feat: Add pcr0 gen (#72)

chunter-cb · web-flow · commit c9244d24f641 · 2025-02-18T08:50:49.000-05:00
* Add pcr0 output

* Fixes and update readme

* clean up

* rename

* readme
diff --git a/README.md b/README.md
@@ -14,7 +14,7 @@ This removes the need for the 7-day challenge period, and allows for immediate w
 ├── <a href="./op-enclave">op-enclave</a>: Stateless transition function, for running in an AWS Nitro TEE
 ├── <a href="./op-proposer">op-proposer</a>: L2-Output Submitter, communicates with op-enclave and submits proposals to L1
 ├── <a href="./op-withdrawer">op-withdrawer</a>: Withdrawal utility for submitting withdrawals to L1
-├── <a href="./register-signer">register-signer</a>: Registers an enclave signer key from a Nitro attestation with the SystemConfigGlobal contract
+├── <a href="./tools">tools</a>: Tools for registering enclave signer keys with SystemConfigGlobal and verifying PCR0s
 ├── <a href="./testnet">testnet</a>: Dockerized testnet for running the op-enclave stack
 </pre>
 
diff --git a/tools/pcr0-verifier/Dockerfile b/tools/pcr0-verifier/Dockerfile
@@ -0,0 +1,47 @@
+# Build skopeo
+FROM golang@sha256:367bb5295d3103981a86a572651d8297d6973f2ec8b62f716b007860e22cbc25 AS skopeo
+WORKDIR /app
+ENV REPO=https://github.com/containers/skopeo.git
+# v1.12.0
+ENV COMMIT=a55290973794d93f602a027e795bf510bd3cad01
+RUN git init && \
+    git remote add origin $REPO && \
+    git fetch --depth=1 origin $COMMIT && \
+    git reset --hard FETCH_HEAD
+RUN CGO_ENABLED=0 DISABLE_DOCS=1 make BUILDTAGS=containers_image_openpgp GO_DYN_FLAGS=
+
+# Build umoci
+FROM golang@sha256:367bb5295d3103981a86a572651d8297d6973f2ec8b62f716b007860e22cbc25 AS umoci
+WORKDIR /app
+ENV REPO=https://github.com/opencontainers/umoci.git
+# v0.4.7
+ENV COMMIT=17f38511d61846e2fb8ec01a1532f3ef5525e71d
+RUN git init && \
+    git remote add origin $REPO && \
+    git fetch --depth=1 origin $COMMIT && \
+    git reset --hard FETCH_HEAD
+RUN go build -o bin/umoci ./cmd/umoci
+
+# Get the EIF
+FROM golang@sha256:367bb5295d3103981a86a572651d8297d6973f2ec8b62f716b007860e22cbc25 AS op-enclave
+WORKDIR /app
+COPY --from=skopeo /app/bin/skopeo /app/bin/skopeo
+COPY --from=umoci /app/bin/umoci /app/bin/umoci
+
+ENV TAG=v0.0.1-rc5
+RUN bin/skopeo --insecure-policy copy docker://ghcr.io/base/op-enclave:$TAG oci:op-enclave:latest
+RUN bin/umoci unpack --image op-enclave bundle
+
+# Extract PCR0
+FROM amazonlinux:2
+RUN amazon-linux-extras enable aws-nitro-enclaves-cli && \
+    yum clean metadata && \
+    yum update -y && \
+    yum install -y aws-nitro-enclaves-cli aws-nitro-enclaves-cli-devel jq && \
+    yum clean all
+
+COPY --from=op-enclave /app/bundle/rootfs/build/eif.bin /app/eif.bin
+COPY extract-pcr0.sh /extract-pcr0.sh
+RUN chmod +x /extract-pcr0.sh
+
+ENTRYPOINT ["/extract-pcr0.sh"] 
diff --git a/tools/pcr0-verifier/README.md b/tools/pcr0-verifier/README.md
@@ -0,0 +1,51 @@
+# PCR0 Extractor
+
+This tool extracts the PCR0 measurement from an op-enclave EIF (Enclave Image Format) file. The PCR0 measurement is a cryptographic hash that represents the initial state of the enclave, which is crucial for attestation and verification purposes.
+
+## Prerequisites
+
+- Docker installed on your system
+- [cast](https://book.getfoundry.sh/cast/) (for contract verification)
+
+## Building and Running
+
+1. Build the PCR0 extractor container:
+```bash
+docker build -t pcr0-extractor .
+```
+
+2. Run the container to extract the PCR0:
+```bash
+docker run --rm pcr0-extractor
+```
+
+The tool will:
+1. Download the specified op-enclave EIF
+2. Extract it using AWS Nitro CLI tools
+3. Output the PCR0 measurement
+4. Generate a cast command to verify the PCR0 against the SystemConfigGlobal contract
+
+## Verifying PCR0 Against SystemConfigGlobal Contract
+
+The tool will output a `cast` command that you can use to verify if the PCR0 is registered in the SystemConfigGlobal contract. The command will look like:
+
+```bash
+export SYSTEM_CONFIG_GLOBAL_ADDRESS=<contract_address>
+cast call $SYSTEM_CONFIG_GLOBAL_ADDRESS 'validPCR0s(bytes32)' <keccak256_hash_of_pcr0>
+```
+
+Note that the contract stores the keccak256 hash of the PCR0 value, not the raw PCR0 measurement. The tool automatically converts the PCR0 to the correct format for verification.
+
+## How it Works
+
+The tool uses a multi-stage Docker build to:
+1. Build required tools (skopeo and umoci)
+2. Download and extract the op-enclave EIF
+3. Use AWS Nitro CLI tools to extract the PCR0 measurement
+4. Convert the PCR0 to a keccak256 hash for contract verification
+
+The output will include both the raw PCR0 measurement and instructions for verifying it against the contract.
+
+## Note
+
+The PCR0 measurement is specific to the version of the op-enclave EIF being examined. The current version being used is specified in the Dockerfile as `TAG=v0.0.1-rc5`.
diff --git a/tools/pcr0-verifier/entrypoint.sh b/tools/pcr0-verifier/entrypoint.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+echo "Starting PCR0 extraction..."
+echo "Checking if EIF file exists:"
+ls -l /app/eif.bin
+
+echo "Command used: nitro-cli describe-eif --eif-path /app/eif.bin"
+echo "PCR0 measurement:"
+PCR0=$(nitro-cli describe-eif --eif-path /app/eif.bin | tee /dev/stderr | jq -r ".Measurements.PCR0")
+PCR0_WITH_PREFIX="0x${PCR0}"
+
+echo -e "\nTo verify against SystemConfigGlobal contract, run:"
+echo "# First set your environment variables:"
+echo "export SYSTEM_CONFIG_GLOBAL_ADDRESS=<contract_address>"
+echo "export RPC_URL=<rpc_url>"
+echo -e "\n# Then run these commands to verify:"
+echo "# To register a new PCR0 (requires owner access):"
+echo "cast send \$SYSTEM_CONFIG_GLOBAL_ADDRESS 'registerPCR0(bytes)' ${PCR0_WITH_PREFIX} --rpc-url \$RPC_URL"
+echo -e "\n# To check if a PCR0 is valid:"
+echo "cast call \$SYSTEM_CONFIG_GLOBAL_ADDRESS 'validPCR0s(bytes32)' \$(cast keccak ${PCR0_WITH_PREFIX}) --rpc-url \$RPC_URL"
diff --git a/tools/register-signer/README.md b/tools/register-signer/README.md
diff --git a/tools/register-signer/main.go b/tools/register-signer/main.go
