Deploy SGX Prover

Prerequisites

  • Machine with SGX support
  • L1 accounts with funds (one for the Prover, one for the Prover Registry)
  • L1 RPC URL
  • L1 Account Private Key

1. Fetch Collateral Information

First, fetch the collateral information from Intel:

FMSPC="00906ED50000"

TCB_FILE="tcb.json"
QE_IDENTITY_FILE="qe_identity.json"

curl -X GET "https://api.trustedservices.intel.com/sgx/certification/v3/tcb?fmspc=${FMSPC}" > ${TCB_FILE}
curl -X GET "https://api.trustedservices.intel.com/sgx/certification/v3/qe/identity" > ${QE_IDENTITY_FILE}

jq '.tcbInfo.fmspc |= ascii_downcase' ${TCB_FILE} > temp.json && mv temp.json ${TCB_FILE}

2. Build and Initialize Image

Follow the instructions at Raiko Docker and RA Documentation to build and initialize the image.

3. Get Quote and Measurement Values

Retrieve the quote, MRENCLAVE, and MRSIGNER values:

# Get quote
jq -r '.quote' ~/.config/raiko/config/bootstrap.json

# Get MRENCLAVE and MRSIGNER
jq -r '.quote' ~/.config/raiko/config/bootstrap.json | xxd -r -p > quote.bin
gramine-sgx-quote-view quote.bin

The output will contain important measurement values including:

  • MRENCLAVE: 14c4362d5dd0af9721ef9bdea2c92bf84b67fe34a102c892182ce2be7a81f2c5
  • MRSIGNER: ca0583a715534a8c981b914589a7f0dc5d60959d9ae79fb5353299a4231673d5
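
Before registering in step 4, the MRENCLAVE and MRSIGNER read from gramine-sgx-quote-view can be cross-checked against the raw quote hex, so the values exported for registration are the ones the quote actually carries. This is an added example, not part of the Raiko or Surge tooling: the function names quote_field, check_quote and sample_quote are hypothetical, and the sample quote is constructed from the two measurement values above.

```shell
#!/bin/sh
# Added example: check an SGX DCAP v3 quote (hex) before registering it.
# v3 layout: 48-byte header, then the 384-byte enclave report body, so
# MRENCLAVE is at quote byte 112 and MRSIGNER at byte 176 (32 bytes each).

# quote_field HEX BYTE_OFFSET BYTE_LEN -> that field as lowercase hex
quote_field() {
    start=$(( $2 * 2 + 1 ))
    end=$(( ($2 + $3) * 2 ))
    printf '%s' "$1" | tr 'A-F' 'a-f' | cut -c"${start}-${end}"
}

# check_quote HEX WANT_MRENCLAVE WANT_MRSIGNER
# Returns 0 on match, 1 on a measurement mismatch, 2 on a malformed quote.
check_quote() {
    hex=$(printf '%s' "$1" | sed 's/^0x//')
    case "$hex" in
        ''|*[!0-9a-fA-F]*) echo "quote is not a hex string" >&2; return 2 ;;
    esac
    # Header (48) + report body (384) = 432 bytes = 864 hex characters.
    [ "${#hex}" -ge 864 ] || { echo "quote too short" >&2; return 2; }
    # Version is a little-endian uint16 at offset 0, so 3 reads "0300".
    [ "$(quote_field "$hex" 0 2)" = "0300" ] || { echo "not a v3 quote" >&2; return 2; }
    got_e=$(quote_field "$hex" 112 32)
    got_s=$(quote_field "$hex" 176 32)
    want_e=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    want_s=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    [ "$got_e" = "$want_e" ] || { echo "MRENCLAVE mismatch: $got_e" >&2; return 1; }
    [ "$got_s" = "$want_s" ] || { echo "MRSIGNER mismatch: $got_s" >&2; return 1; }
    echo "ok mrenclave=$got_e mrsigner=$got_s"
}

# Constructed sample (not real attestation data): zero-filled quote that
# carries only the version and the two measurements listed in step 3.
SAMPLE_E=14c4362d5dd0af9721ef9bdea2c92bf84b67fe34a102c892182ce2be7a81f2c5
SAMPLE_S=ca0583a715534a8c981b914589a7f0dc5d60959d9ae79fb5353299a4231673d5
sample_quote() {
    printf '0300%092d%0128d%s%064d%s%0448d' 0 0 "$SAMPLE_E" 0 "$SAMPLE_S" 0
}

check_quote "$(sample_quote)" "$SAMPLE_E" "$SAMPLE_S"
# Real use: check_quote "$(jq -r .quote ~/.config/raiko/config/bootstrap.json)" \
#                       "$MR_ENCLAVE" "$MR_SIGNER"
```

A non-zero exit status means the exported measurements do not match the quote and the registration step should not be run with them.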

4. Register Collaterals

Use config_dcap_sgx_verifier.sh or the script below to register the collaterals and the instance. For more information, see the following:

Set Environment Variables

export FOUNDRY_PROFILE=layer1
export MR_ENCLAVE=14c4362d5dd0af9721ef9bdea2c92bf84b67fe34a102c892182ce2be7a81f2c5
export MR_SIGNER=ca0583a715534a8c981b914589a7f0dc5d60959d9ae79fb5353299a4231673d5
export QEID_PATH="/test/qe_identity"
export TCB_INFO_PATH="/test/tcb"
# Set Quote to the hex quote string retrieved in step 3
export V3_QUOTE_BYTES=${Quote}
export SGX_VERIFIER_ADDRESS=0x86A0679C7987B5BA9600affA994B78D0660088ff
export ATTESTATION_ADDRESS=0xdFb2fAc1519eDA2b3ee1Edf578ee0509DC8633f7
export PEM_CERTCHAIN_ADDRESS=0x86B28E406738f2928bE33D111A0B821BBC5610A2
export FMSPC=00906ED50000

SGX TCB Setup Script

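# TCB_FILE and QE_IDENTITY_FILE are the file names set in step 1.
# PRIVATE_KEY and L1_RPC_URL (see Prerequisites) must be exported as well;
# L1_RPC_URL is passed in because the forge command inside sh -c reads it.
docker run \
-e TASK_ENABLE="[1,1,1,1,1,1]" \
-e MR_ENCLAVE=${MR_ENCLAVE} \
-e MR_SIGNER=${MR_SIGNER} \
-e QEID_PATH=${QEID_PATH} \
-e TCB_INFO_PATH=${TCB_INFO_PATH} \
-e V3_QUOTE_BYTES=${V3_QUOTE_BYTES} \
-e SGX_VERIFIER_ADDRESS=${SGX_VERIFIER_ADDRESS} \
-e ATTESTATION_ADDRESS=${ATTESTATION_ADDRESS} \
-e PEM_CERTCHAIN_ADDRESS=${PEM_CERTCHAIN_ADDRESS} \
-e FMSPC=${FMSPC} \
-e TCB_FILE=${TCB_FILE} \
-e QE_IDENTITY_FILE=${QE_IDENTITY_FILE} \
-e PRIVATE_KEY=${PRIVATE_KEY} \
-e L1_RPC_URL=${L1_RPC_URL} \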
nethsurge/taiko-contract:surge-devnet \
sh -c 'curl -X GET "https://api.trustedservices.intel.com/sgx/certification/v3/tcb?fmspc=${FMSPC}" > ${TCB_FILE} && \
curl -X GET "https://api.trustedservices.intel.com/sgx/certification/v3/qe/identity" > ${QE_IDENTITY_FILE} && \
jq ".tcbInfo.fmspc |= ascii_downcase" ${TCB_FILE} > temp.json && \
mv temp.json ${TCB_FILE} && \
forge script ./script/layer1/SetDcapParams.s.sol:SetDcapParams \
--private-key ${PRIVATE_KEY} \
--fork-url ${L1_RPC_URL} \
--broadcast --evm-version cancun --ffi -vvvv --block-gas-limit 100000000 --legacy'

5. Configure and Run Raiko

Set up the following environment variables:

export SGX_INSTANCE_ID=0
export L1_NETWORK=surge_dev_l1
export NETWORK=surge_dev
export SGX_VERIFIER_ADDRESS=0x86A0679C7987B5BA9600affA994B78D0660088ff
export ATTESTATION_ADDRESS=0xdFb2fAc1519eDA2b3ee1Edf578ee0509DC8633f7
export PEM_CERTCHAIN_ADDRESS=0x86B28E406738f2928bE33D111A0B821BBC5610A2
export PROVER_PRIVATE_KEY=0x53321db7c1e331d93a11a41d16f004d7ff63972ec8ec7c25db329728ceeb1710
export PRIVATE_KEY=0x53321db7c1e331d93a11a41d16f004d7ff63972ec8ec7c25db329728ceeb1710
export FORK_URL=https://placeholder:32002

Then run Raiko following the configuration instructions in the Raiko Docker and RA Documentation.