This is supposed to make it so that view server does not get stuck on blocks that fog never promised to scan.

The main change is in the fog-view block tracker. To support the new idea, we make it not use ingestable ranges, but track ingress keys directly, and load blocks from database based on ingress key rather than ingest invocation id.

There are a couple additional places we try to unwind assumptions it was making like, every block leads to at least one ETxOutRecord, which isn't strictly speaking true. There is a code path in ingest enclave where a non-conforming client can send data that leads to no ETxOutRecord being produced, if the plaintext of encrypted fog hint isn't a valid ristretto.

Because it changes the DB API, a lot of unit tests need to be fixed up after this change. A bunch more need to be added for the new behavior as well.

This makes fog ingest include the encrypted memo in the TxOutRecord object. It then passes through fog view as usual. We also update the FogTxOut object to parse the memo out of the view response.

fog sample paykit is updated to both produce memos on new transactions, and parse memos from incoming transactions, and remember the last one or an error.

This uprevs mobilecoin submodule, and makes the android bindings and libmobilecoin able to build.

It installs a RTHMemoBuilder when those bindings create transaction builder, but it does not configure the RTHMemoBuilder, because we probably need to extend the bindings to do that properly.

It also gets all the tests passing

Still TODO:

• [x] Make sample paykit actually read the memos and expose this info in some basic way
• [x] Make fog test client confirm that the memos are working (if A sends to B then B got the right memo and so did A)

this commit attempts to make it so that ingest server updates the enclave report cache only when necessary

This is: (1) At least once before anything happens (2) Whenever the ingress key has changed (3) Whenever we notice that the report doesn't match the key we think we are publishing to the database.

Additionally, a background thread is created that updates it at least as frequently as consensus (18 hours)

Before this commit, we update it at least once per block.

There are some questions about whether DNS failures with looking for IAS were causing instability in the service. This commit doesn't speak directly to that, but it can't hurt to hit up IAS less often than we were doing.

This makes a second "mode" for fog-report-cli where it doesn't do any validation of the fog report response and just parses the data of interest out of it -- that is, the hex bytes of the fog ingress pubkey, and its pubkey expiry value.

This is useful because sometimes, when the system gets stuck, the users report "tombstone block exceeded" and it can be traced back to the pubkey expiry value in the fog report server.

It's also useful because it lets us quickly see the most recent fog ingress pubkey that has been published. If the active server dies, knowing the hex bytes of this key may help you figure out which backup to restart, if they have different keys.

Some pitfalls with this workflow, before this commit:

(1) You had to make a pubkey file which has all the right data, which requires going to another repo, building, and running a tool to generate keys, and then getting the artifacts to this repo and pointing this program at the keyfiles, which is cumbersome. In the new revision, you can specify fog url and SPKI as command-line args and skip the keyfile stuff. (2) If you don't download all the correct measurements and SPKI's for the network, and use that SPKI when you generate sample keys, the attestation check or the fog signature check will fail and it takes some time to work through this. If you are just trying to diagnose why a network is stopped, this is kind of a time suck. In the new revision, if there is no public address file and no spki provided, (only fog url), then we skip the normal validation pathway, and use the mc-attest-core types to parse the verification report (without validating it) and get the data of interest, without any possibility of failure due to IAS, attestation, certificate chains, and so on.

Ideally, there would be some kind of dashboard that can provide this and other information without relying on a cli, but this is a decent starting point, and may help us diagnose problems later.

Motivation

This brings forward the latest changes from the mobilecoin repository, including updates to aes-gcm, grpc, and mbedtls.

In this PR

• Uprev mobilecoin submodule
• Remove aes-gcm cargo.io patch
• Update sha2
• Add patch for cpufeatures + feature-selection usage to enclaves

This fixes a bug that exists today in fog ingest deployments. I thought this was only a minor issue because, it would wrongly add the peer listen uri to the list of peer uris, but then filter it out and not connect to it. But because the active server replicates its peer list onto the backups continuously, they will all end up with this uri in their list, and there is no configuration that will fix this. Additionally, a server won't be able to filter out it's own (real) URI that the peers have in their lists, because it doesn't filter by responder id before this commit.

• This adds configurable retries to postgres operations

Retries are added at the level of the SqlRecoveryDb object.

We also adjust some retry logic for fog ingest controller

• Redevelop previous per Eran's comment, to more systematically retry

This adds the retries at the level of the SqlRecoveryDb object to systematically apply retries to all postgres operations.

• fixup missing "should_retry()" calls

• fix clippy

This repository is no longer used, please rebase your PR against https://github.com/mobilecoinfoundation/mobilecoin.git.

Thanks!

Soundtrack of this PR: Pump it Up - Network(1984)

Motivation

< The motivation for the changes in this PR. "Currently we...", "This is needed because..." >

In this PR

• < Additions, removals, fixes, features >

< Ticket status, e.g. "fixes #issue number" >

Future Work

• < Out of scope non-goals for this PR >
• < These should be links to tickets. If the tickets do not exist, make them. >

Soundtrack of this PR: link to song that really fits the mood of this PR

Motivation

Currently the watcher database provides an API for getting block signatures and from there we can get timestamps for a block. However, sometimes the watcher fails or gets stuck. Both fog ingest and fog ledger have code for handling these errors and retries. Because the clients need a timestamp on every piece of data in order to function, failing to get a timestamp blocks the service, and immediately escalates to a P0 issue. We now have the code for getting the timestamps from the watcher in two places — in the fog-ingest worker thread and in the fog ledger worker thread, and specifically a function "get_watcher_timestamp" .https://github.com/mobilecoinfoundation/fog/blob/5a776bd027e1e2cc5f4717f4d4f8f56f30ae0585/fog/ingest/server/src/worker.rs#L151 that is duplicated in both places.

In this PR

It would be better to have a crate like "fog-timestamps" to provides this function, and reconcile any differences between the two versions, and test this. So that we know it works the same way everywhere, and this will make it easier to debug if fog gets blocked on this in production (which has happened before, and will happen again).

< Ticket status, e.g. "fixes #issue number" > https://app.asana.com/0/1200353042931237/1200688378834228/f

Future Work

• < Out of scope non-goals for this PR >
• < These should be links to tickets. If the tickets do not exist, make them. >

Bumps mobilecoin from 631b144 to 2940fa4.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

This updates TxOutRecord in a few ways:

• amount_compressed_commitment_data is now optional, and omitted except for backwards compat. (If backwards compat is not needed, then that field could be deleted entirely.)
• amount_compressed_commitment_data_crc32 is now present when that field is omitted. This is an IEEE crc32 of the omitted data.
• The sample paykit is updated so that it attempts to reconstruct the compressed commitment using the view private key. (This was koe's idea.) Then it checks the crc32 to confirm correct recomputation. This saves ~30 bytes in fog view, which we can use for the memo.
• A method is added to construct TxOutRecord more nicely, and then a bunch of test code and the enclave code is simplified.

Sometimes, we lose connection to the sql DB, and the report server write operation fails.

This should not be logged as an error because it's not actionable and errors get converted to sentry alerts.