refactor(attestation): move TCB measurement extraction to build.rs and remove runtime parsing path

barakeinav1 · barakeinav1 · commit 7753737ea6b3 · 2025-12-10T16:34:40.000Z
diff --git a/crates/mpc-attestation/Cargo.toml b/crates/mpc-attestation/Cargo.toml
@@ -3,6 +3,7 @@ name = "mpc-attestation"
 version = { workspace = true }
 license = { workspace = true }
 edition = { workspace = true }
+build = "build.rs"
 
 [dependencies]
 attestation = { workspace = true }
@@ -19,3 +20,8 @@ sha3 = { workspace = true }
 dcap-qvl = { workspace = true }
 rstest = { workspace = true }
 test_utils = { workspace = true }
+
+[build-dependencies]
+serde = { workspace = true }
+serde_json = { workspace = true }
+hex = { workspace = true }
diff --git a/crates/mpc-attestation/build.rs b/crates/mpc-attestation/build.rs
@@ -0,0 +1,96 @@
+use std::env;
+use std::fs::{self, File};
+use std::io::Write;
+use std::path::PathBuf;
+
+fn main() {
+    // Location of assets/*.json
+    let manifest_dir = env::var("CARGO_MANIFEST_DIR").unwrap();
+    let assets_dir = PathBuf::from(manifest_dir).join("assets");
+
+    // Find all tcb_info*.json files (prod, dev, future ones)
+    let mut measurement_files = Vec::new();
+    for entry in fs::read_dir(&assets_dir).unwrap() {
+        let entry = entry.unwrap();
+        let path = entry.path();
+
+        if path.extension().and_then(|x| x.to_str()) == Some("json")
+            && path.file_name().unwrap().to_str().unwrap().starts_with("tcb_info")
+        {
+            measurement_files.push(path);
+        }
+    }
+
+    // Output file
+    let out_dir = PathBuf::from(env::var("OUT_DIR").unwrap());
+    let out_file = out_dir.join("measurements_generated.rs");
+    let mut f = File::create(out_file).unwrap();
+
+    // Write prelude
+    writeln!(
+        f,
+        "// AUTO-GENERATED FILE. DO NOT EDIT.\n\
+        use attestation::measurements::*;
+        pub const EXPECTED_MEASUREMENTS: &[ExpectedMeasurements] = &[\n"
+    )
+    .unwrap();
+
+    // Process each file
+    for path in measurement_files {
+        let json_str = fs::read_to_string(&path).unwrap();
+        let tcb: serde_json::Value = serde_json::from_str(&json_str).unwrap();
+
+        // extract 4 RTMRs + MRTD
+        let mrtd = decode_hex(&tcb["mrtd"].as_str().unwrap());
+        let rtmr0 = decode_hex(&tcb["rtmr0"].as_str().unwrap());
+        let rtmr1 = decode_hex(&tcb["rtmr1"].as_str().unwrap());
+        let rtmr2 = decode_hex(&tcb["rtmr2"].as_str().unwrap());
+
+        // extract key-provider digest
+        let mut key_provider_digest = None;
+        if let Some(events) = tcb["event_log"].as_array() {
+            for event in events {
+                if event["event"].as_str().unwrap() == "key-provider" {
+                    key_provider_digest =
+                        Some(decode_hex(event["digest"].as_str().unwrap()));
+                    break;
+                }
+            }
+        }
+
+        let key_provider_digest =
+            key_provider_digest.expect("key-provider event not found");
+
+        // Emit Rust struct
+        writeln!(
+            f,
+            "    ExpectedMeasurements {{ \
+                 rtmrs: Measurements {{ \
+                     mrtd: {:?}, \
+                     rtmr0: {:?}, \
+                     rtmr1: {:?}, \
+                     rtmr2: {:?} \
+                 }}, \
+                 key_provider_event_digest: {:?}, \
+             }},",
+            mrtd, rtmr0, rtmr1, rtmr2, key_provider_digest
+        )
+        .unwrap();
+    }
+
+    // Close the array
+    writeln!(f, "];").unwrap();
+}
+
+/// Decode a hex string into a fixed 48-byte array
+fn decode_hex(hex: &str) -> [u8; 48] {
+    let bytes = hex::decode(hex).expect("invalid hex");
+    assert!(
+        bytes.len() == 48,
+        "expected 48-byte measurement, got {} bytes",
+        bytes.len()
+    );
+    let mut arr = [0u8; 48];
+    arr.copy_from_slice(&bytes);
+    arr
+}
diff --git a/crates/mpc-attestation/measurements_build.md b/crates/mpc-attestation/measurements_build.md
@@ -0,0 +1,84 @@
+# 📘 TCB Measurements Build Guide
+
+## 📁 Location of JSON Files
+TCB measurement JSON files now live in:
+
+```
+crates/mpc-attestation/assets/
+```
+
+Typical files:
+
+```
+tcb_info.json
+tcb_info_dev.json
+```
+
+json format is taken directly from the node `/public_data` endpoint.
+
+You can add more files in the future (e.g., staging, new image versions).  
+Every file matching the prefix:
+
+```
+tcb_info*
+```
+
+will be automatically included at build time.
+
+---
+
+## 🔄 How to Update Measurements
+1. Replace or edit the JSON files under:
+
+   ```
+   crates/mpc-attestation/assets/
+   ```
+
+2. Run a rebuild:
+
+   ```bash
+   cargo clean -p mpc-attestation
+   cargo build -p mpc-attestation
+   ```
+
+The build script will:
+
+- parse the JSON files  
+- decode the measurements  
+- generate Rust static byte arrays  
+- embed them into the final WASM contract  
+
+No runtime parsing and no JSON reading inside the contract.
+
+---
+
+
+## 🧬 Location of the Generated Measurements File
+During build, Cargo produces:
+
+```
+target/debug/build/mpc-attestation-*/out/measurements_generated.rs
+```
+
+or in release mode:
+
+```
+target/release/build/mpc-attestation-*/out/measurements_generated.rs
+```
+
+This file contains:
+
+```rust
+pub const EXPECTED_MEASUREMENTS: &[ExpectedMeasurements] = &[
+    ExpectedMeasurements { … },
+    ExpectedMeasurements { … },
+];
+```
+
+And is included into the crate via:
+
+```rust
+include!(concat!(env!("OUT_DIR"), "/measurements_generated.rs"));
+```
+
+This file is **auto-generated** and should **not be committed** to the repo.
diff --git a/crates/mpc-attestation/src/attestation.rs b/crates/mpc-attestation/src/attestation.rs
@@ -6,6 +6,16 @@ use attestation::{
     report_data::ReportData,
 };
 
+include!(concat!(env!("OUT_DIR"), "/measurements_generated.rs"));
+
+pub struct ExpectedMeasurementsSet;
+
+impl ExpectedMeasurementsSet {
+    pub fn all() -> &'static [ExpectedMeasurements] {
+        EXPECTED_MEASUREMENTS
+    }
+}
+
 pub use attestation::attestation::{DstackAttestation, VerificationError};
 
 use mpc_primitives::hash::{LauncherDockerComposeHash, MpcDockerImageHash};
@@ -70,16 +80,20 @@ impl Attestation {
             }
         };
 
+        //todo remove this
         // Embedded JSON assets
-        const TCB_INFO_STRING_PROD: &str = include_str!("../assets/tcb_info.json");
+        // const TCB_INFO_STRING_PROD: &str = include_str!("../assets/tcb_info.json");
         // TODO Security #1433 - remove dev measurements from production builds after testing is complete.
-        const TCB_INFO_STRING_DEV: &str = include_str!("../assets/tcb_info_dev.json");
+        // TCB_INFO_STRING_DEV: &str = include_str!("../assets/tcb_info_dev.json");
+
+        //todo remove this
+        //let accepted_measurements = ExpectedMeasurements::from_embedded_tcb_info(&[
+        //    TCB_INFO_STRING_PROD,
+        //    TCB_INFO_STRING_DEV,
+        //])
+        // .map_err(VerificationError::EmbeddedMeasurementsParsing)?;
 
-        let accepted_measurements = ExpectedMeasurements::from_embedded_tcb_info(&[
-            TCB_INFO_STRING_PROD,
-            TCB_INFO_STRING_DEV,
-        ])
-        .map_err(VerificationError::EmbeddedMeasurementsParsing)?;
+        let accepted_measurements = ExpectedMeasurementsSet::all();
 
         attestation.verify(
             expected_report_data,
