calc MRENCLAVE from the enclaves and save it to a file

toshihiko-okubo · toshihiko-okubo · commit 09c81a99a907 · 2025-06-23T16:45:43.000+09:00
diff --git a/.dockerignore b/.dockerignore
@@ -18,4 +18,7 @@
 **/enclave/Enclave_t.c
 **/*_t.h
 
-**/*.Dockerfile
+##test data
+enclaves/**/mrenclaves/*/*
+!enclaves/**/mrenclaves/*/MRENCLAVE
+tests
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -3,7 +3,7 @@ on:
   pull_request:
 
 jobs:
-  detect-changes:
+  get-enclaves:
     runs-on: ubuntu-24.04
     outputs:
       enclaves: ${{ steps.changed.outputs.enclaves }}
@@ -13,32 +13,19 @@ jobs:
           fetch-depth: 0
       - id: changed
         run: |
-          diff=$(git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.event.pull_request.head.sha }})
-          
-          # 1. If there are changes other than the enclaves dir, execute the build for all elcs.
-          # 2. If only the enclaves dir have changed, build only the elc where the changes occurred.
-          if echo $diff | grep -v '^enclaves/' > /dev/null; then
-            enclaves=$(find enclaves -maxdepth 1 -mindepth 1 -type d -printf '%f\n' | jq -R . | jq -s -c .)
-          else
-            enclaves=$(echo $diff \
-              | grep '^enclaves/' \
-              | awk -F'/' '$2 !~/\./ {print $2}' \
-              | sort -u \
-              | jq -R . | jq -s -c .)
-          fi
-    
+          enclaves=$(find enclaves -maxdepth 1 -mindepth 1 -type d -printf '%f\n' | jq -R . | jq -s -c .)
           echo "enclaves=$enclaves" >> "$GITHUB_OUTPUT"
   build:
-    needs: detect-changes
-    if: needs.detect-changes.outputs.enclaves != '[]'
+    needs: get-enclaves
+    if: needs.get-enclaves.outputs.enclaves != '[]'
     runs-on: ubuntu-24.04
     strategy:
       matrix:
-        enclave: ${{ fromJson(needs.detect-changes.outputs.enclaves) }}
+        enclave: ${{ fromJson(needs.get-enclaves.outputs.enclaves) }}
         network: [testnet, mainnet]
     permissions:
       contents: read # For checkout repo
-      packages: write # For Push Image to ghcr.io
+      packages: write # For Push Image for buildCache to ghcr.io
     steps:
       - uses: actions/checkout@v4
       - uses: docker/setup-buildx-action@v3
@@ -53,19 +40,37 @@ jobs:
         with:
           images: ghcr.io/${{ github.repository }}/${{ matrix.enclave }}/${{ matrix.network }}
           tags: ${{ github.event.pull_request.head.sha }}
+      - name: Set UID and GID as env
+        run: |
+          echo "UID=$(id -u)" >> "$GITHUB_ENV"
+          echo "GID=$(id -g)" >> "$GITHUB_ENV"
       - uses: docker/build-push-action@v5
         with:
           context: .
           push: false
-          load: true
           build-args: |
             LCP_ELC_TYPE=${{ matrix.enclave }}
             DEPLOYMENT_NETWORK=${{ matrix.network }}
+            UID=${{ env.UID }}
+            GID=${{ env.GID }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=registry,ref=ghcr.io/${{ github.repository }}/${{ matrix.enclave }}/${{ matrix.network }}:buildCache
           cache-to: type=registry,ref=ghcr.io/${{ github.repository }}/${{ matrix.enclave }}/${{ matrix.network }}:buildCache,mode=max
-      - name: Output MRENCLAVE
+          outputs: type=docker # save the image locally
+      - name: Test
         run: |
-          docker run --rm -t ghcr.io/${{ github.repository }}/${{ matrix.enclave }}/${{ matrix.network }}:${{ github.event.pull_request.head.sha }} \
-          bash -c "/app/scripts/mrenclave.sh /out /tests/mrenclave > mrenclave.log 2>&1 && cat /tests/mrenclave/mrenclave.txt || { cat mrenclave.log; exit 1; }"
+          # Check whether the MRENCLAVE calculated locally when updating the enclave and 
+          # the MRENCLAVE derived from the Image created in the test case are the same value.
+          
+          mkdir -p tests/${{ matrix.enclave }}/mrenclaves/${{ matrix.network }}
+          docker run --rm -v $(pwd)/tests/${{ matrix.enclave }}/mrenclaves/${{ matrix.network }}:/app/tests/mrenclave \
+          ghcr.io/${{ github.repository }}/${{ matrix.enclave }}/${{ matrix.network }}:${{ github.event.pull_request.head.sha }} \
+          bash -c "/app/scripts/mrenclave.sh /out /app/tests/mrenclave > mrenclave.log 2>&1 || { cat mrenclave.log; exit 1; }"
+          
+          echo "Local:$(cat enclaves/${{ matrix.enclave }}/mrenclaves/${{ matrix.network }}/MRENCLAVE)"
+          echo "Test: $(cat tests/${{ matrix.enclave }}/mrenclaves/${{ matrix.network }}/MRENCLAVE)"
+          
+          diff \
+          enclaves/${{ matrix.enclave }}/mrenclaves/${{ matrix.network }}/MRENCLAVE \
+          tests/${{ matrix.enclave }}/mrenclaves/${{ matrix.network }}/MRENCLAVE
diff --git a/.gitignore b/.gitignore
@@ -14,6 +14,7 @@
 enclave/Enclave_t.c
 *_t.h
 
-materials/
-remote-signer/remote-signer
 target/
+tests/
+enclaves/**/mrenclaves/*/*
+!enclaves/**/mrenclaves/*/MRENCLAVE
diff --git a/Dockerfile b/Dockerfile
@@ -11,16 +11,37 @@ LABEL finance.toki.lcp.enclave.network=$DEPLOYMENT_NETWORK
 
 ENV DEBIAN_FRONTEND=noninteractive
 
+ARG UID=1000
+ARG GID=1000
+ARG USERNAME=app
+
+RUN set -eux; \
+    # If a user with the same ID exists, delete and create.
+    if getent passwd "$UID" > /dev/null; then \
+        OLD_USER=$(getent passwd "$UID" | cut -d: -f1); \
+        echo "Removing existing user: $OLD_USER"; \
+        userdel -r "$OLD_USER" || true; \
+    fi; \
+    # If group does not exist, create group.
+    if ! getent group "$GID" > /dev/null; then \
+        groupadd -g "$GID" "$USERNAME"; \
+    fi; \
+    useradd -u "$UID" -g "$GID" -m "$USERNAME";
+
+RUN mkdir -p /app && chown $UID:$GID /app
+RUN mkdir -p /out && chown $UID:$GID /out
+
+USER $USERNAME
 WORKDIR /app
 
-ADD ./scripts ./scripts
+ADD --chown=$UID:$GID ./scripts ./scripts
 ENV rust_toolchain=$RUST_TOOLCHAIN_VERSION
 RUN bash ./scripts/install_rust.sh
 
 SHELL ["/bin/bash", "-c", "-l"]
 
-ADD ./buildenv.mk ./buildenv.mk
-ADD ./enclaves/$LCP_ELC_TYPE ./enclaves/$LCP_ELC_TYPE
+ADD --chown=$UID:$GID ./buildenv.mk ./buildenv.mk
+ADD --chown=$UID:$GID ./enclaves/$LCP_ELC_TYPE ./enclaves/$LCP_ELC_TYPE
 
 ARG SGX_MODE=HW
 ENV SGX_MODE=$SGX_MODE
@@ -29,8 +50,7 @@ ENV DEPLOYMENT_NETWORK=$DEPLOYMENT_NETWORK
 
 RUN make -C enclaves/$LCP_ELC_TYPE enclave/enclave_sig.dat
 
-RUN mkdir -p /out && \
-    cp enclaves/$LCP_ELC_TYPE/enclave/enclave.so \
+RUN cp enclaves/$LCP_ELC_TYPE/enclave/enclave.so \
     enclaves/$LCP_ELC_TYPE/enclave/Enclave.config.xml \
     enclaves/$LCP_ELC_TYPE/enclave/enclave_sig.dat \
     /out/
diff --git a/Makefile b/Makefile
@@ -0,0 +1,37 @@
+DOCKER ?= docker
+
+ENCLAVES_DIRS := $(shell find enclaves -mindepth 1 -maxdepth 1 -type d -exec basename {} \;)
+NETWORKS      := testnet mainnet
+ENCLAVES      := $(foreach e,$(ENCLAVES_DIRS),$(foreach n,$(NETWORKS),$(e)/$(n)))
+
+# docker image
+REPOSITORY ?= ghcr.io/datachainlab/toki-bridge-enclaves
+TAG ?= $(shell git rev-parse HEAD)
+
+# docker build parameter
+UID ?= $(shell id -u)
+GID ?= $(shell id -g)
+
+.PHONY: all
+all:
+	make $(ENCLAVES)
+
+.PHONY: $(ENCLAVES)
+$(ENCLAVES):
+	enclave=$(word 1,$(subst /, ,$@)); \
+	deployment_network=$(word 2,$(subst /, ,$@)); \
+	make mrenclave LCP_ELC_TYPE=$$enclave DEPLOYMENT_NETWORK=$$deployment_network
+
+.PHONY: build
+build:
+	$(DOCKER) build -t $(REPOSITORY)/$(LCP_ELC_TYPE)/$(DEPLOYMENT_NETWORK):$(TAG) \
+	--build-arg LCP_ELC_TYPE=$(LCP_ELC_TYPE) \
+	--build-arg DEPLOYMENT_NETWORK=$(DEPLOYMENT_NETWORK) \
+	--build-arg UID=$(UID) --build-arg GID=$(GID) \
+	.
+
+.PHONY: mrenclave
+mrenclave: build
+	$(DOCKER) run --rm --volume $(PWD)/enclaves/$(LCP_ELC_TYPE)/mrenclaves/$(DEPLOYMENT_NETWORK):/app/tests/mrenclave \
+	$(REPOSITORY)/$(LCP_ELC_TYPE)/$(DEPLOYMENT_NETWORK):$(TAG) \
+    bash -c "/app/scripts/mrenclave.sh /out /app/tests/mrenclave > mrenclave.log 2>&1 && cat /app/tests/mrenclave/MRENCLAVE || { cat mrenclave.log; exit 1; }"
diff --git a/enclaves/ethereum/mrenclaves/mainnet/MRENCLAVE b/enclaves/ethereum/mrenclaves/mainnet/MRENCLAVE
@@ -0,0 +1 @@
+0x7d482431489d09bbed44616c5efaecc2c5c11247adc936740bf2a75e35acb966
diff --git a/enclaves/ethereum/mrenclaves/testnet/MRENCLAVE b/enclaves/ethereum/mrenclaves/testnet/MRENCLAVE
@@ -0,0 +1 @@
+0x22c8edc97db80e50b8bbe487af96bf35a1c5d2f1e92d2115807b9a807f2af1fe
diff --git a/enclaves/optimism/mrenclaves/mainnet/MRENCLAVE b/enclaves/optimism/mrenclaves/mainnet/MRENCLAVE
@@ -0,0 +1 @@
+0x1398ceb16f4205244f76d2a2d57eb2bb15a4f6be11ebc29ba9ae4d5c626eab61
diff --git a/enclaves/optimism/mrenclaves/testnet/MRENCLAVE b/enclaves/optimism/mrenclaves/testnet/MRENCLAVE
@@ -0,0 +1 @@
+0x278f78446360b2cfebae0531b572a132a23ae0f322e34ad9e4c0b48f06106d07
diff --git a/enclaves/parlia/mrenclaves/mainnet/MRENCLAVE b/enclaves/parlia/mrenclaves/mainnet/MRENCLAVE
@@ -0,0 +1 @@
+0x688ced342e4545fcfad1e5274d1e034b96bbeaf31fbea6df97e7b7088a741acd
diff --git a/enclaves/parlia/mrenclaves/testnet/MRENCLAVE b/enclaves/parlia/mrenclaves/testnet/MRENCLAVE
@@ -0,0 +1 @@
+0x51a3cd7fb8c0bcc3e91f922bec95ad197d50644cab3f664e13a3608e42114dea
diff --git a/scripts/install_rust.sh b/scripts/install_rust.sh
@@ -1,8 +1,8 @@
-cd /root && \
-curl 'https://static.rust-lang.org/rustup/dist/x86_64-unknown-linux-gnu/rustup-init' --output /root/rustup-init && \
-chmod +x /root/rustup-init && \
-echo '1' | /root/rustup-init --default-toolchain ${rust_toolchain} && \
-echo 'source /root/.cargo/env' >> /root/.bashrc && \
-/root/.cargo/bin/rustup component add rust-src rls rust-analysis clippy rustfmt && \
-/root/.cargo/bin/cargo install xargo && \
-rm /root/rustup-init && rm -rf /root/.cargo/registry && rm -rf /root/.cargo/git
+cd $HOME && \
+curl 'https://static.rust-lang.org/rustup/dist/x86_64-unknown-linux-gnu/rustup-init' --output $HOME/rustup-init && \
+chmod +x $HOME/rustup-init && \
+echo '1' | $HOME/rustup-init --default-toolchain ${rust_toolchain} && \
+echo 'source $HOME/.cargo/env' >> $HOME/.bashrc && \
+$HOME/.cargo/bin/rustup component add rust-src rls rust-analysis clippy rustfmt && \
+$HOME/.cargo/bin/cargo install xargo && \
+rm $HOME/rustup-init && rm -rf $HOME/.cargo/registry && rm -rf $HOME/.cargo/git
diff --git a/scripts/mrenclave.sh b/scripts/mrenclave.sh
@@ -15,7 +15,7 @@ openssl genrsa -out $OUTPUT_DIR/private_key.pem -3 3072
 output=$(cat $OUTPUT_DIR/metadata_info.txt | awk '/enclave_css.body.enclave_hash.m:/ {f=1; next} f && /^0x/ {gsub(/0x| /,""); printf $0; next} f && !/^0x/ {exit}')
 if [ -n "$output" ]; then
   if [[ $output =~ ^[0-9a-fA-F]{64}$ ]]; then
-      echo "0x$output" > $OUTPUT_DIR/mrenclave.txt
+      echo "0x$output" > $OUTPUT_DIR/MRENCLAVE
   else
       echo "Invalid format: ${output}" >&2
       exit 1
diff --git a/sgxsdk/Dockerfile b/sgxsdk/Dockerfile
@@ -5,7 +5,7 @@ LABEL com.intel.sgx.sdk.version=$INTEL_SGX_SDK_VERSION
 
 ENV DEBIAN_FRONTEND=noninteractive
 
-WORKDIR /app
+WORKDIR /sgxsdk
 
 # ref: https://github.com/intel/linux-sgx/blob/sgx_2.25/README.md#install-the-intelr-sgx-sdk
 RUN apt update && apt install -y \
diff --git a/sgxsdk/scripts/install_sgx_sdk.sh b/sgxsdk/scripts/install_sgx_sdk.sh
@@ -8,6 +8,4 @@ cd /root && \
 curl -o sdk.sh $SDK_URL && \
 chmod a+x /root/sdk.sh && \
 echo -e 'no\n/opt' | ./sdk.sh && \
-echo 'source /opt/sgxsdk.yml/environment' >> /root/.bashrc && \
-cd /root && \
-rm ./sdk.sh
+echo 'source /opt/sgxsdk/environment' >> /root/.bashrc

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+0x7d482431489d09bbed44616c5efaecc2c5c11247adc936740bf2a75e35acb966`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+0x22c8edc97db80e50b8bbe487af96bf35a1c5d2f1e92d2115807b9a807f2af1fe`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+0x1398ceb16f4205244f76d2a2d57eb2bb15a4f6be11ebc29ba9ae4d5c626eab61`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+0x278f78446360b2cfebae0531b572a132a23ae0f322e34ad9e4c0b48f06106d07`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+0x688ced342e4545fcfad1e5274d1e034b96bbeaf31fbea6df97e7b7088a741acd`