "snowfallorg", + "repo": "lib", + "rev": "c6238c83de101729c5de3a29586ba166a9a65622", + "type": "github" + }, + "original": { + "owner": "snowfallorg", + "repo": "lib", + "type": "github" + } + }, + "snowfall-lib_2": { + "inputs": { + "flake-compat": "flake-compat_2", + "flake-utils-plus": "flake-utils-plus_2", + "nixpkgs": [ + "teepot-flake", + "nixsgx-flake", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719005984, + "narHash": "sha256-mpFl3Jv4fKnn+5znYXG6SsBjfXHJdRG5FEqNSPx0GLA=", + "owner": "snowfallorg", + "repo": "lib", + "rev": "c6238c83de101729c5de3a29586ba166a9a65622", + "type": "github" + }, + "original": { + "owner": "snowfallorg", + "repo": "lib", + "type": "github" + } + }, + "snowfall-lib_3": { + "inputs": { + "flake-compat": "flake-compat_3", + "flake-utils-plus": "flake-utils-plus_3", + "nixpkgs": [ + "teepot-flake", + "vault-auth-tee-flake", + "nixsgx-flake", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1716675292, + "narHash": "sha256-7TFvVE4HR/b65/0AAhewYHEJzUXxIEJn82ow5bCkrDo=", + "owner": "snowfallorg", + "repo": "lib", + "rev": "5d6e9f235735393c28e1145bec919610b172a20f", + "type": "github" + }, + "original": { + "owner": "snowfallorg", + 
"repo": "lib", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1681028828, 
@@ -123,6 +523,121 @@ "repo": "default", "type": "github" } + }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_4": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_5": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_6": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "teepot-flake": { + "inputs": { + "crane": "crane", + "nixpkgs": [ + "teepot-flake", + "nixsgx-flake", + "nixpkgs" + ], + "nixsgx-flake": "nixsgx-flake_2", + "rust-overlay": "rust-overlay_2", + "snowfall-lib": [ + "teepot-flake", + "nixsgx-flake", + "snowfall-lib" + ], + "vault-auth-tee-flake": "vault-auth-tee-flake" + }, + "locked": { + "lastModified": 1720011517, + "narHash": "sha256-1oo9Z47CNdqDgtGNE1LC+6CQ+VXcy7TtFFnvifBnVLE=", + "owner": "matter-labs", + "repo": "teepot", + "rev": "8dadc1f76b7dd8a98be7781e8206fed5268dd0e6", + "type": "github" + 
}, + "original": { + "owner": "matter-labs", + "repo": "teepot", + "type": "github" + } + }, + "vault-auth-tee-flake": { + "inputs": { + "flake-utils": "flake-utils_5", + "nixpkgs": [ + "teepot-flake", + "nixsgx-flake", + "nixpkgs" + ], + "nixsgx-flake": "nixsgx-flake_3" + }, + "locked": { + "lastModified": 1718012107, + "narHash": "sha256-uKiUBaEOj9f3NCn6oTw5VqoZJxsTXSoAn2IWVB/LSS0=", + "owner": "matter-labs", + "repo": "vault-auth-tee", + "rev": "b10204436bc2fbad74c5716bd265fad74acc197c", + "type": "github" + }, + "original": { + "owner": "matter-labs", + "repo": "vault-auth-tee", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 0287d4cf09d1..f0eea632bc6e 100644 --- a/flake.nix +++ b/flake.nix @@ -1,5 +1,7 @@ ################################################################################################### # +# Because this repo does not natively support `cargo vendor` a workaround is needed: +# # To build the rust components with this flake, run: # $ nix build .#cargoDeps # set `cargoHash` below to the result of the build @@ -11,6 +13,9 @@ # $ nix build .#zksync_server.server # $ nix build .#zksync_server.snapshots_creator # $ nix build .#zksync_server.block_reverter +# $ nix build .#tee_prover +# $ nix build .#container-tee_prover-dcap +# $ nix build .#container-tee_prover-azure # # To enter the development shell, run: # $ nix develop 
@@ -21,108 +26,89 @@ ################################################################################################### { description = "ZKsync-era"; + + nixConfig = { + extra-substituters = [ "https://attic.teepot.org/tee-pot" ]; + extra-trusted-public-keys = [ "tee-pot:SS6HcrpG87S1M6HZGPsfo7d1xJccCGev7/tXc5+I4jg=" ]; + }; + inputs = { + teepot-flake.url = "github:matter-labs/teepot"; + nixsgx-flake.url = "github:matter-labs/nixsgx"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05"; flake-utils.url = "github:numtide/flake-utils"; rust-overlay.url = "github:oxalica/rust-overlay"; }; - outputs = { self, nixpkgs, flake-utils, rust-overlay }: - flake-utils.lib.eachDefaultSystem (system: - let - ########################################################################################### - # This changes every time `Cargo.lock` changes. Set to `null` to force re-vendoring - cargoHash = null; - # cargoHash = "sha256-LloF3jrvFkOlZ2lQXB+/sFthfJQLLu8BvHBE88gRvFc="; - ########################################################################################### - officialRelease = false; - - versionSuffix = - if officialRelease - then "" - else "pre${builtins.substring 0 8 (self.lastModifiedDate or self.lastModified or "19700101")}_${self.shortRev or "dirty"}"; - - pkgs = import nixpkgs { inherit system; overlays = [ rust-overlay.overlays.default ]; }; - - # patched version of cargo to support `cargo vendor` for vendoring dependencies - # see https://github.com/matter-labs/zksync-era/issues/1086 - # used as `cargo vendor --no-merge-sources` - cargo-vendor = pkgs.rustPlatform.buildRustPackage { - pname = "cargo-vendor"; - version = "0.78.0"; - src = pkgs.fetchFromGitHub { - owner = "haraldh"; - repo = "cargo"; - rev = "3ee1557d2bd95ca9d0224c5dbf1d1e2d67186455"; - hash = "sha256-A8xrOG+NmF8dQ7tA9I2vJSNHlYxsH44ZRXdptLblCXk="; + + outputs = { self, nixpkgs, teepot-flake, nixsgx-flake, flake-utils, rust-overlay }: + let + 
########################################################################################### + # This changes every time `Cargo.lock` changes. Set to `null` to force re-vendoring + cargoHash = null; + # cargoHash = "sha256-S9RlLQhr+APry5PIqrdcqEV5w4exuzMPbtYnCDWZUM0="; + ########################################################################################### + officialRelease = false; + hardeningEnable = [ "fortify3" "pie" "relro" ]; + + out = system: + let + pkgs = import nixpkgs { + inherit system; + overlays = [ + rust-overlay.overlays.default + nixsgx-flake.overlays.default + teepot-flake.overlays.default + ]; }; - doCheck = false; - cargoHash = "sha256-LtuNtdoX+FF/bG5LQc+L2HkFmgCtw5xM/m0/0ShlX2s="; - nativeBuildInputs = [ - pkgs.pkg-config - pkgs.rustPlatform.bindgenHook - ]; - buildInputs = [ - pkgs.openssl - ]; - }; - # custom import-cargo-lock to import Cargo.lock file and vendor dependencies - # see https://github.com/matter-labs/zksync-era/issues/1086 - import-cargo-lock = { lib, cacert, runCommand }: { src, cargoHash ? 
null }: - runCommand "import-cargo-lock" - { - inherit src; - nativeBuildInputs = [ cargo-vendor cacert ]; - preferLocalBuild = true; - outputHashMode = "recursive"; - outputHashAlgo = "sha256"; - outputHash = if cargoHash != null then cargoHash else lib.fakeSha256; - } - '' - mkdir -p $out/.cargo - mkdir -p $out/cargo-vendor-dir - - HOME=$(pwd) - pushd ${src} - HOME=$HOME cargo vendor --no-merge-sources $out/cargo-vendor-dir > $out/.cargo/config - sed -i -e "s#$out#import-cargo-lock#g" $out/.cargo/config - cp $(pwd)/Cargo.lock $out/Cargo.lock - popd - '' - ; - cargoDeps = pkgs.buildPackages.callPackage import-cargo-lock { } { inherit src; inherit cargoHash; }; - - rustVersion = pkgs.rust-bin.fromRustupToolchainFile ./rust-toolchain; - - stdenv = pkgs.stdenvAdapters.useMoldLinker pkgs.clangStdenv; - - rustPlatform = pkgs.makeRustPlatform { - cargo = rustVersion; - rustc = rustVersion; - inherit stdenv; - }; - zksync_server_cargoToml = builtins.fromTOML (builtins.readFile ./core/bin/zksync_server/Cargo.toml); - - hardeningEnable = [ "fortify3" "pie" "relro" ]; - - src = with pkgs.lib.fileset; toSource { - root = ./.; - fileset = unions [ - ./Cargo.lock - ./Cargo.toml - ./core - ./prover - ./.github/release-please/manifest.json - ]; - }; + appliedOverlay = self.overlays.default pkgs pkgs; + in + { + formatter = pkgs.nixpkgs-fmt; - zksync_server = with pkgs; stdenv.mkDerivation { - pname = "zksync"; - version = zksync_server_cargoToml.package.version + versionSuffix; + packages = { + # to ease potential cross-compilation, the overlay is used + inherit (appliedOverlay.zksync-era) zksync_server tee_prover container-tee_prover-azure container-tee_prover-dcap; + default = appliedOverlay.zksync-era.zksync_server; + }; - updateAutotoolsGnuConfigScriptsPhase = ":"; + devShells.default = appliedOverlay.zksync-era.devShell; + }; + in + flake-utils.lib.eachDefaultSystem out // { + overlays.default = final: prev: + # to ease potential cross-compilation, the overlay is used + let 
+ pkgs = final; + + versionSuffix = + if officialRelease + then "" + else "pre${builtins.substring 0 8 (self.lastModifiedDate or self.lastModified or "19700101")}_${self.shortRev or "dirty"}"; + + rustVersion = pkgs.rust-bin.fromRustupToolchainFile ./rust-toolchain; + + stdenv = pkgs.stdenvAdapters.useMoldLinker pkgs.clangStdenv; + + rustPlatform = pkgs.makeRustPlatform { + cargo = rustVersion; + rustc = rustVersion; + inherit stdenv; + }; - nativeBuildInputs = [ + src = with pkgs.lib.fileset; toSource { + root = ./.; + fileset = unions [ + ./Cargo.lock + ./Cargo.toml + ./core + ./prover + ./zk_toolbox + ./.github/release-please/manifest.json + ]; + }; + + nativeBuildInputs = with pkgs;[ pkg-config rustPlatform.bindgenHook rustPlatform.cargoSetupHook 
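Review bot: Nothing in the new `nixConfig` block says who operates `https://attic.teepot.org/tee-pot` or who holds the `tee-pot:` key listed in `extra-trusted-public-keys`, yet anyone who accepts this flake's config will trust that key. A trusted key is honoured for any store path the cache serves, not only the teepot/nixsgx outputs, so this widens the trust base of every build from this flake, including the `tee_prover` containers whose value rests on a build that can be reproduced from pinned sources. I would add a comment above the block, e.g. `# Binary cache for prebuilt teepot/nixsgx outputs, operated by <owner>; only applies if the user accepts flake config.`, and state that images meant for attestation are built without substituting from it.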
@@ -130,100 +116,57 @@ rustPlatform.cargoInstallHook ]; - buildInputs = [ + buildInputs = with pkgs;[ libclang openssl snappy.dev lz4.dev bzip2.dev ]; - - inherit src; - cargoBuildFlags = "--all"; - cargoBuildType = "release"; - - inherit cargoDeps; - - inherit hardeningEnable; - - outputs = [ - "out" - "contract_verifier" - "external_node" - "server" - "snapshots_creator" - "block_reverter" - ]; - - postInstall = '' - mkdir -p $out/nix-support - for i in $outputs; do - [[ $i == "out" ]] && continue - mkdir -p "''${!i}/bin" - echo "''${!i}" >> $out/nix-support/propagated-user-env-packages - if [[ -e "$out/bin/zksync_$i" ]]; then - mv "$out/bin/zksync_$i" "''${!i}/bin" - else - mv "$out/bin/$i" "''${!i}/bin" - fi - done - - mkdir -p $external_node/nix-support - echo "block_reverter" >> $external_node/nix-support/propagated-user-env-packages - - mv $out/bin/merkle_tree_consistency_checker $server/bin - mkdir -p $server/nix-support - echo "block_reverter" >> $server/nix-support/propagated-user-env-packages - ''; - }; - in - { - formatter = pkgs.nixpkgs-fmt; - - packages = { - inherit zksync_server; - default = zksync_server; - inherit cargo-vendor; - inherit cargoDeps; - }; - - devShells = with pkgs; { - default = pkgs.mkShell.override { inherit stdenv; } { - inputsFrom = [ zksync_server ]; - - packages = [ - docker-compose - nodejs - yarn - axel - postgresql - python3 - solc - sqlx-cli - mold - ]; - - inherit hardeningEnable; - - shellHook = '' - export ZKSYNC_HOME=$PWD - export PATH=$ZKSYNC_HOME/bin:$PATH - export RUSTFLAGS='-C link-arg=-fuse-ld=${pkgs.mold}/bin/mold' - export CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_LINKER="clang" - - if [ "x$NIX_LD" = "x" ]; then - export NIX_LD="$(<${clangStdenv.cc}/nix-support/dynamic-linker)" - fi - if [ "x$NIX_LD_LIBRARY_PATH" = "x" ]; then - export NIX_LD_LIBRARY_PATH="$ZK_NIX_LD_LIBRARY_PATH" - else - export NIX_LD_LIBRARY_PATH="$NIX_LD_LIBRARY_PATH:$ZK_NIX_LD_LIBRARY_PATH" - fi - ''; - - ZK_NIX_LD_LIBRARY_PATH = 
lib.makeLibraryPath [ ]; + cargo-vendor = pkgs.callPackage ./nix/cargo-vendor.nix { }; + cargoDeps = pkgs.callPackage ./nix/import-cargo-lock.nix { + inherit src; + inherit cargoHash; + inherit cargo-vendor; + }; + in + { + zksync-era = rec{ + devShell = pkgs.callPackage ./nix/devshell.nix { + inherit stdenv; + inherit zksync_server; + inherit hardeningEnable; + }; + + zksync_server = pkgs.callPackage ./nix/zksync-server.nix { + inherit src; + inherit nativeBuildInputs; + inherit buildInputs; + inherit hardeningEnable; + inherit versionSuffix; + inherit cargoDeps; + }; + tee_prover = pkgs.callPackage ./nix/tee-prover.nix { + inherit src; + inherit nativeBuildInputs; + inherit buildInputs; + inherit hardeningEnable; + inherit versionSuffix; + inherit cargoDeps; + }; + + container-tee_prover-azure = pkgs.callPackage ./nix/container-tee-prover.nix { + inherit tee_prover; + isAzure = true; + container-name = "zksync-tee_prover-azure"; + }; + container-tee_prover-dcap = pkgs.callPackage ./nix/container-tee-prover.nix { + inherit tee_prover; + isAzure = false; + container-name = "zksync-tee_prover-dcap"; + }; }; }; - }); + }; } diff --git a/nix/cargo-vendor.nix b/nix/cargo-vendor.nix new file mode 100644 index 000000000000..f216667d1e41 --- /dev/null +++ b/nix/cargo-vendor.nix 
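Review bot: `cargoDeps` and `cargo-vendor` are still bound in the overlay's `let`, but the new `zksync-era = rec{` set does not expose them, and the `packages` list in the previous hunk inherits only `zksync_server tee_prover container-tee_prover-azure container-tee_prover-dcap`. The header comment of flake.nix still tells the reader to run `nix build .#cargoDeps` and copy the result into `cargoHash`, so the documented command no longer resolves. With `cargoHash = null` falling back to `lib.fakeSha256` in nix/import-cargo-lock.nix, that step is how the vendored crate set gets its hash. Adding `inherit cargoDeps cargo-vendor;` inside `zksync-era` and appending the same two names to the `inherit (appliedOverlay.zksync-era) …` list would restore the outputs the old flake exported.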
@@ -0,0 +1,27 @@
+# patched version of cargo to support `cargo vendor` for vendoring dependencies
+# see https://github.com/matter-labs/zksync-era/issues/1086
+# used as `cargo vendor --no-merge-sources`
+{ pkgs
+, pkg-config
+, rustPlatform
+, openssl
+}:
+pkgs.rustPlatform.buildRustPackage {
+ pname = "cargo-vendor";
+ version = "0.78.0";
+ src = pkgs.fetchFromGitHub {
+ owner = "haraldh";
+ repo = "cargo";
+ rev = "3ee1557d2bd95ca9d0224c5dbf1d1e2d67186455";
+ hash = "sha256-A8xrOG+NmF8dQ7tA9I2vJSNHlYxsH44ZRXdptLblCXk=";
+ };
+ doCheck = false;
+ cargoHash = "sha256-LtuNtdoX+FF/bG5LQc+L2HkFmgCtw5xM/m0/0ShlX2s=";
+ nativeBuildInputs = [
+ pkg-config
+ rustPlatform.bindgenHook
+ ];
+ buildInputs = [
+ openssl
+ ];
+}
diff --git a/nix/container-tee-prover.nix b/nix/container-tee-prover.nix
new file mode 100644
index 000000000000..ab2b12c48db0
--- /dev/null
+++ b/nix/container-tee-prover.nix
@@ -0,0 +1,48 @@
+{ pkgs
+, nixsgxLib
+, teepot
+, tee_prover
+, container-name
+, isAzure ? true
+, tag ? null
+}:
+let
+ name = container-name;
+ entrypoint = "${teepot.teepot.tee_key_preexec}/bin/tee-key-preexec";
+in
+nixsgxLib.mkSGXContainer {
+ inherit name;
+ inherit tag;
+
+ packages = [ teepot.teepot.tee_key_preexec tee_prover ];
+ inherit entrypoint;
+ inherit isAzure;
+
+ manifest = {
+ loader = {
+ argv = [
+ entrypoint
+ "${tee_prover}/bin/zksync_tee_prover"
+ ];
+
+ log_level = "error";
+
+ env = {
+ TEE_API_URL.passthrough = true;
+ API_PROMETHEUS_LISTENER_PORT.passthrough = true;
+ API_PROMETHEUS_PUSHGATEWAY_URL.passthrough = true;
+ API_PROMETHEUS_PUSH_INTERVAL_MS.passthrough = true;
+
+ ### DEBUG ###
+ RUST_BACKTRACE = "1";
+ RUST_LOG = "warning,zksync_tee_prover=debug";
+ };
+ };
+
+ sgx = {
+ edmm_enable = false;
+ enclave_size = "32G";
+ max_threads = 128;
+ };
+ };
+}
diff --git a/nix/devshell.nix b/nix/devshell.nix
new file mode 100644
index 000000000000..bccf58e50e75
--- /dev/null
+++ b/nix/devshell.nix
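Review bot: The header comment of nix/cargo-vendor.nix says this is a patched cargo but not what the patch changes or which upstream revision it sits on, and the source is a personal fork (`haraldh/cargo`) built with `doCheck = false`. The `rev` and `hash` pin the content, which is the important part, but this binary is the one nix/import-cargo-lock.nix runs inside a fixed-output derivation, so whoever bumps the pin needs to know what to diff against. I would extend the comment with a line such as `# fork of rust-lang/cargo at <upstream tag> plus <what the patch changes>; diff the fork against upstream before changing rev`. As a smaller point of style, the function takes `rustPlatform` as an argument but calls `pkgs.rustPlatform.buildRustPackage` and `pkgs.fetchFromGitHub`; taking `fetchFromGitHub` as an argument and dropping `pkgs` would keep it a plain `callPackage` function.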
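Review bot: The two entries under `### DEBUG ###` in nix/container-tee-prover.nix sit in `manifest.loader.env`, so every image built from this file, release images included, starts the prover with `zksync_tee_prover=debug` and backtraces on; enclave log output normally ends up with the host, which is the party SGX is meant to keep out. `warning` is also not a level name in the usual `RUST_LOG` parsers (they use `warn`), so the first directive may be read as a target name rather than a global level, which is worth checking against the logger the prover uses. I would drop the block or pin it to something quieter, e.g. `RUST_LOG = "warn,zksync_tee_prover=info";`, with a comment that debug logging must not ship in attested images. The four `passthrough = true` variables are supplied by the host as well, so `TEE_API_URL` in particular should be documented as untrusted input to the enclave.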
@@ -0,0 +1,41 @@
+{ pkgs
+, stdenv
+, zksync_server
+, hardeningEnable
+}:
+with pkgs; mkShell.override { inherit stdenv; } {
+ inputsFrom = [ zksync_server ];
+
+ packages = [
+ docker-compose
+ nodejs
+ yarn
+ axel
+ postgresql
+ python3
+ solc
+ sqlx-cli
+ mold
+ ];
+
+ inherit hardeningEnable;
+
+ shellHook = ''
+ export ZKSYNC_HOME=$PWD
+ export PATH=$ZKSYNC_HOME/bin:$PATH
+ export RUSTFLAGS='-C link-arg=-fuse-ld=${pkgs.mold}/bin/mold'
+ export CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_LINKER="clang"
+
+ if [ "x$NIX_LD" = "x" ]; then
+ export NIX_LD=$(<${clangStdenv.cc}/nix-support/dynamic-linker)
+ fi
+ if [ "x$NIX_LD_LIBRARY_PATH" = "x" ]; then
+ export NIX_LD_LIBRARY_PATH="$ZK_NIX_LD_LIBRARY_PATH"
+ else
+ export NIX_LD_LIBRARY_PATH="$NIX_LD_LIBRARY_PATH:$ZK_NIX_LD_LIBRARY_PATH"
+ fi
+ '';
+
+ ZK_NIX_LD_LIBRARY_PATH = lib.makeLibraryPath [ ];
+}
+
diff --git a/nix/import-cargo-lock.nix b/nix/import-cargo-lock.nix
new file mode 100644
index 000000000000..228979ea7f50
--- /dev/null
+++ b/nix/import-cargo-lock.nix
@@ -0,0 +1,27 @@
+{ lib
+, cacert
+, runCommand
+, src
+, cargo-vendor
+, cargoHash ? null
+}:
+runCommand "import-cargo-lock"
+{
+ inherit src;
+ nativeBuildInputs = [ cargo-vendor cacert ];
+ preferLocalBuild = true;
+ outputHashMode = "recursive";
+ outputHashAlgo = "sha256";
+ outputHash = if cargoHash != null then cargoHash else lib.fakeSha256;
+}
+ ''
+ mkdir -p $out/.cargo
+ mkdir -p $out/cargo-vendor-dir
+
+ HOME=$(pwd)
+ pushd $src
+ HOME=$HOME cargo vendor --no-merge-sources $out/cargo-vendor-dir > $out/.cargo/config
+ sed -i -e "s#$out#import-cargo-lock#g" $out/.cargo/config
+ cp Cargo.lock $out/Cargo.lock
+ popd
+ ''
diff --git a/nix/tee-prover.nix b/nix/tee-prover.nix
new file mode 100644
index 000000000000..9ff383513562
--- /dev/null
+++ b/nix/tee-prover.nix
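Review bot: In the `shellHook` of nix/devshell.nix the `NIX_LD` assignment lost the double quotes it had in the flake.nix version this file replaces. A store path has no spaces, so it still works, but the neighbouring `NIX_LD_LIBRARY_PATH` exports are quoted and the unquoted form reads as an oversight; `export NIX_LD="$(<${clangStdenv.cc}/nix-support/dynamic-linker)"` keeps the hook consistent. The file also ends with an empty line after the closing `}`.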
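Review bot: nix/import-cargo-lock.nix has no header comment, and it is the part of the build that most needs one: `outputHashMode`, `outputHashAlgo` and `outputHash` make it a fixed-output derivation, so the `cargo vendor` run may use the network (hence `cacert`) and its output is accepted only if it matches `cargoHash`. With the `cargoHash ? null` default the hash becomes `lib.fakeSha256`, so the build fails and reports the real hash; flake.nix currently ships `cargoHash = null`, which means the vendored crate set is not checked against any reviewed value in the tree. I would add `# Fixed-output derivation: vendors crates over the network; the output must match cargoHash (null → lib.fakeSha256, i.e. fail and report the actual hash).` at the top and commit the real hash in flake.nix instead of leaving it commented out. `pushd $src` and the `$out` paths in the script are unquoted; quoting them costs nothing.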
@@ -0,0 +1,24 @@
+{ pkgs
+, stdenv
+, nativeBuildInputs
+, buildInputs
+, src
+, cargoDeps
+, hardeningEnable
+, versionSuffix
+}:
+stdenv.mkDerivation {
+ pname = "zksync_tee_prover";
+ version = (builtins.fromTOML (builtins.readFile ../core/bin/zksync_tee_prover/Cargo.toml)).package.version + versionSuffix;
+
+ updateAutotoolsGnuConfigScriptsPhase = ":";
+
+ inherit nativeBuildInputs;
+ inherit buildInputs;
+ inherit src;
+ inherit cargoDeps;
+ inherit hardeningEnable;
+
+ cargoBuildFlags = "--bin zksync_tee_prover";
+ cargoBuildType = "release";
+}
diff --git a/nix/zksync-server.nix b/nix/zksync-server.nix
new file mode 100644
index 000000000000..3199dc42ab8d
--- /dev/null
+++ b/nix/zksync-server.nix
@@ -0,0 +1,54 @@
+{ pkgs
+, stdenv
+, nativeBuildInputs
+, buildInputs
+, src
+, cargoDeps
+, hardeningEnable
+, versionSuffix
+}:
+stdenv.mkDerivation {
+ pname = "zksync";
+ version = (builtins.fromTOML (builtins.readFile ../core/bin/zksync_server/Cargo.toml)).package.version + versionSuffix;
+
+ updateAutotoolsGnuConfigScriptsPhase = ":";
+
+ inherit nativeBuildInputs;
+ inherit buildInputs;
+ inherit src;
+ inherit cargoDeps;
+ inherit hardeningEnable;
+
+ cargoBuildFlags = "--all";
+ cargoBuildType = "release";
+
+ outputs = [
+ "out"
+ "contract_verifier"
+ "external_node"
+ "server"
+ "snapshots_creator"
+ "block_reverter"
+ ];
+
+ postInstall = ''
+ mkdir -p $out/nix-support
+ for i in $outputs; do
+ [[ $i == "out" ]] && continue
+ mkdir -p "''${!i}/bin"
+ echo "''${!i}" >> $out/nix-support/propagated-user-env-packages
+ if [[ -e "$out/bin/zksync_$i" ]]; then
+ mv "$out/bin/zksync_$i" "''${!i}/bin"
+ else
+ mv "$out/bin/$i" "''${!i}/bin"
+ fi
+ done
+
+ mkdir -p $external_node/nix-support
+ echo "block_reverter" >> $external_node/nix-support/propagated-user-env-packages
+
+ mv $out/bin/merkle_tree_consistency_checker $server/bin
+ mkdir -p $server/nix-support
+ echo "block_reverter" >> $server/nix-support/propagated-user-env-packages
+ '';
+}
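Review bot: The `version` line in nix/tee-prover.nix reads `package.version` with `builtins.fromTOML`, which is presumably why this commit replaces `version.workspace = true` with a literal `version = "0.1.0"` in core/bin/zksync_tee_prover/Cargo.toml, but neither file records that dependency, so a later return to workspace inheritance would break evaluation here. A comment on the line would do: `# needs a literal package.version in Cargo.toml; builtins.fromTOML does not resolve version.workspace`. Separately, `versionSuffix` (built in flake.nix from `self.lastModifiedDate` and `self.shortRev or "dirty"`) becomes part of the store path that nix/container-tee-prover.nix writes into the manifest `argv`. If the manifest feeds the enclave measurement, as is usual for SGX manifests, the attested identity then changes even for commits that touch nothing in `src`, and is not meaningful for a dirty tree, which is worth stating next to `officialRelease`. `pkgs` is taken as an argument but not used in this file.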