From 097eed3a2b0ed8b18d9fad273ffab98d975df738 Mon Sep 17 00:00:00 2001 From: Reuven Podmazo Date: Thu, 18 Nov 2021 18:01:51 +0200 Subject: [PATCH 1/7] put enclave access behind a reentrant mutex --- cosmwasm/Cargo.lock | 83 +++++++++++++++++-- cosmwasm/packages/sgx-vm/Cargo.toml | 1 + cosmwasm/packages/sgx-vm/src/attestation.rs | 4 +- cosmwasm/packages/sgx-vm/src/enclave.rs | 79 ++++++++++++++++-- .../packages/sgx-vm/src/errors/enclave.rs | 2 + cosmwasm/packages/sgx-vm/src/instance.rs | 4 +- cosmwasm/packages/sgx-vm/src/seed.rs | 8 +- cosmwasm/packages/sgx-vm/src/wasmi/exports.rs | 9 +- cosmwasm/packages/sgx-vm/src/wasmi/mod.rs | 2 +- cosmwasm/packages/sgx-vm/src/wasmi/wrapper.rs | 33 ++------ go-cosmwasm/Cargo.lock | 83 +++++++++++++++++-- 11 files changed, 247 insertions(+), 61 deletions(-) diff --git a/cosmwasm/Cargo.lock b/cosmwasm/Cargo.lock index c4507555c..5d733ff1a 100644 --- a/cosmwasm/Cargo.lock +++ b/cosmwasm/Cargo.lock @@ -42,7 +42,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "46254cf2fdcdf1badb5934448c1bcbe046a56537b3987d96c51a7afc5d03f293" dependencies = [ "addr2line", - "cfg-if", + "cfg-if 0.1.10", "libc", "miniz_oxide", "object", @@ -105,6 +105,12 @@ version = "0.1.10" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4785bdd1c96b2a846b2bd7cc02e86b6b3dbf14e7e53446c4f54c92a361040822" +[[package]] +name = "cfg-if" +version = "1.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" + [[package]] name = "clap" version = "2.33.2" @@ -149,6 +155,7 @@ dependencies = [ "log", "memmap", "parity-wasm", + "parking_lot", "schemars", "serde", "serde_json", @@ -238,7 +245,7 @@ version = "0.1.14" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7abc8dd8451921606d809ba32e95b6111925cd2906060d2dcc29c070220503eb" dependencies = [ - "cfg-if", + "cfg-if 0.1.10", "libc", "wasi", ] 
@@ -270,6 +277,15 @@ version = "0.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "644f9158b2f133fd50f5fb3242878846d9eb792e445c893805ff0e3824006e35" +[[package]] +name = "instant" +version = "0.1.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7a5bbe824c507c5da5956355e86a746d82e0e1464f65d862cc5e71da70e94b2c" +dependencies = [ + "cfg-if 1.0.0", +] + [[package]] name = "itoa" version = "0.4.6" @@ -288,13 +304,22 @@ version = "0.2.74" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a2f02823cf78b754822df5f7f268fb59822e7296276d3e069d8e8cb26a14bd10" +[[package]] +name = "lock_api" +version = "0.4.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "712a4d093c9976e24e7dbca41db895dabcbac38eb5f4045393d17a95bdfb1109" +dependencies = [ + "scopeguard", +] + [[package]] name = "log" version = "0.4.11" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4fabed175da42fed1fa0746b0ea71f412aa9d35e76e95e59b192c64b9dc2bf8b" dependencies = [ - "cfg-if", + "cfg-if 0.1.10", ] [[package]] @@ -334,6 +359,31 @@ version = "0.41.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ddfc878dac00da22f8f61e7af3157988424567ab01d9920b962ef7dcbd7cd865" +[[package]] +name = "parking_lot" +version = "0.11.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6d7744ac029df22dca6284efe4e898991d28e3085c706c972bcd7da4a27a15eb" +dependencies = [ + "instant", + "lock_api", + "parking_lot_core", +] + +[[package]] +name = "parking_lot_core" +version = "0.8.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fa7a782938e745763fe6907fc6ba86946d72f49fe7e21de074e08128a99fb018" +dependencies = [ + "cfg-if 1.0.0", + "instant", + "libc", + "redox_syscall 0.2.10", + "smallvec", + "winapi", +] + [[package]] name = "ppv-lite86" version = "0.2.8" 
@@ -405,6 +455,15 @@ version = "0.1.57" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "41cc0f7e4d5d4544e8861606a285bb08d3e70712ccc7d2b84d7c0ccfaf4b05ce" +[[package]] +name = "redox_syscall" +version = "0.2.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8383f39639269cde97d255a32bdb68c047337295414940c68bdd30c2e13203ff" +dependencies = [ + "bitflags", +] + [[package]] name = "remove_dir_all" version = "0.5.3" @@ -449,6 +508,12 @@ dependencies = [ "syn", ] +[[package]] +name = "scopeguard" +version = "1.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd" + [[package]] name = "serde" version = "1.0.117" @@ -521,12 +586,18 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2933378ddfeda7ea26f48c555bdad8bb446bf8a3d17832dc83e380d444cfb8c1" dependencies = [ "block-buffer", - "cfg-if", + "cfg-if 0.1.10", "cpuid-bool", "digest", "opaque-debug", ] +[[package]] +name = "smallvec" +version = "1.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1ecab6c735a6bb4139c0caafd0cc3635748bbb3acf4550e8138122099251f309" + [[package]] name = "snafu" version = "0.6.8" @@ -572,10 +643,10 @@ version = "3.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7a6e24d9338a0a5be79593e2fa15a648add6138caa803e2d5bc782c371732ca9" dependencies = [ - "cfg-if", + "cfg-if 0.1.10", "libc", "rand", - "redox_syscall", + "redox_syscall 0.1.57", "remove_dir_all", "winapi", ] diff --git a/cosmwasm/packages/sgx-vm/Cargo.toml b/cosmwasm/packages/sgx-vm/Cargo.toml index 4afc14da7..b25cd55bf 100644 --- a/cosmwasm/packages/sgx-vm/Cargo.toml +++ b/cosmwasm/packages/sgx-vm/Cargo.toml 
@@ -64,6 +64,7 @@ sgx_types = { git = "https://github.com/apache/teaclave-sgx-sdk.git", rev = "a37 sgx_urts = { git = "https://github.com/apache/teaclave-sgx-sdk.git", rev = "a37ffb9449ba6d5b6e4a9d586bbab864ae732269" } log = "0.4.8" base64 = "0.12.0" +parking_lot = "0.11" [dev-dependencies] tempfile = "3.1.0" diff --git a/cosmwasm/packages/sgx-vm/src/attestation.rs b/cosmwasm/packages/sgx-vm/src/attestation.rs index e23052fe9..04f77fa80 100644 --- a/cosmwasm/packages/sgx-vm/src/attestation.rs +++ b/cosmwasm/packages/sgx-vm/src/attestation.rs @@ -127,7 +127,7 @@ pub extern "C" fn ocall_get_update_info( } pub fn create_attestation_report_u(spid: &[u8], api_key: &[u8]) -> SgxResult<()> { - let enclave = get_enclave()?; + let enclave = get_enclave()?.ok_or(sgx_status_t::SGX_ERROR_OUT_OF_TCS)?; let eid = enclave.geteid(); let mut retval = sgx_status_t::SGX_SUCCESS; @@ -156,7 +156,7 @@ pub fn create_attestation_report_u(spid: &[u8], api_key: &[u8]) -> SgxResult<()> pub fn untrusted_get_encrypted_seed( cert: &[u8], ) -> SgxResult> { - let enclave = get_enclave()?; + let enclave = get_enclave()?.ok_or(sgx_status_t::SGX_ERROR_OUT_OF_TCS)?; let eid = enclave.geteid(); let mut retval = NodeAuthResult::Success; let mut seed = [0u8; ENCRYPTED_SEED_SIZE]; diff --git a/cosmwasm/packages/sgx-vm/src/enclave.rs b/cosmwasm/packages/sgx-vm/src/enclave.rs index 730ad6895..382ac2fd3 100644 --- a/cosmwasm/packages/sgx-vm/src/enclave.rs +++ b/cosmwasm/packages/sgx-vm/src/enclave.rs @@ -1,6 +1,9 @@ -use std::{env, path::Path, sync::Mutex}; +use enclave_ffi_types::{EnclaveBuffer, RuntimeConfiguration}; +use std::env; +use std::ops::Deref; +use std::path::Path; +use std::time::Duration; -use enclave_ffi_types::RuntimeConfiguration; use sgx_types::{ sgx_attributes_t, sgx_enclave_id_t, sgx_launch_token_t, sgx_misc_attribute_t, sgx_status_t, SgxResult, 
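Review bot: In `create_attestation_report_u`, a host-side lock timeout (`get_enclave()` returning `Ok(None)`) is reported as `sgx_status_t::SGX_ERROR_OUT_OF_TCS`, which is indistinguishable from the SGX runtime genuinely running out of TCS slots. The same mapping is repeated in `untrusted_get_encrypted_seed` in this file and in the `seed.rs` and `enclave_tests.rs` hunks of this series, so this note covers those too. If the reuse is deliberate (the changelog entry later in the series suggests clients already saw this status under load), say so at the mapping site, e.g. `// Lock wait timed out on the untrusted side; reported as OUT_OF_TCS to keep the status callers already handle`. Otherwise do the mapping once in a small helper in `enclave.rs` so that the substitution is documented and logged in one place. Both functions continue outside their hunks.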
@@ -9,6 +12,9 @@ use sgx_urts::SgxEnclave; use lazy_static::lazy_static; use log::*; +use parking_lot::{Mutex, ReentrantMutex, ReentrantMutexGuard}; + +use crate::wasmi::imports; static ENCLAVE_FILE: &str = "librust_cosmwasm_enclave.signed.so"; @@ -18,6 +24,34 @@ const ENCLAVE_DEBUG: i32 = 0; #[cfg(not(feature = "production"))] const ENCLAVE_DEBUG: i32 = 1; +struct EnclaveMutex { + enclave: ReentrantMutex, +} + +impl EnclaveMutex { + fn new() -> SgxResult { + let enclave = ReentrantMutex::new(init_enclave()?); + Ok(Self { enclave }) + } + + fn get_enclave(&'static self, timeout: Duration) -> Option { + let guard = self.enclave.try_lock_for(timeout); + guard.map(|guard| EnclaveGuard { guard }) + } +} + +pub struct EnclaveGuard { + guard: ReentrantMutexGuard<'static, SgxEnclave>, +} + +impl Deref for EnclaveGuard { + type Target = SgxEnclave; + + fn deref(&self) -> &Self::Target { + self.guard.deref() + } +} + fn init_enclave() -> SgxResult { let mut launch_token: sgx_launch_token_t = [0; 1024]; let mut launch_token_updated: i32 = 0; @@ -68,7 +102,8 @@ fn init_enclave() -> SgxResult { #[allow(clippy::mutex_atomic)] lazy_static! { - static ref SGX_ENCLAVE: SgxResult = init_enclave(); + static ref SGX_ENCLAVE_MUTEX: SgxResult = EnclaveMutex::new(); + /// This variable indicates if the enclave configuration has already been set static ref SGX_ENCLAVE_CONFIGURED: Mutex = Mutex::new(false); } @@ -76,8 +111,10 @@ lazy_static! { /// Use this method when trying to get access to the enclave. /// You can unwrap the result when you are certain that the enclave /// must have been initialized if you even reached that point in the code. -pub fn get_enclave() -> SgxResult<&'static SgxEnclave> { - SGX_ENCLAVE.as_ref().map_err(|status| *status) +pub fn get_enclave() -> SgxResult> { + let mutex = SGX_ENCLAVE_MUTEX.as_ref().map_err(|status| *status)?; + let maybe_guard = mutex.get_enclave(Duration::from_secs(2)); + Ok(maybe_guard) } extern "C" { 
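Review bot: `pub struct EnclaveGuard` is a new public type with no doc comment, and its locking contract is not obvious from the name. The value keeps the enclave lock held until it is dropped. Because the inner lock is a `ReentrantMutex`, a thread that already holds a guard obtains another one immediately, so the exclusion is between threads and does not cover nested use on one thread. I would add `/// Holds the enclave lock until dropped. The lock is reentrant: it excludes other threads, not nested calls on the thread that already owns it.` above the struct, and a one-line doc on `EnclaveMutex::get_enclave` stating that `None` means the timeout elapsed.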
@@ -101,14 +138,15 @@ impl EnclaveRuntimeConfig { } pub fn configure_enclave(config: EnclaveRuntimeConfig) -> SgxResult<()> { - let mut configured = SGX_ENCLAVE_CONFIGURED.lock().unwrap(); + let mut configured = SGX_ENCLAVE_CONFIGURED.lock(); if *configured { return Ok(()); } *configured = true; drop(configured); - let enclave = get_enclave()?; + let enclave = get_enclave()? + .expect("This function should only be called once when the node is initializing"); let mut retval = sgx_status_t::SGX_SUCCESS; @@ -125,3 +163,30 @@ pub fn configure_enclave(config: EnclaveRuntimeConfig) -> SgxResult<()> { Ok(()) } + +/// This is a safe wrapper for allocating buffers inside the enclave. +/// +/// It must be called after the enclave has been initialized, and can not be called +/// while another thread is using the enclave, or it will panic. +pub(super) fn allocate_enclave_buffer(buffer: &[u8]) -> SgxResult { + let ptr = buffer.as_ptr(); + let len = buffer.len(); + let mut enclave_buffer = EnclaveBuffer::default(); + + let enclave_id = crate::enclave::get_enclave() + .expect("If we got here, surely the enclave has been loaded") + .expect("If we got here, surely we are the thread that holds the enclave") + .geteid(); + + trace!( + target: module_path!(), + "allocate_enclave_buffer() called with len: {:?} enclave_id: {:?}", + len, + enclave_id, + ); + + match unsafe { imports::ecall_allocate(enclave_id, &mut enclave_buffer, ptr, len) } { + sgx_status_t::SGX_SUCCESS => Ok(enclave_buffer), + failure_status => Err(failure_status), + } +} diff --git a/cosmwasm/packages/sgx-vm/src/errors/enclave.rs b/cosmwasm/packages/sgx-vm/src/errors/enclave.rs index f63f49d80..7b430a32a 100644 --- a/cosmwasm/packages/sgx-vm/src/errors/enclave.rs +++ b/cosmwasm/packages/sgx-vm/src/errors/enclave.rs @@ -15,6 +15,8 @@ pub enum EnclaveError { status: sgx_types::sgx_status_t, backtrace: Backtrace, }, + #[snafu(display("Too many queries, please try again"))] + EnclaveBusy {}, } impl EnclaveError { 
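Review bot: In `configure_enclave`, the new `.expect(...)` turns a lock timeout into a panic, and it runs after `*configured = true` has already been stored (context lines of the same hunk). If that panic is ever caught or confined to one thread, later calls would return `Ok(())` without the configuration ecall having run. The function already returns `SgxResult<()>`, so the timeout can be propagated as the other call sites in this series do: `let enclave = get_enclave()?.ok_or(sgx_status_t::SGX_ERROR_OUT_OF_TCS)?;`. Setting the flag only after the ecall reports success would close the gap fully, but the tail of the function is outside this hunk.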
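Review bot: `allocate_enclave_buffer` now panics through its second `.expect(...)` when the lock is not obtained within the timeout. The callers visible in the `exports.rs` hunks are `extern "C"` ocalls (`ocall_read_db`, `ocall_query_chain`), so the panic would reach an FFI boundary instead of becoming `OcallReturn::Failure`. The function returns `SgxResult<EnclaveBuffer>` and those callers already map `Err` to a failure code, so both expects can become error returns: `let enclave_id = get_enclave()?.ok_or(sgx_status_t::SGX_ERROR_OUT_OF_TCS)?.geteid();`. The doc comment's "or it will panic" sentence would then change to say that an error status is returned. Separately, the guard here is a temporary dropped before `ecall_allocate` runs, so the call is only serialized if the calling thread already holds an outer guard, which looks like the intent; that assumption is worth a comment.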
diff --git a/cosmwasm/packages/sgx-vm/src/instance.rs b/cosmwasm/packages/sgx-vm/src/instance.rs index e8b383c28..f980bf4b6 100644 --- a/cosmwasm/packages/sgx-vm/src/instance.rs +++ b/cosmwasm/packages/sgx-vm/src/instance.rs @@ -87,7 +87,9 @@ where let module = compile(code)?; Instance::from_module(&module, deps, gas_limit) */ - let enclave = get_enclave().map_err(EnclaveError::sdk_err)?; + let enclave = get_enclave() + .map_err(EnclaveError::sdk_err)? + .ok_or(EnclaveError::EnclaveBusy {})?; let module = Module::::new( code.to_vec(), gas_limit, diff --git a/cosmwasm/packages/sgx-vm/src/seed.rs b/cosmwasm/packages/sgx-vm/src/seed.rs index 39b75a75c..ab8e836fb 100644 --- a/cosmwasm/packages/sgx-vm/src/seed.rs +++ b/cosmwasm/packages/sgx-vm/src/seed.rs @@ -40,7 +40,7 @@ extern "C" { pub fn untrusted_health_check() -> SgxResult { //info!("Initializing enclave.."); - let enclave = get_enclave()?; + let enclave = get_enclave()?.ok_or(sgx_status_t::SGX_ERROR_OUT_OF_TCS)?; //debug!("Initialized enclave successfully!"); let eid = enclave.geteid(); @@ -57,7 +57,7 @@ pub fn untrusted_health_check() -> SgxResult { pub fn untrusted_init_node(master_cert: &[u8], encrypted_seed: &[u8]) -> SgxResult<()> { info!("Initializing enclave.."); - let enclave = get_enclave()?; + let enclave = get_enclave()?.ok_or(sgx_status_t::SGX_ERROR_OUT_OF_TCS)?; info!("Initialized enclave successfully!"); let eid = enclave.geteid(); @@ -87,7 +87,7 @@ pub fn untrusted_init_node(master_cert: &[u8], encrypted_seed: &[u8]) -> SgxResu pub fn untrusted_key_gen() -> SgxResult<[u8; 32]> { info!("Initializing enclave.."); - let enclave = get_enclave()?; + let enclave = get_enclave()?.ok_or(sgx_status_t::SGX_ERROR_OUT_OF_TCS)?; info!("Initialized enclave successfully!"); let eid = enclave.geteid(); 
@@ -109,7 +109,7 @@ pub fn untrusted_key_gen() -> SgxResult<[u8; 32]> { pub fn untrusted_init_bootstrap(spid: &[u8], api_key: &[u8]) -> SgxResult<[u8; 32]> { info!("Hello from just before initializing - untrusted_init_bootstrap"); - let enclave = get_enclave()?; + let enclave = get_enclave()?.ok_or(sgx_status_t::SGX_ERROR_OUT_OF_TCS)?; info!("Hello from just after initializing - untrusted_init_bootstrap"); let eid = enclave.geteid(); diff --git a/cosmwasm/packages/sgx-vm/src/wasmi/exports.rs b/cosmwasm/packages/sgx-vm/src/wasmi/exports.rs index d39116442..9c481ed55 100644 --- a/cosmwasm/packages/sgx-vm/src/wasmi/exports.rs +++ b/cosmwasm/packages/sgx-vm/src/wasmi/exports.rs @@ -2,6 +2,7 @@ use enclave_ffi_types::{Ctx, EnclaveBuffer, OcallReturn, UntrustedVmError, UserS use std::ffi::c_void; use crate::context::{with_querier_from_context, with_storage_from_context}; +use crate::enclave::allocate_enclave_buffer; use crate::{Querier, Storage, VmError, VmResult}; use cosmwasm_std::{Binary, StdResult, SystemResult}; @@ -48,9 +49,7 @@ pub extern "C" fn ocall_read_db( Ok((value, gas_cost)) => { unsafe { *gas_used = gas_cost }; value - .map(|val| { - super::allocate_enclave_buffer(&val).map_err(|_| OcallReturn::Failure) - }) + .map(|val| allocate_enclave_buffer(&val).map_err(|_| OcallReturn::Failure)) .unwrap_or_else(|| Ok(EnclaveBuffer::default())) } Err(err) => { @@ -98,9 +97,7 @@ pub extern "C" fn ocall_query_chain( // see CosmWasm's implementation https://github.com/enigmampc/SecretNetwork/blob/508e99c990dd656eb61f456584dab054487ba178/cosmwasm/packages/sgx-vm/src/imports.rs#L124 crate::serde::to_vec(&system_result) - .map(|val| { - super::allocate_enclave_buffer(&val).map_err(|_| OcallReturn::Failure) - }) + .map(|val| allocate_enclave_buffer(&val).map_err(|_| OcallReturn::Failure)) .unwrap_or_else(|_| Ok(EnclaveBuffer::default())) } Err(err) => { 
diff --git a/cosmwasm/packages/sgx-vm/src/wasmi/mod.rs b/cosmwasm/packages/sgx-vm/src/wasmi/mod.rs index fd47bf82a..e4e16fb33 100644 --- a/cosmwasm/packages/sgx-vm/src/wasmi/mod.rs +++ b/cosmwasm/packages/sgx-vm/src/wasmi/mod.rs @@ -1,5 +1,5 @@ mod exports; -mod imports; +pub(crate) mod imports; mod results; mod utils; mod wrapper; diff --git a/cosmwasm/packages/sgx-vm/src/wasmi/wrapper.rs b/cosmwasm/packages/sgx-vm/src/wasmi/wrapper.rs index 66530493a..e83d69ddd 100644 --- a/cosmwasm/packages/sgx-vm/src/wasmi/wrapper.rs +++ b/cosmwasm/packages/sgx-vm/src/wasmi/wrapper.rs @@ -7,10 +7,9 @@ use std::mem::MaybeUninit; use crate::errors::{EnclaveError, VmResult}; use crate::{Querier, Storage}; -use enclave_ffi_types::{Ctx, EnclaveBuffer, HandleResult, InitResult, QueryResult}; +use enclave_ffi_types::{Ctx, HandleResult, InitResult, QueryResult}; -use sgx_types::{sgx_status_t, SgxResult}; -use sgx_urts::SgxEnclave; +use sgx_types::sgx_status_t; use log::*; @@ -20,29 +19,7 @@ use super::results::{ handle_result_to_vm_result, init_result_to_vm_result, query_result_to_vm_result, HandleSuccess, InitSuccess, QuerySuccess, }; - -/// This is a safe wrapper for allocating buffers inside the enclave. -pub(super) fn allocate_enclave_buffer(buffer: &[u8]) -> SgxResult { - let ptr = buffer.as_ptr(); - let len = buffer.len(); - let mut enclave_buffer = EnclaveBuffer::default(); - - let enclave_id = crate::enclave::get_enclave() - .expect("If we got here, surely the enclave has been loaded") - .geteid(); - - trace!( - target: module_path!(), - "allocate_enclave_buffer() called with len: {:?} enclave_id: {:?}", - len, - enclave_id, - ); - - match unsafe { imports::ecall_allocate(enclave_id, &mut enclave_buffer, ptr, len) } { - sgx_status_t::SGX_SUCCESS => Ok(enclave_buffer), - failure_status => Err(failure_status), - } -} +use crate::enclave::EnclaveGuard; pub struct Module where 
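Review bot: `pub(crate) mod imports;` makes every raw ecall binding in `wasmi::imports` callable from anywhere in the crate, although the only new user shown in this series is `ecall_allocate` in `enclave.rs`. These are `unsafe` FFI entry points into the enclave, so it is worth keeping them reachable from as few places as possible. Assuming `ecall_allocate` is declared `pub` inside `imports`, the module can stay private with a single re-export: `mod imports;` plus `pub(crate) use imports::ecall_allocate;`, and `enclave.rs` would then import `crate::wasmi::ecall_allocate`.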
@@ -52,7 +29,7 @@ where bytecode: Vec, gas_limit: u64, used_gas: u64, - enclave: &'static SgxEnclave, + enclave: EnclaveGuard, ctx: Ctx, finalizer: fn(*mut c_void), @@ -69,7 +46,7 @@ where pub fn new( bytecode: Vec, gas_limit: u64, - enclave: &'static SgxEnclave, + enclave: EnclaveGuard, (data, finalizer): (*mut c_void, fn(*mut c_void)), ) -> Self { // TODO add validation of this bytecode? diff --git a/go-cosmwasm/Cargo.lock b/go-cosmwasm/Cargo.lock index ddc466d92..67a5e1bd6 100644 --- a/go-cosmwasm/Cargo.lock +++ b/go-cosmwasm/Cargo.lock @@ -48,7 +48,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "46254cf2fdcdf1badb5934448c1bcbe046a56537b3987d96c51a7afc5d03f293" dependencies = [ "addr2line", - "cfg-if", + "cfg-if 0.1.10", "libc", "miniz_oxide", "object", @@ -123,6 +123,12 @@ version = "0.1.10" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4785bdd1c96b2a846b2bd7cc02e86b6b3dbf14e7e53446c4f54c92a361040822" +[[package]] +name = "cfg-if" +version = "1.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" + [[package]] name = "chrono" version = "0.4.15" @@ -172,6 +178,7 @@ dependencies = [ "log", "memmap", "parity-wasm", + "parking_lot", "schemars", "serde", "serde_json", @@ -286,7 +293,7 @@ version = "0.1.14" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7abc8dd8451921606d809ba32e95b6111925cd2906060d2dcc29c070220503eb" dependencies = [ - "cfg-if", + "cfg-if 0.1.10", "libc", "wasi", ] 
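Review bot: Storing `enclave: EnclaveGuard` in `Module` (and taking it by value in `Module::new`, second hunk) keeps the enclave lock held for as long as the `Module` is alive, not only while an ecall is in flight. Any path that keeps a module or instance around, such as a cache or a long-lived handle, would make every other thread wait out the full timeout and fail with the busy error; callers are not visible here, so this is something to confirm rather than a confirmed defect. At minimum the field should carry the contract, e.g. `// Holds the global enclave lock until this Module is dropped; do not keep Modules alive across requests.`. The struct definition and `new` both continue outside their hunks.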
@@ -339,6 +346,15 @@ version = "0.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "644f9158b2f133fd50f5fb3242878846d9eb792e445c893805ff0e3824006e35" +[[package]] +name = "instant" +version = "0.1.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7a5bbe824c507c5da5956355e86a746d82e0e1464f65d862cc5e71da70e94b2c" +dependencies = [ + "cfg-if 1.0.0", +] + [[package]] name = "itoa" version = "0.4.6" @@ -357,13 +373,22 @@ version = "0.2.74" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a2f02823cf78b754822df5f7f268fb59822e7296276d3e069d8e8cb26a14bd10" +[[package]] +name = "lock_api" +version = "0.4.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "712a4d093c9976e24e7dbca41db895dabcbac38eb5f4045393d17a95bdfb1109" +dependencies = [ + "scopeguard", +] + [[package]] name = "log" version = "0.4.11" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4fabed175da42fed1fa0746b0ea71f412aa9d35e76e95e59b192c64b9dc2bf8b" dependencies = [ - "cfg-if", + "cfg-if 0.1.10", ] [[package]] @@ -422,6 +447,31 @@ version = "0.41.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ddfc878dac00da22f8f61e7af3157988424567ab01d9920b962ef7dcbd7cd865" +[[package]] +name = "parking_lot" +version = "0.11.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6d7744ac029df22dca6284efe4e898991d28e3085c706c972bcd7da4a27a15eb" +dependencies = [ + "instant", + "lock_api", + "parking_lot_core", +] + +[[package]] +name = "parking_lot_core" +version = "0.8.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fa7a782938e745763fe6907fc6ba86946d72f49fe7e21de074e08128a99fb018" +dependencies = [ + "cfg-if 1.0.0", + "instant", + "libc", + "redox_syscall 0.2.10", + "smallvec", + "winapi", +] + [[package]] name = "ppv-lite86" version = "0.2.8" 
@@ -493,6 +543,15 @@ version = "0.1.57" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "41cc0f7e4d5d4544e8861606a285bb08d3e70712ccc7d2b84d7c0ccfaf4b05ce" +[[package]] +name = "redox_syscall" +version = "0.2.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8383f39639269cde97d255a32bdb68c047337295414940c68bdd30c2e13203ff" +dependencies = [ + "bitflags", +] + [[package]] name = "remove_dir_all" version = "0.5.3" @@ -537,6 +596,12 @@ dependencies = [ "syn", ] +[[package]] +name = "scopeguard" +version = "1.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd" + [[package]] name = "serde" version = "1.0.117" @@ -614,7 +679,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2933378ddfeda7ea26f48c555bdad8bb446bf8a3d17832dc83e380d444cfb8c1" dependencies = [ "block-buffer", - "cfg-if", + "cfg-if 0.1.10", "cpuid-bool", "digest", "opaque-debug", @@ -633,6 +698,12 @@ dependencies = [ "winapi", ] +[[package]] +name = "smallvec" +version = "1.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1ecab6c735a6bb4139c0caafd0cc3635748bbb3acf4550e8138122099251f309" + [[package]] name = "snafu" version = "0.6.8" @@ -678,10 +749,10 @@ version = "3.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7a6e24d9338a0a5be79593e2fa15a648add6138caa803e2d5bc782c371732ca9" dependencies = [ - "cfg-if", + "cfg-if 0.1.10", "libc", "rand", - "redox_syscall", + "redox_syscall 0.1.57", "remove_dir_all", "winapi", ] From 8876181b458d8dd37020c14515412939430c4df9 Mon Sep 17 00:00:00 2001 From: Reuven Podmazo Date: Thu, 18 Nov 2021 18:17:15 +0200 Subject: [PATCH 2/7] fixed enclave_tests.rs --- cosmwasm/packages/sgx-vm/src/enclave_tests.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/cosmwasm/packages/sgx-vm/src/enclave_tests.rs b/cosmwasm/packages/sgx-vm/src/enclave_tests.rs index 4a2f9f72a..f4c666694 100644 --- a/cosmwasm/packages/sgx-vm/src/enclave_tests.rs +++ b/cosmwasm/packages/sgx-vm/src/enclave_tests.rs @@ -8,7 +8,7 @@ extern "C" { } pub fn run_tests() -> SgxResult { - let enclave = get_enclave()?; + let enclave = get_enclave()?.ok_or(sgx_status_t::SGX_ERROR_OUT_OF_TCS)?; let mut failed_tests = 0; let status = unsafe { ecall_run_tests(enclave.geteid(), &mut failed_tests) }; match status { From c4f2b5c3f6e365cba5d5742d5e95b7f2a55d7af9 Mon Sep 17 00:00:00 2001 From: Reuven Podmazo Date: Thu, 18 Nov 2021 21:25:47 +0200 Subject: [PATCH 3/7] added printing of original error when querying fails --- x/compute/client/utils/utils.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x/compute/client/utils/utils.go b/x/compute/client/utils/utils.go index 94f1bf699..aefbd66d7 100644 --- a/x/compute/client/utils/utils.go +++ b/x/compute/client/utils/utils.go @@ -252,7 +252,7 @@ var re = regexp.MustCompile("encrypted: (.+?):") func (ctx WASMContext) DecryptError(errString string, msgType string, nonce []byte) (json.RawMessage, error) { regexMatch := re.FindStringSubmatch(errString) if len(regexMatch) != 2 { - return nil, fmt.Errorf("Got an error finding base64 of the error: regexMatch '%v' should have a length of 2", regexMatch) + return nil, fmt.Errorf("Got an error finding base64 of the error: regexMatch '%v' should have a length of 2. error: %v", regexMatch, errString) } errorCipherB64 := regexMatch[1] From 046522afb97b78163e33363e89e2ca0cdb0fd787 Mon Sep 17 00:00:00 2001 From: Reuven Podmazo Date: Sun, 21 Nov 2021 11:42:22 +0200 Subject: [PATCH 4/7] updated timeout of queries to enclave --- cosmwasm/packages/sgx-vm/src/enclave.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cosmwasm/packages/sgx-vm/src/enclave.rs b/cosmwasm/packages/sgx-vm/src/enclave.rs index 382ac2fd3..d0f72382b 100644 
--- a/cosmwasm/packages/sgx-vm/src/enclave.rs +++ b/cosmwasm/packages/sgx-vm/src/enclave.rs @@ -113,7 +113,7 @@ lazy_static! { /// must have been initialized if you even reached that point in the code. pub fn get_enclave() -> SgxResult> { let mutex = SGX_ENCLAVE_MUTEX.as_ref().map_err(|status| *status)?; - let maybe_guard = mutex.get_enclave(Duration::from_secs(2)); + let maybe_guard = mutex.get_enclave(Duration::from_secs(6)); Ok(maybe_guard) } From 345a2fa25b6daf95823bc46539d976c46d59b9b5 Mon Sep 17 00:00:00 2001 From: Reuven Podmazo Date: Sun, 21 Nov 2021 16:33:36 +0200 Subject: [PATCH 5/7] updated changelog --- CHANGELOG.md | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 41c16cc6f..3a50cec7d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,14 +1,30 @@ # CHANGELOG -# 1.2.0-beta1 +# 1.2.2 -Version 1.2.0-beta1 has been released - Supernova upgrade testnet v1! +## Secretd + +* Fixed issue where queries would try to access the Enclave in parallel from multiple threads, + causing `SGX_ERROR_OUT_OF_TCS` to be returned to users when a node was under sufficient load. + Queries now access the enclave one-at-a-time again. + +# 1.2.1 + +This is a minor non-breaking version release. + +## SecretCLI + +- Migrate the `secretcli tx sign-doc` command from v1. See [this](https://github.com/enigmampc/snip20-reference-impl/pull/22) for more info. + +# 1.2.0 + +Version 1.2.0 has been released - the Supernova upgrade! ## Highlights -* Upgraded to Cosmos SDK 0.43. Full changelog can be found [here](https://github.com/cosmos/cosmos-sdk/blob/v0.43.0/CHANGELOG.md) +* Upgraded to Cosmos SDK 0.44.3. Full changelog can be found [here](https://github.com/cosmos/cosmos-sdk/blob/v0.44.3/CHANGELOG.md) -* Gas prices are lower - as a result of performance upgrades and optimizations, gas amounts required will be much lower. We will be monitoring these metrics during the testnet period, so the numbers may not be final +* Gas prices are lower - as a result of performance upgrades and optimizations, gas amounts required will be much lower. * GRPC for cosmos-sdk modules in addition to legacy REST API. See API [here](http://bootstrap.supernova.enigma.co/swagger/) * New modules: @@ -44,7 +60,7 @@ modifying /home/\/.secretd/config/app.toml and looking for the `api` c ## SecretJS -Version 0.17.0-beta1 has been released! +Version 0.17.3 has been released! SecretJS has been upgraded to support the Supernova upgrade. All APIs remain unchanged, although the versions are NOT backwards compatible. 
@@ -57,7 +73,7 @@ Secret-CosmWasm remains in a version that is compatabile with the v0.10 of vanil A new feature has been added - plaintext logs. To send an unencrypted log (contract output), use `plaintext_log` instead of `log`. This allows contracts to emit public events, and attach websockets to listen to specific events. To take advantage of this feature, compile contracts with -`cosmwasm-std = { git = "https://github.com/enigmampc/SecretNetwork", tag = "v1.2.0-beta1" }` +`cosmwasm-std = { git = "https://github.com/enigmampc/SecretNetwork", tag = "v1.2.0" }` ## Known Issues From 6667793a8007e6b15611641ab063ebd4728418be Mon Sep 17 00:00:00 2001 From: Reuven Podmazo Date: Sun, 21 Nov 2021 18:09:14 +0200 Subject: [PATCH 6/7] cleanup and comments --- cosmwasm/packages/sgx-vm/src/enclave.rs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cosmwasm/packages/sgx-vm/src/enclave.rs b/cosmwasm/packages/sgx-vm/src/enclave.rs index d0f72382b..69e2b32d9 100644 --- a/cosmwasm/packages/sgx-vm/src/enclave.rs +++ b/cosmwasm/packages/sgx-vm/src/enclave.rs @@ -111,6 +111,7 @@ lazy_static! { /// Use this method when trying to get access to the enclave. /// You can unwrap the result when you are certain that the enclave /// must have been initialized if you even reached that point in the code. +/// If `Ok(None)` is returned, that means that the enclave is currently busy. pub fn get_enclave() -> SgxResult> { let mutex = SGX_ENCLAVE_MUTEX.as_ref().map_err(|status| *status)?; let maybe_guard = mutex.get_enclave(Duration::from_secs(6)); @@ -173,7 +174,7 @@ pub(super) fn allocate_enclave_buffer(buffer: &[u8]) -> SgxResult let len = buffer.len(); let mut enclave_buffer = EnclaveBuffer::default(); - let enclave_id = crate::enclave::get_enclave() + let enclave_id = get_enclave() .expect("If we got here, surely the enclave has been loaded") .expect("If we got here, surely we are the thread that holds the enclave") .geteid(); 
From 7538fb2717acfc79e3f20d44a64168d48190553b Mon Sep 17 00:00:00 2001 From: Reuven Podmazo Date: Sun, 21 Nov 2021 18:27:26 +0200 Subject: [PATCH 7/7] refactored the enclave lock timeout to a const --- cosmwasm/packages/sgx-vm/src/enclave.rs | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/cosmwasm/packages/sgx-vm/src/enclave.rs b/cosmwasm/packages/sgx-vm/src/enclave.rs index 69e2b32d9..7c47964de 100644 --- a/cosmwasm/packages/sgx-vm/src/enclave.rs +++ b/cosmwasm/packages/sgx-vm/src/enclave.rs @@ -108,13 +108,17 @@ lazy_static! { static ref SGX_ENCLAVE_CONFIGURED: Mutex = Mutex::new(false); } +/// This const determines how many seconds we wait when trying to get access to the enclave +/// before giving up. +const ENCLAVE_LOCK_TIMEOUT: u64 = 6; + /// Use this method when trying to get access to the enclave. /// You can unwrap the result when you are certain that the enclave /// must have been initialized if you even reached that point in the code. /// If `Ok(None)` is returned, that means that the enclave is currently busy. pub fn get_enclave() -> SgxResult> { let mutex = SGX_ENCLAVE_MUTEX.as_ref().map_err(|status| *status)?; - let maybe_guard = mutex.get_enclave(Duration::from_secs(6)); + let maybe_guard = mutex.get_enclave(Duration::from_secs(ENCLAVE_LOCK_TIMEOUT)); Ok(maybe_guard) }
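Review bot: `ENCLAVE_LOCK_TIMEOUT` is a bare `u64` whose unit (seconds) exists only in the doc comment, so a later edit could pass it to a millisecond-based API without the compiler noticing. Since `Duration::from_secs` is a `const fn`, the constant can carry its unit in the type: `const ENCLAVE_LOCK_TIMEOUT: Duration = Duration::from_secs(6);`. The call in `get_enclave` then becomes `mutex.get_enclave(ENCLAVE_LOCK_TIMEOUT)`. The doc comment could also note that this is how long each caller thread blocks before reporting the enclave as busy.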