chore: download enclave sgxs if not provided

Author: ozwaldorf

.gitignore

@@ -12,3 +12,4 @@ target
 **.jpg
 **.png
 raw_data
+services/sgx/enclave.sgxs

Cargo.lock

@@ -4840,6 +4840,7 @@ dependencies = [
  "sgxs-loaders",
  "tokio",
  "tracing-subscriber",
+ "ureq",
  "url",
  "whoami",
 ]

flake.nix

@@ -214,6 +214,12 @@
             CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_RUSTFLAGS = " -Clink-arg=-fuse-ld=${pkgs.mold-wrapped}/bin/mold";
             CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_LINKER = "${pkgs.clang}/bin/clang";
             CARGO_TARGET_AARCH64_APPLE_DARWIN_LINKER = "${pkgs.clang}/bin/clang";
+
+            FN_ENCLAVE_SGXS = pkgs.fetchurl {
+              name = "enclave.sgxs";
+              url = "https://bafybeid37ogyu3ogfctq4ecqa3t3ozneegbkj3gswg3h6lxwx5gq5f4rdm.ipfs.flk-ipfs.xyz";
+              hash = "sha256-glOrKYZ4KzIEcr34XjW3jakudmx0DLN5TksRk2kH4S0=";
+            };
           };
 
           # Build *just* the cargo dependencies, so we can reuse all of that

services/sgx/Cargo.toml

@@ -38,6 +38,9 @@ sgx-isa = { version = "0.4.1", features = ["serde"]}
 whoami = "1.5.1"
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }
 
+[build-dependencies]
+ureq = "2.10"
+
 [[bin]]
 name = "fn-service-3"
 path = "src/bin.rs"

services/sgx/build.rs

@@ -7,10 +7,17 @@ const STACK_SIZE: &str = "0x1000000"; // 10 MiB
 /// Number of threads to support in enclave
 const THREADS: &str = "16";
 
+/// URL of latest enclave
+/// TODO: Also download mrsigner signature and get checksum
+const ENCLAVE_URL: &str =
+    "https://bafybeid37ogyu3ogfctq4ecqa3t3ozneegbkj3gswg3h6lxwx5gq5f4rdm.ipfs.flk-ipfs.xyz";
+
 fn main() {
     println!("cargo::rerun-if-changed=build.rs");
     println!("cargo::rerun-if-env-changed=FN_ENCLAVE_SOURCE");
+    println!("cargo::rerun-if-env-changed=FN_ENCLAVE_SGXS");
 
+    // Build from source
     if let Ok(path) = std::env::var("FN_ENCLAVE_SOURCE").map(PathBuf::from) {
         if !path.is_dir() {
             panic!("enclave source must be a directory")
@@ -56,5 +63,34 @@ fn main() {
         // copy new enclave into the project
         std::fs::copy(bin.with_extension("sgxs"), "./enclave.sgxs")
             .unwrap_or_else(|_| panic!("failed to copy enclave to output directory"));
+
+        return;
+    }
+
+    // Use precompiled enclave
+    if let Ok(path) = std::env::var("FN_ENCLAVE_SGXS").map(PathBuf::from) {
+        if !path.is_file() {
+            panic!("enclave must be a file");
+        }
+
+        println!("cargo::rerun-if-changed={}", path.to_string_lossy());
+        std::fs::copy(path, "./enclave.sgxs").expect("failed to copy provided enclave.sgx");
+
+        return;
+    }
+
+    // If enclave is not provided, fetch latest precompile from the specified url
+    if !PathBuf::from("./enclave.sgxs").is_file() {
+        let mut buf = Vec::new();
+        ureq::get(ENCLAVE_URL)
+            .send_bytes(&[])
+            .expect("failed to download enclave.sgxs")
+            .into_reader()
+            .read_to_end(&mut buf)
+            .expect("failed to download enclave.sgxs");
+
+        // TODO: verify checksum
+
+        std::fs::write("./enclave.sgxs", buf).expect("failed to write enclave.sgxs to disk");
     }
 }