TAIKO (HEKLA TestNet)

https://github.com/taikoxyz/raiko/blob/taiko/unstable/README_Docker_and_RA.md

INSTALL SIMPLE TAIKO NODE

How to remove Taiko Katla docker

docker compose down --remove-orphans -v then do below to verify

docker ps -a | grep taiko --> this must be empty which is good

docker volume ls

then follow installation steps for Taiko docker for Hekla (do not use STN, use simple-taiko steps)

git clone https://github.com/taikoxyz/simple-taiko-node.git

cd simple-taiko-node

UPDATE .env file (fill up L1 endpoints rpc/ws/beacon and update the prover/proposer pvt keys and RECIPIENT

root@OVHBareMetal:~/simple-taiko-node# diff .env .env.sample | grep '<' L1_ENDPOINT_HTTP=https://ethereum-holesky-rpc.publicnode.com L1_ENDPOINT_WS=wss://ethereum-holesky-rpc.publicnode.com L1_BEACON_HTTP=https://ethereum-holesky-beacon-api.publicnode.com

ENABLE_PROVER=true (Initially set this as false and allow simple taiko node/proposer to sync 100%)

SGX_RAIKO_HOST=http://141.95.169.119:8080 [replace with your own RAIKO host] L1_PROVER_PRIVATE_KEY=dfe035884844b88b19XXXXXXXXXXXX

TOKEN_ALLOWANCE=250

TX_GAS_LIMIT=3000000000

ENABLE_PROPOSER=true

L1_PROPOSER_PRIVATE_KEY=9125dbab06f560546688bXXXXXXXXX L2_SUGGESTED_FEE_RECIPIENT=0xb8a8d16fd883C7624b393c7D2F30ba0e202c8ED1 [replace with your own BURNER WALLET]

BLOCK_PROPOSAL_FEE=10

You can refer to the latest list of PROVER ENDPOINTS HERE ---> https://dojonode.xyz/tatami

PROVER_ENDPOINTS=http://http://141.95.169.119/:9876,http://hekla.prover.taiko.coinblitz.pro:9876,http://taiko-testnet.m51nodes.xyz:9876,http://148.113.16.26:9876,http://51.161.118.103:9876,http://162.19.98.173:9876,http://49.13.215.95:9876,http://49.13.143.184:9876,http://49.13.210.192:9876,http://159.69.242.22:9876,http://49.13.69.238:9876,http://taiko.guru:9876,http://taiko.donkamote.xyz:9876,http://taiko.web3crypt.net:9876,http://kenz-prover.hekla.kzvn.xyz:9876,http://hekla.stonemac65.xyz:9876,http://51.91.70.42:9876,http://146.59.55.26:9876,https://prover-hekla.taiko.tools,https://prover2-hekla.taiko.tools,http://taiko-a7-prover.zkpool.io,http://198.244.201.79:9876

INITIAL SETUP MUST BE ENABLE_PROVER=false, we can ENABLE PROVER AFTER WE INSTALLED RAIKO PROVER SETUP

---> PROPOSER + PROVER (REMOVE PROMETHEUS and GRAFANA docker when installing on a NODE with LAVA VALIDATOR as conflicts on port 6060/9090/9091)

docker compose up taiko_client_proposer taiko_client_driver l2_execution_engine taiko_client_prover_relayer prometheus grafana -d ---> PROPOSER ONLY (REMOVE PROMETHEUS and GRAFANA docker when installing on a NODE with LAVA VALIDATOR as conflicts on port 9090/9091)

docker compose up taiko_client_proposer taiko_client_driver l2_execution_engine prometheus grafana -d

To verify if the taiko hekla docker containers are properly installed...

docker ps -a | grep taiko --> this must have values

To check the logs from taiko docker containers

docker compose logs -f taiko_client_proposer taiko_client_driver l2_execution_engine taiko_client_prover_relayer prometheus grafana | egrep -i 'sync|error' --> this is for PROVERS

docker compose logs -f taiko_client_proposer taiko_client_driver l2_execution_engine | egrep -i 'sync|error' --> this is for PROPOSERS

*****ALLOW TAIKO NODE PROPOSER TO REACH 100% SYNC*****

SUBSCRIBE to INTEL PCS SERVICE (you need the primary api key/password later in PCCS steps)

https://www.intel.com/content/www/us/en/developer/articles/guide/intel-software-guard-extensions-data-center-attestation-primitives-quick-install-guide.html

https://www.intel.com/content/www/us/en/developer/articles/guide/intel-software-guard-extensions-data-center-attestation-primitives-quick-install-guide.html -> REGISTER TO INTEL PCS SUBSCRIPTION BEFORE PROCEEDING TO STEPS BELOW!!!

$ sudo su

# echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' > /etc/apt/sources.list.d/intel-sgx.list

# wget -O - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | apt-key add -

# apt update

INSTALL PCKRETRIEVAL TOOL

cd /tmp

mkdir PCK

cd PCK

wget wget https://download.01.org/intel-sgx/latest/dcap-latest/linux/tools/SGXCertRetrievalTool/ubuntu20.04-server/PCKIDRetrievalTool_v1.14.100.3.tar.gz

tar -zxvf PCKIDRetrievalTool_v1.14.100.3.tar.gz

cd PCKIDRetrievalTool_v1.14.100.3

Run the following command:

./PCKIDRetrievalTool

ls -lart pckid_retrieval.csv

cat pckid_retrieval.csv

PCKIDRetrievalTool If successful (SHOULD NOT ASK FOR PCS PASSWORD), it should generate a pckid_retrieval.csv. This is a csv string which consists of:

1. EncryptedPPID(384 BE byte array)

2. PCE_ID(LE 16 bit integer)

3. CPUSVN(16 byte BE byte array)

4. PCE ISVSVN (LE 16 bit integer)

5. QE_ID (16 byte BE byte array) You will need this info to retrieve your FMSPC.

Query Intel's API to get your machine's FMSPC curl -v "https://api.trustedservices.intel.com/sgx/certification/v4/pckcert?encrypted_ppid={}&cpusvn={}&pcesvn={}&pceid={}" -H "Ocp-Apim-Subscription-Key:{YOUR_API_KEY}" -> this API KEY is the API Intel PCS subscription which you subscribed initially.

Replace the curly braces in the above command with the values acquired from pckid_retrieval.csv and YOUR_API_KEY with your API key from subsribing to Intel's PCS Service.

Currently Supported FMSPCs:

00606A000000

00A067110000 --> Intel Xeon 2386G

00906ED50000

MAKE SURE YOU HAVE INSTALLED GIT DOCKER and GRAMINE

Install GRAMINE for Ubuntu 22.0.4

sudo curl -fsSLo /usr/share/keyrings/gramine-keyring.gpg https://packages.gramineproject.io/gramine-keyring.gpg echo "deb [arch=amd64 signed-by=/usr/share/keyrings/gramine-keyring.gpg] https://packages.gramineproject.io/ $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/gramine.list

sudo curl -fsSLo /usr/share/keyrings/intel-sgx-deb.asc https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx-deb.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/intel-sgx.list

sudo apt-get update sudo apt-get install gramine

INSTALL RAIKO DOCKER

sudo apt-get update && sudo apt-get install -y build-essential wget python-is-python3 debhelper zip libcurl4-openssl-dev pkgconf libboost-dev libboost-system-dev libboost-thread-dev protobuf-c-compiler libprotobuf-c-dev protobuf-compiler

Install and Configure PCCS

Generate certificate first for PCCS https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/main/QuoteGeneration/pccs/container#2-generate-certificates-to-use-with-pccs -> DO NOT PERFORM THIS, FOLLOW THE STEPS BELOW!!!

mkdir -p ~/pccs_tls

cd ~/pccs_tls

openssl genrsa -out private.pem 2048

openssl req -new -key private.pem -out csr.pem --> YOU CAN CHOOSE ANY PASSWORD, REMEMBER YOUR CHALLENGE PASSWORD!!!!

openssl x509 -req -days 365 -in csr.pem -signkey private.pem -out file.crt

rm -rf csr.pem --> PERFORMED, DELETED

chmod 644 ~/pccs_tls/*

mkdir ~/.config

mkdir ~/.config/sgx-pccs

cd ~/.config/sgx-pccs

openssl genrsa -out private.pem 2048

ls -lart # to verify if the private.pem was created

chmod 644 private.pem # Docker container needs access

openssl req -new -key private.pem -out csr.pem

openssl x509 -req -days 365 -in csr.pem -signkey private.pem -out file.crt

rm csr.pem

INSTALL NODEJS version 20

https://nodejs.org/en/download/package-manager

installs NVM (Node Version Manager)

curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash

download and install Node.js

nvm install 20

verifies the right Node.js version is in the environment

node -v # should print v20.12.2

verifies the right NPM version is in the environment

npm -v # should print 10.5.0

apt install sgx-dcap-pccs --> EVEN IF THIS FAILS, JUST IGNORE!! WHAT IS IMPORTANT HERE IS THE BASELINE DEFAULT.JSON FILE

cd ~/.config/sgx-pccs

cp /opt/intel/sgx-dcap-pccs/config/default.json .

Make sure you've copied the default.json into the .config/sgx-pccs directory you created earlier. The raiko container will mount this as a volume. After copying the file, open it for editing and fill in the below listed parameters as recommended by Intel's manual:

• ApiKey: The PCCS uses this API key to request collaterals from Intel's Provisioning Certificate Service. User needs to subscribe first to obtain an API key. Use either the primary or secondary key you obtained from the previous step Subscribing to Intel PCS Service.

• UserTokenHash: SHA512 hash of the user token for the PCCS client user to register a platform. For example, PCK Cert ID retrieval tool will use the user token to send platform information to PCCS. (echo -n "user_password" | sha512sum | tr -d '[:space:]-').

• AdminTokenHash: SHA512 hash of the administrator token for the PCCS administrator to perform a manual refresh of cached artifacts (echo -n "admin_password" | sha512sum | tr -d '[:space:]-').

• hosts: replace it with "0.0.0.0".

Ensure docker can use it by modifying permissions to the file:

chmod 644 default.json

1. Make some directories to prevent errors

mkdir ~/.config/raiko
mkdir ~/.config/raiko/config
mkdir ~/.config/raiko/secrets

1. Now, clone raiko and check out the taiko/alpha-7 branch and navigate to the docker folder. From here you can build the docker images that we will be using.

git clone -b taiko/alpha-7 https://github.com/taikoxyz/raiko.git
cd raiko/docker
docker compose build

NOTE: This step will take some time, sometimes ~5 minutes.

1. Check that the images have been built

docker image ls

You should see at least two images, gcr.io/evmchain/raiko and gcr.io/evmchain/pccs.

1. If both are present, bootstrap Raiko with the following command:

docker compose up init

If everything is configured correctly, raiko-init should run without errors and generate a bootstrap.json. Check that it exists with the following command:

cat ~/.config/raiko/config/bootstrap.json

It should look something like this:

{
  "public_key": "0x0319c008667385c53cc66202eb961c624481f7317bff679d2f3c7571e06e4d9877",
  "new_instance": "0x768691497b3e5de5c5b7a8bd5e0910eba0672992",
  "quote": "03000200000000000a....................................000f00939a7"
}

You've now prepared your machine for running Raiko through Docker. Now, you need to perform On-Chain Remote Attestation to recieve TTKOh and begin proving for Taiko!

On-Chain RA

1. Clone taiko-mono and navigate to the scripts

git clone https://github.com/taikoxyz/taiko-mono.git
cd taiko-mono/packages/protocol

1. Install pnpm and foundry so that you can install dependencies for taiko-mono.

curl -fsSL https://get.pnpm.io/install.sh | sh -
curl -L https://foundry.paradigm.xyz | bash
source ~/.bashrc
foundryup

Once you have installed them, run the following:

pnpm install
pnpm compile

1. Prepare your prover's private key

export PRIVATE_KEY={PROVER_PRIVATE_KEY} 

1. Ensure the values in the script/config_dcap_sgx_verifier.sh script match

SGX_VERIFIER_ADDRESS=0x532EFBf6D62720D0B2a2Bb9d11066E8588cAE6D9 ATTESTATION_ADDRESS=0xC6cD3878Fc56F2b2BaB0769C580fc230A95e1398 PEM_CERTCHAIN_ADDRESS=0x08d7865e7F534d743Aba5874A9AD04bcB223a92E

1. If you've followed the Raiko Docker guide, you will have bootstrapped raiko and obtained a quote:

"public_key": "0x02ab85f14dcdc93832f4bb9b40ad908a5becb840d36f64d21645550ba4a2b28892",
"new_instance": "0xc369eedf4c69cacceda551390576ead2383e6f9e",
"quote": "0x030002......f00939a7233f79c4ca......9434154452d2d2d2d2d0a00"

Take that quote and replace V3_QUOTE_BYTES in the script/config_dcap_sgx_verifier.sh script.

1. In the script/config_dcap_sgx_verifier.sh script, replace --fork-url https://any-holesky-rpc-url/ with any Holesky RPC URL.

2. Call the script with ./script/config_dcap_sgx_verifier.sh.

NOTE: If you already have QE/TCB/Enclave already configured you can change export TASK_ENABLE="1,1,1,1,1" to export TASK_ENABLE="0,0,0,0,1" to only register the SGX instance.

1. If you've been successful, you will get a SGX instance id which can be used to run Raiko!

It should look like this:

emit InstanceAdded(id: 1, instance: 0xc369eedf4C69CacceDa551390576EAd2383E6f9E, replaced: 0x0000000000000000000000000000000000000000, validSince: 1708704201 [1.708e9])

Running Raiko

Once you've completed the above steps, you can actually run a prover. Your SGX_INSTANCE_ID is the one emitted in the InstanceAdded event above.

cd ~/raiko/docker
export SGX_INSTANCE_ID={YOUR_INSTANCE_ID}
docker compose up raiko -d

If everything is working, you should see something like the following when executing docker compose logs raiko:

Start config:
Object {
    "address": String("0.0.0.0:8080"),
    "cache_path": Null,
    "concurrency_limit": Number(16),
    "config_path": String("/etc/raiko/config.sgx.json"),
    "log_level": String("info"),
    "log_path": Null,
    "max_log": Number(7),
    "network": String("taiko_a7"),
    "sgx": Object {
        "instance_id": Number(19), <--- sgx instance id
    },
}
Args:
Opt {
    address: "0.0.0.0:8080",
    concurrency_limit: 16,
    log_path: None,
    max_log: 7,
    config_path: "/etc/raiko/config.sgx.json",
    cache_path: None,
    log_level: "info",
}
2024-04-18T12:50:09.400319Z  INFO raiko_host::server: Listening on http://0.0.0.0:8080

CORRECT COMMAND BELOW WHEN REGISTERING TAIKO SGX instance

PRIVATE_KEY=0xdfe035884844b88b1919607cc87a94b5690a9aXXXXXXXXXXXXXXX ./script/config_dcap_sgx_verifier.sh --quote (GET THIS FROM cat ~/.config/raiko/config/bootstrap.json)

SAMPLE CORRECT EXECUTION OF ABOVE COMMAND...

REMEMBER TO SAVE THE TX HASH and INSTANCE ID!!!!

VERIFY IF PROVER NODE IS RUNNING PROPERLY

curl --location 'http://localhost:8080' --header 'Content-Type: application/json' --data '{ "jsonrpc": "2.0", "method": "proof", "params": [ { "proof_type": "sgx", "block_number": 31991, "rpc": "https://rpc.hekla.taiko.xyz/", "l1_rpc": "https://ethereum-holesky-rpc.publicnode.com", "beacon_rpc": "http://unstable.holesky.beacon-api.nimbus.team/", "prover": "0x7b399987d24fc5951f3e94a4cb16e87414bf2229", "graffiti": "0x0000000000000000000000000000000000000000000000000000000000000000", "sgx": { "setup": false, "bootstrap": false, "prove": true } } ], "id": 0 }'

Sample Expected result on below image...

UPDATE .env file to enable PROVER

ENABLE_PROVER=true

source.env

RESTART DOCKER TO BRING UP PROVER SERVICES

TO STOP and START DOCKER...

cd ~/simple-taiko-node/

docker compose down taiko_client_proposer taiko_client_driver l2_execution_engine taiko_client_prover_relayer prometheus grafana && docker compose up taiko_client_proposer taiko_client_driver l2_execution_engine taiko_client_prover_relayer prometheus grafana -d

docker compose down taiko_client_proposer taiko_client_driver l2_execution_engine prometheus grafana && docker compose up taiko_client_proposer taiko_client_driver l2_execution_engine prometheus grafana -d

docker ps -a | grep taiko

TO RESTART RAIKO/PCCS

cd ~/raiko/docker

docker compose down raiko pccs && docker compose up raiko pccs -d