feat: enable TDX on arbitrum-sepolia-testnet

Author: PierreJeanjacquot

cli/src/cmd/deploy.ts

@@ -2,6 +2,9 @@ import {
   dockerBuild,
   pushDockerImage,
   checkDockerDaemon,
+  parseImagePath,
+  inspectImage,
+  tagDockerImage,
 } from '../execDocker/docker.js';
 import { sconify } from '../utils/sconify.js';
 import { askForDockerhubUsername } from '../cli-helpers/askForDockerhubUsername.js';
@@ -20,7 +23,6 @@ import { goToProjectRoot } from '../cli-helpers/goToProjectRoot.js';
 import * as color from '../cli-helpers/color.js';
 import { hintBox } from '../cli-helpers/box.js';
 import { addDeploymentData } from '../utils/cacheExecutions.js';
-import { deployTdxApp, getIExecTdx } from '../utils/tdx-poc.js';
 import { useTdx } from '../utils/featureFlags.js';
 import { ensureBalances } from '../cli-helpers/ensureBalances.js';
 import { warnBeforeTxFees } from '../cli-helpers/warnBeforeTxFees.js';
@@ -39,11 +41,16 @@ export async function deploy({ chain }: { chain?: string }) {
     const userAddress = await signer.getAddress();
 
     // initialize iExec
-    let iexec;
-    if (useTdx) {
-      iexec = getIExecTdx({ ...chainConfig, signer });
-    } else {
-      iexec = getIExec({ ...chainConfig, signer });
+    const iexec = getIExec({ ...chainConfig, signer });
+    // determine TEE framework based on feature flag
+    const teeFramework = useTdx ? 'tdx' : 'scone';
+    // check TEE framework compatibility with selected chain
+    try {
+      await iexec.config.resolveSmsURL({ teeFramework });
+    } catch {
+      throw new Error(
+        `TEE framework ${teeFramework.toUpperCase()} is not supported on the selected chain`
+      );
     }
 
     await ensureBalances({ spinner, iexec, warnOnlyRlc: true });
@@ -64,7 +71,7 @@ export async function deploy({ chain }: { chain?: string }) {
       throw Error('Invalid version');
     }
 
-    const imageTag = `${dockerhubUsername}/${projectNameToImageName(projectName)}:${iAppVersion}`;
+    const nonTeeImage = `${dockerhubUsername}/${projectNameToImageName(projectName)}:${iAppVersion}`;
 
     const appSecret = await askForAppSecret({ spinner });
 
@@ -75,37 +82,60 @@ export async function deploy({ chain }: { chain?: string }) {
     spinner.start('Building docker image...\n');
     const buildLogs = [];
     const imageId = await dockerBuild({
-      tag: imageTag,
+      tag: nonTeeImage,
       progressCallback: (msg) => {
         buildLogs.push(msg); // do we want to show build logs after build is successful?
         spinner.text = spinner.text + color.comment(msg);
       },
     });
-    spinner.succeed(`Docker image built (${imageId}) and tagged ${imageTag}`);
-
-    spinner.start('Pushing docker image...\n');
-    await pushDockerImage({
-      tag: imageTag,
-      dockerhubAccessToken,
-      dockerhubUsername,
-      progressCallback: (msg) => {
-        spinner.text = spinner.text + color.comment(msg);
-      },
-    });
-    spinner.succeed(`Pushed image ${imageTag} on dockerhub`);
+    spinner.succeed(`Docker image built (${imageId})`);
 
     let appDockerImage: string;
     let appContractAddress: string;
 
-    if (useTdx && iexec) {
+    if (useTdx) {
+      spinner.start('Pushing docker image...\n');
+      const {
+        dockerUserName,
+        imageName,
+        imageTag: originalImageTag,
+      } = parseImagePath(nonTeeImage);
+      const repo = `${dockerUserName}/${imageName}`;
+      const inspectResult = await inspectImage(nonTeeImage);
+      const tdxImageShortId = inspectResult.Id.substring(7, 7 + 12); // extract 12 first chars after the leading "sha256:"
+      const tdxImageTag = `${originalImageTag}-tdx-${tdxImageShortId}`; // add digest in tag to avoid replacing previous build
+      const tdxImage = await tagDockerImage({
+        image: nonTeeImage,
+        repo,
+        tag: tdxImageTag,
+      });
+      await pushDockerImage({
+        tag: tdxImage,
+        dockerhubUsername,
+        dockerhubAccessToken,
+      });
+      spinner.succeed(`Pushed image ${tdxImage} on dockerhub`);
+      appDockerImage = tdxImage;
       spinner.start('Deploying your TDX TEE app on iExec...');
-      ({ tdxImage: appDockerImage, appContractAddress } = await deployTdxApp({
-        iexec,
-        image: imageTag,
+      const { address } = await iexec.app.deployApp({
+        owner: await iexec.wallet.getAddress(),
+        name: `${imageName}-${originalImageTag}`,
+        type: 'DOCKER',
+        multiaddr: tdxImage,
+        checksum: `0x${inspectResult.RepoDigests[0].split('@sha256:')[1]}`,
+      });
+      appContractAddress = address;
+    } else {
+      spinner.start('Pushing docker image...\n');
+      await pushDockerImage({
+        tag: nonTeeImage,
         dockerhubAccessToken,
         dockerhubUsername,
-      }));
-    } else {
+        progressCallback: (msg) => {
+          spinner.text = spinner.text + color.comment(msg);
+        },
+      });
+      spinner.succeed(`Pushed image ${nonTeeImage} on dockerhub`);
       spinner.start(
         'Transforming your image into a TEE image, this may take a few minutes...'
       );
@@ -116,17 +146,16 @@ export async function deploy({ chain }: { chain?: string }) {
         fingerprint,
         entrypoint,
       } = await sconify({
-        iAppNameToSconify: imageTag,
+        iAppNameToSconify: nonTeeImage,
         template,
         walletAddress: userAddress,
         dockerhubAccessToken,
         dockerhubUsername,
       });
       appDockerImage = dockerImage;
       spinner.succeed(`Pushed TEE image ${appDockerImage} on dockerhub`);
-
       spinner.start('Deploying your TEE app on iExec...');
-      ({ address: appContractAddress } = await iexec.app.deployApp({
+      const { address } = await iexec.app.deployApp({
         owner: userAddress,
         name: `${projectNameToImageName(projectName)}-${iAppVersion}`,
         type: 'DOCKER',
@@ -140,16 +169,19 @@ export async function deploy({ chain }: { chain?: string }) {
           heapSize: 1073741824,
           fingerprint,
         },
-      }));
+      });
+      appContractAddress = address;
     }
-
     // Add deployment data to deployments.json
     await addDeploymentData({
       image: appDockerImage,
       app: appContractAddress,
       owner: userAddress,
       chainName,
     });
+    spinner.succeed(
+      `TEE app deployed with image ${appDockerImage} on iExec with address ${appContractAddress}`
+    );
 
     spinner.succeed('TEE app deployed');
     if (appSecret !== null && iexec) {

cli/src/cmd/run.ts

@@ -4,11 +4,7 @@ import { utils } from 'iexec';
 import { ConsumableDatasetorder } from 'iexec/IExecOrderModule';
 import { mkdir, rm } from 'node:fs/promises';
 import { askForWallet } from '../cli-helpers/askForWallet.js';
-import {
-  SCONE_TAG,
-  RUN_OUTPUT_DIR,
-  TASK_OBSERVATION_TIMEOUT,
-} from '../config/config.js';
+import { RUN_OUTPUT_DIR, TASK_OBSERVATION_TIMEOUT } from '../config/config.js';
 import { addRunData } from '../utils/cacheExecutions.js';
 import { getSpinner, type Spinner } from '../cli-helpers/spinner.js';
 import { handleCliError } from '../cli-helpers/handleCliError.js';
@@ -19,8 +15,6 @@ import { goToProjectRoot } from '../cli-helpers/goToProjectRoot.js';
 import * as color from '../cli-helpers/color.js';
 import { IExec } from 'iexec';
 import { getChainConfig, readIAppConfig } from '../utils/iAppConfigFile.js';
-import { getIExecTdx, WORKERPOOL_TDX } from '../utils/tdx-poc.js';
-import { useTdx } from '../utils/featureFlags.js';
 import { ensureBalances } from '../cli-helpers/ensureBalances.js';
 import { askForAcknowledgment } from '../cli-helpers/askForAcknowledgment.js';
 import { warnBeforeTxFees } from '../cli-helpers/warnBeforeTxFees.js';
@@ -52,17 +46,27 @@ export async function run({
     await warnBeforeTxFees({ spinner, chain: chainConfig.name });
 
     spinner.start('checking inputs...');
-    let readOnlyIexec: IExec;
-    if (useTdx) {
-      readOnlyIexec = getIExecTdx(chainConfig);
-    } else {
-      readOnlyIexec = getIExec(chainConfig);
-    }
+    // initialize iExec
+    const readOnlyIexec = getIExec(chainConfig);
 
     // input checks
     if ((await readOnlyIexec.app.checkDeployedApp(iAppAddress)) === false) {
       throw Error('No iApp found at the specified address.');
     }
+
+    const { app } = await readOnlyIexec.app.showApp(iAppAddress);
+    // determine TEE framework based on app properties (SCONE apps define `appMREnclave`, TDX apps do NOT define `appMREnclave`)
+    const isTdxApp = !app.appMREnclave;
+    const teeFramework = isTdxApp ? 'tdx' : 'scone';
+    // check TEE framework compatibility with selected chain
+    try {
+      await readOnlyIexec.config.resolveSmsURL({ teeFramework });
+    } catch {
+      throw new Error(
+        `TEE framework ${teeFramework.toUpperCase()} is not supported on the selected chain`
+      );
+    }
+
     if (protectedData.length > 0) {
       await Promise.all(
         protectedData.map(async (dataset) => {
@@ -74,7 +78,7 @@ export async function run({
           }
           const isSecretSet =
             await readOnlyIexec.dataset.checkDatasetSecretExists(dataset, {
-              teeFramework: 'scone',
+              teeFramework,
             });
           if (!isSecretSet) {
             throw Error(
@@ -89,22 +93,17 @@ export async function run({
     const signer = await askForWallet({ spinner });
     const userAddress = await signer.getAddress();
 
-    let iexec: IExec;
-    if (useTdx) {
-      iexec = getIExecTdx({ ...chainConfig, signer });
-    } else {
-      iexec = getIExec({
-        ...chainConfig,
-        signer,
-      });
-    }
+    const iexec = getIExec({
+      ...chainConfig,
+      signer,
+    });
 
     // App Order
     spinner.start('Creating app order...');
     const apporderTemplate = await iexec.order.createApporder({
       app: iAppAddress,
       requesterrestrict: userAddress,
-      tag: SCONE_TAG,
+      tag: ['tee', teeFramework],
     });
     const apporder = await iexec.order.signApporder(apporderTemplate);
     spinner.succeed('AppOrder created');
@@ -121,8 +120,7 @@ export async function run({
             dataset,
             app: iAppAddress,
             requester: userAddress,
-            minTag: SCONE_TAG,
-            maxTag: SCONE_TAG,
+            minTag: ['tee'], // TEE framework tag is ignored for dataset order matching, as dataset can be shared between SCONE and TDX apps
             bulkOnly: protectedData.length > 1, // bulk if multiple datasets
           });
           const datasetorder = datasetOrderbook.orders[0]?.order;
@@ -153,6 +151,7 @@ export async function run({
             const name = await pushRequesterSecret({
               iexec,
               value,
+              teeFramework,
             });
             return [key, name];
           })
@@ -164,10 +163,11 @@ export async function run({
     // Workerpool Order
     spinner.start('Fetching workerpool order...');
     const workerpoolOrderbook = await iexec.orderbook.fetchWorkerpoolOrderbook({
-      workerpool: useTdx ? WORKERPOOL_TDX : chainConfig.workerpool,
+      workerpool: isTdxApp
+        ? chainConfig.tdxWorkerpool
+        : chainConfig.sconeWorkerpool,
       app: iAppAddress,
-      minTag: SCONE_TAG,
-      maxTag: SCONE_TAG,
+      minTag: apporder.tag,
       minVolume: volume, // TODO handle multiple matches if not enough volume
     });
     const workerpoolorder = workerpoolOrderbook.orders[0]?.order;
@@ -192,7 +192,7 @@ export async function run({
           ? datasetorders[0].datasetprice.toString()
           : 0,
       workerpoolmaxprice: workerpoolorder.workerpoolprice,
-      tag: SCONE_TAG,
+      tag: ['tee', teeFramework],
       volume,
       params: {
         iexec_args: args,
@@ -310,12 +310,14 @@ ${color.link(`${chainConfig.ipfsGatewayUrl}${location}`)}`);
 async function pushRequesterSecret({
   iexec,
   value,
+  teeFramework,
 }: {
   iexec: IExec;
   value: string;
+  teeFramework: 'scone' | 'tdx';
 }) {
   const secretName = uuidV4();
-  await iexec.secrets.pushRequesterSecret(secretName, value);
+  await iexec.secrets.pushRequesterSecret(secretName, value, { teeFramework });
   return secretName;
 }
 

cli/src/cmd/test.ts

@@ -9,12 +9,13 @@ import {
 } from '../execDocker/docker.js';
 import { checkDeterministicOutputExists } from '../utils/deterministicOutput.js';
 import {
-  IEXEC_WORKER_HEAP_SIZE,
+  IEXEC_SCONE_WORKER_HEAP_SIZE,
   IEXEC_RESULT_UPLOAD_MAX_SIZE,
   PROTECTED_DATA_MOCK_DIR,
   TASK_OBSERVATION_TIMEOUT,
   TEST_INPUT_DIR,
   TEST_OUTPUT_DIR,
+  IEXEC_TDX_WORKER_HEAP_SIZE,
 } from '../config/config.js';
 import { getSpinner, type Spinner } from '../cli-helpers/spinner.js';
 import { handleCliError } from '../cli-helpers/handleCliError.js';
@@ -26,7 +27,6 @@ import { goToProjectRoot } from '../cli-helpers/goToProjectRoot.js';
 import * as color from '../cli-helpers/color.js';
 import { hintBox } from '../cli-helpers/box.js';
 import { useTdx } from '../utils/featureFlags.js';
-import { IEXEC_TDX_WORKER_HEAP_SIZE } from '../utils/tdx-poc.js';
 
 export async function test({
   args,
@@ -182,7 +182,7 @@ export async function testApp({
   }, TASK_OBSERVATION_TIMEOUT);
   const memoryLimit = useTdx
     ? IEXEC_TDX_WORKER_HEAP_SIZE
-    : IEXEC_WORKER_HEAP_SIZE;
+    : IEXEC_SCONE_WORKER_HEAP_SIZE;
   const appLogs: string[] = [];
   const { exitCode, outOfMemory } = await runDockerContainer({
     image: imageId,