Merge pull request #5054 from oasisprotocol/kostko/stable/22.2.x/back…

…port-multi [BACKPORT/22.2.x] Multiple backports
oasisprotocol · Nov 16, 2022 · f0a5a3b · f0a5a3b
2 parents b3e5523 + 6ab353c
commit f0a5a3b
Show file tree

Hide file tree

Showing 11 changed files with 294 additions and 44 deletions.
diff --git a/.changelog/5049.feature.md b/.changelog/5049.feature.md
@@ -0,0 +1 @@
+registry: Add MaxRuntimeDeployments parameter
diff --git a/.changelog/5053.bugfix.md b/.changelog/5053.bugfix.md
@@ -0,0 +1 @@
+runtime: Properly handle state root verification on backup nodes
diff --git a/go/oasis-node/cmd/debug/txsource/workload/governance.go b/go/oasis-node/cmd/debug/txsource/workload/governance.go
@@ -417,6 +417,9 @@ func (g *governanceWorkload) doChangeParametersProposal() error { // nolint: goc
 		if randBool() {
 			pc.TEEFeatures = &params.TEEFeatures
 		}
+		if randBool() {
+			pc.MaxRuntimeDeployments = &params.MaxRuntimeDeployments
+		}
 		shouldFail = pc.SanityCheck() != nil
 		module = registry.ModuleName
 		changes = cbor.Marshal(pc)

diff --git a/go/oasis-test-runner/scenario/e2e/e2e.go b/go/oasis-test-runner/scenario/e2e/e2e.go
@@ -466,7 +466,7 @@ func RegisterScenarios() error {
 		// Node upgrade tests.
 		NodeUpgradeDummy,
 		NodeUpgradeMaxAllowances,
-		NodeUpgradeV61,
+		NodeUpgradeV62,
 		NodeUpgradeEmpty,
 		NodeUpgradeCancel,
 		// Debonding entries from genesis test.

diff --git a/go/oasis-test-runner/scenario/e2e/upgrade.go b/go/oasis-test-runner/scenario/e2e/upgrade.go
@@ -80,13 +80,13 @@ func (n *noOpUpgradeChecker) PostUpgradeFn(ctx context.Context, ctrl *oasis.Cont
 	return nil
 }
 
-type upgradeV61Checker struct{}
+type upgradeV62Checker struct{}
 
-func (n *upgradeV61Checker) PreUpgradeFn(ctx context.Context, ctrl *oasis.Controller) error {
+func (n *upgradeV62Checker) PreUpgradeFn(ctx context.Context, ctrl *oasis.Controller) error {
 	return nil
 }
 
-func (n *upgradeV61Checker) PostUpgradeFn(ctx context.Context, ctrl *oasis.Controller) error {
+func (n *upgradeV62Checker) PostUpgradeFn(ctx context.Context, ctrl *oasis.Controller) error {
 	// Check updated registry parameters.
 	registryParams, err := ctrl.Registry.ConsensusParameters(ctx, consensus.HeightLatest)
 	if err != nil {
@@ -110,6 +110,9 @@ func (n *upgradeV61Checker) PostUpgradeFn(ctx context.Context, ctrl *oasis.Contr
 	if registryParams.GasCosts[registry.GasOpProveFreshness] != registry.DefaultGasCosts[registry.GasOpProveFreshness] {
 		return fmt.Errorf("default gas cost for freshness proofs is not set")
 	}
+	if registryParams.MaxRuntimeDeployments != 5 {
+		return fmt.Errorf("maximum number of runtime deployments is not set correctly")
+	}
 
 	// Check updated governance parameters.
 	govParams, err := ctrl.Governance.ConsensusParameters(ctx, consensus.HeightLatest)
@@ -128,8 +131,8 @@ var (
 	NodeUpgradeDummy scenario.Scenario = newNodeUpgradeImpl(migrations.DummyUpgradeHandler, &dummyUpgradeChecker{})
 	// NodeUpgradeMaxAllowances is the node upgrade max allowances scenario.
 	NodeUpgradeMaxAllowances scenario.Scenario = newNodeUpgradeImpl(migrations.ConsensusMaxAllowances16Handler, &noOpUpgradeChecker{})
-	// NodeUpgradeV61 is the node consensus V61 migration scenario.
-	NodeUpgradeV61 scenario.Scenario = newNodeUpgradeImpl(migrations.ConsensusV61, &upgradeV61Checker{})
+	// NodeUpgradeV62 is the node consensus V61 migration scenario.
+	NodeUpgradeV62 scenario.Scenario = newNodeUpgradeImpl(migrations.ConsensusV62, &upgradeV62Checker{})
 	// NodeUpgradeEmpty is the empty node upgrade scenario.
 	NodeUpgradeEmpty scenario.Scenario = newNodeUpgradeImpl(migrations.EmptyHandler, &noOpUpgradeChecker{})
 

diff --git a/go/registry/api/api.go b/go/registry/api/api.go
@@ -1132,7 +1132,7 @@ func VerifyRuntime( // nolint: gocyclo
 
 	// Validate the deployments.  This also handles validating that the
 	// appropriate TEE configuration is present in each deployment.
-	if err := rt.ValidateDeployments(now, params.TEEFeatures); err != nil {
+	if err := rt.ValidateDeployments(now, params); err != nil {
 		logger.Error("RegisterRuntime: invalid deployments",
 			"runtime_id", rt.ID,
 			"err", err,
@@ -1301,7 +1301,7 @@ func VerifyRuntimeUpdate(
 
 	// Validate the deployments.
 	activeDeployment := currentRt.ActiveDeployment(now)
-	if err := currentRt.ValidateDeployments(now, params.TEEFeatures); err != nil {
+	if err := currentRt.ValidateDeployments(now, params); err != nil {
 		// Invariant violation, this should NEVER happen.
 		logger.Error("RegisterRuntime: malformed deployments present in state",
 			"runtime_id", currentRt.ID,
@@ -1315,7 +1315,7 @@ func VerifyRuntimeUpdate(
 	}
 
 	newActiveDeployment := newRt.ActiveDeployment(now)
-	if err := newRt.ValidateDeployments(now, params.TEEFeatures); err != nil {
+	if err := newRt.ValidateDeployments(now, params); err != nil {
 		logger.Error("RegisterRuntime: malformed deployments",
 			"runtime_id", currentRt.ID,
 			"err", err,
@@ -1443,6 +1443,9 @@ type ConsensusParameters struct {
 
 	// TEEFeatures contains the configuration of supported TEE features.
 	TEEFeatures *node.TEEFeatures `json:"tee_features,omitempty"`
+
+	// MaxRuntimeDeployments is the maximum number of runtime deployments.
+	MaxRuntimeDeployments uint8 `json:"max_runtime_deployments,omitempty"`
 }
 
 // ConsensusParameterChanges are allowed registry consensus parameter changes.
@@ -1464,6 +1467,9 @@ type ConsensusParameterChanges struct {
 
 	// TEEFeatures are the new TEE features.
 	TEEFeatures **node.TEEFeatures `json:"tee_features,omitempty"`
+
+	// MaxRuntimeDeployments is the new maximum number of runtime deployments.
+	MaxRuntimeDeployments *uint8 `json:"max_runtime_deployments,omitempty"`
 }
 
 // Apply applies changes to the given consensus parameters.
@@ -1486,6 +1492,9 @@ func (c *ConsensusParameterChanges) Apply(params *ConsensusParameters) error {
 	if c.TEEFeatures != nil {
 		params.TEEFeatures = *c.TEEFeatures
 	}
+	if c.MaxRuntimeDeployments != nil {
+		params.MaxRuntimeDeployments = *c.MaxRuntimeDeployments
+	}
 	return nil
 }
 

diff --git a/go/registry/api/runtime.go b/go/registry/api/runtime.go
@@ -522,24 +522,22 @@ func (r *Runtime) DeploymentForVersion(v version.Version) *VersionInfo {
 
 // ValidateDeployments validates a runtime descriptor's Deployments field
 // at the specified epoch.
-func (r *Runtime) ValidateDeployments(now beacon.EpochTime, teeCfg *node.TEEFeatures) error {
+func (r *Runtime) ValidateDeployments(now beacon.EpochTime, params *ConsensusParameters) error {
 	// The runtime descriptor's deployments field is considered valid
 	// if:
 	//  * There is at least one entry present.
 	//  * All of the entries are well-formed.
-	//  * There is at most 2 entries:
-	//     * One expired, one active
-	//     * One active
-	//     * One active, one future
-	//    While it is possible to express expired/active/future
-	//    this is disallowed, and the expired descriptor must
-	//    be pruned to deploy an upgrade.
+	//  * There is at most max(2, params.MaxRuntimeDeployments) entries:
 	//  * The versions field increases as versions are deployed.
 
 	if len(r.Deployments) == 0 {
 		return fmt.Errorf("%w: no deployments", ErrInvalidArgument)
 	}
-	if len(r.Deployments) > 2 {
+	maxRuntimeDeployments := uint8(2) // We must allow at least two deployments.
+	if params.MaxRuntimeDeployments > maxRuntimeDeployments {
+		maxRuntimeDeployments = params.MaxRuntimeDeployments
+	}
+	if len(r.Deployments) > int(maxRuntimeDeployments) {
 		return fmt.Errorf("%w: too many deployments", ErrInvalidArgument)
 	}
 	// Ensure no nil deployments.
@@ -592,7 +590,7 @@ func (r *Runtime) ValidateDeployments(now beacon.EpochTime, teeCfg *node.TEEFeat
 			if err := cbor.Unmarshal(deployment.TEE, &cs); err != nil {
 				return fmt.Errorf("%w: invalid SGX TEE constraints", ErrInvalidArgument)
 			}
-			if err := cs.ValidateBasic(teeCfg); err != nil {
+			if err := cs.ValidateBasic(params.TEEFeatures); err != nil {
 				return fmt.Errorf("%w: invalid SGX TEE constraints", ErrInvalidArgument)
 			}
 			if len(cs.Enclaves) == 0 {