Enable Remote Attesation (EPID) in the CI

.github/workflows/build_and_test.yml

@@ -179,6 +179,8 @@ jobs:
       WORKER_IMAGE_TAG: integritee-worker:dev
       CLIENT_IMAGE_TAG: integritee-cli:dev
       COINMARKETCAP_KEY: ${{ secrets.COINMARKETCAP_KEY }}
+      IAS_EPID_SPID: ${{ secrets.IAS_SPID }}
+      IAS_EPID_KEY: ${{ secrets.IAS_PRIMARY_KEY }}
       TEERACLE_INTERVAL_SECONDS: 10
 
     strategy:
@@ -236,7 +238,7 @@ jobs:
           echo "PROJECT=${{ matrix.flavor_id }}-${{ matrix.demo_name }}" >> $GITHUB_ENV
           echo "VERSION=dev.$version" >> $GITHUB_ENV
           echo "WORKER_IMAGE_TAG=integritee-worker:dev.$version" >> $GITHUB_ENV
-          echo "INTEGRITEE_NODE=integritee-node-dev:1.0.33.$version" >> $GITHUB_ENV
+          echo "INTEGRITEE_NODE=integritee-node-dev-ias:1.0.34.$version" >> $GITHUB_ENV
           echo "CLIENT_IMAGE_TAG=integritee-cli:dev.$version" >> $GITHUB_ENV
           if [[ ${{ matrix.sgx_mode }} == 'HW' ]]; then
              echo "SGX_PROVISION=/dev/sgx/provision" >> $GITHUB_ENV
@@ -280,8 +282,8 @@ jobs:
           fi
           docker tag integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} ${{ env.WORKER_IMAGE_TAG }}
           docker tag integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }} ${{ env.CLIENT_IMAGE_TAG }}
-          docker pull integritee/integritee-node-dev:1.0.33
-          docker tag integritee/integritee-node-dev:1.0.33 ${{ env.INTEGRITEE_NODE }}
+          docker pull integritee/integritee-node-dev-ias:1.0.34
+          docker tag integritee/integritee-node-dev-ias:1.0.34 ${{ env.INTEGRITEE_NODE }}
           docker images --all
 
       ##

core-primitives/attestation-handler/src/attestation_handler.rs

@@ -54,7 +54,7 @@ use sgx_types::{
 use sp_core::Pair;
 use std::{
 	borrow::ToOwned,
-	format,
+	env, format,
 	io::{Read, Write},
 	net::TcpStream,
 	prelude::v1::*,
@@ -629,8 +629,9 @@ where
 	}
 
 	fn load_spid(filename: &str) -> SgxResult<sgx_spid_t> {
-		match io::read_to_string(filename).map(|contents| decode_spid(&contents)) {
-			Ok(r) => r,
+		// Check if set as an environment variable
+		match env::var("IAS_EPID_SPID").or_else(|_| io::read_to_string(filename)) {
+			Ok(spid) => decode_spid(&spid),
 			Err(e) => {
 				error!("Failed to load SPID: {:?}", e);
 				Err(sgx_status_t::SGX_ERROR_UNEXPECTED)
@@ -639,7 +640,9 @@ where
 	}
 
 	fn get_ias_api_key() -> EnclaveResult<String> {
-		io::read_to_string(RA_API_KEY_FILE)
+		// Check if set as an environment variable
+		env::var("IAS_EPID_KEY")
+			.or_else(|_| io::read_to_string(RA_API_KEY_FILE))
 			.map(|key| key.trim_end().to_owned())
 			.map_err(|e| EnclaveError::Other(e.into()))
 	}

core-primitives/attestation-handler/src/cert.rs

@@ -366,6 +366,7 @@ where
 		debug!("isvEnclaveQuoteStatus = {}", quote_status);
 		match quote_status.as_ref() {
 			"OK" => (),
+			"SW_HARDENING_NEEDED" => info!("Status in attestation report is SW_HARDENING_NEEDED, which is considered acceptable."),
 			"GROUP_OUT_OF_DATE" | "GROUP_REVOKED" | "CONFIGURATION_NEEDED" => {
 				// Verify platformInfoBlob for further info if status not OK
 				if let Value::String(pib) = &attn_report["platformInfoBlob"] {

docker/demo-teeracle-generic.yml

@@ -2,6 +2,8 @@
 #
 # The demo is parameterized with the interval that the teeracle uses to query its sources.
 # Set the `TEERACLE_INTERVAL_SECONDS` variable when invoking, e.g. `TEERACLE_INTERVAL_SECONDS=4 docker compose -f docker-compose.yml -f demo-teeracle-generic.yml up --exit-code-from demo-teeracle-generic`
+# Set the `ADDITIONAL_RUNTIME_FLAGS` variable to for additional flags.
+# To skip remote attestation: `export ADDITIONAL_RUNTIME_FLAG="--skip-ra"`
 services:
   integritee-teeracle-worker-${VERSION}:
     image: integritee-worker:${VERSION:-dev}
@@ -20,6 +22,8 @@ services:
         condition: service_healthy
     environment:
       - RUST_LOG=warn,ws=warn,sp_io=warn,substrate_api_client=warn,jsonrpsee_ws_client=warn,jsonrpsee_ws_server=warn,enclave_runtime=warn,integritee_service=info,integritee_service::teeracle=debug,ita_stf=warn,ita_oracle=debug
+      - IAS_EPID_SPID
+      - IAS_EPID_KEY
     networks:
       - integritee-test-network
     healthcheck:
@@ -30,7 +34,7 @@ services:
     entrypoint:
         "/usr/local/bin/integritee-service --clean-reset --ws-external -M integritee-teeracle-worker -T wss://integritee-teeracle-worker
         -u ws://integritee-node -U ws://integritee-teeracle-worker -P 2011 -w 2101 -p 9912 -h 4645
-        run --dev --skip-ra --teeracle-interval ${TEERACLE_INTERVAL_SECONDS}s"
+        run --dev ${ADDITIONAL_RUNTIME_FLAGS} --teeracle-interval ${TEERACLE_INTERVAL_SECONDS}s"
     restart: always
   demo-teeracle-generic:
     image: integritee-cli:${VERSION:-dev}
@@ -61,4 +65,4 @@ services:
     restart: "no"
 networks:
   integritee-test-network:
-    driver: bridge
+    driver: bridge

docker/demo-teeracle.yml

@@ -4,6 +4,8 @@
 # Set the `TEERACLE_INTERVAL_SECONDS` variable when invoking, e.g. `TEERACLE_INTERVAL_SECONDS=4 docker compose -f docker-compose.yml -f demo-teeracle.yml up --exit-code-from demo-teeracle`
 # This setup requires an API key for CoinMarketCap
 # Add the API key to the environment variable `COINMARKETCAP_KEY`, with `export COINMARKETCAP_KEY=<your_key>`
+# Set the `ADDITIONAL_RUNTIME_FLAGS` variable to for additional flags.
+# To skip remote attestation: `export ADDITIONAL_RUNTIME_FLAG="--skip-ra"`
 services:
   integritee-teeracle-worker-${VERSION}:
     image: integritee-worker:${VERSION:-dev}
@@ -23,6 +25,8 @@ services:
     environment:
       - RUST_LOG=warn,ws=warn,sp_io=warn,substrate_api_client=warn,jsonrpsee_ws_client=warn,jsonrpsee_ws_server=warn,enclave_runtime=warn,integritee_service=info,integritee_service::teeracle=debug,ita_stf=warn,ita_exchange_oracle=debug
       - COINMARKETCAP_KEY
+      - IAS_EPID_SPID
+      - IAS_EPID_KEY
     networks:
       - integritee-test-network
     healthcheck:
@@ -33,7 +37,7 @@ services:
     entrypoint:
         "/usr/local/bin/integritee-service --clean-reset --ws-external -M integritee-teeracle-worker -T wss://integritee-teeracle-worker
         -u ws://integritee-node -U ws://integritee-teeracle-worker -P 2011 -w 2101 -p 9912 -h 4645
-        run --dev --skip-ra --teeracle-interval ${TEERACLE_INTERVAL_SECONDS}s"
+        run --dev ${ADDITIONAL_RUNTIME_FLAGS} --teeracle-interval ${TEERACLE_INTERVAL_SECONDS}s"
     restart: always
   demo-teeracle:
     image: integritee-cli:${VERSION:-dev}
@@ -64,4 +68,4 @@ services:
     restart: "no"
 networks:
   integritee-test-network:
-    driver: bridge
+    driver: bridge

docker/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
-  integritee-node-${VERSION}:
-    image: "${INTEGRITEE_NODE:-integritee/integritee-node-dev:1.0.33}"
+  "integritee-node-${VERSION}":
+    image: "${INTEGRITEE_NODE:-integritee/integritee-node-dev-ias:1.0.34}"
     hostname: integritee-node
     devices:
       - "${SGX_PROVISION:-/dev/null}:/dev/sgx/provision"
@@ -10,22 +10,22 @@ services:
     networks:
       - integritee-test-network
     healthcheck:
-      test: ["CMD", "nc", "-z", "integritee-node", "9912"]
+      test: [ "CMD", "nc", "-z", "integritee-node", "9912" ]
       interval: 10s
       timeout: 10s
       retries: 6
     command: --dev --rpc-methods unsafe --ws-external --rpc-external --ws-port 9912
     #logging:
-      #driver: local
-  integritee-worker-1-${VERSION}:
+    #driver: local
+  "integritee-worker-1-${VERSION}":
     image: integritee-worker:${VERSION:-dev}
     hostname: integritee-worker-1
     build:
       context: ${PWD}/..
       dockerfile: build.Dockerfile
       target: deployed-worker
     depends_on:
-      integritee-node-${VERSION}:
+      "integritee-node-${VERSION}":
         condition: service_healthy
     devices:
       - "${SGX_PROVISION:-/dev/null}:/dev/sgx/provision"
@@ -34,29 +34,28 @@ services:
       - "${AESMD:-/dev/null}:/var/run/aesmd"
     environment:
       - RUST_LOG=warn,ws=warn,sp_io=warn,substrate_api_client=warn,jsonrpsee_ws_client=warn,jsonrpsee_ws_server=warn,enclave_runtime=warn,integritee_service=warn,ita_stf=warn
+      - IAS_EPID_SPID
+      - IAS_EPID_KEY
     networks:
       - integritee-test-network
     healthcheck:
       test: curl -s -f http://integritee-worker-1:4645/is_initialized || exit 1
       interval: 10s
       timeout: 10s
       retries: 25
-    entrypoint:
-      "/usr/local/bin/integritee-service --clean-reset --ws-external -M integritee-worker-1 -T wss://integritee-worker-1
-      -u ws://integritee-node -U ws://integritee-worker-1 -P 2011 -w 2101 -p 9912 -h 4645
-      run --dev --skip-ra"
+    entrypoint: "/usr/local/bin/integritee-service --clean-reset --ws-external -M integritee-worker-1 -T wss://integritee-worker-1 -u ws://integritee-node -U ws://integritee-worker-1 -P 2011 -w 2101 -p 9912 -h 4645 run --dev"
     restart: "no"
-  integritee-worker-2-${VERSION}:
+  "integritee-worker-2-${VERSION}":
     image: integritee-worker:${VERSION:-dev}
     hostname: integritee-worker-2
     build:
       context: ${PWD}/..
       dockerfile: build.Dockerfile
       target: deployed-worker
     depends_on:
-      integritee-node-${VERSION}:
+      "integritee-node-${VERSION}":
         condition: service_healthy
-      integritee-worker-1-${VERSION}:
+      "integritee-worker-1-${VERSION}":
         condition: service_healthy
     devices:
       - "${SGX_PROVISION:-/dev/null}:/dev/sgx/provision"
@@ -65,18 +64,17 @@ services:
       - "${AESMD:-/dev/null}:/var/run/aesmd"
     environment:
       - RUST_LOG=warn,ws=warn,sp_io=warn,substrate_api_client=warn,jsonrpsee_ws_client=warn,jsonrpsee_ws_server=warn,enclave_runtime=warn,integritee_service=warn,ita_stf=warn
+      - IAS_EPID_SPID
+      - IAS_EPID_KEY
     networks:
       - integritee-test-network
     healthcheck:
       test: curl -s -f http://integritee-worker-2:4646/is_initialized || exit 1
       interval: 10s
       timeout: 10s
       retries: 25
-    entrypoint:
-      "/usr/local/bin/integritee-service --clean-reset --ws-external -M integritee-worker-2 -T wss://integritee-worker-2
-      -u ws://integritee-node -U ws://integritee-worker-2 -P 2012 -w 2102 -p 9912 -h 4646
-      run --dev --skip-ra --request-state"
+    entrypoint: "/usr/local/bin/integritee-service --clean-reset --ws-external -M integritee-worker-2 -T wss://integritee-worker-2 -u ws://integritee-node -U ws://integritee-worker-2 -P 2012 -w 2102 -p 9912 -h 4646 run --dev --request-state"
     restart: "no"
 networks:
   integritee-test-network:
-    driver: bridge
+    driver: bridge