Merge pull request #296 from matter-labs/verify-era-proof-attestation-tdx

refactor(verify-era-proof-attestation): modularize and restructure proof verification logic

Author: haraldh

Cargo.lock

@@ -32,7 +32,6 @@ gpt = "4.0.0"
 hex = { version = "0.4.3", features = ["std"], default-features = false }
 intel-tee-quote-verification-rs = { package = "teepot-tee-quote-verification-rs", path = "crates/teepot-tee-quote-verification-rs", version = "0.3.0" }
 intel-tee-quote-verification-sys = { version = "0.2.1" }
-jsonrpsee-types = { version = "0.24", default-features = false }
 num-integer = "0.1.46"
 num-traits = "0.2.18"
 opentelemetry = { version = "0.28.0", features = ["default", "logs"] }

Cargo.toml

@@ -7,9 +7,9 @@ use anyhow::{bail, Context, Result};
 use clap::Parser;
 
 use std::{fs, io::Read, path::PathBuf, str::FromStr, time::UNIX_EPOCH};
-use teepot::{
-    quote::{error, tee_qv_get_collateral, verify_quote_with_collateral, QuoteVerificationResult},
-    sgx::TcbLevel,
+use teepot::quote::{
+    error, tcblevel::TcbLevel, tee_qv_get_collateral, verify_quote_with_collateral,
+    QuoteVerificationResult,
 };
 
 #[derive(Parser, Debug)]

bin/verify-attestation/src/main.rs

@@ -8,19 +8,24 @@ repository.workspace = true
 version.workspace = true
 
 [dependencies]
-anyhow.workspace = true
+bytes.workspace = true
 clap.workspace = true
+enumset.workspace = true
 hex.workspace = true
-jsonrpsee-types.workspace = true
+jsonrpsee-types = "0.24"
 reqwest.workspace = true
 secp256k1.workspace = true
 serde.workspace = true
+serde_json.workspace = true
 serde_with = { workspace = true, features = ["hex"] }
+serde_yaml = "0.9.33"
 teepot.workspace = true
+thiserror.workspace = true
 tokio.workspace = true
+tokio-util = "0.7.14"
 tracing.workspace = true
 tracing-subscriber.workspace = true
 url.workspace = true
-zksync_basic_types = "=0.1.0"
-zksync_types = "=0.1.0"
-zksync_web3_decl = "=0.1.0"
+zksync_basic_types = "27.0.0-non-semver-compat"
+zksync_types = "27.0.0-non-semver-compat"
+zksync_web3_decl = "27.0.0-non-semver-compat"

bin/verify-era-proof-attestation/Cargo.toml

@@ -0,0 +1,76 @@
+# Era Proof Attestation Verifier
+
+This tool verifies the SGX/TDX attestations and signatures for zkSync Era L1 batches.
+
+## Usage
+
+Basic usage with attestation policy provided from a YAML file:
+
+```bash
+verify-era-proof-attestation --rpc https://mainnet.era.zksync.io \
+    --continuous 493220 \
+    --attestation-policy-file examples/attestation_policy.yaml \
+    --log-level info
+```
+
+## Attestation Policy Configuration
+
+You can specify the attestation policy either through command-line arguments or by providing a YAML configuration file.
+
+### Command-line Arguments
+
+The following command-line arguments are available:
+
+- `--batch`, `-n <BATCH>`: The batch number or range of batch numbers to verify the attestation and signature (e.g., "
+  42" or "42-45"). Mutually exclusive with `--continuous`.
+- `--continuous <FIRST_BATCH>`: Continuous mode: keep verifying new batches starting from the specified batch number
+  until interrupted. Mutually exclusive with `--batch`.
+- `--rpc <URL>`: URL of the RPC server to query for the batch attestation and signature.
+- `--chain <CHAIN_ID>`: Chain ID of the network to query (default: L2ChainId::default()).
+- `--rate-limit <MILLISECONDS>`: Rate limit between requests in milliseconds (default: 0).
+- `--log-level <LEVEL>`: Log level for the log output. Valid values are: `off`, `error`, `warn`, `info`, `debug`,
+  `trace` (default: `warn`).
+- `--attestation-policy-file <PATH>`: Path to a YAML file containing attestation policy configuration. This overrides
+  any attestation policy settings provided via command line options.
+
+Either `--batch` or `--continuous` mode must be specified.
+
+### YAML Configuration File
+
+The attestation policy is loaded from a YAML file using the `--attestation-policy-file` option.
+
+Example YAML configuration file:
+
+```yaml
+sgx:
+  mrenclaves:
+    - a2caa7055e333f69c3e46ca7ba65b135a86c90adfde2afb356e05075b7818b3c
+    - 36eeb64cc816f80a1cf5818b26710f360714b987d3799e757cbefba7697b9589
+    - 4a8b79e5123f4dbf23453d583cb8e5dcf4d19a6191a0be6dd85b7b3052c32faf
+    - 1498845b3f23667356cc49c38cae7b4ac234621a5b85fdd5c52b5f5d12703ec9
+    - 1b2374631bb2572a0e05b3be8b5cdd23c42e9d7551e1ef200351cae67c515a65
+    - 6fb19e47d72a381a9f3235c450f8c40f01428ce19a941f689389be3eac24f42a
+    - b610fd1d749775cc3de88beb84afe8bb79f55a19100db12d76f6a62ac576e35d
+    - a0b1b069b01bdcf3c1517ef8d4543794a27ed4103e464be7c4afdc6136b42d66
+    - 71e2a11a74b705082a7286b2008f812f340c0e4de19f8b151baa347eda32d057
+    - d5a0bf8932d9a3d7af6d9405d4c6de7dcb7b720bb5510666b4396fc58ee58bb2
+  allowed_tcb_levels:
+    - Ok
+    - SwHardeningNeeded
+  allowed_advisory_ids:
+    - INTEL-SA-00615
+tdx:
+  mrs:
+    - - 2a90c8fa38672cafd791d994beb6836b99383b2563736858632284f0f760a6446efd1e7ec457cf08b629ea630f7b4525
+      - 3300980705adf09d28b707b79699d9874892164280832be2c386a715b6e204e0897fb564a064f810659207ba862b304f
+      - c08ab64725566bcc8a6fb1c79e2e64744fcff1594b8f1f02d716fb66592ecd5de94933b2bc54ffbbc43a52aab7eb1146
+      - 092a4866a9e6a1672d7439a5d106fbc6eb57b738d5bfea5276d41afa2551824365fdd66700c1ce9c0b20542b9f9d5945
+      - 971fb52f90ec98a234301ca9b8fc30b613c33e3dd9c0cc42dcb8003d4a95d8fb218b75baf028b70a3cabcb947e1ca453
+    - - 2a90c8fa38672cafd791d994beb6836b99383b2563736858632284f0f760a6446efd1e7ec457cf08b629ea630f7b4525
+      - 3300980705adf09d28b707b79699d9874892164280832be2c386a715b6e204e0897fb564a064f810659207ba862b304f
+      - c08ab64725566bcc8a6fb1c79e2e64744fcff1594b8f1f02d716fb66592ecd5de94933b2bc54ffbbc43a52aab7eb1146
+      - 092a4866a9e6a1672d7439a5d106fbc6eb57b738d5bfea5276d41afa2551824365fdd66700c1ce9c0b20542b9f9d5945
+      - f57bb7ed82c6ae4a29e6c9879338c592c7d42a39135583e8ccbe3940f2344b0eb6eb8503db0ffd6a39ddd00cd07d8317
+  allowed_tcb_levels:
+    - Ok
+```

bin/verify-era-proof-attestation/README.md

@@ -0,0 +1,31 @@
+sgx:
+  mrenclaves:
+    - a2caa7055e333f69c3e46ca7ba65b135a86c90adfde2afb356e05075b7818b3c
+    - 36eeb64cc816f80a1cf5818b26710f360714b987d3799e757cbefba7697b9589
+    - 4a8b79e5123f4dbf23453d583cb8e5dcf4d19a6191a0be6dd85b7b3052c32faf
+    - 1498845b3f23667356cc49c38cae7b4ac234621a5b85fdd5c52b5f5d12703ec9
+    - 1b2374631bb2572a0e05b3be8b5cdd23c42e9d7551e1ef200351cae67c515a65
+    - 6fb19e47d72a381a9f3235c450f8c40f01428ce19a941f689389be3eac24f42a
+    - b610fd1d749775cc3de88beb84afe8bb79f55a19100db12d76f6a62ac576e35d
+    - a0b1b069b01bdcf3c1517ef8d4543794a27ed4103e464be7c4afdc6136b42d66
+    - 71e2a11a74b705082a7286b2008f812f340c0e4de19f8b151baa347eda32d057
+    - d5a0bf8932d9a3d7af6d9405d4c6de7dcb7b720bb5510666b4396fc58ee58bb2
+  allowed_tcb_levels:
+    - Ok
+    - SwHardeningNeeded
+  allowed_advisory_ids:
+    - INTEL-SA-00615
+tdx:
+  mrs:
+    - - 2a90c8fa38672cafd791d994beb6836b99383b2563736858632284f0f760a6446efd1e7ec457cf08b629ea630f7b4525
+      - 3300980705adf09d28b707b79699d9874892164280832be2c386a715b6e204e0897fb564a064f810659207ba862b304f
+      - c08ab64725566bcc8a6fb1c79e2e64744fcff1594b8f1f02d716fb66592ecd5de94933b2bc54ffbbc43a52aab7eb1146
+      - 092a4866a9e6a1672d7439a5d106fbc6eb57b738d5bfea5276d41afa2551824365fdd66700c1ce9c0b20542b9f9d5945
+      - 971fb52f90ec98a234301ca9b8fc30b613c33e3dd9c0cc42dcb8003d4a95d8fb218b75baf028b70a3cabcb947e1ca453
+    - - 2a90c8fa38672cafd791d994beb6836b99383b2563736858632284f0f760a6446efd1e7ec457cf08b629ea630f7b4525
+      - 3300980705adf09d28b707b79699d9874892164280832be2c386a715b6e204e0897fb564a064f810659207ba862b304f
+      - c08ab64725566bcc8a6fb1c79e2e64744fcff1594b8f1f02d716fb66592ecd5de94933b2bc54ffbbc43a52aab7eb1146
+      - 092a4866a9e6a1672d7439a5d106fbc6eb57b738d5bfea5276d41afa2551824365fdd66700c1ce9c0b20542b9f9d5945
+      - f57bb7ed82c6ae4a29e6c9879338c592c7d42a39135583e8ccbe3940f2344b0eb6eb8503db0ffd6a39ddd00cd07d8317
+  allowed_tcb_levels:
+    - Ok

bin/verify-era-proof-attestation/examples/attestation_policy.yaml

@@ -0,0 +1,66 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (c) 2023-2025 Matter Labs
+
+//! HTTP client for making requests to external services
+
+use reqwest::Client;
+use serde::{de::DeserializeOwned, Serialize};
+use std::time::Duration;
+use url::Url;
+
+use crate::{
+    core::DEFAULT_HTTP_REQUEST_TIMEOUT,
+    error::{Error, Result},
+};
+
+/// Client for making HTTP requests
+#[derive(Clone)]
+pub struct HttpClient {
+    client: Client,
+}
+
+impl HttpClient {
+    /// Create a new HTTP client with default configuration
+    pub fn new() -> Self {
+        let client = Client::builder()
+            .timeout(Duration::from_secs(DEFAULT_HTTP_REQUEST_TIMEOUT))
+            .build()
+            .expect("Failed to create HTTP client");
+
+        Self { client }
+    }
+
+    /// Make a POST request to the specified URL with the provided body
+    pub async fn post<T: Serialize>(&self, url: &Url, body: T) -> Result<String> {
+        let response = self.client.post(url.clone()).json(&body).send().await?;
+        self.handle_response(response).await
+    }
+
+    /// Send a JSON request and parse the response
+    pub async fn send_json<T: Serialize, R: DeserializeOwned>(
+        &self,
+        url: &Url,
+        body: T,
+    ) -> Result<R> {
+        let response_text = self.post(url, body).await?;
+        let response: R = serde_json::from_str(&response_text)
+            .map_err(|e| Error::JsonRpcInvalidResponse(e.to_string()))?;
+
+        Ok(response)
+    }
+
+    /// Handle the HTTP response
+    async fn handle_response(&self, response: reqwest::Response) -> Result<String> {
+        let status = response.status();
+        let body = response.text().await?;
+
+        if status.is_success() {
+            Ok(body)
+        } else {
+            Err(Error::Http {
+                status_code: status.as_u16(),
+                message: body,
+            })
+        }
+    }
+}