# 闅愮璁＄畻鏂规

## 姒傝堪
涓€鑸潵璇达紝鍙備笌鍒板尯鍧楅摼浜ゆ槗涓殑鏁版嵁瀵归摼鍙備笌鑰呴兘鏄叕寮€鐨勩€傝€岄暱瀹夐摼闅愮鍚堢害鍔熻兘涓哄尯鍧楅摼鎻愪緵鍦ㄥ悎绾︿腑澶勭悊鏁忔劅鏁版嵁鐨勮兘鍔涳紝杈惧埌淇濇姢鏁版嵁闅愮鐨勫悓鏃朵繚璇佸悎绾︽墽琛岃繃绋嬬殑鍙潬鎬э紙鍖呮嫭鍚堢害閫昏緫銆佹暟鎹殑瀹屾暣鎬э級銆傞暱瀹夐摼闅愮鍚堢害閲囩敤鍙俊璁＄畻鎶€鏈紝鍦ㄥ彲淇℃墽琛岀幆澧冧腑鎵ц闅愮鍚堢害銆傛晱鎰熸暟鎹互瀵嗘枃褰㈠紡瀛樺湪浜庡尯鍧楅摼璐︽湰涓紝鐢ㄦ埛浣跨敤鏃跺湪鍙俊鎵ц鐜涓В瀵嗭紝鑰屽彲淇℃墽琛岀幆澧冨鏃犳硶鑾峰緱鏁忔劅鏁版嵁鏄庢枃銆傚悓鏃讹紝鍙俊鎵ц鐜鐨勮繙绋嬭瘉鏄庝繚璇佸悎绾﹂€昏緫涓嶈绡℃敼銆傚姝わ紝杈惧埌鏁忔劅鏁版嵁鍦ㄥ尯鍧楅摼涓婄殑鍙敤涓嶅彲瑙侊紝鑰屾暟鎹鐞嗘祦绋嬩粛鐒跺彲浠ュ湪鍖哄潡閾句笂鍏紑楠岃瘉鐨勬晥鏋溿€�

闀垮畨閾炬敮鎸両ntel SGX浣滀负鎵ц闅愮鍚堢害鐨勭‖浠跺熀纭€銆傜洰鍓岻ntel SGX鐩稿浜庡叾浠栧彲淇¤绠楃‖浠讹紝鍏锋湁鍏煎鎬уソ銆佹枃妗ｅ畬鍠勭瓑浼樺娍銆�

## 闅愮鍚堢害璁捐鏂规
闅愮鍚堢害鍔熻兘鐢变竴涓熀浜庡彲淇℃墽琛岀幆澧冪殑闅愮鍚堢害鐜鎻愪緵銆傝繖涓殣绉佸悎绾︾幆澧冪敱鍙俊鎵ц鐜Enclave鍜岄殣绉佽绠楃綉鍏崇粍鎴愩€傚叾涓璄nclave鏄繍琛屽湪鍙俊鎵ц鐜鐨勯€昏緫锛岃礋璐ｅ鍚堢害杩涜楠岃瘉銆佺紪璇戙€佹墽琛岋紝鏁忔劅鏁版嵁瀵嗘枃鍙兘鍦‥nclave涓В瀵嗐€傞暱瀹夐摼鐨凟nclave涓疄鐜颁簡涓€濂梂ASM閫昏緫锛屽彲浠ュ浠绘剰鏁版嵁澶勭悊閫昏緫杩涜缂栬瘧銆佽繍琛屻€傞殣绉佽绠楃綉鍏宠礋璐ｅ皢鐢ㄦ埛銆丒nclave鍙戝嚭鐨勪俊鎭墦鍖呮垚鍖哄潡閾剧殑浜ゆ槗payload锛屽苟杞彂缁欏尯鍧楅摼瀛樿瘉銆�

鏁翠釜娴佺▼鍒嗕负涓変釜闃舵锛氬彲淇℃墽琛岀幆澧冪殑杩滅▼璇佹槑銆侀殣绉佸悎绾︾殑閮ㄧ讲銆侀殣绉佸悎绾︾殑璋冪敤銆�

- 杩滅▼璇佹槑鍔ㄤ綔鍙互鏄竴娆℃€х殑銆傚湪璇ラ樁娈碉紝鐢辩敤鎴峰彂璧峰闅愮鍚堢害鐜涓璄nclave鐨勮繙绋嬭瘉鏄庯紝楠岃瘉璇nclave鏄惁杩愯浜庡彲淇℃墽琛岀幆澧冧腑锛屼互鍙婅Enclave涓殑閫昏緫鏄惁鍦ㄩ儴缃插悗琚鏀硅繃銆�
- 闅愮鍚堢害鐨勯儴缃插彂鐢熷湪杩滅▼璇佹槑涔嬪悗锛屾瘡涓笉鍚岀殑闅愮鍚堢害闇€瑕佸崟鐙繘琛屼竴娆￠儴缃层€傚湪杩欎釜闃舵涓紝鐢ㄦ埛鍙互閮ㄧ讲缁忓尯鍧楅摼鍏辫瘑鎺ュ彈鐨勪换鎰忔暟鎹鐞嗛€昏緫浣滀负闅愮鍚堢害锛岄殣绉佸悎绾︿細琚瓨鍦ㄥ尯鍧楅摼涓婏紝鍏堕€昏緫鍙楀埌鍏紑鐩戠銆備笉鍚屼簬鏅€氬悎绾︾敤鎴风洿鎺ュ皢鍚堢害浠ｇ爜涓婁紶鍒板尯鍧楅摼鑺傜偣鐨勯儴缃叉柟寮忥紝闅愮鍚堢害闇€瑕佺敤鎴峰皢鍚堢害涓婁紶鍒伴殣绉佽绠楃幆澧冨垵濮嬪寲鍚庯紝鐢遍殣绉佽绠楃幆澧冮€氳繃缃戝叧灏嗗鐞嗗ソ鐨勫悎绾︿笂浼犲埌鍖哄潡閾捐处鏈腑銆�
- 闅愮鍚堢害鐨勮皟鐢ㄥ彂鐢熷湪閮ㄧ讲涔嬪悗銆備竴涓殣绉佸悎绾﹂儴缃插悗锛岀敤鎴峰彲浠ョ敤鐩稿悓鎴栦笉鍚岀殑鏁版嵁涓哄叆鍙傝繘琛屽娆¤皟鐢ㄣ€�

### 鍙俊鎵ц鐜涓庤繙绋嬭瘉鏄�
[鍙俊鎵ц鐜](https://en.wikipedia.org/wiki/Trusted_execution_environment)鏄疌PU鐨勪竴涓畨鍏ㄥ姞鍥哄尯鍩燂紝鍙互淇濊瘉鍏朵腑鐨勮蒋浠堕€昏緫鍜屾暟鎹湪鏈哄瘑鎬у拰瀹屾暣鎬т笂寰楀埌淇濇姢銆傝鍖哄煙鐨勮蒋纭欢鐜鍙互鐪嬪仛鏄笌澶栫晫闅旂鐨勪竴涓弽娌欑鐜銆傚湪杩欎釜鐜涓繍琛岀殑绋嬪簭锛屽閮ㄥ寘鎷搷浣滅郴缁熸棤娉曡鍙栨垨鍐欏叆鍏跺唴瀛橈紝涔熸棤娉曞共鎵板叾浠ｇ爜杩愯閫昏緫銆�

[杩滅▼璇佹槑](https://en.wikipedia.org/wiki/Trusted_Computing#Remote_attestation)鍙互浣块獙璇佽€呰鲸鍒楠岃瘉鐨勫彲淇℃墽琛岀幆澧冧笂鐨勮蒋浠堕€昏緫鏄惁鏈夊彉鏇淬€傞€氬父锛岃繙绋嬭瘉鏄庣殑琚獙璇佹柟閫氳繃鍙俊纭欢鐢熸垚涓€涓瘉涔︼紝杩欎釜璇佷功鍖呭惈涓€涓猺eport淇℃伅锛岃繖涓俊鎭弿杩板綋鍓嶈繍琛屽湪鍙俊鎵ц鐜涓殑杞欢锛堜唬鐮佸害閲忥級銆傞獙璇佽€呴€氳繃楠岃瘉杩欎釜璇佷功鐨勫悎娉曟€ф潵楠岃瘉鍙俊纭欢涓婄殑杞欢杩涚▼鏄惁琚慨鏀硅繃銆�


#### [Intel DCAP](https://software.intel.com/content/dam/develop/external/us/en/documents/s21c-icmc2019-intel-sgx-opensource-attestation.pdf)杩滅▼璇佹槑锛堟殏涓嶆敮鎸侊紝闇€鎼厤鏂版鏈嶅姟鍣級
Intel鎻愪緵鐨勮繙绋嬭瘉鏄庢満鍒躲€�

- 淇′换Intel銆傚湪DCAP杩滅▼璇佹槑妯″紡涓紝Intel浼氫綔涓烘牴CA涓篠GX纭欢鎻愪緵璁よ瘉銆�
- 闇€瑕佸湪缃戠粶涓淮鎶や竴涓狿CCS鏈嶅姟鎻愪緵瀵圭綉缁滀腑鐨凷GX纭欢璁よ瘉銆侾CCS鏈嶅姟鏄皢Intel涓篠GX涓嬪彂鐨勭被浼间簩绾ц瘉涔︾殑淇℃伅缂撳瓨鍒颁竴涓眬鍩熺綉缁滀腑銆�

#### 鑷畾涔変俊浠绘牴鐨勮繙绋嬭瘉鏄庯紙v1.2.0寮€濮嬫敮鎸侊級
鑷畾涔変俊浠绘牴鐨勮繙绋嬭瘉鏄庡DCAP鍋氫簡涓€浜涙敼鍔紝灏嗗Intel鐨勪俊浠昏浆绉诲埌瀵逛换鎰忛€夊畾鐨凜A鏈烘瀯鐨勪俊浠讳笂銆�

鍦ㄥ彲淇℃墽琛岀幆澧冨垵濮嬪寲闃舵锛屽彲淇＄‖浠跺熀浜庣‖浠跺浐鏈夊瘑閽ョ敓鎴愪竴瀵圭鍚嶅叕绉侀挜瀵瑰拰涓€瀵瑰姞瀵嗗叕绉侀挜瀵癸紝骞跺悜涓€涓€夊畾鐨凜A鏈烘瀯鐢宠璇佷功銆傝璇佷功涓寘鍚鍚嶅叕閽ュ拰鍔犲瘑鍏挜銆傝繖涓繃绋嬬被浼间簬纭欢鍑哄巶鏃跺悜Intel娉ㄥ唽淇℃伅銆�

<img loading="lazy" src="../images/PrivateContract-RemoteAttestation.png" style="zoom:100%;" />

鍦ㄧ敤鎴峰彂璧峰Enclave鐨勮繙绋嬭瘉鏄庢椂锛�

1. 鐢ㄦ埛鐢熸垚涓€涓殢鏈烘寫鎴橈紙浠绘剰闅忔満瀛楃涓诧級锛屽皢鍏跺彂閫佸埌闅愮鍚堢害鐜锛岀敱闅愮璁＄畻缃戝叧杞彂鍒癊nclave涓€�
2. Enclave瀵规敹鍒扮殑闅忔満鎸戞垬鍒朵綔涓€涓繙绋嬭瘉鏄庛€侲nclave鏀跺埌闅忔満鎸戞垬鍚庯紝璋冪敤SGX EREPORT鎸囦护鑾峰彇report銆傝繖涓猺eport鍖呭惈褰撳墠杩愯涓殑杞欢鐨勪唬鐮佸害閲忓拰Enclave鐨勫叾浠栦俊鎭€侲nclave灏嗛殢鏈烘寫鎴樹笌report鎷兼帴鍚庯紝鐢ㄧ鍚嶇閽ュ鍏剁鍚嶏紝鍒朵綔鍑哄寘鍚殢鏈烘寫鎴樸€乺eport銆丒nclave绛惧悕銆丒nclave璇佷功4涓粍浠剁殑杩滅▼璇佹槑銆�
3. Enclave閫氳繃闅愮璁＄畻缃戝叧杈撳嚭杩滅▼璇佹槑锛堝寘鎷殢鏈烘寫鎴樸€乺eport銆丒nclave绛惧悕銆丒nclave璇佷功锛夈€�
    - 闅愮璁＄畻缃戝叧浼氳皟鐢ㄧ郴缁熷悎绾﹀皢杩滅▼璇佹槑鍐欏叆鍖哄潡閾惧瓨璇併€傜郴缁熷悎绾︿腑鍖呭惈楠岃瘉杩滅▼璇佹槑鍚堟硶鎬х殑閫昏緫锛岄€氳繃楠岃瘉鐨勮繙绋嬭瘉鏄庝細琚啓鍏ュ尯鍧楅摼瀛樿瘉銆�
    - 闅愮璁＄畻缃戝叧浼氳繑鍥炰竴浠借繙绋嬭瘉鏄庣粰鍙戣捣璇佹槑娴佺▼鐨勭敤鎴凤紝鐢ㄦ埛鍙互绾夸笅鑷楠岃瘉杩滅▼璇佹槑銆�

### 鍚堢害閮ㄧ讲闃舵
鍦ㄥ垵濮嬪寲锛堣繙绋嬭瘉鏄庯級闃舵灏咵nclave鐨勮繙绋嬭瘉鏄庡啓鍏ュ尯鍧楀悗锛屽氨鍙互鍦ㄩ摼涓婅繘琛岄殣绉佸悎绾︾殑閮ㄧ讲浜嗐€倂2.2.1_private_contract鐗堟湰鍙敮鎸乺ust璇█寮€鍙戠殑鍚堢害銆�

<img loading="lazy" src="../images/PrivateContract-ContractInstall.png" style="zoom:100%;" />

Solidity闅愮鍚堢害鐨勯儴缃叉祦绋嬪涓婂浘鎵€绀猴細
1. 鐢ㄦ埛鍙戣捣閮ㄧ讲鍚堢害鐨勮姹傦紝骞舵妸鍚堢害鍙戦€佺粰闅愮鍚堢害鐜銆�
2. 闅愮璁＄畻缃戝叧鍦ㄦ帴鏀跺埌鐢ㄦ埛閮ㄧ讲璇锋眰鍚庯紝鎶婂叾涓殑鍚堢害閫佸叆Enclave鐨刉ASM涓繘琛屽垵濮嬪寲銆傞儴鍒嗘儏鍐典腑锛岃繖涓€姝ヨ繕闇€瑕佸€熷姪閾句笂鏁版嵁鍙備笌锛屽垯鐢遍殣绉佽绠楃綉鍏虫墦鍖呮煡璇㈣姹備笌閾句氦浜掑悗锛屽啀鍦╓ASM涓垵濮嬪寲鍚堢害銆�
3. Enclave鍒濆鍖栧悎绾﹀畬鎴愬悗锛岄€氱煡闅愮璁＄畻缃戝叧銆�
4. 鑻nclave鍒濆鍖栧悎绾︽垚鍔燂紝闅愮璁＄畻缃戝叧浼氬皢鍚堢害閫氳繃閾句笂绯荤粺鍚堢害瀛樺叆鍖哄潡閾惧瓨璇併€傞摼涓婄殑鍚堢害鍙敤浜庡悎绾﹂€昏緫鐨勫彲闈犳€ф牎楠屽弬鐓у強鍚堢害鐨勫叕鍏辩洃绠°€�
5. 闅愮璁＄畻缃戝叧閫氱煡鐢ㄦ埛閮ㄧ讲鍚堢害鐨勪簨浠剁姸鎬併€�

<span id="invokeContract"></span>
### 鍚堢害璋冪敤闃舵
鐢ㄦ埛鍙互闅忔椂鍙戣捣瀵瑰凡缁忛儴缃茬殑闅愮鍚堢害鐨勮皟鐢ㄨ姹傘€傚湪璋冪敤闅愮鍚堢害鍓嶏紝鐢ㄦ埛闇€瑕佷粠鍖哄潡閾句笂鑾峰彇杩滅▼璇佹槑骞朵粠涓幏寰桬nclave鐨勫姞瀵嗗叕閽ュ拰绛惧悕楠岃瘉鍏挜銆傞殣绉佸悎绾︾殑璋冪敤娴佺▼濡備笅锛�

<img loading="lazy" src="../images/PrivateContract-ContractInvoke.png" style="zoom:100%;" />

1. 鐢ㄦ埛鍚戦殣绉佸悎绾︾幆澧冨彂璧疯皟鐢ㄩ殣绉佸悎绾︾殑璇锋眰銆傝繖涓姹備腑鍖呭惈瑕佽皟鐢ㄧ殑闅愮鍚堢害ID銆佹秹鍙婂埌鐨勯摼涓婃暟鎹殑key銆佺敤鎴峰噯澶囩殑閾惧鏁版嵁銆傦紙鍏朵腑锛岄摼涓婄殑鏁版嵁鍜岀敤鎴峰噯澶囩殑閾惧鏁版嵁鍙兘鏄姞瀵嗙殑銆傛垜浠細鍦ㄤ箣鍚庣殑灏忕珷鑺備腑浠嬬粛鍔犲瘑鏁版嵁鐨勬帹鑽愬鐞嗘柟寮忋€傦級
2. 闅愮璁＄畻缃戝叧鏍规嵁鐢ㄦ埛璋冪敤鍚堢害鐨勮姹傛瀯閫犱竴涓尯鍧楅摼璇锋眰锛岃繖涓尯鍧楅摼璇锋眰鐢ㄤ簬浠庨摼涓婅鍙栧搴旂殑闅愮鍚堢害鍜岄摼涓婃暟鎹€傞殣绉佽绠楃綉鍏冲皢杩欎釜璇锋眰鍙戦€佸埌鍖哄潡閾俱€�
3. 闅愮璁＄畻缃戝叧浠庡尯鍧楅摼涓婅幏鍙栧埌闅愮鍚堢害浠ｇ爜鍜岄渶瑕佺殑閾句笂鏁版嵁鍚庯紝杩炲悓鏉ヨ嚜鐢ㄦ埛鐨勯摼澶栨暟鎹竴璧凤紝杞彂缁橢nclave銆侲nclave鎺ユ敹鍒伴殣绉佸悎绾︿唬鐮併€佸尯鍧楅摼涓婃暟鎹€佺敤鎴锋彁渚涚殑閾惧鏁版嵁鍚庯紝
    - 鑻ユ暟鎹槸瀵嗘枃锛屼娇鐢ㄥ姞瀵嗙閽ヨВ瀵嗘暟鎹紱
    - 浠ヤ紶鍏nclave鐨勯摼涓娿€侀摼澶栨暟鎹负鍏ュ弬鎵ц闅愮鍚堢害锛�
    - 鎸夐渶瑕侀€夋嫨鏄惁瀵规墽琛岀粨鏋滃姞瀵嗭紱
    - 鎵撳寘鎵ц缁撴灉锛屽叾涓唴瀹瑰寘鎷細闅愮鍚堢害鎵ц缁撴灉銆侀殣绉佸悎绾︺€侀摼涓婂強閾惧鐨勫叆鍙傛暟鎹紱
    - 浣跨敤绛惧悕绉侀挜瀵规墦鍖呭ソ鐨勬墽琛岀粨鏋滅鍚嶃€�

    Enclave灏嗘墽琛岀粨鏋滀笌绛惧悕杩斿洖鍒伴殣绉佽绠楃綉鍏炽€�
4. 闅愮璁＄畻缃戝叧璋冪敤绯荤粺鍚堢害鎶婃墽琛岀粨鏋滀笌绛惧悕浼犲埌閾句笂銆傜郴缁熷悎绾︿細浠庨摼涓婅幏鍙朎nclave杩滅▼璇佹槑锛屼粠涓彁鍙栧嚭绛惧悕鍏挜锛屽苟瀵规墽琛岀粨鏋滅殑绛惧悕杩涜楠岃瘉锛屽苟浠庢墽琛岀粨鏋滀腑鎻愬彇闅愮鍚堢害銆侀摼涓婃暟鎹儴鍒嗭紝涓庡尯鍧楅摼涓婄殑淇℃伅杩涜姣斿銆傚鏋滆繖浜涢獙璇侀兘閫氳繃浜嗭紝鍒欑郴缁熷悎绾︽墽琛屾垚鍔燂紝闅愮鍚堢害鐨勬墽琛岀粨鏋滀細琚墦鍖呭埌鍖哄潡涓瓑寰呭叡璇嗗嚭鍧椼€�

#### 闅愮鍚堢害鍏ュ弬鏁版嵁鍔犲瘑

1. 鍦╗鍚堢害璋冪敤闃舵](#invokeContract)鐨勭2銆�4姝ヤ腑锛屾彁鍒拌繃闅愮鍚堢害浣跨敤鐨勬暟鎹彲鑳芥槸鍔犲瘑鐨勩€�
    - 閾惧鍔犲瘑鏁版嵁锛氱敤鎴峰彲浠ラ殢鏈虹敓鎴愬绉板瘑閽ヤ綔涓轰細璇濆瘑閽ュ鏁版嵁鍔犲瘑锛岀劧鍚庝粠鍖哄潡閾句笂鑾峰彇Enclave鐨勫姞瀵嗗叕閽ュ浼氳瘽瀵嗛挜鍔犲瘑銆傜敤鎴疯皟鐢ㄩ殣绉佸悎绾︽椂浼犲叆鐨勯摼澶栨暟鎹嵆涓烘暟鎹湰韬殑瀵圭О鍔犲瘑瀵嗘枃鍜屼細璇濆瘑閽ョ殑闈炲绉板姞瀵嗗瘑鏂囥€侲nclave浣跨敤鏃讹紝浣跨敤鍔犲瘑绉侀挜瑙ｅ瘑鍑轰細璇濆瘑閽ワ紝鍐嶇敤浼氳瘽瀵嗛挜瑙ｅ瘑鍑烘暟鎹€�
    - 鍖哄潡閾句笂鍔犲瘑鏁版嵁锛氬尯鍧楅摼涓婂彲鑳戒細鏈夊皯閲忔晱鎰熸暟鎹殑瀵嗘枃锛岃繖浜涘瘑鏂囬鍏堟槸浠ヤ笌閾惧鍔犲瘑鏁版嵁涓€鏍风殑澶勭悊鏂瑰紡涓婇摼鐨勶紝Enclave浣跨敤閾句笂瀵嗘枃鏃朵笌浣跨敤閾惧瀵嗘枃鐨勬柟寮忕浉鍚屻€�
2. 鍦╗鍚堢害璋冪敤闃舵](#invokeContract)鐨勭4姝ヤ腑锛屾彁鍒拌繃鍙互鎸夐渶瑕佸闅愮鍚堢害鐨勬墽琛岀粨鏋滆繘琛屽姞瀵嗐€傝繖閲屾湁涓や釜閫夋嫨锛�
    - 浣跨敤Enclave鐨勫姞瀵嗗叕閽ュ姞瀵嗭細Enclave闅忔満鐢熸垚涓€涓绉板瘑閽ヤ綔涓轰細璇濆瘑閽ワ紝鐢ㄤ簬鍔犲瘑缁撴灉锛屽啀鐢‥nclave鐨勫姞瀵嗗叕閽ュ姞瀵嗕細璇濆瘑閽ワ紱鎵ц缁撴灉鐨勫瘑鏂囧氨鍖呭惈浼氳瘽瀵嗛挜瀵嗘枃鍜屾暟鎹瘑鏂囦袱閮ㄥ垎銆傝繖绉嶆儏鍐典笅锛岄殣绉佸悎绾︾殑鎵ц缁撴灉鍙兘鍦ㄥ悗缁殑闅愮鍚堢害璋冪敤涓湪Enclave涓娇鐢紝澶栭儴鏃犳硶瑙ｅ瘑杩欎釜缁撴灉銆�
    
    - 浣跨敤鍏ュ弬涓紶鍏ョ殑涓€涓叕閽ュ姞瀵嗭細鍏ュ弬涓殑鍏挜鍙互鏄潵鑷尯鍧楅摼涓婄殑鏁版嵁锛屼篃鍙互鏄敤鎴峰彂閫佽皟鐢ㄩ殣绉佸悎绾︾殑璇锋眰鏃跺甫鍏ョ殑閾惧鐨勭敤鎴峰叕閽ャ€侲nclave闅忔満鐢熸垚涓€涓绉板瘑閽ヤ綔涓轰細璇濆瘑閽ワ紝鐢ㄤ簬鍔犲瘑缁撴灉锛屽啀鐢ㄥ叆鍙備腑鐨勫姞瀵嗗叕閽ュ姞瀵嗕細璇濆瘑閽ワ紱鎵ц缁撴灉鐨勫瘑鏂囧氨鍖呭惈浼氳瘽瀵嗛挜瀵嗘枃鍜屾暟鎹瘑鏂囦袱閮ㄥ垎銆傝繖绉嶆儏鍐典笅锛岄殣绉佸悎绾︾殑鎵ц缁撴灉鍙互琚搴旂殑鍔犲瘑绉侀挜鎸佹湁鑰呰В瀵嗕娇鐢ㄣ€�

## 浣跨敤鎸囧崡
### 璇存槑

- Graphene 鏄畼鏂瑰師鏈夌殑椤圭洰鍚嶇О鍚庢潵鏇存敼涓篏ramine锛屼笅鏂囬兘鏀规垚Gramine
- Gramine 浣跨敤v1.1锛屼粨搴撳湴鍧€锛歨ttps://github.com/gramineproject/gramine
- 1.1涔嬪墠鐨勭増鏈Golang鐨勬敮鎸佷笉鍙嬪ソ锛屼笉鑳戒娇鐢�
- 妫€鏌ヨ澶囨槸鍚︽敮鎸乻gx
  - 濡傛灉璁惧涓嶆敮鎸乻gx鍙互浣跨敤simulation mode 杩愯
  - simulation mode 涓嶈兘鐢ㄤ簬鐢熶骇鐜

### 鐜閮ㄧ讲

#### 鎺ㄨ崘閰嶇疆
- 绯荤粺锛歭inux  (涓嶆敮鎸亀indows,鏈枃鏁欑▼浣跨敤ubuntu20.04)
- 鍐呮牳锛� 5.11+锛堟帹鑽愪娇鐢�5.11浠ヤ笂鐗堟湰锛�
- 鍐呭瓨锛� 8G+

#### Gramine 鐜閰嶇疆

瀹夎鏁欑▼锛歨ttps://gramine.readthedocs.io/en/latest/quickstart.html

#### 涓嬭浇鐩稿叧浠ｇ爜

```sh
1. git clone -b v2.2.1_private_contract --depth=1 https://git.chainmaker.org.cn/chainmaker/chainmaker-go.git
2. git clone -b v2.2.1_private_contract  --depth=1 https://git.chainmaker.org.cn/chainmaker/graphene.git
3. git clone -b v2.2.1_private_contract  --depth=1 https://git.chainmaker.org.cn/chainmaker/chainmaker-tee.git
```

#### 浠ｇ爜缂栬瘧

##### CA鍑嗗

- 鍑嗗CA
  - 鍦╰ee鐩綍涓嬬殑info_test.go鏂囦欢涓彲浠ョ敓鎴愮涓夋柟鏍笴A浠呭仛娴嬭瘯浣跨敤
  - 鎴栬嚜琛屽噯澶囩涓夋柟CA

##### 缂栬瘧Enclave-server
###### 鍑嗗 enclave-server.manifest.template鏂囦欢
``` sh

loader.preload = "file:{{ gramine.libos }}"
libos.entrypoint = "{{ entrypoint }}"
loader.log_level = "{{ log_level }}"

loader.env.LD_LIBRARY_PATH = "/lib:{{ arch_libdir }}:/usr/lib:/usr{{ arch_libdir }}"

loader.pal_internal_mem_size = "1G"
loader.insecure__use_cmdline_argv = true

sys.enable_sigterm_injection = true

fs.mount.lib.type = "chroot"
fs.mount.lib.path = "/lib"
fs.mount.lib.uri = "file:{{ gramine.runtimedir() }}"

fs.mount.lib2.type = "chroot"
fs.mount.lib2.path = "{{ arch_libdir }}"
fs.mount.lib2.uri = "file:{{ arch_libdir }}"


fs.mount.tmp.type = "chroot"
fs.mount.tmp.path = "/tmp"
fs.mount.tmp.uri = "file:/tmp"

# fs.mount.libos.path 
# fs.mount.libos.uri
# set Absolute Path
fs.mount.libos.type = "chroot"
fs.mount.libos.path = "/home/XXX/code-w/chainmaker-graphene/"  # 璁剧疆缁濆璺緞
fs.mount.libos.uri = "file:/home/XXX/code-w/chainmaker-graphene/" # 璁剧疆缁濆璺緞

sgx.nonpie_binary = true
sgx.enclave_size = "16G"  #鏍规嵁鑷繁鐨勬満鍣ㄩ厤缃瀷鏀癸紝寤鸿鏈€灏忓垎閰�8G鍐呭瓨
sys.stack.size = "128M"
sgx.thread_num = 256      #鏍规嵁鏈哄櫒閰嶇疆浼樺寲璋冩暣

sgx.trusted_files = [
    "file:{{ entrypoint }}",
    "file:{{ gramine.runtimedir() }}/",
    "file:{{ arch_libdir }}/",
    "file:/usr{{ arch_libdir }}/",
    "file:/etc/mime.types",
    "file:/etc/default/apport",
]


sgx.allowed_files = [
    "file:/etc/nsswitch.conf",
    "file:/etc/ethers",
    "file:/etc/hosts",
    "file:/etc/group",
    "file:/etc/passwd",
    "file:/etc/gai.conf",
    "file:/etc/host.conf",
    "file:/etc/resolv.conf",
    "file:./configs/",
    "file:/tmp",
    "file:/home/XXX/chainmaker-graphene/",  # 璁剧疆缁濆璺緞
    "file:./logs",
]
```

鍏朵粬瀛楁鍙嚜琛屽弬鑰僪ttps://gramine.readthedocs.io/en/latest/manifest-syntax.html 杩涜璁剧疆

- 鐢熸垚 enclave-key.pem

```
openssl genrsa -3 -out /home/XXX/chainmaker-graphene/enclave-key.pem 3072 //鏇挎崲鑷繁鐨勭洰褰�
```

- 鎵ц build.sh 鏂囦欢缂栬瘧

```shell
  sudo ./build.sh SIM //妯℃嫙妯″紡涓嬭繍琛�
  sudo ./build.sh SGX=1 DEBUG=1//纭欢妯″紡涓嬭繍琛岋紙闇€瑕乧pu鏀寔锛�
  DEBUG=1 鍙€夋ā寮�
```
##### 妯℃嫙妯″紡

- gramine-direct   ./enclave-server -module=1

##### 纭欢妯″紡

- 杩愯 gramine-sgx  ./enclave-server

##### 绛惧彂璇佷功

- 绗竴娆￠儴缃� 鍒濆鍖栧畬鎴愬悗enclave-server灏嗙敓鎴恈sr鏂囦欢
- 浣跨敤csr鏂囦欢鍦ㄧ涓夋柟CA澶勭敵璇风鍙慣EE璇佷功
- 灏嗙鍙戠殑TEE璇佷功浠EM鏍煎紡瀛樹簬鏂囦欢(in_teecert.pem)骞舵斁鍦╟hainmaker-graphene/configs鐩綍涓�
- 杩愯绋嬪簭浼氳嚜鍔ㄦ牎楠屽拰鍔犺浇TEE璇佷功

**娉細 enclave鍚姩鎴愬姛锛屼娇鐢� netstat -ntlp  鏌ヨ鏈� ./loader鐨勫崰鐢ㄦ爣璇唀nclave鍚姩鎴愬姛**

##### 楠岃瘉淇℃伅涓婇摼

- 浣跨敤浠ヤ笅[CMC](../dev/鍛戒护琛屽伐鍏�)鍛戒护璋冪敤绯荤粺鍚堢害灏嗗緱鍒扮殑report淇℃伅涓婇摼

```shell
cmc tee upload_report \
--sdk-conf-path={./testdata/sdk_config.yml(SDK閰嶇疆鏂囦欢璺緞)} \
--report={report璺緞} \
--admin-key-file-paths={key璺緞} \
--admin-crt-file-paths={璇佷功璺緞}
```

**娉細鑻nclave浠ｇ爜鐗堟湰鍙戠敓鍙樺寲锛岄渶瑕佸啀娆℃墽琛屾楠�2灏嗘洿鏂拌繃鐨剅eport淇℃伅閲嶆柊涓婇摼**

- 灏嗙涓夋柟CA鐨勭鍚嶆牴璇佷功涓婇摼

```shell
cmc tee upload_ca_cert \
--sdk-conf-path={./testdata/sdk_config.yml(SDK閰嶇疆鏂囦欢璺緞)} \
--ca_cert={鏍硅瘉涔﹀湴鍧€} \
--admin-key-file-paths={key璺緞} \
--admin-crt-file-paths={璇佷功璺緞}
```

##### 缂栬瘧闅愮璁＄畻缃戝叧

```sh
cd ../gateway
go build main.go
./main start
```
##### 闅愮璁＄畻缃戝叧閰嶇疆config.yml

```yaml
# 鏈嶅姟閰嶇疆淇℃伅
settings:
   # web鏈嶅姟閰嶇疆淇℃伅
   application:
      domain: localhost:9090
      host: 0.0.0.0
      ishttps: false # 鏄惁鍚敤https
      name: sgx      # 鏈嶅姟鍚嶇О
      port: "8081"   # 鏈嶅姟绔彛鍙�
      concurrency: 10  # 鏈€澶у苟鍙戞暟
   # SDK瀹㈡埛绔厤缃俊鎭�
   config:
      capaths: # 鏍硅瘉涔﹁矾寰勶紝鏀寔澶氫釜
         - cert/ca
      chainid: chain1  # 閾綢D
      conncnt: 1  # 鑺傜偣杩炴帴鏁�
      nodeaddr: 127.0.0.1:12301  # 鑺傜偣鍦板潃锛屾牸寮忥細127.0.0.1:12301
      orgid: wx-org1.chainmaker.org # 褰掑睘缁勭粐
      tlshostname: consensus1.tls.wx-org1.chainmaker.org  # TLS Hostname
      usercttpath: cert/client1.tls.crt  # 瀹㈡埛绔敤鎴风閽ヨ矾寰�
      userkeypath: cert/client1.tls.key  # 瀹㈡埛绔敤鎴疯瘉涔�
   # 鏃ュ織閰嶇疆淇℃伅
   log:
      compress: 1  # 鏄惁浣跨敤gzip鍘嬬缉锛岄粯璁や笉鍘嬬缉
      level: debug # 鏃ュ織绛夌骇,榛樿Info
      localtime: 1  # 鏃ュ織鏃堕棿鎴虫槸鍚︿负鏈湴鏃堕棿鎴筹紝榛樿UTC鏃堕棿
      maxage: 30 #  鏈€闀夸繚瀛樺ぉ鏁帮紝榛樿涓嶅垹闄�
      maxbackups: 300 # 鏈€澶氬浠藉嚑涓�
      maxsize: 1024 # 鏃ュ織鏂囦欢澶у皬锛岄粯璁�100M
      path: ./logs/gateway.log # 鏃ュ織鏂囦欢鍚�
   # https 閰嶇疆淇℃伅
   ssl:
      key: keystring  # 璇佷功key
      pem: temp/pem.pem # 璇佷功
   #grpc杩炴帴姹犻厤缃�
 internalClient:
    targeturl: ":50053"  #绔彛
    initcapacity: 20     #鍒濆鍖栬繛鎺ユ暟
    maxcapacity: 300     #鏈€澶ц繛鎺ユ暟
    dialtimeout: 2       #鎷ㄥ彿瓒呮椂鏃堕棿
    idletimeout: 6       #绌洪棽瓒呮椂鏃堕棿
    readtimeout: 5       #璇昏秴鏃舵椂闂�
    writetimeout: 5      #鍐欒秴鏃舵椂闂�
  internalServer:
    port: ":50052"       #璁块棶server绔彛

```
### 闅愮璁＄畻缃戝叧鎺ュ彛

缃戝叧鏄敤鎴疯皟鐢ㄩ殣绉佸悎绾︾殑鍏ュ彛锛屽綋鍓嶄娇鐢╤ttp鎺ュ彛鏂瑰紡杩涜璋冪敤銆傜綉鍏虫彁渚涚殑鎺ュ彛涓昏鍖呮嫭杩滅▼璇佹槑銆侀儴缃插悎绾﹀拰璋冪敤鍚堢害涓変釜鎺ュ彛銆傛墍鏈夋帴鍙ｇ殑璇锋眰method鍧囦娇鐢╬ost鏂瑰紡銆備娇鐢ㄦ柟寮忓弬鑰冪ず渚嬶紝鎻忚堪濡備笅锛�

#### 绀轰緥鍙傝€�

璇峰弬鑰僩ateway/service/tools/main.go

#### 閮ㄧ讲鍚堢害鎺ュ彛

鎺ュ彛鍦板潃锛歨ttp://x.x.x.x:port/private/deploy锛屽叾涓瓁.x.x.x:port涓烘湇鍔″湴鍧€锛岀敤鎴峰彲浠ュ湪閰嶇疆閲屾寚瀹氥€�

#### 鎵ц闅愮璁＄畻鎺ュ彛

鎺ュ彛鍦板潃锛歨ttp://x.x.x.x:port/private/compute锛屽叾涓瓁.x.x.x:port涓烘湇鍔″湴鍧€锛岀敤鎴峰彲浠ュ湪閰嶇疆閲屾寚瀹氥€�

#### 杩滅▼璇佹槑鎺ュ彛

鎺ュ彛鍦板潃锛歨ttp://x.x.x.x:port/private/remote_attestation锛屽叾涓瓁.x.x.x:port涓烘湇鍔″湴鍧€锛岀敤鎴峰彲浠ュ湪閰嶇疆閲屾寚瀹氥€�

## 闄勫綍鈥斺€旀帹鑽愮殑鏀寔闅愮鍚堢害鐨勬湇鍔″櫒CPU鍨嬪彿

| CPU搴忓垪鍙� | 鍨嬪彿鍙婃弿杩� | SGX Enclave鏈€澶ч鐣欏唴瀛�   |
| --- | --- | --- |
| 6354 | Ice Lake SP XCC Intel Xeon Gold 6345 18c 205W 3.0GHz | 64GB |
| 8360Y | Ice Lake SP XCC Intel Xeon Platinum 8360Y 36c 250W 2.4GHz | 64GB |
| 6348 | Ice Lake SP XCC Intel Xeon Gold 6348 28c 235W 2.6GHz | 64GB |
| 8380 | Ice Lake SP XCC Intel Xeon 8380 40c 270W 2.3GHz | 512GB |
| 8368 | Ice Lake SP XCC Intel Xeon Platinum 8368 38c 270W 2.4GHz | 512GB |
| 8368Q | Ice Lake SP XCC Intel Xeon Platinum 8368Q 38c 270W 2.6GHz (liquid cooled) | 512GB |
| 8358 | Ice Lake SP XCC Intel Xeon Platinum 8358 32c 250W 2.6GHz | 64GB |
| 8358P | Ice Lake SP XCC Intel Xeon Platinum 8358P 32c 240W 2.6GHz | 8GB |
| 8352V | Ice Lake SP XCC Intel Xeon Platinum 8352V 36c 195W 2.1GHz | 8GB |
| 8351N | Ice Lake SP XCC Intel Xeon Platinum 8351N 36c 225W 2.4GHz | 64GB |
| 6314U | Ice Lake SP XCC Intel Xeon Gold 6314U 32c 205W 2.3GHz | 64GB |
| 6338 | Ice Lake SP XCC Intel Xeon Gold 6338 32c 205W 2.0GHz | 64GB |
| 6338N | Ice Lake SP XCC Intel Xeon Gold 6338N 32c 185W 2.2GHz | 64GB |
| 8352Y | Ice Lake SP XCC Intel Xeon Platinum 8352Y 32c 205W 2.2GHz | 64GB |
| 8352S | Ice Lake SP XCC Intel Xeon Platinum 8352S 32c 205W 2.2GHz | 512GB |
| 6330 | Ice Lake SP XCC Intel Xeon Gold 6330 28c 205W 2.0GHz | 64GB |
| 6330N | Ice Lake SP XCC Intel Xeon Gold 6330N 28c 165W 2.2GHz | 64GB |
| 6346 | Ice Lake SP XCC Intel Xeon Gold 6346 16c 205W 3.1GHz | 64GB |