diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 508c08d55..f7c9ac66d 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -19,17 +19,17 @@ jobs:
 chmod +x "$SDK_BIN"
 echo yes | ./"$SDK_BIN"
 - name: Cache cargo registry
- uses: actions/cache@v3
+ uses: actions/cache@v4
 with:
 path: ~/.cargo/registry
 key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
 - name: Cache xargo sysroot
- uses: actions/cache@v3
+ uses: actions/cache@v4
 with:
 path: ~/.xargo
 key: ${{ runner.os }}-xargo-sysroot
 - name: Cache build artifacts
- uses: actions/cache@v3
+ uses: actions/cache@v4
 with:
 path: ~/.cache/sccache
 key: ${{ runner.os }}-sccache
@@ -193,17 +193,17 @@ jobs:
 chmod +x "$SDK_BIN"
 echo yes | ./"$SDK_BIN"
 - name: Cache cargo registry
- uses: actions/cache@v3
+ uses: actions/cache@v4
 with:
 path: ~/.cargo/registry
 key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
 - name: Cache xargo sysroot
- uses: actions/cache@v3
+ uses: actions/cache@v4
 with:
 path: ~/.xargo
 key: ${{ runner.os }}-xargo-sysroot
 - name: Cache build artifacts
- uses: actions/cache@v3
+ uses: actions/cache@v4
 with:
 path: ~/.cache/sccache
 key: ${{ runner.os }}-sccache
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 140e3693d..c035330d9 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -31,7 +31,7 @@ jobs:
 echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
 echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
 - name: Cache build artifacts
- uses: actions/cache@v3
+ uses: actions/cache@v4
 with:
 path: ~/.cache/sccache
 key: ${{ runner.os }}-sccache
diff --git a/Makefile b/Makefile
index 81ad8d0a6..3e693a2ab 100644
--- a/Makefile
+++ b/Makefile
@@ -1,12 +1,13 @@
-PACKAGES=$(shell go list ./... | grep -v '/simulation')
 VERSION ?= $(shell echo $(shell git describe --tags) | sed 's/^v//')
 COMMIT := $(shell git log -1 --format='%H')
 DOCKER := $(shell which docker)
 DOCKER_BUF := $(DOCKER) run --rm -v $(CURDIR):/workspace --workdir /workspace bufbuild/buf
+# SPID and API_KEY are used for Intel SGX attestation
 SPID ?= 00000000000000000000000000000000
 API_KEY ?= FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+# Environment variables and build tags setup
 LEDGER_ENABLED ?= true
 BINDIR ?= $(GOPATH)/bin
 BUILD_PROFILE ?= release
@@ -22,24 +23,23 @@ DOCKER_TAG ?= latest
 TM_SGX ?= true
+# Paths for contracts and modules
 CW_CONTRACTS_V010_PATH = ./cosmwasm/contracts/v010/
 CW_CONTRACTS_V1_PATH = ./cosmwasm/contracts/v1/
-
 TEST_CONTRACT_V010_PATH = ./cosmwasm/contracts/v010/compute-tests
 TEST_CONTRACT_V1_PATH = ./cosmwasm/contracts/v1/compute-tests
-
 TEST_COMPUTE_MODULE_PATH = ./x/compute/internal/keeper/testdata/
-
 ENCLAVE_PATH = cosmwasm/enclaves/
 EXECUTE_ENCLAVE_PATH = $(ENCLAVE_PATH)/execute/
-DOCKER_BUILD_ARGS ?=
+# Determine if Docker Buildx is available for multi-platform builds
+DOCKER_BUILD_ARGS ?=
 DOCKER_BUILDX_CHECK = $(@shell docker build --load test)
-
 ifeq (Building,$(findstring Building,$(DOCKER_BUILDX_CHECK)))
 DOCKER_BUILD_ARGS += "--load"
 endif
+# Check and set the SGX_MODE to either HW or SW, error if not set
 ifeq ($(SGX_MODE), HW)
 ext := hw
 else ifeq ($(SGX_MODE), SW)
@@ -48,6 +48,7 @@ else
 $(error SGX_MODE must be either HW or SW)
 endif
+# Set CGO flags based on the selected database backend (unused - currently only cleveldb is supported)
 ifeq ($(DB_BACKEND), rocksdb)
 DB_BACKEND = rocksdb
 DOCKER_CGO_LDFLAGS = "-L/usr/lib/x86_64-linux-gnu/ -lrocksdb -lstdc++ -llz4 -lm -lz -lbz2 -lsnappy"
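Review bot: The new `# SPID and API_KEY are used for Intel SGX attestation` comment should make clear that the all-zero `SPID` and all-`F` `API_KEY` defaults are placeholders rather than working credentials, and that `SGX_MODE=HW` builds need real values supplied by the caller; suggest `# SPID and API_KEY are the Intel SGX attestation credentials; the defaults below are placeholders and must be overridden for HW-mode builds.` Because `API_KEY` is a secret, the comment is also the right place to say it should come from the environment rather than the `make` command line, where it would end up in shell history and process listings. Which attestation service these values belong to is not visible in this hunk, so the comment should not name one.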
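Review bot: The new `# Determine if Docker Buildx is available for multi-platform builds` comment documents a probe that cannot work as written: `$(@shell docker build --load test)` is not a call to Make's `$(shell …)` function but a reference to a variable literally named `@shell docker build --load test`, so `DOCKER_BUILDX_CHECK` is always empty and the `ifeq (Building,…)` branch never appends `--load`. If the detection is intended, the line should become `DOCKER_BUILDX_CHECK := $(shell docker build --load test 2>&1)` (simply expanded so the probe runs once at parse time, with stderr merged in case the `Building` banner is printed there); if it was disabled on purpose, the comment should say so instead of describing it as working. Either way the comment should mention that the probe runs a real `docker build` of the `test` context on every `make` invocation, which is an unusual parse-time side effect.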
@@ -63,6 +64,7 @@ endif
 CUR_DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
+# Build tags setup for various configurations like ledger, database, etc.
 build_tags = netgo
 ifeq ($(LEDGER_ENABLED),true)
 ifeq ($(OS),Windows_NT)
@@ -120,6 +122,7 @@ whitespace += $(whitespace)
 comma := ,
 build_tags_comma_sep := $(subst $(whitespace),$(comma),$(build_tags))
+# Linker flags to embed version information and other metadata into the binaries
 ldflags = -X github.com/cosmos/cosmos-sdk/version.Name=SecretNetwork \
 -X github.com/cosmos/cosmos-sdk/version.AppName=secretd \
 -X github.com/scrtlabs/SecretNetwork/cmd/secretcli/version.ClientName=secretcli \
@@ -151,6 +154,7 @@ go.sum: go.mod
 @echo "--> Ensure dependencies have not been modified"
 GO111MODULE=on go mod verify
+# Build the CLI tool
 build_cli:
 go build -o secretcli -mod=readonly -tags "$(filter-out sgx, $(GO_TAGS)) secretcli" -ldflags '$(LD_FLAGS)' ./cmd/secretd
@@ -173,6 +177,7 @@ build-tm-secret-enclave:
 rustup component add rust-src
 SGX_MODE=$(SGX_MODE) $(MAKE) -C /tmp/tm-secret-enclave build
+# Targets for building the cli on various platforms like Windows, macOS, Linux
 build_windows_cli:
 $(MAKE) xgo_build_secretcli XGO_TARGET=windows/amd64
 sudo mv github.com/scrtlabs/SecretNetwork-windows-* secretcli-windows-amd64.exe
@@ -195,6 +200,7 @@ build_linux_arm64_cli:
 build_all: build-linux build_windows_cli build_macos_cli build_linux_arm64_cli
+# Build Debian package
 deb: build-linux deb-no-compile
 deb-no-compile:
@@ -226,6 +232,7 @@ deb-no-compile:
 dpkg-deb --build /tmp/SecretNetwork/deb/ .
 -rm -rf /tmp/SecretNetwork
+# Clean up generated files and reset the environment
 clean:
 -rm -rf /tmp/SecretNetwork
 -rm -f ./secretcli*
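Review bot: `# Build the CLI tool` does not explain the one non-obvious thing in the `build_cli` recipe, the `$(filter-out sgx, $(GO_TAGS))`; suggest `# Build secretcli from ./cmd/secretd: the sgx tag is dropped from GO_TAGS so the CLI links without the enclave/SGX SDK, and -mod=readonly fails the build instead of silently editing go.mod.` The part about linking without the SGX SDK is inferred from the tag name and should be confirmed against the build-tag setup earlier in the file.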
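Review bot: The new `# Clean up generated files and reset the environment` comment omits that `clean` (and `deb-no-compile` just above it) uses the fixed path `/tmp/SecretNetwork` under the shared, world-writable `/tmp`, a predictable name that another local user on a shared build host can pre-create before `dpkg-deb --build` writes into it. At minimum the comment should name that path so the coupling is visible, e.g. `# Clean up generated files: removes the /tmp/SecretNetwork deb staging dir (shared with deb-no-compile) and local build outputs`; a safer follow-up is to stage under `$(CUR_DIR)/build` or a `mktemp -d` directory instead of a fixed name in /tmp. The `clean` recipe continues outside this hunk.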
@@ -247,6 +254,11 @@ clean:
 $(MAKE) -C $(TEST_CONTRACT_V1_PATH)/test-compute-contract clean
 $(MAKE) -C $(TEST_CONTRACT_V1_PATH)/test-compute-contract-v2 clean
+###############################################################################
+### Dockerized Build Targets ###
+###############################################################################
+
+# Build localsecret - dockerized local chain for development and testing. In this version SGX is ran in software/simulation mode
 localsecret:
 DOCKER_BUILDKIT=1 docker build \
 --build-arg FEATURES="${FEATURES},debug-print,random,light-client-validation" \
@@ -309,6 +321,7 @@ build-testnet:
 --target build-deb .
 docker run -e VERSION=${VERSION} -v $(CUR_DIR)/build:/build deb_build
+# special targets for building a deb package that compiles a new secretd but takes the enclaves from the latest package - used for upgrades when we don't want to replace the enclave
 build-mainnet-upgrade:
 @mkdir build 2>&3 || true
 DOCKER_BUILDKIT=1 docker build --build-arg FEATURES="verify-validator-whitelist,light-client-validation,production, ${FEATURES}" \
@@ -336,6 +349,8 @@ build-mainnet-upgrade:
 -t deb_build \
 --target build-deb-mainnet .
 docker run -e VERSION=${VERSION} -v $(CUR_DIR)/build:/build deb_build
+
+# full mainnet build - will end up with a .deb package in the ./build folder
 build-mainnet:
 @mkdir build 2>&3 || true
 DOCKER_BUILDKIT=1 docker build --build-arg FEATURES="verify-validator-whitelist,light-client-validation,production,random, ${FEATURES}" \
@@ -367,6 +382,7 @@ build-mainnet:
 --target build-deb .
 docker run -e VERSION=${VERSION} -v $(CUR_DIR)/build:/build deb_build
+# Build the hardware compatability checker - this is a binary that just runs attestation and provides details on the result
 build-check-hw-tool:
 @mkdir build 2>&3 || true
 DOCKER_BUILDKIT=1 docker build --build-arg FEATURES="${FEATURES}" \
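Review bot: The new comment states `In this version SGX is ran in software/simulation mode`, but nothing in the visible part of the `localsecret` recipe sets `SGX_MODE`, so that claim should be checked against the rest of the target (the recipe continues outside this hunk) or dropped; what the hunk does show is that the enclave is built with `debug-print,random,light-client-validation` appended to `${FEATURES}`, and `debug-print` is absent from the `build-mainnet` feature list below. Suggest `# Build localsecret - dockerized local chain for development and testing; enables the debug-print enclave feature, which the mainnet targets do not` and fix `is ran` to `is run`.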
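Review bot: `@mkdir build 2>&3 || true` looks like a typo for `2>&1`: in the recipe's shell descriptor 3 is normally not open, so the redirection itself fails, `mkdir` never runs and `|| true` hides the error, and the `build` directory then only exists because `docker run -v $(CUR_DIR)/build:/build` creates it (root-owned) on the host; under `make -j` descriptor 3 may instead be the jobserver pipe, which is worse. Replace it with `@mkdir -p build`, which needs neither the redirection nor `|| true`. The same line appears in `build-mainnet` and `build-check-hw-tool` below; it is pre-existing, but the comment block being added above it is a natural place to fix it.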
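Review bot: The production feature list ends with `${FEATURES}` taken verbatim from the caller's environment, so a leftover `FEATURES=debug-print` (the feature the `localsecret` target above turns on for development) silently yields a "mainnet" enclave with debug printing enabled, and nothing in the target rejects it. Since the new comment presents this as the full mainnet build, make the first recipe line `$(if $(filter debug-print,$(FEATURES)),$(error FEATURES must not contain debug-print in a mainnet build))`, which only fires when this target runs, or at least state in the comment that `FEATURES` is appended unchecked. `build-mainnet-upgrade` above has the same shape and would want the same guard.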
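Review bot: The new comment misspells `compatability`; suggest `# Build the hardware compatibility checker (check-hw) - a binary that only runs attestation and reports the result, without starting a node`. The recipe shown here is only the docker build, so what the binary does is taken from the comment itself and should be confirmed against the `compile-check-hw-tool` stage.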
@@ -383,23 +399,22 @@ build-check-hw-tool:
 -t compile-check-hw-tool \
 --target compile-check-hw-tool .
-# while developing:
+###############################################################################
+### Local Build Targets ###
+###############################################################################
+
 build-enclave:
 $(MAKE) -C $(EXECUTE_ENCLAVE_PATH) enclave
-# while developing:
 check-enclave:
 $(MAKE) -C $(EXECUTE_ENCLAVE_PATH) check
-# while developing:
 clippy-enclave:
 $(MAKE) -C $(EXECUTE_ENCLAVE_PATH) clippy
-# while developing:
 clean-enclave:
 $(MAKE) -C $(EXECUTE_ENCLAVE_PATH) clean
-# while developing:
 clippy: clippy-enclave
 $(MAKE) -C check-hw clippy
diff --git a/README.md b/README.md
index 513425643..bffb27535 100644
--- a/README.md
+++ b/README.md
@@ -2,8 +2,8 @@
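Review bot: Replacing the five `# while developing:` comments with the `### Local Build Targets ###` banner loses the only hint that `build-enclave`, `check-enclave`, `clippy-enclave`, `clean-enclave` and `clippy` run the enclave and check-hw sub-makefiles directly on the host rather than through the Dockerized targets above, and that such an enclave is a development artefact. Suggest one line under the banner: `# Run the enclave / check-hw sub-makefiles directly on the host (no Docker); for mainnet the enclave must come from the release package, see README.` The host-only part follows from the `$(MAKE) -C …` recipes; the mainnet caveat comes from the README text this commit touches and should be kept in sync with it.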
-[![version](https://img.shields.io/badge/version-1.3.1-blue)](https://github.com/scrtlabs/SecretNetwork/releases/tag/v1.3.1) -[![License: AGPL v3](https://img.shields.io/badge/License-AGPL%20v3-blue.svg)](https://www.gnu.org/licenses/agpl-3.0) [![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-v2.0%20adopted-ff69b4.svg)](CODE_OF_CONDUCT.md) +[![version](https://img.shields.io/badge/version-1.12.1-blue)](https://github.com/scrtlabs/SecretNetwork/releases/tag/v1.12.1) +[![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-v2.0%20adopted-ff69b4.svg)](CODE_OF_CONDUCT.md) Follow @@ -42,7 +42,16 @@ Click the button below to start a new development environment: ### Install prerequisite packages ``` -apt-get install -y --no-install-recommends g++ libtool autoconf clang +apt-get install -y --no-install-recommends g++ libtool automake autoconf clang +``` + +#### Ubuntu 22+ + +The build depends on libssl1.1. Install using: + +```bash +wget https://debian.mirror.ac.za/debian/pool/main/o/openssl/libssl1.1_1.1.1w-0%2Bdeb11u1_amd64.deb +dpkg -i libssl1.1_1.1.1w-0%2Bdeb11u1_amd64.deb ``` ### Clone Repo @@ -111,15 +120,11 @@ Use `make build-linux` to build the entire codebase. This will build both the Ru To build just the rust code, you can use `make build-linux`, while to build just the Go code, there is the aptly named `make build_local_no_rust`. - Tip: -```text For a production build the enclave must be copied from the most recent release. - This is due to non-reproducible builds, and the fact that enclaves must be signed with a specific key to be accepted on mainnet. - Still, the non-enclave code can be modified and ran on mainnet as long as there are no consensus-breaking changes -``` + # Running Something 
@@ -145,7 +150,3 @@ For the latest documentation, check out [https://docs.scrt.network](https://docs
 - Twitter: [https://twitter.com/SecretNetwork](https://twitter.com/SecretNetwork)
 - Community Telegram Channel: [https://t.me/SCRTnetwork](https://t.me/SCRTnetwork)
 - Community Secret Nodes Telegram: [https://t.me/secretnodes](https://t.me/secretnodes)
-
-# License
-
-SecretNetwork is free software: you can redistribute it and/or modify it under the terms of the [GNU Affero General Public License](LICENSE) as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. The GNU Affero General Public License is based on the GNU GPL, but has an additional term to allow users who interact with the licensed software over a network to receive the source for that program.
diff --git a/cosmwasm/Cargo.lock b/cosmwasm/Cargo.lock
index c7adc0ee7..84a3994e5 100644
--- a/cosmwasm/Cargo.lock
+++ b/cosmwasm/Cargo.lock
@@ -66,9 +66,9 @@ checksum = "b41b7ea54a0c9d92199de89e20e58d49f02f8e699814ef3fdf266f6f748d15c7"
 [[package]]
 name = "base64"
-version = "0.21.5"
+version = "0.21.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "35636a1494ede3b646cc98f74f8e62c773a38a659ebc777a2cf26b9b74171df9"
+checksum = "c79fed4cdb43e993fcdadc7e58a09fd0e3e649c4436fa11da71c9f1f3ee7feb9"
 [[package]]
 name = "bitflags"
@@ -154,7 +154,7 @@ checksum = "6245d59a3e82a7fc217c5828a6692dbc6dfb63a0c8c90495621f7b9d79704a0e"
 name = "cosmwasm-sgx-vm"
 version = "0.10.0"
 dependencies = [
- "base64 0.21.5",
+ "base64 0.21.6",
 "enclave-ffi-types",
 "hex",
 "lazy_static",
diff --git a/cosmwasm/packages/sgx-vm/Cargo.toml b/cosmwasm/packages/sgx-vm/Cargo.toml
index c9b4334c1..16d8e059e 100644
--- a/cosmwasm/packages/sgx-vm/Cargo.toml
+++ b/cosmwasm/packages/sgx-vm/Cargo.toml
@@ -61,7 +61,7 @@ enclave-ffi-types = { path = "../../enclaves/ffi-types", features = [
 sgx_types = { path = "../../../third_party/incubator-teaclave-sgx-sdk/sgx_types" }
 sgx_urts = { path = "../../../third_party/incubator-teaclave-sgx-sdk/sgx_urts" }
 log = "0.4.20"
-base64 = "0.21.5"
+base64 = "0.21.6"
 parking_lot = "0.11"
 num_cpus = "1.16.0"
diff --git a/deployment/dockerfiles/README.md b/deployment/dockerfiles/README.md
new file mode 100644
index 000000000..bee280b21
--- /dev/null
+++ b/deployment/dockerfiles/README.md
@@ -0,0 +1,46 @@
+The build process for SN is a bit complex, and can include some unexpected parts for those that have not been baptised in the waters of TEEs.
+
+### Build Targets Overview
+1. **`release-image`**: Creates a full node Docker image.
+2. **`build-deb`**: Generates a Debian (.deb) package
+3. **`build-deb-mainnet`**: Similar to `build-deb`, but specifically for generating a Debian package for mainnet.
+4. **`compile-secretd`**: Produces an image with the compiled enclave and `secretd`, a core component of the Secret Network - sometimes you don't need the whole image, just secretd.
+
+### Build Process Description
+
+#### 1. **Base Images and Environment Setup**
+- Defines two base images:
+ * `SCRT_BASE_IMAGE_ENCLAVE` - Used as the base for building the enclave components, which are crucial for the secure execution of code in an SGX (Software Guard Extensions) environment.
+ * `SCRT_RELEASE_BASE_IMAGE` - Serves as the base for the final release image that contains all the necessary components to run a full node.
+- Sets up the environment for subsequent stages, including installing dependencies like `clang-10`, setting `WORKDIR`, and other environment variables.
+
+#### 2. **Compilation of Enclaves**
+- **`prepare-compile-enclave` & `compile-enclave`**: Prepares the environment and compiles the enclaves.
+- **`compile-tendermint-enclave`**: Compiles the Tendermint enclave, which is a part of the blockchain consensus mechanism.
+
+#### 3. **Compilation of `secretd`**
+- Sets up the Go environment and downloads specific Go packages.
+- Copies source files and prepares the environment for building `secretd`.
+- Uses the compiled enclaves from previous steps.
+
+#### 4. **Release Image Creation (`release-image`)**
+- Creates the final node image with all necessary binaries and libraries.
+- Installs additional dependencies like `jq`, `openssl`, and Node.js - these are used for the faucet and for debugging tools.
+- Sets up environment variables and links libraries.
+
+#### 5. **Mainnet Upgrade (`mainnet-release`)**
+- Upgrades the `release-image` with specific binaries and libraries for the mainnet.
+
+#### 6. **Debian Package Creation (`build-deb` and `build-deb-mainnet`)**
+- Prepares an environment for building Debian packages.
+- Copies necessary binaries and libraries from previous stages.
+- Executes a script to build the Debian package.
+
+#### 7. **Compilation of `check-hw` Tool (`compile-check-hw-tool`)**
+- Compiles a hardware check tool, necessary for validating the hardware running the Secret Network nodes - this is unrelated to the release image or the network node directly.
+
+#### 8. **LocalSecret Setup (`build-localsecret`)**
+- A specialized setup for a local version of the Secret Network, including a faucet server and a health check mechanism for local development.
+
+### Summary
+Each target in this Dockerfile serves a distinct purpose in the build and deployment pipeline of the Secret Network. From compiling essential components like `secretd` and the Tendermint enclave, to packaging these components for deployment in various environments (development, mainnet), the Dockerfile covers a comprehensive range of tasks necessary for maintaining and deploying a blockchain network. The use of multi-stage builds optimizes the process by reusing stages and minimizing the final image size.
diff --git a/scripts/install-sgx.sh b/scripts/install-sgx.sh
index 5876c4127..900909470 100755
--- a/scripts/install-sgx.sh
+++ b/scripts/install-sgx.sh
@@ -6,123 +6,108 @@ INSTALL_DEPS=${1:-"true"}
 INSTALL_SDK=${2:-"true"}
 INSTALL_PSW=${3:-"true"}
 INSTALL_DRIVER=${4:-"true"}
-UBUNTUVERSION=$(lsb_release -r -s | cut -d '.' -f 1)
+UBUNTUVERSION=$(grep 'VERSION_ID' /etc/os-release | cut -d '"' -f 2 | cut -d '.' -f 1)
+# Check for root privileges
 if [ "$(id -u)" -ne 0 ]; then
 echo -e 'Script must be run as root. Use sudo, su, or add "USER root" to your Dockerfile before running this script.'
 exit 1
 fi
+# Check if the Ubuntu version is supported
 if (($UBUNTUVERSION < 16)); then
- echo "Your version of Ubuntu is not supported. Must have Ubuntu 16.04 and up. Aborting installation script..."
- exit 1
+ echo "Your version of Ubuntu is not supported. Must have Ubuntu 16.04 and up. Aborting installation script..."
+ exit 1
 elif (($UBUNTUVERSION < 18)); then
- DISTRO='xenial'
+ DISTRO='xenial'
 elif (($UBUNTUVERSION < 20)); then
- DISTRO='bionic'
- OS='ubuntu18.04-server'
+ DISTRO='bionic'
+ OS='ubuntu18.04-server'
 elif (($UBUNTUVERSION < 22)); then
- DISTRO='focal'
- OS='ubuntu20.04-server'
+ DISTRO='focal'
+ OS='ubuntu20.04-server'
 else
- DISTRO='jammy'
- OS='ubuntu22.04-server'
+ DISTRO='jammy'
+ OS='ubuntu22.04-server'
 fi
+# Function to install missing packages
 deps() {
 echo "\n\n#######################################"
 echo "##### Installing missing packages #####"
 echo "#######################################\n\n"
- # Install needed packages for script
- sudo apt install -y make wget
+ apt-get update
+ apt-get install -y make wget
 }
+# Function to install the SDK
 install_sdk(){
- # Create a working directory to download and install the SDK inside
- mkdir -p "$HOME/.sgxsdk"
-
- # In a new sub-shell cd into our working directory so to no pollute the
- # original shell's working directory
- cd "$HOME/.sgxsdk"
-
- wget -O sgx_linux_x64_sdk_2.13.100.4.bin https://download.01.org/intel-sgx/sgx-linux/2.17.1/distro/ubuntu20.04-server/sgx_linux_x64_sdk_2.17.101.1.bin
+ echo "\n\n############################################"
+ echo "##### Installing Intel SGX SDK #####"
+ echo "############################################\n\n"
- # Make the driver and SDK installers executable
- chmod +x ./sgx_linux_*.bin
+ mkdir -p "$HOME/.sgxsdk"
+ cd "$HOME/.sgxsdk"
- # Install the SDK in /opt/intel/sgxsdk
- (echo no; echo /opt/intel/) | ./sgx_linux_x64_sdk_2.13.100.4.bin
-
- # Setup the environment variables for every new shell
- echo "source '/opt/intel/.sgxsdk/sgxsdk/environment'" |
- tee -a "$HOME/.bashrc" "$HOME/.zshrc" > /dev/null
+ wget -O sgx_linux_x64_sdk_2.17.101.1.bin "https://download.01.org/intel-sgx/sgx-linux/2.17.1/distro/ubuntu20.04-server/sgx_linux_x64_sdk_2.17.101.1.bin"
+ chmod +x ./sgx_linux_x64_sdk_*.bin
+ (echo no; echo /opt/intel/) | ./sgx_linux_x64_sdk_2.17.101.1.bin
+ echo "source '/opt/intel/sgxsdk/environment'" | tee -a "$HOME/.bashrc" "$HOME/.zshrc" > /dev/null
 }
+# Function to install the SGX driver
 install_sgx_driver(){
- echo "\n\n###############################################"
- echo "##### Installing Intel SGX driver #####"
- echo "###############################################\n\n"
-
- wget -O sgx_linux_x64_driver_2.11.0_0373e2e.bin https://download.01.org/intel-sgx/sgx-linux/2.13/distro/ubuntu20.04-server/sgx_linux_x64_driver_2.11.0_0373e2e.bin
-
- # Install the driver
- sudo ./sgx_linux_x64_driver_*.bin
-
- # Remount /dev as exec, also at system startup
- sudo tee /etc/systemd/system/remount-dev-exec.service >/dev/null < /etc/systemd/system/remount-dev-exec.service <