Skip to content

moved tm-secret-enclave functionality into our enclave #5996

moved tm-secret-enclave functionality into our enclave

moved tm-secret-enclave functionality into our enclave #5996

Workflow file for this run

name: Tests
on: [push]
jobs:
Enclave-Unit-Tests:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
with:
submodules: recursive
name: Pull git submodules
- name: Install Intel's SGX SDK
run: |
mkdir -p "$HOME/.sgxsdk"
cd "$HOME/.sgxsdk"
SDK_BIN=sgx_linux_x64_sdk_2.20.100.4.bin
wget https://download.01.org/intel-sgx/sgx-linux/2.20/distro/ubuntu22.04-server/"$SDK_BIN"
chmod +x "$SDK_BIN"
echo yes | ./"$SDK_BIN"
- name: Cache cargo registry
uses: actions/cache@v4
with:
path: ~/.cargo/registry
key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
- name: Cache xargo sysroot
uses: actions/cache@v4
with:
path: ~/.xargo
key: ${{ runner.os }}-xargo-sysroot
- name: Cache build artifacts
uses: actions/cache@v4
with:
path: ~/.cache/sccache
key: ${{ runner.os }}-sccache
- run: |
rustup component add rust-src clippy
cd cosmwasm/enclaves/execute/
rustup component add rust-src clippy
- name: Install xargo
run: |
cargo --version
rustc --version
cargo +stable install xargo --version 0.3.25
xargo --version
- name: Test enclave
run: |
source "$HOME/.sgxsdk/sgxsdk/environment"
export SGX_MODE=SW
make enclave-tests
make clean-enclave
Build-Contracts:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
- name: Install Requirements
run: |
rustup target add wasm32-unknown-unknown
chmod +x ./scripts/install-wasm-tools.sh
./scripts/install-wasm-tools.sh
- name: Build Contracts
run: |
make build-test-contracts
cp x/compute/internal/keeper/testdata/erc20.wasm .
- uses: actions/upload-artifact@v3
with:
name: erc20.wasm
path: erc20.wasm
- uses: actions/upload-artifact@v3
with:
name: contract.wasm
path: cosmwasm/contracts/v010/compute-tests/test-compute-contract/contract.wasm
- uses: actions/upload-artifact@v3
with:
name: contract-v2.wasm
path: cosmwasm/contracts/v010/compute-tests/test-compute-contract-v2/contract-v2.wasm
- uses: actions/upload-artifact@v3
with:
name: v1-contract.wasm
path: cosmwasm/contracts/v1/compute-tests/test-compute-contract/v1-contract.wasm
- uses: actions/upload-artifact@v3
with:
name: ibc.wasm
path: cosmwasm/contracts/v1/compute-tests/ibc-test-contract/ibc.wasm
- uses: actions/upload-artifact@v3
with:
name: contract_with_floats.wasm
path: cosmwasm/contracts/v010/compute-tests/test-compute-contract/contract_with_floats.wasm
- uses: actions/upload-artifact@v3
with:
name: too-high-initial-memory.wasm
path: cosmwasm/contracts/v010/compute-tests/test-compute-contract/too-high-initial-memory.wasm
- uses: actions/upload-artifact@v3
with:
name: static-too-high-initial-memory.wasm
path: cosmwasm/contracts/v010/compute-tests/test-compute-contract/static-too-high-initial-memory.wasm
Go-Tests:
runs-on: ubuntu-22.04
needs: [Build-Contracts, Build-LocalSecret]
steps:
- uses: actions/checkout@v4
with:
submodules: recursive
- uses: actions/setup-go@v5
with:
go-version: 1.21 # The Go version to download (if necessary) and use.
- name: Install Intel's SGX SDK
run: |
mkdir -p "$HOME/.sgxsdk"
cd "$HOME/.sgxsdk"
SDK_BIN=sgx_linux_x64_sdk_2.20.100.4.bin
wget https://download.01.org/intel-sgx/sgx-linux/2.20/distro/ubuntu20.04-server/"$SDK_BIN"
chmod +x "$SDK_BIN"
echo yes | ./"$SDK_BIN"
- name: Download LocalSecret
uses: actions/download-artifact@v3
with:
name: localsecret
path: /tmp
- name: Load images
run: |
docker load --input /tmp/localsecret.tar
docker run -v $PWD:/opt/mount --rm --entrypoint cp ghcr.io/scrtlabs/localsecret:v0.0.0 /usr/bin/secretd /opt/mount/secretd
docker run -v $PWD:/opt/mount --rm --entrypoint cp ghcr.io/scrtlabs/localsecret:v0.0.0 /usr/lib/libgo_cosmwasm.so /opt/mount/libgo_cosmwasm.so
docker run -v $PWD:/opt/mount --rm --entrypoint cp ghcr.io/scrtlabs/localsecret:v0.0.0 /usr/lib/librust_cosmwasm_enclave.signed.so /opt/mount/librust_cosmwasm_enclave.signed.so
docker run -v $PWD:/opt/mount --rm --entrypoint cp ghcr.io/scrtlabs/localsecret:v0.0.0 /usr/lib/librandom_api.so /opt/mount/librandom_api.so
docker run -v $PWD:/opt/mount --rm --entrypoint cp ghcr.io/scrtlabs/localsecret:v0.0.0 /usr/lib/tendermint_enclave.signed.so /opt/mount/tendermint_enclave.signed.so
- uses: actions/download-artifact@v3
with:
name: contract.wasm
path: ./x/compute/internal/keeper/testdata/
- uses: actions/download-artifact@v3
with:
name: contract-v2.wasm
path: ./x/compute/internal/keeper/testdata/
- uses: actions/download-artifact@v3
with:
name: v1-contract.wasm
path: ./x/compute/internal/keeper/testdata/
- uses: actions/download-artifact@v3
with:
name: ibc.wasm
path: ./x/compute/internal/keeper/testdata/
- uses: actions/download-artifact@v3
with:
name: contract_with_floats.wasm
path: ./x/compute/internal/keeper/testdata/
- uses: actions/download-artifact@v3
with:
name: too-high-initial-memory.wasm
path: ./x/compute/internal/keeper/testdata/
- uses: actions/download-artifact@v3
with:
name: static-too-high-initial-memory.wasm
path: ./x/compute/internal/keeper/testdata/
- name: Setup Files
run: |
find "$(pwd)" -name \*.wasm
cp libgo_cosmwasm.so ./go-cosmwasm/api/libgo_cosmwasm.so
cp librust_cosmwasm_enclave.signed.so ./go-cosmwasm/librust_cosmwasm_enclave.signed.so
find "$(pwd)" -name \*.wasm
- name: Install Quote library SDK
run: |
curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -
sudo add-apt-repository "deb https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main"
DCAP_VERSION=1.17.100.4-jammy1
PSW_VERSION=2.20.100.4-jammy1
sudo apt-get update
sudo apt-get install -y \
libsgx-aesm-launch-plugin=$PSW_VERSION \
libsgx-enclave-common=$PSW_VERSION \
libsgx-epid=$PSW_VERSION \
libsgx-launch=$PSW_VERSION \
libsgx-quote-ex=$PSW_VERSION \
libsgx-uae-service=$PSW_VERSION \
libsgx-qe3-logic=$DCAP_VERSION \
libsgx-pce-logic=$DCAP_VERSION \
libsgx-aesm-ecdsa-plugin=$PSW_VERSION \
libsgx-aesm-pce-plugin=$PSW_VERSION \
libsgx-dcap-ql=$DCAP_VERSION \
libsgx-dcap-quote-verify=$DCAP_VERSION \
libsgx-dcap-default-qpl=$DCAP_VERSION \
libsgx-urts=$PSW_VERSION
LIB_PATH=/usr/lib/x86_64-linux-gnu
sudo ln -s $LIB_PATH/libsgx_dcap_ql.so.1 $LIB_PATH/libsgx_dcap_ql.so
sudo ln -s $LIB_PATH/libsgx_dcap_quoteverify.so.1 $LIB_PATH/libsgx_dcap_quoteverify.so
- name: Test x/registration
run: |
source "$HOME/.sgxsdk/sgxsdk/environment"
go test -v -tags "secretcli" ./x/registration/internal/...
- name: Test x/compute
run: |
source "$HOME/.sgxsdk/sgxsdk/environment"
export SGX_MODE=SW
cp librust_cosmwasm_enclave.signed.so ./x/compute/internal/keeper
# cp tendermint_enclave.signed.so ./x/compute/internal/keeper
mkdir -p ias_keys/develop
mkdir -p /opt/secret/.sgx_secrets/
echo "not_a_key" > ias_keys/develop/spid.txt
echo "not_a_key" > ias_keys/develop/api_key.txt
LOG_LEVEL=ERROR go test -v -tags "test" ./x/compute/client/...
LOG_LEVEL=ERROR SKIP_LIGHT_CLIENT_VALIDATION=TRUE go test -p 1 -timeout 90m -v -tags "test" ./x/compute/internal/...
Clippy:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
with:
submodules: recursive
- name: Install Intel's SGX SDK
run: |
mkdir -p "$HOME/.sgxsdk"
cd "$HOME/.sgxsdk"
SDK_BIN=sgx_linux_x64_sdk_2.17.101.1.bin
wget https://download.01.org/intel-sgx/sgx-linux/2.17.1/distro/ubuntu20.04-server/"$SDK_BIN"
chmod +x "$SDK_BIN"
echo yes | ./"$SDK_BIN"
- name: Cache cargo registry
uses: actions/cache@v4
with:
path: ~/.cargo/registry
key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
- name: Cache xargo sysroot
uses: actions/cache@v4
with:
path: ~/.xargo
key: ${{ runner.os }}-xargo-sysroot
- name: Cache build artifacts
uses: actions/cache@v4
with:
path: ~/.cache/sccache
key: ${{ runner.os }}-sccache
- run: |
rustup component add rust-src clippy
cd cosmwasm/enclaves/execute/
rustup component add rust-src clippy
cd - && cd check-hw
rustup component add rust-src clippy
- name: Install xargo
run: |
cd cosmwasm/enclaves/execute/
cargo --version
rustc --version
cargo +stable install xargo --version 0.3.25
xargo --version
- name: Clippy
run: |
source "$HOME/.sgxsdk/sgxsdk/environment"
mkdir -p ias_keys/production
cp ias_keys/develop/api_key.txt ias_keys/production/api_key.txt
SGX_MODE=SW make clippy
SGX_MODE=HW make clippy
MacOS-ARM64-CLI:
runs-on: macos-12-large
strategy:
fail-fast: false
timeout-minutes: 90
steps:
- uses: actions/checkout@v4
with:
name: checkout
submodules: recursive
- uses: actions/setup-go@v5
with:
name: set up go
go-version: 1.23 # The Go version to download (if necessary) and use.
- name: Build macos darwin/arm64
run: make build_cli
- uses: actions/upload-artifact@v3
with:
name: secretcli-macos-arm64
path: secretcli
Build-LocalSecret:
runs-on: ubuntu-22.04
steps:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
with:
driver-opts: network=host
- uses: actions/checkout@v4
with:
submodules: recursive
- name: Build LocalSecret
uses: docker/build-push-action@v4
with:
file: deployment/dockerfiles/Dockerfile
context: .
load: true
tags: ghcr.io/scrtlabs/localsecret:v0.0.0
secrets: |
API_KEY=00000000000000000000000000000000
SPID=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
build-args: |
SECRET_NODE_TYPE=BOOTSTRAP
CHAIN_ID=secretdev-1
FEATURES_U=debug-print,random,light-client-validation,go-tests
SGX_MODE=SW
target: build-localsecret
# cache-from: type=gha
# cache-to: type=gha,mode=max
outputs: type=docker,dest=/tmp/localsecret.tar
- name: Upload Image
uses: actions/upload-artifact@v3
with:
name: localsecret
path: /tmp/localsecret.tar
Build-Hermes:
runs-on: ubuntu-22.04
steps:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- uses: actions/checkout@v4
- name: Build Hermes Image
uses: docker/build-push-action@v4
with:
file: deployment/dockerfiles/ibc/hermes.Dockerfile
context: deployment/dockerfiles/ibc
load: true
tags: hermes:v0.0.0
build-args: |
SECRET_NODE_TYPE=BOOTSTRAP
CHAIN_ID=secretdev-1
outputs: type=docker,dest=/tmp/hermes.tar
- name: Upload Image
uses: actions/upload-artifact@v3
with:
name: hermes
path: /tmp/hermes.tar
Integration-Tests:
runs-on: ubuntu-22.04
needs: [Build-LocalSecret, Build-Hermes]
steps:
- uses: actions/checkout@v4
with:
submodules: recursive
- name: Download Hermes
uses: actions/download-artifact@v3
with:
name: hermes
path: /tmp
- name: Download LocalSecret
uses: actions/download-artifact@v3
with:
name: localsecret
path: /tmp
- name: Load images
run: |
docker load --input /tmp/localsecret.tar
docker load --input /tmp/hermes.tar
- name: Run integration tests
run: |
cd integration-tests
yarn
perl -i -pe 's/localsecret:.+?"/localsecret:v0.0.0"/' ../deployment/dockerfiles/ibc/docker-compose.yml
docker compose -f ../deployment/dockerfiles/ibc/docker-compose.yml up -d > docker-compose.log 2>&1
yarn test || { cat docker-compose.log; exit 1; }
make kill-localsecret # next step needs the localsecret ports
- name: Run secret.js tests
run: |
git clone --depth 1 --branch cosmos-sdk-upgrade https://github.com/scrtlabs/secret.js
cd secret.js
# Use the docker images that we built just a few steps above
perl -i -pe 's/localsecret:.+?"/localsecret:v0.0.0"/' ./test/docker-compose.yml
yarn
docker compose -f ./test/docker-compose.yml up -d > docker-compose.log 2>&1
sleep 10
yarn test-ci || { cat docker-compose.log; exit 1; }
make kill-localsecret