microsoft · cjen1-msft · May 16, 2025 · Apr 7, 2025 · Apr 7, 2025 · Apr 7, 2025
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -190,6 +190,7 @@ jobs:
           rm -rf /github/home/.cache
           mkdir -p /github/home/.cache
           export ASAN_SYMBOLIZER_PATH=$(realpath /usr/bin/llvm-symbolizer-15)
+
           # Unit tests
           ./tests.sh --output-on-failure -L unit -j$(nproc --all)
 

@@ -437,6 +437,10 @@
                   "previous_service_identity_file": {
                     "type": "string",
                     "description": "Path to the previous service certificate (PEM) file"
+                  },
+                  "previous_sealed_ledger_secret_location": {
+                    "type": ["string"],
+                    "description": "Path to the sealed ledger secret file, if set alongside the --enable-auto-dr command line argument the unsealed ledger secret will be used instead of using recovery shares."
                   }
                 },
                 "required": ["previous_service_identity_file"],
@@ -670,6 +674,10 @@
         "rpc_addresses_file": {
           "type": "string",
           "description": "Path to file in which all RPC addresses (hostnames and ports) will be written to on startup. This option is particularly useful when binding to port 0 and getting auto-assigned a port by the OS. No file is created if this entry is not specified"
+        },
+        "sealed_ledger_secret_location": {
+          "type": "string",
+          "description": "Path to the sealed ledger secret file. This is used to recover the ledger secret from a previous service. It is disabled unless the --enable-auto-dr command line flag is passed"
         }
       },
       "description": "This section includes configuration for additional files output by the node",

@@ -105,6 +105,8 @@ namespace ccf
     std::string service_subject_name = "CN=CCF Service";
     ccf::COSESignaturesConfig cose_signatures;
 
+    std::optional<std::string> sealed_ledger_secret_location;
+
     nlohmann::json service_data = nullptr;
 
     nlohmann::json node_data = nullptr;
@@ -132,6 +134,8 @@ namespace ccf
     {
       std::optional<std::vector<uint8_t>> previous_service_identity =
         std::nullopt;
+      std::optional<std::string> previous_sealed_ledger_secret_location =
+        std::nullopt;
     };
     Recover recover = {};
   };

@@ -121,7 +121,9 @@ namespace ccf
 
   DECLARE_JSON_TYPE(StartupConfig::Recover);
   DECLARE_JSON_REQUIRED_FIELDS(
-    StartupConfig::Recover, previous_service_identity);
+    StartupConfig::Recover,
+    previous_service_identity,
+    previous_sealed_ledger_secret_location);
 
   DECLARE_JSON_TYPE_WITH_BASE(StartupConfig, CCFConfig);
   DECLARE_JSON_REQUIRED_FIELDS(
@@ -135,5 +137,6 @@ namespace ccf
     node_data,
     start,
     join,
-    recover);
+    recover,
+    sealed_ledger_secret_location);
 }
@@ -154,4 +154,15 @@ namespace files
         ec.message()));
     }
   }
+
+  static void create_directory(const fs::path& dir)
+  {
+    std::error_code ec;
+    fs::create_directory(dir, ec);
+    if (ec && ec != std::errc::file_exists)
+    {
+      throw std::logic_error(fmt::format(
+        "Could not create directory {}: {}", dir.string(), ec.message()));
+    }
+  }
 }
@@ -91,6 +91,8 @@ namespace host
       std::string node_to_node_address_file = "";
       std::string rpc_addresses_file = "";
 
+      std::optional<std::string> sealed_ledger_secret_location = std::nullopt;
+
       bool operator==(const OutputFiles&) const = default;
     };
     OutputFiles output_files = {};
@@ -157,6 +159,8 @@ namespace host
       {
         size_t initial_service_certificate_validity_days = 1;
         std::string previous_service_identity_file;
+        std::optional<std::string> previous_sealed_ledger_secret_location =
+          std::nullopt;
         bool operator==(const Recover&) const = default;
       };
       Recover recover = {};
@@ -175,7 +179,8 @@ namespace host
     node_certificate_file,
     pid_file,
     node_to_node_address_file,
-    rpc_addresses_file);
+    rpc_addresses_file,
+    sealed_ledger_secret_location);
 
   DECLARE_JSON_TYPE_WITH_OPTIONAL_FIELDS(CCHostConfig::Ledger);
   DECLARE_JSON_REQUIRED_FIELDS(CCHostConfig::Ledger);
@@ -214,7 +219,8 @@ namespace host
   DECLARE_JSON_OPTIONAL_FIELDS(
     CCHostConfig::Command::Recover,
     initial_service_certificate_validity_days,
-    previous_service_identity_file);
+    previous_service_identity_file,
+    previous_sealed_ledger_secret_location);
 
   DECLARE_JSON_TYPE_WITH_OPTIONAL_FIELDS(CCHostConfig::Command);
   DECLARE_JSON_REQUIRED_FIELDS(CCHostConfig::Command, type);

@@ -2,6 +2,7 @@
 // Licensed under the Apache 2.0 License.
 
 #include "ccf/crypto/pem.h"
+#include "ccf/crypto/symmetric_key.h"
 #include "ccf/ds/logger.h"
 #include "ccf/ds/logger_level.h"
 #include "ccf/ds/nonstd.h"
@@ -11,6 +12,7 @@
 #include "ccf/pal/attestation.h"
 #include "ccf/pal/attestation_sev_snp.h"
 #include "ccf/pal/platform.h"
+#include "ccf/pal/snp_ioctl.h"
 #include "ccf/service/node_info_network.h"
 #include "ccf/version.h"
 #include "common/configuration.h"
@@ -157,6 +159,13 @@ int main(int argc, char** argv) // NOLINT(bugprone-exception-escape)
     enclave_file_path,
     "Path to enclave application (security critical)");
 
+  bool enable_auto_dr = false;
+  app.add_flag(
+    "--enable-auto-dr",
+    enable_auto_dr,
+    "Enable automatic disaster recovery (DR) features: local sealing (security "
+    "critical)");
+
   try
   {
     app.parse(argc, argv);
@@ -709,6 +718,15 @@ int main(int argc, char** argv) // NOLINT(bugprone-exception-escape)
     startup_config.startup_host_time =
       ccf::ds::to_x509_time_string(startup_host_time);
 
+    if (enable_auto_dr)
+    {
+      CCF_ASSERT_FMT(
+        ccf::pal::platform == ccf::pal::Platform::SNP,
+        "Local sealing is only supported on SEV-SNP platforms");
+      startup_config.sealed_ledger_secret_location =
+        config.output_files.sealed_ledger_secret_location;
+    }
+
     if (config.command.type == StartType::Start)
     {
       for (auto const& member : config.command.start.members)
@@ -794,6 +812,15 @@ int main(int argc, char** argv) // NOLINT(bugprone-exception-escape)
       }
       LOG_INFO_FMT("Reading previous service identity from {}", idf);
       startup_config.recover.previous_service_identity = files::slurp(idf);
+
+      if (enable_auto_dr)
+      {
+        CCF_ASSERT_FMT(
+          ccf::pal::platform == ccf::pal::Platform::SNP,
+          "Local unsealing is only supported on SEV-SNP platforms");
+        startup_config.recover.previous_sealed_ledger_secret_location =
+          config.command.recover.previous_sealed_ledger_secret_location;
+      }
     }
     else
     {