Merge branch 'main' into upgrade-polkadot-sdk

Cargo.toml

@@ -8,6 +8,7 @@ members = [
     "pallets/mq/runtime-api",
     "standalone/chain/*",
     "standalone/teeworker/cifrost",
+    "standalone/teeworker/handover",
 ]
 
 resolver = "2"
@@ -402,6 +403,7 @@ webpki = { git = "https://github.com/rustls/webpki", version = "=0.102.0-alpha.3
     "alloc",
     "ring",
 ], rev = "2ed9a4324f48c2c46ffdd7dc9d3eb315af25fce2" } # Release version no-std has bug
+walkdir = "2.5.0"
 # webpki = { version = "0.102.0", package = "rustls-webpki", default-features = false, features = ["alloc", "ring"] }
 # ---- Generic crates end ----
 

Makefile

@@ -18,6 +18,8 @@ node:
 	cargo build -p cess-node ${XARGS}
 cifrost:
 	cargo build -p cifrost ${XARGS}
+handover:
+	cargo build -p handover --release
 ceseal:
 	make -C standalone/teeworker/ceseal
 test:

crates/cestory/src/ceseal_service.rs

@@ -379,8 +379,8 @@ impl<Platform: pal::Platform + Serialize + DeserializeOwned> CesealApi for RpcSe
                 .get_ceseal_bin_added_at(&runtime_hash)
                 .ok_or_else(|| from_display("Client ceseal not allowed on chain"))?;
 
-            if my_runtime_timestamp >= req_runtime_timestamp {
-                return Err(Status::internal("No handover for old ceseal"))
+                if my_runtime_timestamp >= req_runtime_timestamp {
+                return Err(Status::internal("Same ceseal version or rollback ,No local handover provided"))
             }
         } else {
             info!("Skip ceseal timestamp check in dev mode");
@@ -696,6 +696,7 @@ impl<Platform: pal::Platform + Serialize + DeserializeOwned> Ceseal<Platform> {
         Ok(pb::SyncedTo { synced_to: last_block })
     }
 
+    //Check whether checkpoint file is used and save it regularly
     fn maybe_take_checkpoint(&mut self) -> anyhow::Result<()> {
         if !self.args.enable_checkpoint {
             return Ok(())

scripts/docker/ceseal/gramine/handover.Dockerfile

@@ -22,7 +22,7 @@ RUN <<EOF
   mkdir prebuilt
 EOF
 
-COPY ./scripts/docker/cargo-config.toml /usr/local/cargo/config
+# COPY ./scripts/docker/cargo-config.toml /usr/local/cargo/config
 COPY pallets ./cess-code/pallets
 COPY crates ./cess-code/crates
 COPY standalone ./cess-code/standalone
@@ -32,8 +32,11 @@ ENV VERGEN_GIT_SHA=${GIT_SHA}
 
 RUN <<EOF
   set -e
-  cd cess-code/standalone/teeworker/ceseal/gramine-build
   PATH=$PATH:/root/.cargo/bin
+  cd /root/cess-code
+  make handover
+  cp ./target/release/handover /root/prebuilt
+  cd /root/cess-code/standalone/teeworker/ceseal/gramine-build
   make dist PREFIX=/root/prebuilt
   make clean
   rm -rf /root/.cargo/registry
@@ -42,7 +45,7 @@ EOF
 
 # ====== runtime ======
 
-FROM cesslab/intel-sgx-deno-env:latest AS runtime
+FROM cesslab/intel-sgx-env:latest AS runtime
 
 ARG https_proxy
 ARG http_proxy
@@ -56,15 +59,14 @@ ARG REAL_CESEAL_DATA_DIR=${CESEAL_HOME}/data/${CESEAL_VERSION}
 COPY --from=builder /root/prebuilt/ ${CESEAL_DIR}
 ADD --chmod=0755 ./scripts/docker/ceseal/gramine/start.sh ${CESEAL_DIR}/start.sh
 ADD --chmod=0755 ./scripts/docker/ceseal/gramine/start-with-handover.sh ${CESEAL_HOME}/start.sh
-ADD ./scripts/docker/ceseal/gramine/handover.ts ${CESEAL_HOME}/handover.ts
+
 
 RUN <<EOF
   set -e
   ln -s ${CESEAL_DIR} ${CESEAL_HOME}/releases/current
   mkdir -p ${REAL_CESEAL_DATA_DIR}
   rm -rf ${CESEAL_DIR}/data
   ln -s ${REAL_CESEAL_DATA_DIR} ${CESEAL_DIR}/data
-  deno cache --reload ${CESEAL_HOME}/handover.ts
 EOF
 
 WORKDIR ${CESEAL_HOME}/releases/current

scripts/docker/ceseal/gramine/handover.ts

@@ -126,7 +126,7 @@ if (await exists(path.join(currentPath, "data/protected_files/runtime-data.seal"
 }
 
 let previousVersion: number | undefined = await confirmPreviousVersion();
-
+//Otherwise, confirm whether a previous version exists. If there is no previous version, no handover is required, back up the current version to the backup directory and exit.
 if (previousVersion === undefined) {
   log("No previous version, no need to handover!");
 
@@ -135,7 +135,7 @@ if (previousVersion === undefined) {
 
   Deno.exit(0);
 }
-
+//If the current version is the same as the previous version, there is no need to hand over and exit directly.
 if (currentVersion == previousVersion) {
   log("same version, no need to handover")
   Deno.exit(0);

scripts/docker/ceseal/gramine/start-with-handover.sh

@@ -21,10 +21,5 @@ if [ "$SGX" -eq 1 ] && [ "$SKIP_AESMD" -eq 0 ]; then
   fi
 fi
 
-cd /opt/ceseal && deno run --allow-all handover.ts
-if [ $? -eq 0 ]
-then
-  cd /opt/ceseal/releases/current && SKIP_AESMD=1 ./start.sh
-else
-  exit 1
-fi
+./handover
+cd /opt/ceseal/releases/current && SKIP_AESMD=1 ./start.sh

standalone/teeworker/handover/Cargo.toml

@@ -0,0 +1,11 @@
+[package]
+name = "handover"
+version = "0.1.0"
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+clap = { workspace = true, features = ["derive"] }
+tokio = { workspace = true, features = ["full"] }
+walkdir = { workspace = true }

standalone/teeworker/handover/src/arg.rs

@@ -0,0 +1,65 @@
+use clap::Parser;
+
+#[derive(Parser, Debug)]
+#[command(
+    about = "xxx",
+    version,
+    author
+)]
+pub struct Args {
+    #[arg(
+        long,
+        help = "The backup path of the each version of ceseal",
+        default_value = "/opt/ceseal/backups"
+    )]
+    pub previous_version_ceseal_path: String,
+
+    #[arg(
+        long,
+        help = "The backup path of the current version of ceseal",
+        default_value = "/opt/ceseal/releases/current"
+    )]
+    pub current_version_ceseal_path: String,
+
+    #[arg(
+        long,
+        help = "ceseal home",
+        default_value = "/opt/ceseal/data"
+    )]
+    pub ceseal_data_path: String,
+
+    #[arg(
+        long,
+        help = "Ceseal log path for detect the status of previous ceseal",
+        default_value = "/tmp/pre_ceseal.log"
+    )]
+    pub previous_ceseal_log_path: String,
+
+    #[arg(
+        long,
+        help = "Ceseal log path for detect the status of new ceseal",
+        default_value = "/tmp/new_ceseal.log"
+    )]
+    pub new_ceseal_log_path: String,
+
+    #[arg(
+        long,
+        help = "The relative path where each version of ceseal stores protected files",
+        default_value = "data/protected_files"
+    )]
+    pub ceseal_protected_files_path: String,
+
+    #[arg(
+        long,
+        help = "the relative path where each version of ceseal stores checkpoint file",
+        default_value = "data/storage_files"
+    )]
+    pub ceseal_storage_files_path: String,
+
+    #[arg(
+        long,
+        help = "old ceseal start on this port",
+        default_value = "1888"
+    )]
+    pub previous_ceseal_port: u64,
+}

standalone/teeworker/handover/src/error.rs

@@ -0,0 +1,24 @@
+use std::{error, fmt};
+
+#[derive(Debug)]
+pub enum Error {
+	StartCesealFailed(String),
+    RedirectCesealLogFailed(String),
+    DetectCesealRunningStatueFailed(String),
+    PreviousVersionFailed(String),
+	CopyDirectory(String)
+}
+
+impl fmt::Display for Error {
+	fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+		match self {
+			Error::StartCesealFailed(e) => write!(f, "{:?}", e),
+            Error::RedirectCesealLogFailed(e) => write!(f, "{:?}", e),
+            Error::DetectCesealRunningStatueFailed(e) => write!(f, "{:?}", e),
+			Error::PreviousVersionFailed(e) => write!(f, "{:?}", e),
+			Error::CopyDirectory(e) => write!(f, "{:?}", e),
+		}
+	}
+}
+
+impl error::Error for Error {}