Deploy SGX Prover
Prerequisites
- Machine with SGX support
- L1 Accounts with funds (One for the Prover, One for Prover Registry)
- L1 RPC URL
- L1 Account Private Key
1. Fetch Collateral Information
First, fetch the collateral information from Intel:
FMSPC="00906ED50000"
TCB_FILE="tcb.json"
QE_IDENTITY_FILE="qe_identity.json"
curl -X GET "https://api.trustedservices.intel.com/sgx/certification/v3/tcb?fmspc=${FMSPC}" > ${TCB_FILE}
curl -X GET "https://api.trustedservices.intel.com/sgx/certification/v3/qe/identity" > ${QE_IDENTITY_FILE}
jq '.tcbInfo.fmspc |= ascii_downcase' ${TCB_FILE} > temp.json && mv temp.json ${TCB_FILE}
2. Build and Initialize Image
Follow the instructions at Raiko Docker and RA Documentation to build and initialize the image.
3. Get Quote and Measurement Values
Retrieve the quote, MRENCLAVE, and MRSIGNER values:
# Get quote
cat ~/.config/raiko/config/bootstrap.json | jq -r '.quote'
# Get MRENCLAVE and MRSIGNER
cat ~/.config/raiko/config/bootstrap.json | jq -r '.quote' | xxd -r -p > quote.bin
gramine-sgx-quote-view quote.bin
The output will contain important measurement values including:
- MRENCLAVE:
14c4362d5dd0af9721ef9bdea2c92bf84b67fe34a102c892182ce2be7a81f2c5 - MRSIGNER:
ca0583a715534a8c981b914589a7f0dc5d60959d9ae79fb5353299a4231673d5
4. Register Collaterals
Skip if Using Kurtosis
If you're using the Kurtosis Package to deploy L1, you can skip this section.
Use config_dcap_sgx_verifier.sh or the script below to register the collaterals and the instance. For more information, see the following:
Details
Set Environment Variables
export FOUNDRY_PROFILE=layer1
export MR_ENCLAVE=14c4362d5dd0af9721ef9bdea2c92bf84b67fe34a102c892182ce2be7a81f2c5
export MR_SIGNER=ca0583a715534a8c981b914589a7f0dc5d60959d9ae79fb5353299a4231673d5
export QEID_PATH="/test/qe_identity"
export TCB_INFO_PATH="/test/tcb"
export V3_QUOTE_BYTES=${Quote}
export SGX_VERIFIER_ADDRESS=0xaE37C7A711bcab9B0f8655a97B738d6ccaB6560B
export ATTESTATION_ADDRESS=0xaE37C7A711bcab9B0f8655a97B738d6ccaB6560B
export PEM_CERTCHAIN_ADDRESS=0x303CB317624c74bB20Acbb9E13c8D745C6379826
export FMSPC=00906ED50000
SGX TCB Setup Script
docker run \
-e TASK_ENABLE="[1,1,1,1,1,1]" \
-e MR_ENCLAVE=${MR_ENCLAVE} \
-e MR_SIGNER=${MR_SIGNER} \
-e QEID_PATH=${QEID_PATH} \
-e TCB_INFO_PATH=${TCB_INFO_PATH} \
-e V3_QUOTE_BYTES=${V3_QUOTE_BYTES} \
-e SGX_VERIFIER_ADDRESS=${SGX_VERIFIER_ADDRESS} \
-e ATTESTATION_ADDRESS=${ATTESTATION_ADDRESS} \
-e PEM_CERTCHAIN_ADDRESS=${PEM_CERTCHAIN_ADDRESS} \
-e FMSPC=${FMSPC} \
-e TCB_FILE=${TCB_FILE} \
-e QE_IDENTITY_FILE=${QE_IDENTITY_FILE} \
-e PRIVATE_KEY=${PRIVATE_KEY} \
nethsurge/taiko-contract:surge-devnet \
sh -c 'curl -X GET "https://api.trustedservices.intel.com/sgx/certification/v3/tcb?fmspc=${FMSPC}" > ${TCB_FILE} && \
curl -X GET "https://api.trustedservices.intel.com/sgx/certification/v3/qe/identity" > ${QE_IDENTITY_FILE} && \
jq ".tcbInfo.fmspc |= ascii_downcase" ${TCB_FILE} > temp.json && \
mv temp.json ${TCB_FILE} && \
forge script ./script/layer1/SetDcapParams.s.sol:SetDcapParams \
--private-key ${PRIVATE_KEY} \
--fork-url ${L1_RPC_URL} \
--broadcast --evm-version cancun --ffi -vvvv --block-gas-limit 100000000 --legacy'
5. Configure and Run Raiko
Set up the following environment variables:
export SGX_INSTANCE_ID=0
export L1_NETWORK=surge_dev_l1
export NETWORK=surge_dev
export SGX_VERIFIER_ADDRESS=0xaE37C7A711bcab9B0f8655a97B738d6ccaB6560B
export ATTESTATION_ADDRESS=0xaE37C7A711bcab9B0f8655a97B738d6ccaB6560B
export PEM_CERTCHAIN_ADDRESS=0x303CB317624c74bB20Acbb9E13c8D745C6379826
export PROVER_PRIVATE_KEY=0x53321db7c1e331d93a11a41d16f004d7ff63972ec8ec7c25db329728ceeb1710
export PRIVATE_KEY=0x53321db7c1e331d93a11a41d16f004d7ff63972ec8ec7c25db329728ceeb1710
export FORK_URL=https://placeholder:32002
Then run Raiko following the configuration instructions in the Raiko Docker and RA Documentation.