Save bootstrap details to JSON file

Dockerfile

@@ -23,15 +23,15 @@ RUN apt-get update && \
 RUN mkdir -p \
     ./bin \
     ./guests/sgx \
-    ./secrets \
-    /etc/opt/raiko \
+    /etc/opt/raiko/config \
+    /etc/opt/raiko/secrets \
     /tmp/sgx \
     /var/log/raiko
 
 COPY --from=builder /opt/raiko/target/release/raiko-guest ./guests/sgx/
 COPY --from=builder /opt/raiko/raiko-guest/config/raiko-guest.manifest.template ./guests/sgx/
 COPY --from=builder /opt/raiko/target/release/raiko-host ./bin
-COPY --from=builder /opt/raiko/raiko-host/config/config.toml /etc/opt/raiko/
+COPY --from=builder /opt/raiko/raiko-host/config/config.toml /etc/opt/raiko/config/
 COPY --from=builder /opt/raiko/docker/entrypoint.sh ./bin
 COPY ./sgx-ra/src/*.so /usr/lib/
 
@@ -41,4 +41,4 @@ RUN cd ./guests/sgx && \
     gramine-sgx-sign --manifest raiko-guest.manifest --output raiko-guest.manifest.sgx && \
     cd -
 
-ENTRYPOINT [ "/opt/raiko/bin/entrypoint.sh" ]
+# ENTRYPOINT [ "/opt/raiko/bin/entrypoint.sh" ]

README_Raiko.md

@@ -116,7 +116,7 @@ To run `raiko-guest` in _one-shot_ mode with SGX using Gramine:
    -----------------------------------------------------------------------------------------------------------------------
    Bootstrapping the app
    Next public key: 0x021d90eee5c402692fa3a3d3edd43a052367efbd6e4d26b9ca14099516525b9d09
-   Entry: /secrets/priv.key
+   Entry: /etc/opt/raiko/secrets/priv.key
    ```
 1. Run `raiko-guest` with the input file of your choice:
 

docker/docker-compose-pos.yml

@@ -3,14 +3,14 @@ services:
   raiko:
     image: gcr.io/evmchain/raiko:latest-pos
     container_name: raiko
-    command: --config-path=/etc/opt/raiko/config.toml
+    command: --config-path=/etc/opt/raiko/config/config.toml
     devices:
       - "/dev/sgx_enclave:/dev/sgx_enclave"
       - "/dev/sgx_provision:/dev/sgx_provision"
     volumes:
-      - ${HOME}/.config/raiko/secrets:/opt/raiko/secrets
       - /tmp/sgx:/tmp/sgx
       - /var/log/raiko:/var/log/raiko
       # - YOUR_CONFIG_PATH:/etc/opt/raiko/config.toml
+      - ${HOME}/.config/raiko:/etc/opt/raiko
     ports:
       - "8080:8080"

docker/docker-compose.yml

@@ -3,13 +3,13 @@ services:
   raiko:
     image: gcr.io/evmchain/raiko:latest
     container_name: raiko
-    command: --config-path=/etc/opt/raiko/config.toml
+    command: --config-path=/etc/opt/raiko/config/config.toml
     devices:
       - "/dev/sgx_enclave:/dev/sgx_enclave"
       - "/dev/sgx_provision:/dev/sgx_provision"
     volumes:
-      - ${HOME}/.config/raiko/secrets:/opt/raiko/secrets
       - /tmp/sgx:/tmp/sgx
       - /var/log/raiko:/var/log/raiko
+      - ${HOME}/.config/raiko:/etc/opt/raiko
     ports:
       - "8080:8080"

raiko-guest/Cargo.toml

@@ -23,6 +23,10 @@ ethers-core = { version = "2.0", features = ["optimism"] }
 zeth-primitives = { path = "../primitives", features = ["taiko"] }
 rand_core = "0.6.4"
 sha3 = "0.10.8"
+serde = { version = "1.0", features = ["derive"] }
+serde_json = "1.0"
+base64-serde = "0.7.0"
+base64 = "0.21.7"
 
 [features]
 sgx-ra = ["dep:sgx-ra"]

raiko-guest/config/raiko-guest.manifest.template

@@ -1,16 +1,5 @@
 # This is Gramine's manifest file.
 # To learn more see: https://gramine.readthedocs.io/en/stable/manifest-syntax.html
-#
-# How to use it?
-#
-# 1. Build the app with `cargo build`.
-# 2. Copy this file `target/debug`.
-# 3. Run:
-#     export SECRETS_DIR="./secrets"
-#     export INPUT_FILES_DIR="/tmp"
-#     gramine-manifest -Dlog_level=error -Darch_libdir=/lib/x86_64-linux-gnu/ raiko-guest.manifest.template raiko-guest.manifest
-#     gramine-sgx-sign --manifest raiko-guest.manifest --output raiko-guest.manifest.sgx
-#     gramine-sgx ./raiko-guest
 
 loader.entrypoint = "file:{{ gramine.libos }}"
 libos.entrypoint = "/raiko-guest"
@@ -24,7 +13,8 @@ fs.mounts = [
   { path = "{{ arch_libdir }}", uri = "file:{{ arch_libdir }}" },
   { path = "/usr/lib/ssl/certs/", uri = "file:/usr/lib/ssl/certs/" },
   { path = "/tmp", uri = "file:/tmp" },
-  { path = "/secrets/", uri = "file:{{ env.get('SECRETS_DIR', '../../secrets') }}", type = "encrypted", key_name = "_sgx_mrsigner" },
+  { path = "/etc/opt/raiko/config", uri = "file:/etc/opt/raiko/config" },
+  { path = "/etc/opt/raiko/secrets", uri = "file:{{ env.get('SECRETS_DIR', '/etc/opt/raiko/secrets') }}", type = "encrypted", key_name = "_sgx_mrsigner" },
 ]
 sys.insecure__allow_eventfd = true
 loader.insecure__use_cmdline_argv = true
@@ -47,4 +37,5 @@ sgx.remote_attestation = "dcap"
 
 sgx.allowed_files = [
   "file:{{ env.get('INPUT_FILES_DIR', '/tmp') }}",
+  "file:/etc/opt/raiko/config",
 ]

raiko-guest/src/app_args.rs

@@ -46,11 +46,16 @@ pub struct OneShotArgs {
 
 #[derive(Debug, Args)]
 pub struct GlobalOpts {
-    #[clap(short, long, default_value = "/secrets")]
+    #[clap(short, long, default_value = "/etc/opt/raiko/secrets")]
     /// Path to the directory with the encrypted private keys being used to sign the
-    /// blocks.
+    /// blocks. For more details on the encryption see:
+    /// https://gramine.readthedocs.io/en/stable/manifest-syntax.html#encrypted-files
     pub secrets_dir: PathBuf,
 
+    #[clap(short, long, default_value = "/etc/opt/raiko/config")]
+    /// Path to the directory with raiko configuration files.
+    pub config_dir: PathBuf,
+
     #[clap(long, short, global = true, action = ArgAction::Count)]
     /// Verbosity of the application. Use multiple times to increase verbosity.
     pub verbose: u8,

raiko-guest/src/one_shot.rs

@@ -2,11 +2,14 @@ use std::{
     fs::{self, File, OpenOptions},
     io::prelude::*,
     os::unix::fs::PermissionsExt,
-    path::Path,
+    path::{Path, PathBuf},
     str::FromStr,
 };
 
 use anyhow::{anyhow, bail, Context, Error, Result};
+use base64_serde::base64_serde_type;
+use secp256k1::KeyPair;
+use serde::Serialize;
 use zeth_lib::{
     consts::{get_taiko_chain_spec, ChainSpec, ETH_MAINNET_CHAIN_SPEC},
     host::Init,
@@ -18,6 +21,7 @@ use zeth_lib::{
     EthereumTxEssence,
 };
 use zeth_primitives::{taiko::EvidenceType, Address, B256};
+base64_serde_type!(Base64Standard, base64::engine::general_purpose::STANDARD);
 
 use crate::{
     app_args::{GlobalOpts, OneShotArgs},
@@ -27,21 +31,72 @@ use crate::{
 pub const ATTESTATION_QUOTE_DEVICE_FILE: &str = "/dev/attestation/quote";
 pub const ATTESTATION_TYPE_DEVICE_FILE: &str = "/dev/attestation/attestation_type";
 pub const ATTESTATION_USER_REPORT_DATA_DEVICE_FILE: &str = "/dev/attestation/user_report_data";
+pub const BOOTSTRAP_INFO_FILENAME: &str = "bootstrap.json";
 pub const PRIV_KEY_FILENAME: &str = "priv.key";
 
-pub fn bootstrap(global_opts: GlobalOpts) -> Result<()> {
-    let privkey_path = global_opts.secrets_dir.join(PRIV_KEY_FILENAME);
-    let key_pair = generate_key();
-    let mut file =
-        fs::File::create(&privkey_path).with_context(|| "Failed to create private key file")?;
+#[derive(Serialize)]
+struct BootstrapData {
+    public_key: String,
+    new_instance: Address,
+    #[serde(with = "Base64Standard")]
+    quote: Vec<u8>,
+}
+
+fn save_priv_key(key_pair: &KeyPair, privkey_path: &PathBuf) -> Result<()> {
+    let mut file = fs::File::create(privkey_path).with_context(|| {
+        format!(
+            "Failed to create private key file {}",
+            privkey_path.display()
+        )
+    })?;
     let permissions = std::fs::Permissions::from_mode(0o600);
     file.set_permissions(permissions)
-        .with_context(|| "Failed to set permissions to private key file")?;
+        .context("Failed to set restrictive permissions of the private key file")?;
     file.write_all(&key_pair.secret_bytes())
-        .with_context(|| format!("Failed to write to {}", privkey_path.display()))?;
+        .context("Failed to save encrypted private key file")?;
+    Ok(())
+}
+
+fn get_sgx_quote() -> Result<Vec<u8>> {
+    let mut quote_file = File::open(ATTESTATION_QUOTE_DEVICE_FILE)?;
+    let mut quote = Vec::new();
+    quote_file.read_to_end(&mut quote)?;
+    Ok(quote)
+}
+
+fn save_bootstrap_details(
+    key_pair: &KeyPair,
+    new_instance: Address,
+    quote: Vec<u8>,
+    bootstrap_details_file_path: &Path,
+) -> Result<(), Error> {
+    let bootstrap_details = BootstrapData {
+        public_key: key_pair.public_key().to_string(),
+        new_instance,
+        quote,
+    };
+    let json = serde_json::to_string_pretty(&bootstrap_details)?;
+    fs::write(bootstrap_details_file_path, json).context(format!(
+        "Saving bootstrap data file {} failed",
+        bootstrap_details_file_path.display()
+    ))?;
+    Ok(())
+}
+
+pub fn bootstrap(global_opts: GlobalOpts) -> Result<()> {
+    let key_pair = generate_key();
+    let privkey_path = global_opts.secrets_dir.join(PRIV_KEY_FILENAME);
+    save_priv_key(&key_pair, &privkey_path)?;
     println!("Public key: 0x{}", key_pair.public_key());
     let new_instance = public_key_to_address(&key_pair.public_key());
     println!("Instance address: {}", new_instance);
+    let quote = get_sgx_quote()?;
+    let bootstrap_details_file_path = global_opts.config_dir.join(BOOTSTRAP_INFO_FILENAME);
+    save_bootstrap_details(&key_pair, new_instance, quote, &bootstrap_details_file_path)?;
+    println!(
+        "Boostrap details saved in {}",
+        bootstrap_details_file_path.display()
+    );
     Ok(())
 }
 
@@ -68,11 +123,9 @@ pub async fn one_shot(global_opts: GlobalOpts, args: OneShotArgs) -> Result<()>
 
     let privkey_path = global_opts.secrets_dir.join(PRIV_KEY_FILENAME);
     let prev_privkey = load_private_key(&privkey_path)?;
-    // println!("Private key: {}", prev_privkey.display_secret());
     // let (new_privkey, new_pubkey) = generate_new_keypair()?;
     let new_pubkey = public_key(&prev_privkey);
     let new_instance = public_key_to_address(&new_pubkey);
-
     let l2_chain_spec = get_taiko_chain_spec(&args.l2_chain.unwrap());
 
     // fs::write(privkey_path, new_privkey.to_bytes())?;
@@ -180,9 +233,7 @@ fn print_sgx_info() -> Result<()> {
     let attestation_type = get_sgx_attestation_type()?;
     println!("Detected attestation type: {}", attestation_type.trim());
 
-    let mut quote_file = File::open(ATTESTATION_QUOTE_DEVICE_FILE)?;
-    let mut quote = Vec::new();
-    quote_file.read_to_end(&mut quote)?;
+    let quote = get_sgx_quote()?;
     println!(
         "Extracted SGX quote with size = {} and the following fields:",
         quote.len()