Fixes and update readme

base · Feb 17, 2025 · ffeeb30 · ffeeb30
1 parent 5f20a66
commit ffeeb30
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 5 deletions.
diff --git a/op-enclave/pcr0-extractor/Dockerfile b/op-enclave/pcr0-extractor/Dockerfile
@@ -37,7 +37,8 @@ FROM amazonlinux:2
 RUN amazon-linux-extras enable aws-nitro-enclaves-cli && \
     yum clean metadata && \
     yum update -y && \
-    yum install -y aws-nitro-enclaves-cli aws-nitro-enclaves-cli-devel jq
+    yum install -y aws-nitro-enclaves-cli aws-nitro-enclaves-cli-devel jq && \
+    yum clean all
 
 COPY --from=op-enclave /app/bundle/rootfs/build/eif.bin /app/eif.bin
 COPY extract-pcr0.sh /extract-pcr0.sh

diff --git a/op-enclave/pcr0-extractor/README.md b/op-enclave/pcr0-extractor/README.md
@@ -6,12 +6,13 @@ This tool extracts the PCR0 measurement from an op-enclave EIF (Enclave Image Fo
 
 - Docker installed on your system
 - Access to the op-enclave container registry
+- [cast](https://book.getfoundry.sh/cast/) (for contract verification)
 
 ## Building and Running
 
 1. Build the PCR0 extractor container:
 ```bash
-docker build -f Dockerfile -t pcr0-extractor .
+docker build -t pcr0-extractor .
 ```
 
 2. Run the container to extract the PCR0:
@@ -23,15 +24,28 @@ The tool will:
 1. Download the specified op-enclave EIF
 2. Extract it using AWS Nitro CLI tools
 3. Output the PCR0 measurement
+4. Generate a cast command to verify the PCR0 against the SystemConfigGlobal contract
+
+## Verifying PCR0 Against SystemConfigGlobal Contract
+
+The tool will output a `cast` command that you can use to verify if the PCR0 is registered in the SystemConfigGlobal contract. The command will look like:
+
+```bash
+export SYSTEM_CONFIG_GLOBAL_ADDRESS=<contract_address>
+cast call $SYSTEM_CONFIG_GLOBAL_ADDRESS 'validPCR0s(bytes32)' <keccak256_hash_of_pcr0>
+```
+
+Note that the contract stores the keccak256 hash of the PCR0 value, not the raw PCR0 measurement. The tool automatically converts the PCR0 to the correct format for verification.
 
 ## How it Works
 
 The tool uses a multi-stage Docker build to:
 1. Build required tools (skopeo and umoci)
 2. Download and extract the op-enclave EIF
 3. Use AWS Nitro CLI tools to extract the PCR0 measurement
+4. Convert the PCR0 to a keccak256 hash for contract verification
 
-The output will be a hex string representing the PCR0 measurement of the enclave.
+The output will include both the raw PCR0 measurement and instructions for verifying it against the contract.
 
 ## Note
 

diff --git a/op-enclave/pcr0-extractor/extract-pcr0.sh b/op-enclave/pcr0-extractor/extract-pcr0.sh
@@ -1,10 +1,20 @@
 #!/bin/bash
-set -x
 
 echo "Starting PCR0 extraction..."
 echo "Checking if EIF file exists:"
 ls -l /app/eif.bin
 
 echo "Command used: nitro-cli describe-eif --eif-path /app/eif.bin"
 echo "PCR0 measurement:"
-nitro-cli describe-eif --eif-path /app/eif.bin | tee /dev/stderr | jq -r ".Measurements.PCR0"
+PCR0=$(nitro-cli describe-eif --eif-path /app/eif.bin | tee /dev/stderr | jq -r ".Measurements.PCR0")
+PCR0_WITH_PREFIX="0x${PCR0}"
+
+echo -e "\nTo verify against SystemConfigGlobal contract, run:"
+echo "# First set your environment variables:"
+echo "export SYSTEM_CONFIG_GLOBAL_ADDRESS=<contract_address>"
+echo "export RPC_URL=<rpc_url>"
+echo -e "\n# Then run these commands to verify:"
+echo "# To register a new PCR0 (requires owner access):"
+echo "cast send \$SYSTEM_CONFIG_GLOBAL_ADDRESS 'registerPCR0(bytes)' ${PCR0_WITH_PREFIX} --rpc-url \$RPC_URL"
+echo -e "\n# To check if a PCR0 is valid:"
+echo "cast call \$SYSTEM_CONFIG_GLOBAL_ADDRESS 'validPCR0s(bytes32)' \$(cast keccak ${PCR0_WITH_PREFIX}) --rpc-url \$RPC_URL"