Warning
This repository is a work in progress, and for now only functions as a showcase. This code is not intended to secure any valuable information.
This is a gramine environment for running Andromeda REVM in a TEE.
The TEE service (gramine-sirrah) uses stdin and stdout for passing data in and out of the REVM, which currently supports two commands:
advance [height], which advances the suave chain to requested height (or to latest if no height provided)execute tx_data, which executes the requested data. For data format see Andromeda REVM.
The TEE service is stateless, so make sure that you have suave-geth running. TEE will connect to http://localhost:8545 by default, which you can override by passing --rpc flag. The RPC is used for fetching chain data along with their proofs.
We also provide a simple http and tpc server for handling requests to and from the TEE service, for example usage see andromeda-sirrah-contracts.
mr_signer: f0365ce7081fda379914c703fe08648db1cce3747e8c10f74ff742926399f15a
mr_enclave: a9956056f8f39fffbe148eeb0285be7dc8a9034fd393d5f62a7b058c6ad5e82b
The Andromeda revm-andromeda relies on gramine features for the precompiles, specifically /dev/attestation/quote and /dev/urandom/.
Running outside of an enclave, we can still simulate this. For example /dev/urandom works anyway. The other Andromeda precompiles, volatile{Get/Set} are directly managed in-memory by suave-andromeda-revm.
cargo build
cargo runTo build and print the MRENCLAVE:
docker build --tag gramine-andromeda-revm .
docker run --rm gramine-andromeda-revmdocker build --output=. -f=binaries.Dockerfile .Alternatively, run make docker-binaries which does the same. Note that the binaries will be pulled from dockerhub as opposed to local image. This ensures the MRSIGNER is matching.
The above will output sgx-revm.sig, sgx-revm.manifest, sgx-revm.manifest.sgx into the main directory, and gramine-sirrah into target/release directory. Continue as if you just ran SGX=1 make all. Since we are outputing the binaries, you might encounter errors if you are not using the same OS as the docker target (ubuntu 22.04).
For now we are still checking the mr_signer, if you want to connect to one of the predeployed Andromeda contracts without configuring your mr_signer you can pull binaries from ruteri/gramine-andromeda-revm:latest.
docker run -it --device /dev/sgx_enclave \
-v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket \
gramine-andromeda-revm "gramine-sgx ./sgx-revm"The code in this project is free software under the MIT license.