perf(contract): contract should not store full attestation submission

crates/contract-interface/src/lib.rs

@@ -3,6 +3,7 @@
 pub mod types {
     pub use attestation::{
         AppCompose, Attestation, Collateral, DstackAttestation, EventLog, MockAttestation, TcbInfo,
+        VerifiedAttestation, VerifiedDstackAttestation,
     };
     pub use config::{Config, InitConfig};
     pub use crypto::{

crates/contract-interface/src/types/attestation.rs

@@ -29,6 +29,54 @@ pub enum Attestation {
     Mock(MockAttestation),
 }
 
+#[derive(
+    Clone,
+    Debug,
+    Eq,
+    PartialEq,
+    Ord,
+    PartialOrd,
+    Hash,
+    Serialize,
+    Deserialize,
+    BorshSerialize,
+    BorshDeserialize,
+)]
+#[cfg_attr(
+    all(feature = "abi", not(target_arch = "wasm32")),
+    derive(schemars::JsonSchema)
+)]
+pub enum VerifiedAttestation {
+    Dtack(VerifiedDstackAttestation),
+    Mock(MockAttestation),
+}
+
+#[derive(
+    Clone,
+    Debug,
+    Eq,
+    PartialEq,
+    Ord,
+    PartialOrd,
+    Hash,
+    Serialize,
+    Deserialize,
+    BorshSerialize,
+    BorshDeserialize,
+)]
+#[cfg_attr(
+    all(feature = "abi", not(target_arch = "wasm32")),
+    derive(schemars::JsonSchema)
+)]
+pub struct VerifiedDstackAttestation {
+    /// The digest of the MPC image running.
+    pub mpc_image_hash: [u8; 32],
+    /// The digest of the MPC image running.
+    pub launcher_compose_hash: [u8; 32],
+    /// Unix timestamp for when the attestation was created.
+    pub creation_time_stamp_seonds: u64,
+}
+
 #[derive(
     Clone,
     Eq,
@@ -78,8 +126,8 @@ pub enum MockAttestation {
     WithConstraints {
         mpc_docker_image_hash: Option<Sha256Digest>,
         launcher_docker_compose_hash: Option<Sha256Digest>,
-        /// Unix time stamp for when this attestation expires.  
-        expiry_time_stamp_seconds: Option<u64>,
+        /// Unix time stamp for when this attestation was created.  
+        creation_time_stamp_seconds: Option<u64>,
     },
 }
 

crates/contract-interface/src/types/config.rs

@@ -43,6 +43,10 @@ pub struct InitConfig {
     pub cleanup_orphaned_node_migrations_tera_gas: Option<u64>,
     /// Prepaid gas for a `remove_non_participant_update_votes` call.
     pub remove_non_participant_update_votes_tera_gas: Option<u64>,
+    /// Contract defined time to live for node attestations. Participants
+    /// must refresh their attestations before `attestation_max_validity_duration_seconds`
+    /// to avoid their attestation being invalidated.
+    pub attestation_max_validity_duration_seconds: Option<u64>,
 }
 
 /// Configuration parameters of the contract.
@@ -87,6 +91,10 @@ pub struct Config {
     pub cleanup_orphaned_node_migrations_tera_gas: u64,
     /// Prepaid gas for a `remove_non_participant_update_votes` call.
     pub remove_non_participant_update_votes_tera_gas: u64,
+    /// Contract defined time to live for node attestations. Participants
+    /// must refresh their attestations before `attestation_max_validity_duration_seconds`
+    /// to avoid their attestation being invalidated.
+    pub attestation_max_validity_duration_seconds: u64,
 }
 
 #[cfg(test)]
@@ -108,6 +116,7 @@ mod tests {
             clean_tee_status_tera_gas: Some(10),
             cleanup_orphaned_node_migrations_tera_gas: Some(3),
             remove_non_participant_update_votes_tera_gas: Some(5),
+            attestation_max_validity_duration_seconds: Some(1912312),
         };
         let json = serde_json::to_string(&original_config).unwrap();
         let serialized_and_deserialized_config: InitConfig = serde_json::from_str(&json).unwrap();
@@ -155,6 +164,7 @@ mod tests {
             clean_tee_status_tera_gas: None,
             cleanup_orphaned_node_migrations_tera_gas: None,
             remove_non_participant_update_votes_tera_gas: None,
+            attestation_max_validity_duration_seconds: None,
         };
 
         assert_eq!(default_config, config_with_all_values_as_none);

crates/contract/src/config.rs

@@ -29,6 +29,10 @@ const DEFAULT_CLEANUP_ORPHANED_NODE_MIGRATIONS_TERA_GAS: u64 = 3;
 /// Prepaid gas for a `remove_non_participant_update_votes` call
 const DEFAULT_REMOVE_NON_PARTICIPANT_UPDATE_VOTES_TERA_GAS: u64 = 5;
 
+// --- TEE configs --
+/// The maximum duration a given attestation will be considered valid by the contract.
+const DEFDAULT_ATTESTATION_MAX_VALIDITY_DURATION_SECONDS: u64 = 60 * 60 * 24 * 7; // 7 days
+
 /// Config for V2 of the contract.
 #[near(serializers=[borsh, json])]
 #[derive(Clone, Debug, PartialEq, Eq)]
@@ -38,6 +42,10 @@ pub(crate) struct Config {
     pub(crate) key_event_timeout_blocks: u64,
     /// The grace period duration for expiry of old mpc image hashes once a new one is added.
     pub(crate) tee_upgrade_deadline_duration_seconds: u64,
+    /// Contract defined time to live for node attestations. Participants
+    /// must refresh their attestations before `attestation_max_validity_duration_seconds`
+    /// to avoid their attestation being invalidated.
+    pub(crate) attestation_max_validity_duration_seconds: u64,
     /// Amount of gas to deposit for contract and config updates.
     pub(crate) contract_upgrade_deposit_tera_gas: u64,
     /// Gas required for a sign request.
@@ -78,6 +86,8 @@ impl Default for Config {
                 DEFAULT_CLEANUP_ORPHANED_NODE_MIGRATIONS_TERA_GAS,
             remove_non_participant_update_votes_tera_gas:
                 DEFAULT_REMOVE_NON_PARTICIPANT_UPDATE_VOTES_TERA_GAS,
+            attestation_max_validity_duration_seconds:
+                DEFDAULT_ATTESTATION_MAX_VALIDITY_DURATION_SECONDS,
         }
     }
 }

crates/contract/src/dto_mapping.rs

@@ -6,7 +6,7 @@
 
 use contract_interface::types as dtos;
 use mpc_attestation::{
-    attestation::{Attestation, DstackAttestation, MockAttestation},
+    attestation::{Attestation, DstackAttestation, MockAttestation, VerifiedAttestation},
     collateral::{Collateral, QuoteCollateralV3},
     EventLog, TcbInfo,
 };
@@ -70,11 +70,11 @@ impl IntoContractType<MockAttestation> for dtos::MockAttestation {
             dtos::MockAttestation::WithConstraints {
                 mpc_docker_image_hash,
                 launcher_docker_compose_hash,
-                expiry_time_stamp_seconds,
+                creation_time_stamp_seconds,
             } => MockAttestation::WithConstraints {
                 mpc_docker_image_hash: mpc_docker_image_hash.map(Into::into),
                 launcher_docker_compose_hash: launcher_docker_compose_hash.map(Into::into),
-                expiry_time_stamp_seconds,
+                creation_time_stamp_seconds,
             },
         }
     }
@@ -179,14 +179,21 @@ impl IntoContractType<EventLog> for dtos::EventLog {
     }
 }
 
-impl IntoInterfaceType<dtos::Attestation> for Attestation {
-    fn into_dto_type(self) -> dtos::Attestation {
+impl IntoInterfaceType<dtos::VerifiedAttestation> for VerifiedAttestation {
+    fn into_dto_type(self) -> dtos::VerifiedAttestation {
         match self {
-            Attestation::Dstack(dstack_attestation) => {
-                dtos::Attestation::Dstack(dstack_attestation.into_dto_type())
+            VerifiedAttestation::Mock(mock_attestation) => {
+                dtos::VerifiedAttestation::Mock(mock_attestation.into_dto_type())
             }
-            Attestation::Mock(mock_attestation) => {
-                dtos::Attestation::Mock(mock_attestation.into_dto_type())
+            VerifiedAttestation::Dstack(validated_dstack_attestation) => {
+                dtos::VerifiedAttestation::Dtack(dtos::VerifiedDstackAttestation {
+                    mpc_image_hash: validated_dstack_attestation.mpc_image_hash.into(),
+                    launcher_compose_hash: validated_dstack_attestation
+                        .launcher_compose_hash
+                        .into(),
+                    creation_time_stamp_seonds: validated_dstack_attestation
+                        .creation_time_stamp_seonds,
+                })
             }
         }
     }
@@ -200,116 +207,16 @@ impl IntoInterfaceType<dtos::MockAttestation> for MockAttestation {
             MockAttestation::WithConstraints {
                 mpc_docker_image_hash,
                 launcher_docker_compose_hash,
-                expiry_time_stamp_seconds,
+                creation_time_stamp_seconds,
             } => dtos::MockAttestation::WithConstraints {
                 mpc_docker_image_hash: mpc_docker_image_hash.map(Into::into),
                 launcher_docker_compose_hash: launcher_docker_compose_hash.map(Into::into),
-                expiry_time_stamp_seconds,
+                creation_time_stamp_seconds,
             },
         }
     }
 }
 
-impl IntoInterfaceType<dtos::DstackAttestation> for DstackAttestation {
-    fn into_dto_type(self) -> dtos::DstackAttestation {
-        let DstackAttestation {
-            quote,
-            collateral,
-            tcb_info,
-        } = self;
-
-        dtos::DstackAttestation {
-            quote: quote.into(),
-            collateral: collateral.into_dto_type(),
-            tcb_info: tcb_info.into_dto_type(),
-        }
-    }
-}
-
-impl IntoInterfaceType<dtos::Collateral> for Collateral {
-    fn into_dto_type(self) -> dtos::Collateral {
-        // Collateral is a newtype wrapper around QuoteCollateralV3
-        let QuoteCollateralV3 {
-            pck_crl_issuer_chain,
-            root_ca_crl,
-            pck_crl,
-            tcb_info_issuer_chain,
-            tcb_info,
-            tcb_info_signature,
-            qe_identity_issuer_chain,
-            qe_identity,
-            qe_identity_signature,
-        } = self.into();
-
-        dtos::Collateral {
-            pck_crl_issuer_chain,
-            root_ca_crl,
-            pck_crl,
-            tcb_info_issuer_chain,
-            tcb_info,
-            tcb_info_signature,
-            qe_identity_issuer_chain,
-            qe_identity,
-            qe_identity_signature,
-        }
-    }
-}
-
-impl IntoInterfaceType<dtos::TcbInfo> for TcbInfo {
-    fn into_dto_type(self) -> dtos::TcbInfo {
-        let TcbInfo {
-            mrtd,
-            rtmr0,
-            rtmr1,
-            rtmr2,
-            rtmr3,
-            os_image_hash,
-            compose_hash,
-            device_id,
-            app_compose,
-            event_log,
-        } = self;
-
-        let event_log = event_log
-            .into_iter()
-            .map(IntoInterfaceType::into_dto_type)
-            .collect();
-
-        dtos::TcbInfo {
-            mrtd,
-            rtmr0,
-            rtmr1,
-            rtmr2,
-            rtmr3,
-            os_image_hash,
-            compose_hash,
-            device_id,
-            app_compose,
-            event_log,
-        }
-    }
-}
-
-impl IntoInterfaceType<dtos::EventLog> for EventLog {
-    fn into_dto_type(self) -> dtos::EventLog {
-        let EventLog {
-            imr,
-            event_type,
-            digest,
-            event,
-            event_payload,
-        } = self;
-
-        dtos::EventLog {
-            imr,
-            event_type,
-            digest,
-            event,
-            event_payload,
-        }
-    }
-}
-
 impl IntoInterfaceType<dtos::Secp256k1PublicKey> for &k256_types::PublicKey {
     fn into_dto_type(self) -> dtos::Secp256k1PublicKey {
         let mut bytes = [0u8; 64];
@@ -480,6 +387,9 @@ impl From<contract_interface::types::InitConfig> for Config {
         if let Some(v) = config_ext.remove_non_participant_update_votes_tera_gas {
             config.remove_non_participant_update_votes_tera_gas = v;
         }
+        if let Some(v) = config_ext.attestation_max_validity_duration_seconds {
+            config.attestation_max_validity_duration_seconds = v;
+        }
 
         config
     }
@@ -505,6 +415,8 @@ impl From<&Config> for contract_interface::types::Config {
                 .cleanup_orphaned_node_migrations_tera_gas,
             remove_non_participant_update_votes_tera_gas: value
                 .remove_non_participant_update_votes_tera_gas,
+            attestation_max_validity_duration_seconds: value
+                .attestation_max_validity_duration_seconds,
         }
     }
 }
@@ -529,6 +441,8 @@ impl From<contract_interface::types::Config> for Config {
                 .cleanup_orphaned_node_migrations_tera_gas,
             remove_non_participant_update_votes_tera_gas: value
                 .remove_non_participant_update_votes_tera_gas,
+            attestation_max_validity_duration_seconds: value
+                .attestation_max_validity_duration_seconds,
         }
     }
 }