MystenLabs · joyqvq · Feb 6, 2025 · Feb 6, 2025
diff --git a/crates/sui-framework/packages/sui-framework/sources/crypto/nitro_attestation.move b/crates/sui-framework/packages/sui-framework/sources/crypto/nitro_attestation.move
@@ -0,0 +1,101 @@
+// Copyright (c) Mysten Labs, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+module sui::nitro_attestation;
+
+use sui::clock::{Self, Clock};
+
+#[allow(unused_const)]
+/// Error that the feature is not available on this network.
+const ENotSupportedError: u64 = 0;
+#[allow(unused_const)]
+/// Error that the attestation input failed to be parsed. 
+const EParseError: u64 = 1;
+#[allow(unused_const)]
+/// Error that the attestation failed to be verified. 
+const EVerifyError: u64 = 2;
+#[allow(unused_const)]
+/// Error that the PCRs are invalid.
+const EInvalidPCRsError: u64 = 3;
+
+/// Represents a PCR entry with an index and value.
+public struct PCREntry has drop {
+    index: u8,
+    value: vector<u8>
+}
+
+/// Nitro Attestation Document defined for AWS.
+public struct NitroAttestationDocument has drop  {
+    /// Issuing Nitro hypervisor module ID.
+    module_id: vector<u8>,
+    /// UTC time when document was created, in milliseconds since UNIX epoch.
+    timestamp: u64,
+    /// The digest function used for calculating the register values.
+    digest: vector<u8>,
+    /// A list of PCREntry containing the index and the PCR bytes.
+    /// <https://docs.aws.amazon.com/enclaves/latest/user/set-up-attestation.html#where>.
+    pcrs: vector<PCREntry>,
+    /// An optional DER-encoded key the attestation, consumer can use to encrypt data with.
+    public_key: Option<vector<u8>>,
+    /// Additional signed user data, defined by protocol.
+    user_data: Option<vector<u8>>,
+    /// An optional cryptographic nonce provided by the attestation consumer as a proof of 
+    /// authenticity.
+    nonce: Option<vector<u8>>,
+}
+
+/// @param attestation: attesttaion documents bytes data. 
+/// @param clock: the clock object.
+///
+/// Returns the parsed NitroAttestationDocument after verifying the attestation, 
+/// may abort with errors described above. 
+entry fun load_nitro_attestation(
+    attestation: vector<u8>,
+    clock: &Clock
+): NitroAttestationDocument {
+    load_nitro_attestation_internal(&attestation, clock::timestamp_ms(clock))
+}
+
+public fun module_id(attestation: &NitroAttestationDocument): &vector<u8> {
+    &attestation.module_id
+}
+
+public fun timestamp(attestation: &NitroAttestationDocument): &u64 {
+    &attestation.timestamp
+}
+
+public fun digest(attestation: &NitroAttestationDocument): &vector<u8> {
+    &attestation.digest
+}
+
+/// Returns a list of mapping PCREntry containg the index and the PCR bytes. 
+/// Currently AWS supports PCR0, PCR1, PCR2, PCR3, PCR4, PCR8. 
+public fun pcrs(attestation: &NitroAttestationDocument): &vector<PCREntry> {
+    &attestation.pcrs
+}
+
+public fun public_key(attestation: &NitroAttestationDocument): &Option<vector<u8>> {
+    &attestation.public_key
+}
+
+public fun user_data(attestation: &NitroAttestationDocument): &Option<vector<u8>> {
+    &attestation.user_data
+}
+
+public fun nonce(attestation: &NitroAttestationDocument): &Option<vector<u8>> {
+    &attestation.nonce
+}
+
+public fun index(entry: &PCREntry): u8 {
+    entry.index
+}
+
+public fun value(entry: &PCREntry): &vector<u8> {
+    &entry.value
+}
+
+/// Internal native function
+native fun load_nitro_attestation_internal(
+    attestation: &vector<u8>,
+    current_timestamp: u64,
+): NitroAttestationDocument;
diff --git a/crates/sui-framework/packages/sui-framework/tests/crypto/nitro_attestation_test.move b/crates/sui-framework/packages/sui-framework/tests/crypto/nitro_attestation_test.move
diff --git a/crates/sui-framework/packages_compiled/sui-framework b/crates/sui-framework/packages_compiled/sui-framework
diff --git a/crates/sui-framework/published_api.txt b/crates/sui-framework/published_api.txt
@@ -2791,6 +2791,45 @@ sqrt_u128
 divide_and_round_up
 	public fun
 	0x2::math
+PCREntry
+	public struct
+	0x2::nitro_attestation
+NitroAttestationDocument
+	public struct
+	0x2::nitro_attestation
+load_nitro_attestation
+	entry fun
+	0x2::nitro_attestation
+module_id
+	public fun
+	0x2::nitro_attestation
+timestamp
+	public fun
+	0x2::nitro_attestation
+digest
+	public fun
+	0x2::nitro_attestation
+pcrs
+	public fun
+	0x2::nitro_attestation
+public_key
+	public fun
+	0x2::nitro_attestation
+user_data
+	public fun
+	0x2::nitro_attestation
+nonce
+	public fun
+	0x2::nitro_attestation
+index
+	public fun
+	0x2::nitro_attestation
+value
+	public fun
+	0x2::nitro_attestation
+load_nitro_attestation_internal
+	fun
+	0x2::nitro_attestation
 ObjectBag
 	public struct
 	0x2::object_bag

diff --git a/crates/sui-open-rpc/spec/openrpc.json b/crates/sui-open-rpc/spec/openrpc.json
@@ -1323,6 +1323,7 @@
                 "enable_group_ops_native_function_msm": false,
                 "enable_group_ops_native_functions": false,
                 "enable_jwk_consensus_updates": false,
+                "enable_nitro_attestation": false,
                 "enable_poseidon": false,
                 "enable_vdf": false,
                 "end_of_epoch_transaction_supported": false,
@@ -1853,6 +1854,10 @@
                 "move_binary_format_version": {
                   "u32": "6"
                 },
+                "nitro_attestation_parse_base_cost": null,
+                "nitro_attestation_parse_cost_per_byte": null,
+                "nitro_attestation_verify_base_cost": null,
+                "nitro_attestation_verify_cost_per_cert": null,
                 "obj_access_cost_delete_per_byte": {
                   "u64": "40"
                 },

@@ -213,7 +213,8 @@ const MAX_PROTOCOL_VERSION: u64 = 74;
 //             Enable zstd compression for consensus tonic network in testnet.
 //             Enable smart ancestor selection in mainnet.
 //             Enable probing for accepted rounds in round prober in mainnet
-// Version 74:
+// Version 74: Enable load_nitro_attestation move function in sui framework in devnet.
+//             Enable all gas costs for load_nitro_attestation.
 //
 
 #[derive(Copy, Clone, Debug, Hash, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord)]
@@ -472,6 +473,10 @@ struct FeatureFlags {
     #[serde(skip_serializing_if = "is_false")]
     enable_group_ops_native_function_msm: bool,
 
+    // Enable nitro attestation.
+    #[serde(skip_serializing_if = "is_false")]
+    enable_nitro_attestation: bool,
+
     // Reject functions with mutable Random.
     #[serde(skip_serializing_if = "is_false")]
     reject_mutable_random_on_entry_functions: bool,
@@ -1225,6 +1230,12 @@ pub struct ProtocolConfig {
     vdf_verify_vdf_cost: Option<u64>,
     vdf_hash_to_input_cost: Option<u64>,
 
+    // nitro_attestation::load_nitro_attestation
+    nitro_attestation_parse_base_cost: Option<u64>,
+    nitro_attestation_parse_cost_per_byte: Option<u64>,
+    nitro_attestation_verify_base_cost: Option<u64>,
+    nitro_attestation_verify_cost_per_cert: Option<u64>,
+
     // Stdlib costs
     bcs_per_byte_serialized_cost: Option<u64>,
     bcs_legacy_min_output_size_cost: Option<u64>,
@@ -1790,6 +1801,9 @@ impl ProtocolConfig {
     pub fn consensus_zstd_compression(&self) -> bool {
         self.feature_flags.consensus_zstd_compression
     }
+    pub fn enable_nitro_attestation(&self) -> bool {
+        self.feature_flags.enable_nitro_attestation
+    }
 }
 
 #[cfg(not(msim))]
@@ -2224,6 +2238,12 @@ impl ProtocolConfig {
             vdf_verify_vdf_cost: None,
             vdf_hash_to_input_cost: None,
 
+            // nitro_attestation::verify_nitro_attestation
+            nitro_attestation_parse_base_cost: None,
+            nitro_attestation_parse_cost_per_byte: None,
+            nitro_attestation_verify_base_cost: None,
+            nitro_attestation_verify_cost_per_cert: None,
+
             bcs_per_byte_serialized_cost: None,
             bcs_legacy_min_output_size_cost: None,
             bcs_failure_cost: None,
@@ -3208,7 +3228,16 @@ impl ProtocolConfig {
                     cfg.gas_budget_based_txn_cost_absolute_cap_commit_count = Some(50);
                     cfg.allowed_txn_cost_overage_burst_per_object_in_commit = Some(370_000_000);
                 }
-                74 => {}
+                74 => {
+                    // Enable nitro attestation verify native move function for devnet
+                    if chain != Chain::Mainnet && chain != Chain::Testnet {
+                        cfg.feature_flags.enable_nitro_attestation = true;
+                    }
+                    cfg.nitro_attestation_parse_base_cost = Some(53);
+                    cfg.nitro_attestation_parse_cost_per_byte = Some(1);
+                    cfg.nitro_attestation_verify_base_cost = Some(49632);
+                    cfg.nitro_attestation_verify_cost_per_cert = Some(52369);
+                }
                 // Use this template when making changes:
                 //
                 //     // modify an existing constant.

@@ -1,6 +1,7 @@
 ---
 source: crates/sui-protocol-config/src/lib.rs
 expression: "ProtocolConfig::get_for_version(cur, *chain_id)"
+snapshot_kind: text
 ---
 version: 74
 feature_flags:
@@ -290,6 +291,10 @@ hmac_hmac_sha3_256_input_cost_per_byte: 2
 hmac_hmac_sha3_256_input_cost_per_block: 2
 check_zklogin_id_cost_base: 200
 check_zklogin_issuer_cost_base: 200
+nitro_attestation_parse_base_cost: 53
+nitro_attestation_parse_cost_per_byte: 1
+nitro_attestation_verify_base_cost: 49632
+nitro_attestation_verify_cost_per_cert: 52369
 bcs_per_byte_serialized_cost: 2
 bcs_legacy_min_output_size_cost: 1
 bcs_failure_cost: 52

@@ -1,6 +1,7 @@
 ---
 source: crates/sui-protocol-config/src/lib.rs
 expression: "ProtocolConfig::get_for_version(cur, *chain_id)"
+snapshot_kind: text
 ---
 version: 74
 feature_flags:
@@ -292,6 +293,10 @@ hmac_hmac_sha3_256_input_cost_per_byte: 2
 hmac_hmac_sha3_256_input_cost_per_block: 2
 check_zklogin_id_cost_base: 200
 check_zklogin_issuer_cost_base: 200
+nitro_attestation_parse_base_cost: 53
+nitro_attestation_parse_cost_per_byte: 1
+nitro_attestation_verify_base_cost: 49632
+nitro_attestation_verify_cost_per_cert: 52369
 bcs_per_byte_serialized_cost: 2
 bcs_legacy_min_output_size_cost: 1
 bcs_failure_cost: 52

@@ -1,6 +1,7 @@
 ---
 source: crates/sui-protocol-config/src/lib.rs
 expression: "ProtocolConfig::get_for_version(cur, *chain_id)"
+snapshot_kind: text
 ---
 version: 74
 feature_flags:
@@ -46,6 +47,7 @@ feature_flags:
   enable_coin_deny_list: true
   enable_group_ops_native_functions: true
   enable_group_ops_native_function_msm: true
+  enable_nitro_attestation: true
   reject_mutable_random_on_entry_functions: true
   per_object_congestion_control_mode: TotalGasBudgetWithCap
   consensus_choice: Mysticeti
@@ -301,6 +303,10 @@ check_zklogin_id_cost_base: 200
 check_zklogin_issuer_cost_base: 200
 vdf_verify_vdf_cost: 1500
 vdf_hash_to_input_cost: 100
+nitro_attestation_parse_base_cost: 53
+nitro_attestation_parse_cost_per_byte: 1
+nitro_attestation_verify_base_cost: 49632
+nitro_attestation_verify_cost_per_cert: 52369
 bcs_per_byte_serialized_cost: 2
 bcs_legacy_min_output_size_cost: 1
 bcs_failure_cost: 52

diff --git a/crates/sui-swarm-config/tests/snapshots/snapshot_tests__genesis_config_snapshot_matches.snap b/crates/sui-swarm-config/tests/snapshots/snapshot_tests__genesis_config_snapshot_matches.snap
@@ -1,6 +1,7 @@
 ---
 source: crates/sui-swarm-config/tests/snapshot_tests.rs
 expression: genesis_config
+snapshot_kind: text
 ---
 ssfn_config_info: ~
 validator_config_info: ~