feat(protocol): put automata dcap v3 ra behind proxy (#16867)

Co-authored-by: Keszey Dániel <[email protected]> Co-authored-by: David <[email protected]> Co-authored-by: Daniel Wang <[email protected]>
taikoxyz · Apr 29, 2024 · 1282113 · 1282113
1 parent 6f1194f
commit 1282113
Show file tree

Hide file tree

Showing 4 changed files with 62 additions and 30 deletions.
diff --git a/packages/protocol/contracts/automata-attestation/AutomataDcapV3Attestation.sol b/packages/protocol/contracts/automata-attestation/AutomataDcapV3Attestation.sol
@@ -17,14 +17,13 @@ import { BytesUtils } from "./utils/BytesUtils.sol";
 // External Libraries
 import { ISigVerifyLib } from "./interfaces/ISigVerifyLib.sol";
 
+import { EssentialContract } from "../common/EssentialContract.sol";
+
 /// @title AutomataDcapV3Attestation
 /// @custom:security-contact [email protected]
-contract AutomataDcapV3Attestation is IAttestation {
+contract AutomataDcapV3Attestation is IAttestation, EssentialContract {
     using BytesUtils for bytes;
 
-    ISigVerifyLib public immutable sigVerifyLib;
-    IPEMCertChainLib public immutable pemCertLib;
-
     // https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/e7604e02331b3377f3766ed3653250e03af72d45/QuoteVerification/QVL/Src/AttestationLibrary/src/CertVerification/X509Constants.h#L64
     uint256 internal constant CPUSVN_LENGTH = 16;
 
@@ -35,31 +34,40 @@ contract AutomataDcapV3Attestation is IAttestation {
 
     uint8 internal constant INVALID_EXIT_CODE = 255;
 
-    bool private _checkLocalEnclaveReport;
-    mapping(bytes32 enclave => bool trusted) private _trustedUserMrEnclave;
-    mapping(bytes32 signer => bool trusted) private _trustedUserMrSigner;
+    ISigVerifyLib public sigVerifyLib; // slot 1
+    IPEMCertChainLib public pemCertLib; // slot 2
+
+    bool private _checkLocalEnclaveReport; // slot 3
+    mapping(bytes32 enclave => bool trusted) private _trustedUserMrEnclave; // slot 4
+    mapping(bytes32 signer => bool trusted) private _trustedUserMrSigner; // slot 5
 
     // Quote Collateral Configuration
 
     // Index definition:
     // 0 = Quote PCKCrl
     // 1 = RootCrl
-    mapping(uint256 idx => mapping(bytes serialNum => bool revoked)) private _serialNumIsRevoked;
+    mapping(uint256 idx => mapping(bytes serialNum => bool revoked)) private _serialNumIsRevoked; // slot
+        // 6
     // fmspc => tcbInfo
-    mapping(string fmspc => TCBInfoStruct.TCBInfo tcbInfo) public tcbInfo;
-    EnclaveIdStruct.EnclaveId public qeIdentity;
-
-    address public immutable owner;
-
-    constructor(address sigVerifyLibAddr, address pemCertLibAddr) {
+    mapping(string fmspc => TCBInfoStruct.TCBInfo tcbInfo) public tcbInfo; // slot 7
+    EnclaveIdStruct.EnclaveId public qeIdentity; // takes 4 slots, slot 8,9,10,11
+
+    uint256[39] __gap;
+
+    // @notice Initializes the contract.
+    /// @param sigVerifyLibAddr Address of the signature verification library.
+    /// @param pemCertLibAddr Address of certificate library.
+    function init(
+        address owner,
+        address sigVerifyLibAddr,
+        address pemCertLibAddr
+    )
+        external
+        initializer
+    {
+        __Essential_init(owner);
         sigVerifyLib = ISigVerifyLib(sigVerifyLibAddr);
         pemCertLib = PEMCertChainLib(pemCertLibAddr);
-        owner = msg.sender;
-    }
-
-    modifier onlyOwner() {
-        require(msg.sender == owner, "onlyOwner");
-        _;
     }
 
     function setMrSigner(bytes32 _mrSigner, bool _trusted) external onlyOwner {

diff --git a/packages/protocol/contracts/automata-attestation/lib/EnclaveIdStruct.sol b/packages/protocol/contracts/automata-attestation/lib/EnclaveIdStruct.sol
@@ -5,13 +5,13 @@ pragma solidity 0.8.24;
 /// @custom:security-contact [email protected]
 library EnclaveIdStruct {
     struct EnclaveId {
-        bytes4 miscselect;
+        bytes4 miscselect; // Slot 1:
         bytes4 miscselectMask;
         uint16 isvprodid;
-        bytes16 attributes;
+        bytes16 attributes; // Slot 2
         bytes16 attributesMask;
-        bytes32 mrsigner;
-        TcbLevel[] tcbLevels;
+        bytes32 mrsigner; // Slot 3
+        TcbLevel[] tcbLevels; // Slot 4
     }
 
     struct TcbLevel {

diff --git a/packages/protocol/script/DeployOnL1.s.sol b/packages/protocol/script/DeployOnL1.s.sol
@@ -323,15 +323,22 @@ contract DeployOnL1 is DeployCapability {
         P256Verifier p256Verifier = new P256Verifier();
         SigVerifyLib sigVerifyLib = new SigVerifyLib(address(p256Verifier));
         PEMCertChainLib pemCertChainLib = new PEMCertChainLib();
-        AutomataDcapV3Attestation automateDcapV3Attestation =
-            new AutomataDcapV3Attestation(address(sigVerifyLib), address(pemCertChainLib));
+        address automateDcapV3AttestationImpl = address(new AutomataDcapV3Attestation());
+
+        address automataProxy = deployProxy({
+            name: "automata_dcap_attestation",
+            impl: automateDcapV3AttestationImpl,
+            data: abi.encodeCall(
+                AutomataDcapV3Attestation.init,
+                (timelock, address(sigVerifyLib), address(pemCertChainLib))
+                ),
+            registerTo: rollupAddressManager
+        });
 
         // Log addresses for the user to register sgx instance
         console2.log("SigVerifyLib", address(sigVerifyLib));
         console2.log("PemCertChainLib", address(pemCertChainLib));
-        register(
-            rollupAddressManager, "automata_dcap_attestation", address(automateDcapV3Attestation)
-        );
+        console2.log("AutomataDcapVaAttestation", automataProxy);
     }
 
     function deployTierProvider(string memory tierProviderName) private returns (address) {

diff --git a/packages/protocol/test/automata-attestation/common/AttestationBase.t.sol b/packages/protocol/test/automata-attestation/common/AttestationBase.t.sol
@@ -17,6 +17,8 @@ import { Base64 } from "solady/src/utils/Base64.sol";
 import "../utils/DcapTestUtils.t.sol";
 import "../utils/V3QuoteParseUtils.t.sol";
 
+import "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
+
 contract AttestationBase is Test, DcapTestUtils, V3QuoteParseUtils {
     using BytesUtils for bytes;
     using stdJson for string;
@@ -50,7 +52,18 @@ contract AttestationBase is Test, DcapTestUtils, V3QuoteParseUtils {
         p256Verifier = new P256Verifier();
         sigVerifyLib = new SigVerifyLib(address(p256Verifier));
         pemCertChainLib = new PEMCertChainLib();
-        attestation = new AutomataDcapV3Attestation(address(sigVerifyLib), address(pemCertChainLib));
+
+        address automateDcapV3AttestationImpl = address(new AutomataDcapV3Attestation());
+
+        attestation = AutomataDcapV3Attestation(
+            deployProxy({
+                impl: automateDcapV3AttestationImpl,
+                data: abi.encodeCall(
+                    AutomataDcapV3Attestation.init,
+                    (admin, address(sigVerifyLib), address(pemCertChainLib))
+                    )
+            })
+        );
 
         setMrEnclave(address(attestation), mrEnclave);
         setMrSigner(address(attestation), mrSigner);
@@ -127,4 +140,8 @@ contract AttestationBase is Test, DcapTestUtils, V3QuoteParseUtils {
         uint256 sgxIdx = SgxVerifier(_sgxVerifier).registerInstance(v3quote);
         console.log("[log] register sgx instance index: %s", sgxIdx);
     }
+
+    function deployProxy(address impl, bytes memory data) internal returns (address proxy) {
+        proxy = address(new ERC1967Proxy(impl, data));
+    }
 }