rebase

crates/sui-framework/packages/sui-framework/sources/crypto/nitro_attestation.move

@@ -15,6 +15,8 @@ const EParseError: u64 = 1;
 /// Error that the attestation failed to be verified. 
 const EVerifyError: u64 = 2;
 #[allow(unused_const)]
+/// Error that the PCRs are invalid.
+const EInvalidPCRsError: u64 = 3;
 
 /// Represents a PCR entry with an index and value.
 public struct PCREntry has drop {
@@ -48,10 +50,10 @@ public struct NitroAttestationDocument has drop  {
 /// Returns the parsed NitroAttestationDocument after verifying the attestation, 
 /// may abort with errors described above. 
 entry fun load_nitro_attestation(
-    attestation: &vector<u8>,
+    attestation: vector<u8>,
     clock: &Clock
 ): NitroAttestationDocument {
-    load_nitro_attestation_internal(attestation, clock::timestamp_ms(clock))
+    load_nitro_attestation_internal(&attestation, clock::timestamp_ms(clock))
 }
 
 public fun module_id(attestation: &NitroAttestationDocument): &vector<u8> {
@@ -67,7 +69,7 @@ public fun digest(attestation: &NitroAttestationDocument): &vector<u8> {
 }
 
 /// Returns a list of mapping PCREntry containg the index and the PCR bytes. 
-/// Currently AWS supports supports PCR0, PCR1, PCR2, PCR3, PCR4, PCR8. 
+/// Currently AWS supports PCR0, PCR1, PCR2, PCR3, PCR4, PCR8. 
 public fun pcrs(attestation: &NitroAttestationDocument): &vector<PCREntry> {
     &attestation.pcrs
 }

crates/sui-framework/published_api.txt

@@ -2797,11 +2797,8 @@ PCREntry
 NitroAttestationDocument
 	public struct
 	0x2::nitro_attestation
-verify_nitro_attestation_internal
-	fun
-	0x2::nitro_attestation
-verify_nitro_attestation
-	public fun
+load_nitro_attestation
+	entry fun
 	0x2::nitro_attestation
 module_id
 	public fun
@@ -2824,15 +2821,15 @@ user_data
 nonce
 	public fun
 	0x2::nitro_attestation
-version
-	public fun
-	0x2::nitro_attestation
 index
 	public fun
 	0x2::nitro_attestation
 value
 	public fun
 	0x2::nitro_attestation
+load_nitro_attestation_internal
+	fun
+	0x2::nitro_attestation
 ObjectBag
 	public struct
 	0x2::object_bag

crates/sui-protocol-config/src/lib.rs

@@ -213,7 +213,8 @@ const MAX_PROTOCOL_VERSION: u64 = 74;
 //             Enable zstd compression for consensus tonic network in testnet.
 //             Enable smart ancestor selection in mainnet.
 //             Enable probing for accepted rounds in round prober in mainnet
-// Version 74:
+// Version 74: Enable load_nitro_attestation move function in sui framework in devnet.
+//             Enable all gas costs for load_nitro_attestation.
 //
 
 #[derive(Copy, Clone, Debug, Hash, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord)]
@@ -1229,7 +1230,7 @@ pub struct ProtocolConfig {
     vdf_verify_vdf_cost: Option<u64>,
     vdf_hash_to_input_cost: Option<u64>,
 
-    // nitro_attestation::verify_nitro_attestation
+    // nitro_attestation::load_nitro_attestation
     nitro_attestation_parse_base_cost: Option<u64>,
     nitro_attestation_parse_cost_per_byte: Option<u64>,
     nitro_attestation_verify_base_cost: Option<u64>,
@@ -2868,6 +2869,7 @@ impl ProtocolConfig {
                     // Turn on shared object congestion control in devnet.
                     if chain != Chain::Testnet && chain != Chain::Mainnet {
                         cfg.max_accumulated_txn_cost_per_object_in_narwhal_commit = Some(100);
+                        // Increase congestion control budget.
                         cfg.feature_flags.per_object_congestion_control_mode =
                             PerObjectCongestionControlMode::TotalTxCount;
                     }
@@ -3203,9 +3205,6 @@ impl ProtocolConfig {
                         // Assuming a round rate of max 15/sec, then using a gc depth of 60 allow blocks within a window of ~4 seconds
                         // to be included before be considered garbage collected.
                         cfg.consensus_gc_depth = Some(60);
-
-                        // Enable nitro attestation verify native move function for devnet
-                        cfg.feature_flags.enable_nitro_attestation = true;
                     }
 
                     if chain != Chain::Mainnet {
@@ -3229,6 +3228,21 @@ impl ProtocolConfig {
                     cfg.gas_budget_based_txn_cost_absolute_cap_commit_count = Some(50);
                     cfg.allowed_txn_cost_overage_burst_per_object_in_commit = Some(370_000_000);
                 }
+                74 => {
+                    // Enable nitro attestation verify native move function for devnet
+                    if chain != Chain::Mainnet && chain != Chain::Testnet {
+                        cfg.feature_flags.enable_nitro_attestation = true;
+                    }
+                    cfg.nitro_attestation_parse_base_cost = Some(53);
+                    cfg.nitro_attestation_parse_cost_per_byte = Some(1);
+                    cfg.nitro_attestation_verify_base_cost = Some(49632);
+                    cfg.nitro_attestation_verify_cost_per_cert = Some(52369);
+                }
+                // Use this template when making changes:
+                //
+                //     // modify an existing constant.
+                //     move_binary_format_version: Some(7),
+                //
                 //     // Add a new constant (which is set to None in prior versions).
                 //     new_constant: Some(new_value),
                 //

crates/sui-protocol-config/src/snapshots/sui_protocol_config__test__Mainnet_version_72.snap

@@ -1,7 +1,6 @@
 ---
 source: crates/sui-protocol-config/src/lib.rs
 expression: "ProtocolConfig::get_for_version(cur, *chain_id)"
-snapshot_kind: text
 ---
 version: 72
 feature_flags:
@@ -344,3 +343,4 @@ max_accumulated_randomness_txn_cost_per_object_in_mysticeti_commit: 3700000
 gas_budget_based_txn_cost_cap_factor: 400000
 gas_budget_based_txn_cost_absolute_cap_commit_count: 50
 sip_45_consensus_amplification_threshold: 5
+

crates/sui-protocol-config/src/snapshots/sui_protocol_config__test__Mainnet_version_73.snap

@@ -291,10 +291,6 @@ hmac_hmac_sha3_256_input_cost_per_byte: 2
 hmac_hmac_sha3_256_input_cost_per_block: 2
 check_zklogin_id_cost_base: 200
 check_zklogin_issuer_cost_base: 200
-nitro_attestation_parse_base_cost: 53
-nitro_attestation_parse_cost_per_byte: 1
-nitro_attestation_verify_base_cost: 49632
-nitro_attestation_verify_cost_per_cert: 52369
 bcs_per_byte_serialized_cost: 2
 bcs_legacy_min_output_size_cost: 1
 bcs_failure_cost: 52

crates/sui-protocol-config/src/snapshots/sui_protocol_config__test__Mainnet_version_74.snap

@@ -1,6 +1,7 @@
 ---
 source: crates/sui-protocol-config/src/lib.rs
 expression: "ProtocolConfig::get_for_version(cur, *chain_id)"
+snapshot_kind: text
 ---
 version: 74
 feature_flags:
@@ -290,6 +291,10 @@ hmac_hmac_sha3_256_input_cost_per_byte: 2
 hmac_hmac_sha3_256_input_cost_per_block: 2
 check_zklogin_id_cost_base: 200
 check_zklogin_issuer_cost_base: 200
+nitro_attestation_parse_base_cost: 53
+nitro_attestation_parse_cost_per_byte: 1
+nitro_attestation_verify_base_cost: 49632
+nitro_attestation_verify_cost_per_cert: 52369
 bcs_per_byte_serialized_cost: 2
 bcs_legacy_min_output_size_cost: 1
 bcs_failure_cost: 52

crates/sui-protocol-config/src/snapshots/sui_protocol_config__test__Testnet_version_73.snap

@@ -293,10 +293,6 @@ hmac_hmac_sha3_256_input_cost_per_byte: 2
 hmac_hmac_sha3_256_input_cost_per_block: 2
 check_zklogin_id_cost_base: 200
 check_zklogin_issuer_cost_base: 200
-nitro_attestation_parse_base_cost: 53
-nitro_attestation_parse_cost_per_byte: 1
-nitro_attestation_verify_base_cost: 49632
-nitro_attestation_verify_cost_per_cert: 52369
 bcs_per_byte_serialized_cost: 2
 bcs_legacy_min_output_size_cost: 1
 bcs_failure_cost: 52

crates/sui-protocol-config/src/snapshots/sui_protocol_config__test__Testnet_version_74.snap

@@ -1,6 +1,7 @@
 ---
 source: crates/sui-protocol-config/src/lib.rs
 expression: "ProtocolConfig::get_for_version(cur, *chain_id)"
+snapshot_kind: text
 ---
 version: 74
 feature_flags:
@@ -292,6 +293,10 @@ hmac_hmac_sha3_256_input_cost_per_byte: 2
 hmac_hmac_sha3_256_input_cost_per_block: 2
 check_zklogin_id_cost_base: 200
 check_zklogin_issuer_cost_base: 200
+nitro_attestation_parse_base_cost: 53
+nitro_attestation_parse_cost_per_byte: 1
+nitro_attestation_verify_base_cost: 49632
+nitro_attestation_verify_cost_per_cert: 52369
 bcs_per_byte_serialized_cost: 2
 bcs_legacy_min_output_size_cost: 1
 bcs_failure_cost: 52

crates/sui-protocol-config/src/snapshots/sui_protocol_config__test__version_73.snap

@@ -1,7 +1,6 @@
 ---
 source: crates/sui-protocol-config/src/lib.rs
 expression: "ProtocolConfig::get_for_version(cur, *chain_id)"
-snapshot_kind: text
 ---
 version: 73
 feature_flags:
@@ -47,7 +46,6 @@ feature_flags:
   enable_coin_deny_list: true
   enable_group_ops_native_functions: true
   enable_group_ops_native_function_msm: true
-  enable_nitro_attestation: true
   reject_mutable_random_on_entry_functions: true
   per_object_congestion_control_mode: TotalGasBudgetWithCap
   consensus_choice: Mysticeti
@@ -303,10 +301,6 @@ check_zklogin_id_cost_base: 200
 check_zklogin_issuer_cost_base: 200
 vdf_verify_vdf_cost: 1500
 vdf_hash_to_input_cost: 100
-nitro_attestation_parse_base_cost: 53
-nitro_attestation_parse_cost_per_byte: 1
-nitro_attestation_verify_base_cost: 49632
-nitro_attestation_verify_cost_per_cert: 52369
 bcs_per_byte_serialized_cost: 2
 bcs_legacy_min_output_size_cost: 1
 bcs_failure_cost: 52

crates/sui-protocol-config/src/snapshots/sui_protocol_config__test__version_74.snap

@@ -1,6 +1,7 @@
 ---
 source: crates/sui-protocol-config/src/lib.rs
 expression: "ProtocolConfig::get_for_version(cur, *chain_id)"
+snapshot_kind: text
 ---
 version: 74
 feature_flags:
@@ -46,6 +47,7 @@ feature_flags:
   enable_coin_deny_list: true
   enable_group_ops_native_functions: true
   enable_group_ops_native_function_msm: true
+  enable_nitro_attestation: true
   reject_mutable_random_on_entry_functions: true
   per_object_congestion_control_mode: TotalGasBudgetWithCap
   consensus_choice: Mysticeti
@@ -301,6 +303,10 @@ check_zklogin_id_cost_base: 200
 check_zklogin_issuer_cost_base: 200
 vdf_verify_vdf_cost: 1500
 vdf_hash_to_input_cost: 100
+nitro_attestation_parse_base_cost: 53
+nitro_attestation_parse_cost_per_byte: 1
+nitro_attestation_verify_base_cost: 49632
+nitro_attestation_verify_cost_per_cert: 52369
 bcs_per_byte_serialized_cost: 2
 bcs_legacy_min_output_size_cost: 1
 bcs_failure_cost: 52

crates/sui-swarm-config/tests/snapshots/snapshot_tests__populated_genesis_snapshot_matches-2.snap

@@ -1,6 +1,7 @@
 ---
 source: crates/sui-swarm-config/tests/snapshot_tests.rs
 expression: genesis.sui_system_object().into_genesis_version_for_tooling()
+snapshot_kind: text
 ---
 epoch: 0
 protocol_version: 74
@@ -240,56 +241,56 @@ validators:
         next_epoch_worker_address: ~
         extra_fields:
           id:
-            id: "0x384d3ac58338eebd19d68cde74499166b6e0ddfb1799ed15f15d7839f381862b"
+            id: "0x11693c52355bb3d36790e8258a13f1659886f84144f09dfee218525444b19be5"
           size: 0
       voting_power: 10000
-      operation_cap_id: "0xf440c11ec41e44b32fab639967b250db559aa2f3acc61fe1c321793856e3ad4e"
+      operation_cap_id: "0xe17b0163645e2e8c95cde62143d38f42f3d4b26f102ed5beefee8c593fdd6874"
       gas_price: 1000
       staking_pool:
-        id: "0xc5112ce3051bba61753b3c68274f7f32899a45c3627d6f71af7dcbb8613733d9"
+        id: "0x55bc149c1babaca666cbf4c45a0a4ec7c294cc87eeb0d2005687db17126ff802"
         activation_epoch: 0
         deactivation_epoch: ~
         sui_balance: 20000000000000000
         rewards_pool:
           value: 0
         pool_token_balance: 20000000000000000
         exchange_rates:
-          id: "0xbcf45c33beb82c1c6c8142ef07dce10a28be74f8f466233cb881b260c352a505"
+          id: "0x3e54875f1f234223c3984f9160d9020f17acf3720b7991f6b7b7b0658d9746a2"
           size: 1
         pending_stake: 0
         pending_total_sui_withdraw: 0
         pending_pool_token_withdraw: 0
         extra_fields:
           id:
-            id: "0xf0d424b0faa22df59110ee016713fc8b9e4c7f4120dcc5ec26625ae932d0ac14"
+            id: "0x6821aaa835c4b4e4db20151b8f876cead6304de276f66e088e3c9e1fec0c7ee8"
           size: 0
       commission_rate: 200
       next_epoch_stake: 20000000000000000
       next_epoch_gas_price: 1000
       next_epoch_commission_rate: 200
       extra_fields:
         id:
-          id: "0x129b4d785a26c90ae43844c28d8c9b051383a9082fe51fb4d91af7ffde96783a"
+          id: "0xc240b358a6bc8b3f2e0fa2c2af04bc5cb3517a21c05b7d1f1f65b1e3bcdbe3c0"
         size: 0
   pending_active_validators:
     contents:
-      id: "0xaf44b5c7c0759d11356e6663360a9939463f1079c3c2a717b370daae3933e549"
+      id: "0x6ffbab22d81b136120a0791de7103d68990b439cf100e21949f1490cae133be9"
       size: 0
   pending_removals: []
   staking_pool_mappings:
-    id: "0xef30f7d0d06d183948d85cec99d359f52e23f6d9c9058e278ccd6b1e9a5f008b"
+    id: "0xe109603980b0221620101a2a7fffc7e28e5340bc9fc033542dd1dc93127bd8d2"
     size: 1
   inactive_validators:
-    id: "0x23cdf9d285b6df49e9d1f649cf9f282e1ade2efd474464ed0cbb7cc2d748dba4"
+    id: "0xe0c0aa67e52558ae315c182d006b982445f20f2d0df64b4fb13d0aca3d14e5e4"
     size: 0
   validator_candidates:
-    id: "0x80f57e221929e0c3fe36500631d2f187f3d44f84fa3a5b8dda5fa1cf3c8c6114"
+    id: "0xb0171a27a270a5ec5832898d5a36d37ceab9e93a1024a356c8ad283082e60715"
     size: 0
   at_risk_validators:
     contents: []
   extra_fields:
     id:
-      id: "0x9248b57d427df32c9ff29d356519c25a442c1d4001e743c4a6d0e452db08e3f1"
+      id: "0x05834c1aada6e2b4fe8fdecb87620913115be43b16111591b4e80fcaf5d63af2"
     size: 0
 storage_fund:
   total_object_storage_rebates:
@@ -306,7 +307,7 @@ parameters:
   validator_low_stake_grace_period: 7
   extra_fields:
     id:
-      id: "0x536d0583b12d7c967d618754632e21715e0d3f3766a2beb91956fab9ac59bc3d"
+      id: "0x755fad0ca3e36e31874cbcc183244a8aacd404e8a4109d02921ee9bbc70326ba"
     size: 0
 reference_gas_price: 1000
 validator_report_records:
@@ -320,7 +321,7 @@ stake_subsidy:
   stake_subsidy_decrease_rate: 1000
   extra_fields:
     id:
-      id: "0xd7d8f4a1db4c4ba05e9b080d8e1843c36583e0c93cce5423b1d89ffc362a2d21"
+      id: "0xb7ccb01b238e3800e41c734729e7ffe296e4406cc62ec3bb4313f971e94b83b5"
     size: 0
 safe_mode: false
 safe_mode_storage_rewards:
@@ -332,5 +333,5 @@ safe_mode_non_refundable_storage_fee: 0
 epoch_start_timestamp_ms: 10
 extra_fields:
   id:
-    id: "0x3840efb8897144bf2a9308c5f40883fb1b20f9f9e16cd3909615675f2e3a8fcb"
+    id: "0x70ce54551fcd7e67814b44677fa5432ccd7693eac6b5fc6a87bb9b6e24dba660"
   size: 0

sui-execution/latest/sui-move-natives/src/crypto/nitro_attestation.rs

@@ -1,8 +1,8 @@
 // Copyright (c) Mysten Labs, Inc.
 // SPDX-License-Identifier: Apache-2.0
 
-use move_binary_format::errors::PartialVMResult;
-use move_core_types::gas_algebra::InternalGas;
+use move_binary_format::errors::{PartialVMError, PartialVMResult};
+use move_core_types::{gas_algebra::InternalGas, vm_status::StatusCode};
 use move_vm_runtime::native_functions::NativeContext;
 use move_vm_types::{
     loaded_data::runtime_types::Type,
@@ -19,6 +19,7 @@ use move_vm_runtime::native_charge_gas_early_exit;
 pub const NOT_SUPPORTED_ERROR: u64 = 0;
 pub const PARSE_ERROR: u64 = 1;
 pub const VERIFY_ERROR: u64 = 2;
+pub const INVALID_PCRS_ERROR: u64 = 3;
 
 // Gas related structs and functions.
 #[derive(Clone)]
@@ -132,11 +133,14 @@ fn to_option_vector_u8(value: Option<Vec<u8>>) -> PartialVMResult<Value> {
     }
 }
 
-// Convert a list of PCRs into a vector of PCREntry struct with index and value, 
-// where the indices are [0, 1, 2, 3, 4, 8] since AWS currently supports PCR0, 
+// Convert a list of PCRs into a vector of PCREntry struct with index and value,
+// where the indices are [0, 1, 2, 3, 4, 8] since AWS currently supports PCR0,
 // PCR1, PCR2, PCR3, PCR4, PCR8.
 fn to_indexed_struct(pcrs: Vec<Vec<u8>>) -> PartialVMResult<Value> {
     let indices = [0, 1, 2, 3, 4, 8];
+    if pcrs.len() != indices.len() {
+        return Err(PartialVMError::new(StatusCode::ABORTED).with_sub_status(INVALID_PCRS_ERROR));
+    };
     let mut indexed_struct = vec![];
     for (index, pcr) in pcrs.iter().enumerate() {
         indexed_struct.push(Value::struct_(Struct::pack(vec![