Private payments for mobile devices.

Overview

Testing your first payment

  • Please see TESTNET.md for instructions on participating in the TestNet!

Sending your first payment

Note to Developers

  • MobileCoin is a prototype. Expect substantial changes before the release.
  • Please see CONTRIBUTING.md for notes on contributing bug reports and code.

MobileCoin

MobileCoin is a privacy-preserving payments network designed for use on mobile devices.

Table of Contents

License

MobileCoin is available under open-source licenses. Look for the LICENSE file in each crate for more information.

Cryptography Notice

This distribution includes cryptographic software. Your country may have restrictions on the use of encryption software. Please check your country's laws before downloading or using this software.

Repository Structure

Directory Description
android-bindings Android bindings exposing primitives to build Fog-enabled MobileCoin clients
attest Remote attestation primitives.
build-info Measurements made at compile time.
common Items shared across MobileCoin crates.
consensus Byzantine Fault Tolerant Consensus.
crypto Cryptography.
enclave-boundary Intel® SGX ECALL infrastructure.
fog Private payments for mobile devices
ledger Storage and synchronization for the MobileCoin blockchain.
libmobilecoin A C-library exposing primitives to build Fog-enabled MobileCoin clients
mcbuild Tools for building and signing enclaves.
mcconnection Attested MobileCoin connections.
mobilecoind Blockchain daemon and example client code.
peers Peer-to-peer networking.
sgx Support for Intel® Software Guard eXtensions (Intel SGX).
transaction Private transactions.
util Miscellaneous utilities.

Selected Binaries

Target Description Used by...
consensus-service Validates new transactions for the public ledger. Validator Nodes
ledger-distribution Publishes the ledger to long-term storage. Full Validator Nodes
mobilecoind Synchronizes the ledger and provides the desktop API. Watcher and Validator Nodes

Build Instructions

The workspace can be built with cargo build and tested with cargo test. Either command will recognize the cargo --release flag to build with optimizations.

Some crates (for example consensus-service) depend on Intel SGX, which adds additional build and runtime requirements. For detailed information about setting up a build environment, how enclaves are built, and on configuring the build, see BUILD.md.

For a quick start, you can build in the same docker image that we use for CI, using the mob tool. Note that this requires you to install Docker. You can use the mob tool with the following commands:

# From the root of the cloned repository
./mob prompt

# At the resulting docker container prompt
cargo build

Overview

MobileCoin is a payment network with no central authority. The fundamental goal of the network is to safely and efficiently enable the exchange of value, represented as fractional ownership of the total value of the network. Like most cryptocurrencies, MobileCoin maintains a permanent and immutable record of all successfully completed payments in a blockchain data structure. Cryptography is used extensively to establish ownership, control transfers, and to preserve cash-like privacy for users.

Here we review a few design concepts that are essential for understanding the software.

Transactions

The MobileCoin blockchain is the source of truth for the allocation of value. It consists of an ordered collection of transaction outputs, organized into blocks. Each transaction output ("txo") has a unique corresponding construction called a key image. Every txo initially appears in the blockchain in a spendable state, as an unspent transaction output or utxo. Every successful payment consumes some utxos as inputs and creates new utxos as outputs. When a utxo is consumed, its corresponding key image is permanently added to the blockchain, ensuring that it can not be spent a second time.

The total value of the MobileCoin network is fixed by convention at a sum of 250 million mobilecoins. Each mobilecoin consists of 1012 indivisible parts, each referred to as one picomob. Each utxo represents an integer number of picomob that can be consumed in a valid payment.

Ownership of a utxo in the MobileCoin network is equivalent to knowledge of two private keys, called the spend private key and the view private key, that provision control over discovery and transfer of value. Most users will derive these two private key values from a single underlying key we call the root entropy.

To receive a payment, a user must calculate the two public key values corresponding to their private keys to share with their counter-party. MobileCoin specifies a standard encoding scheme using a base-58 symbol library for users to safely exchange payment information.

For more information on how transactions work, and how they use CrytpoNote-style transactions to preserve privacy of both the sender and receiver, see the transaction crate.

To understand the blockchain format and storage, see the ledger_db crate.

Consensus

New transactions must be checked for attempts to counterfeit value before new key images and utxos can be added to the MobileCoin blockchain. Transactions are prepared by the user on their local computer or mobile device, and submitted to a secure enclave running on a validator node of their choice. The validator node checks the transaction and, assuming it believes the transaction is valid, shares it with other nodes in the MobileCoin network. The transaction is passed only to peer secure enclaves that can establish via remote attestation that they are running unmodified MobileCoin software on an authentic Intel processor. Each secure enclave replicates a state machine that adds valid transactions to the ledger in a deterministic order using a consensus algorithm called the MobileCoin Consensus Protocol.

The MobileCoin Consensus Protocol is a high-performance solution to the byzantine agreement problem that allows new payments to be rapidly confirmed. The consensus-service target binary uses Intel Software Guard eXtensions (Intel SGX) to provide defense-in-depth improvements to privacy and trust.

To learn how MobileCoin uses Intel SGX to provide integrity in Byzantine Fault Tolerant (BFT) consensus as well as forward secrecy to secure your privacy, see the consensus/enclave crate. To build and run consensus, see the consensus/service crate.

Full validator nodes additionally use the ledger-distribution target binary to publish a copy of their computed blockchain to content delivery networks (currently to Amazon S3 only). The public blockchain is a zero-knowledge data structure that consists only of utxos, key images and block metadata used to ensure consistency and to construct Merkle proofs. To build and run ledger distribution, see the ledger/distribution crate.

Watcher nodes perform an essential role in the MobileCoin network by verifying the signatures that the full validator nodes attach to each block. In this way the watcher nodes continuously monitor the integrity of the decentralized MobileCoin network. A watcher node also maintains a complete local copy of the blockchain and provides an API for wallet or exchange clients.

To run a watcher node, build and run the mobilecoind daemon.

FAQ

  1. What is the impact of an Intel SGX compromise on transaction privacy?

    Secure enclaves can provide improved integrity and confidentiality while functioning as intended. Like most complex new technologies, we should anticipate that design flaws will inevitably be discovered. Several side channel attacks against secrets protected by Intel SGX have been published, and subsequently patched or otherwise mitigated. MobileCoin is designed to provide "defense in depth" in the event of an attack based on a secure enclave exploit. MobileCoin transactions use CryptoNote technology to ensure that, even in the clear, the recipient is concealed with a one-time address, the sender is concealed in a ring signature, and the amounts are concealed with Ring Confidential Transactions (RingCT).

    In the event of an Intel SGX compromise, the attacker's view of the ledger inside the enclave would still be protected by both ring signatures and one-time addresses, and amounts would remain concealed with RingCT. These privacy protection mechanisms leave open the possibility of statistical attacks that rely on tracing the inputs in ring signatures to determine probabilistic relationships between transactions. This attack is only applicable to transactions made during the time that the secure enclave exploit is known, but not patched. Once the Intel SGX vulnerability is discovered and addressed, statistical attacks are no longer possible, therefore forward secrecy is preserved.

  2. Can I run a validator node without Intel SGX?

    You can run the consensus-service using Intel SGX in simulation mode, however you will not be able to participate in consensus with other validator nodes. Your software measurement will be different from hardware-enabled Intel SGX peers and remote attestation will fail.

  3. Can I run a watcher node without Intel SGX?

    Yes, you can operate a watcher node and validate block signatures by running the mobilecoind daemon, which does not require Intel SGX.

  4. I thought you were called MobileCoin. Where is the code for mobile devices?

    Please see fog, android-bindings, and libmobilecoin, to see how the balance checking and transaction building process works on mobile devices that don't sync the ledger.

    Please see also the MobileCoin Android and iOS SDKs, which can be integrated into your app to enable MobileCoin payments.

  5. Will I need to put my keys on a remote server to scan the blockchain for incoming transactions?

    Keys will never leave your mobile device. For more details on how this works, please see the MobileCoin Fog README.

Support

For troubleshooting help and other questions, please visit our community forum.

You can also open a technical support ticket via email.

Trademarks

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries. MobileCoin is a registered trademark of MobileCoin Inc.

Comments
  • Redo fog url objects, query parameters for shard id and sig

    Redo fog url objects, query parameters for shard id and sig

    Soundtrack of this PR: https://www.youtube.com/watch?v=-Zbx8QFhDK4&t=5s

    Motivation

    There need to be three fog url objects, one for the report server, which also appears in public address. And one for the view server, and one for the ledger server. There are also some query parameters in the public address one that are needed, and the way in which these affect the other two needs to be implemented as specified.

    In this PR

    • Add FogUri object which conceptually is what is in the public address for a fog address.
    • Add query parameter support in this object and tests that it works
    • Add conversions which derive FogViewUri and FogLedgerUri objects from the FogUri object, based on the shard id value.
    • Test that conversions preserve the query parameters that they are supposed to and not the ones they aren't.

    This resolves Fog-20, Fog-95. This implements the internal RFC around fog query parameters.

    Future Work

    The sig will eventually be used when validating fog report cert chains. The sig is not yet computed and that step is not yet integrated with account key and public address. That is Fog-106

    opened by cbeck88 19
  • block-version-based protocol evolution

    block-version-based protocol evolution

    This makes transaction builder and validation aware of BlockVersion. It also plumbs this config into consensus.

    This commit adds support for the change in fog sample paykit and mobilecoind

    See also: https://github.com/mobilecoinfoundation/mcips/pull/26

    Checklist:

    • [x] Rebase on master
    • [x] Do the responder id parts
    • [x] I made the block version be a parameter to things like form_block, but it might be better to do it differently, e.g. block version is announced on enclave startup, and can change after form_block but not in between calls to form block?
    • [x] There is a place where I am taking a max of latest_block.version and configured block version, but perhaps it should only ever use the configured block version.
    • [x] In many tests, I decided it was worth testing all acceptable values of block version, and in other places, I only tested BlockVersion(1) or BlockVersion::MAX because that seemed like the highest value testing. Review these decisions.
    opened by cbeck88 18
  • confidential asset types

    confidential asset types

    This PR implements the transaction math part of confidential token ids. MCIP (still draft) is here: https://github.com/mobilecoinfoundation/mcips/pull/25

    Still TODO:

    • [x] Add the proof of knowledge of opening
    • [x] Rebase on master
    • [x] Use the mob id constant and token id types in master
    • [ ] Rename Amount -> MaskedAmount (that may come in a separate PR afterwards)
    • [x] More tests

    More TODO

    • [x] Remove proof of knowledge of opening
    • [x] Undo breaking changes to protos
    • [x] Use the block version feature test in transaction builder and validation
    • [x] Make sample paykit support multiple asset balances
    • [x] Make mobilecoind track token ids
    • [x] Make slam and fog distro respect token ids
    • [x] rebase again
    • [x] Make it possible to bootstrap with token ids, and test in CD
    opened by cbeck88 18
  • In digestible crate, allow that `string` and `bytes` can be omitted

    In digestible crate, allow that `string` and `bytes` can be omitted

    In digestible crate, part of the design is to allow that new optional and repeated fields can be added to structs corresponding to protobufs, without changing the hashes of old objects. By making the hash algorithm similar to protobuf in this regard, we make it easier to evolve the blockchain without breaking backwards compatibility.

    Unfortunately, there are some gaps still in what kinds of schema evolution digestible allows vs. what protobuf allows. Protobuf allows that new bytes and string fields can be added to a struct without a breaking change, but digestible doesn't, because it doesn't currently omit empty bytes or string fields when omitting them would be allowed. We didn't think about this when implementing the allow_omit stuff, because we were focused on containers -- but bytes and strings are primitives in protobuf.

    Currently, NO primitives can be added unless they are Optional in rust. Wrapping things in Optional<...> also works for Digestible, but it doesn't always work well for things like prost.

    This commit makes it so that strings and byte vectors have the "omit if empty" behavior and can be added easily to our prosty structures.

    I believe that there are currently no string objects in our blockchain. I believe that there are no byte objects that are being hashed by digestible that are not either fixed size, or wrapped in optional.

    This commit does not adjust the behavior of integers like u64 and u32, which could also arguably be omitted if zero. However we have a fine workaround for that in place which is the digestible(omit_when = 0) which Eran made. Unfortunately it is fairly difficult to make that work when the value to be omitted is not a literal.

    If we decide that it is safe to merge this, this will simplify the changes needed to support masked token ids.

    There are other approaches we could take like

    • adding more attributes to digestible, or,
    • representing this type using Option<GenericArray<u8, U4>>.

    But the latter requires a bunch of repr-bytes stuff with prost and serde macros which in the long run we would like to reduce.

    Dan Burkert was non-committal about supporting custom prost::Message implementations: https://github.com/tokio-rs/prost/pull/421#issuecomment-758867131 and suggested that this is an "at your own risk" undertaking not covered by semver guarantees. That makes the stuff where prost::Message is derived using a repr-bytes implementation somewhat uncomfortable. Hopefully in the future prost will just allow us to use things like Option<[u8; 99]> using const generics. Or, we may be able to just move everything over to Vec<u8> and then fixup the error handling.

    Additionally, we considered it surprising that Vec<u8> behaves differently from Vec<T> for digestible crate, around whether it is omitted when empty. The documentation mentions the behavior of Vec<T> but not that of Vec. By merging this we would eliminate that footgun.


    TODOs:

    • [ ] grep this repo for all derive(Digestible) and look for String/Vec<u8> fields
    • [ ] Do the same in full-service
    opened by cbeck88 16
  • Simplify target-cpu usage

    Simplify target-cpu usage

    Tested: cargo build -v, cargo build --release -v on my dev machine running Ubuntu.

    I verified all the rustc commands include -D warnings -C target-cpu=skylake

    Fixes #580

    opened by remoun 15
  • Implement core Fog Overseer functionality

    Implement core Fog Overseer functionality

    Motivation

    This PR contains the core functionality of the Fog Overseer service. The service monitors the active Fog Ingest cluster and makes sure that there is at least one active node. If there is no active node, then it performs the automatic failover logic. This logic is described in detail in the worker.rs documentation.

    Note that this PR contains the core logic: the monitoring logic is in worker.rs and the rest of the files basically just expose that functionality to clients via a Rocket HTTPS server. The tests test 5 different scenarios in an end to end fashion. Note that there are still some key features that need to be implemented before we can deploy this service. Namely, we'll need to implement the following items:

    1. Sentry alerting: in some cases, we need to send alerts to humans when Overseer encounters certain (unlikely) Fog Ingest cluster states.
    2. Prometheus metrics: as noted in the design doc, we want to capture Fog ingest cluster state metrics like number of ingress keys, number of responsive Fog ingest nodes, etc.
    3. Get info api: in addition to storing Fog ingest cluster state in Prometheus, we want to expose a get info api that allows clients to get the current Fog Ingest cluster info in real time.
    4. Config refresh: currently, we pass the list of Fog Ingest node uris to overseer through a CLI config. To allow for overseer to look at a new set of node urls during blue / green deployment without having to restart it, we'll move this list of uris to an environment variable that can be dynamically refreshed. This way, we can update the list of uris without having to restart overseer.

    I figured that it would be best if I implemented these 4 features in future PRs, since this PR is already quite large. However, if you find that any of these features should be in this PR, I'm open to discussing.

    In this PR

    • Implements the core functionality of the Fog Overseer Service
    • Creates 5 end to end tests that cover the core scenarios we expect Fog Overseer to help with.

    Future Work

    • Implement the 4 features listed above.
    opened by samdealy 15
  • Mitigate tob-5 by making a v2 of client_propose_tx endpoint

    Mitigate tob-5 by making a v2 of client_propose_tx endpoint

    TOB-MCCT-5 is about a "token id oracle" described by TOB during review of confidential tokens design. The idea is that the consensus enclave fee map can be changed by the untrusted side, by restarting the node. If the attacker controls a node and is able to get the user to submit their Tx once with one fee map, and once with another, then the priority value leaks information about what the token id of the Tx is.

    In principle they could do this without the user knowing -- they would restart the node and it would not be able to attest to the peers after changing the fee map, but it could still accept Tx proposals and see the WellFormedTxContext which conatins the priority number. Then they turn the node back to normal. The user's app retries when their transaction doesn't land, and the same Tx comes back to their node, now with the regular fee map.

    This requires having root on a consensus node, but the threat model is that attackers with root on the consensus node should not be able to see the user's token id.

    We view this as a time-of-check-vs-time-of-use (TOCTOU) bug, and we try to fix it a way that those bugs are sometimes fixed. The user, who checked the fee map, also makes an assertion about what the fee-map is when they try to use the system (by submitting a Tx). Before acting on the data (which the attacker has potentially tampered with), the enclave checks if the user's assertion is correct, and rejects the Tx without creating a WellFormedTxContext if the assertion is not correct. (This is sort of like dealing with races when manipulating atomic variables by using compare-and-swap.)

    It should be straightforward to add this check, but unfortunately, the status quo client_propose_tx has a design flaw. It does not have a Request protobuf as the RPC argument, the argument it takes is directly an (encrypted) Tx. So, we cannot add any additional data to that protobuf in a non-breaking way without adding things to Tx. And that is untenable in this case because it adds complexity in sensitive areas of the code. We really just want to add this check next to the Tx.

    To fix this, we introduce a ClientProposeTxRequest object, which contains a Tx, and the client's minimum fee map digest. We introduce client_propose_tx_v2 which encrypts this Request object instead of a naked Tx. This will come in handy if we want to add anything else like this in the future.

    Clients will not be able to use client_propose_tx_v2 until after the V3 service is live, because existing consensus nodes don't have this endpoint. However, in the next release of clients after the v3 release is live, they could all start using client_propose_tx_v2 and we could deprecate / remove client_propose_tx.

    I made the fog-sample-paykit exercise the client_propose_tx_v2 route, since the test client uses that and so we can see that it is working in CD without making mobilecoind or anything else use it yet.

    I am not sure if this change requires an MCIP. It is a protocol / api change, but not a big one, and users are unlikely to notice. If it does require an MCIP we can write one pretty easily. Let me know what you think.

    Also, lmk if you think there's a better approach than the route I took here.

    consensus blocks-v4.0.0 
    opened by cbeck88 12
  • initial attempt at GHA config that tests android-bindings on PRs

    initial attempt at GHA config that tests android-bindings on PRs

    The idea here is to add a github action that clones some remote repository, such as android-bindings and then go to the mobilecoin submodule there and checkout the branch going through CI, and try to build it. If the build fails, then it will try to build using the base branch of the PR (e.g. master in most cases). Then, if the master build succeeded and the branch build failed, it will comment on the PR indicating that this happened. The reason it checks if master builds, is because if that is already broken then it is out of scope for the current PR to deal with that - bit maybe we can remove this behavior. If the build is fixed after it was initially broken, the action should also comment on the PR to indicate the issue was resolved. Right now there's a bug that I still need to fix where if master is broken and this PR fixes the issue, I am not sure a comment gets created. I can work on that if people think this is worth pursuing further. I figured it's not high priority since usually what will happen is a PR on mobilecoin will break the remote repo (e.g. an API change that breaks android-sdk). This will be indicated in the PR, but the PR will move forward and get merged. Then someone from the SDK team can be notified that this PR caused a breakage, and they can go and uprev mobilecoin in android-sdk and fix the breakage.

    opened by eranrund 12
  • Move ReprBytes32 to its own crate and generalize it

    Move ReprBytes32 to its own crate and generalize it

    We currently have a lot of code that is like manually grabbing prost::encoding::*; and using it to create custom serializations with prost.

    This is a hazard, because that is not part of the public-facing interface of prost and it is not documented. It also changes periodically as upstream refactors the library. The only reason these symbols are publicly visible at all is that there is no way that prost-derive can function if the proc-macro generated code cannot access these symbols. When we grab prost::encodings::*; it is creating a maintanence hazard that will make it very hard ever to uprev prost again.

    In the past, every cryptographic primitive that went into prost or serde required custom bindings code, which was very long. ReprBytes32 was a quick stopgap to prevent the code duplication and take us down a route that would be more maintainable.

    It turns out that we have some types that are not exactly 32 bytes, and then we have started grabbing the prost::encodings::* again to support those.

    Separately from this, we have had a problem in keys crate where we need to be able to get the bytes of any Kex public key. Previously, Kex was only implemented for X25519 and was not implemented for Ristretto, which prevented us from writing generic (curve agnostic) code in a lot of places.

    In https://github.com/mobilecoinofficial/mobilecoin/pull/74 we fixed this, but we needed to introduce a trait GetBytes as a stopgap.

    I propose that GetBytes can go away and be replaced with this version of ReprBytes. I propose that ReprBytes32 can also go away and be replaced with this version of ReprBytes.

    I believe that ReprBytes should potentially be moved out of mobilecoin repo and treated as a "fundamental trait" in the RustCrypto ecosystem. Then, crates like prost and serde would integrate with ReprBytes trait, and e.g. Dalek crates would not have to know about prost or Dalek would not have to know about prost or serde, they would only have to know about ReprBytes.

    Even if RustCrypto folks don't want to take ownership of this, this will reduce a lot of nasty code duplication in our repo now, and may help to clean up the keys crate, and make it able to achieve its goals of abstracting both X25519 and Ristretto.


    Alternatives: In keys crate, the main alternative is, try to make everything implement AsRef<[u8]> and Into<Vec<u8>>. Because these are the "standard library interfaces" for doing this. However, traits like

    /// A trait which all public key structures should implement.
    pub trait PublicKey:
        Clone
        + Debug
        + DeserializeOwned
        + Digestible
        + Eq
        + Hash
        + Into<Vec<u8>>
        + PartialEq
        + PartialOrd
        + Ord
        + Serialize
        + Sized
        + for<'bytes> TryFrom<&'bytes [u8]>
    {
        /// Retrieve the size of this public key's raw bytes.
        fn size() -> usize;
    }
    

    Are bad because they force a requirement on extern crate alloc. Because they have a trait bound on a core trait Into<Vec<u8>>, there is no way that a consumer of this API can implement the trait unless they also have access to alloc crate.

    Suppose we wanted to take keys crate and add an alloc feature, so that it can be used in microcontroller environments without a standard allocator. All existing elliptic curve implementations do not require an allocator, and all of the code in RustCrypto is friendly to no-alloc development.

    If we try to simply do #[cfg(feature = "alloc")] to make the Into<Vec<u8>> go away, then we are creating global feature coordination problems. Anything that implements keys traits will have to have an alloc feature, and that feature must be configured exactly the same way as the way that keys crate is configured. This is exactly the same problem that serde has, and the source of an enormous number of build problems, for us, for months. This would not be an "additive" use of features.

    Cargo expects / requires that when a crate has features, turning them on is "additive", only adding things to the API, and not removing them. Otherwise, cargo's global feature unification is unsound and causes build breakage. Making a trait bound stricter when a feature is turned on is not additive, and the fact that serde itself does this, is a bug.

    (My criticism of serde, in this way, with respect to non-additive std::error::Error, is the reason that they added this release of serde: https://github.com/serde-rs/serde/releases/tag/v1.0.100. I think the reason that it ended up this way in the first place is that serde is older than no_std, and when they created no_std they failed / neglected to move std::error::Error to core.)

    So I think that we should expect to redesign the keys crate so that it does not have any dependence on Into<Vec<u8>> if we expect that it will eventually be taken up by RustCrypto folks. I think that a trait like ReprBytes can be an adequate replacement for it.

    opened by cbeck88 12
  • Make slog actually work inside of sgx enclave/impl crates

    Make slog actually work inside of sgx enclave/impl crates

    When we planned out the way that we build enclaves, one of the main questions was "how do we unit test the mission critical code that lives in enclaves". We split this logic into _impl crates that can compile as std, without having any sgx-only bits inside them.

    Currently, none of these crates support logging, because the mc-common::logger module is std-only. We built an mc-sgx-slog interface which sends slog structures logs over an OCALL to untrusted to be logged on the global logger. But because this code was enclave-specific, there was no way to actually use this in the enclave/impl crates without breaking the tests. And so mc-sgx-slog has been basically unused. None of the _impl crates use it, and none of the tests even use the [test_with_logger] functionality, because they can't actually use the logger in the code under test.

    After this revision we make the following changes:

    • mc-common depends unconditionally on slog, and configures it in a no_std mode.
    • mc-common unconditionally re-exports mc-common::logger, giving the mc-common::logger::log and mc-common::logger::slog parts, because these are portable to the enclaves.
    • Everything that depends on slog now gets it from the mc-common re-export instead of duplicating the dependency in its cargo toml.
    • slog is patched to fix minor problems in its no_std build when dynamic_keys feature is turned on.
    • Functionality in mc-common::logger that depends on slog_scope is gated on log feature as before, and this requires std.
    • Functionality in mc-common::logger that depends on loggers feature is still gated on loggers as before.
    • The mc-sgx-slog::untrusted module is moved to the mc-sgx-urts crate with the other logging related stuff. This also means that some times that a server needs to depend mc-sgx-slog "only for linkage" are removed, because it gets the needed code from mc-sgx-urts now.
    • mc-sgx-urts now sends eprintln and panic messages to global_log instead of eprintln.
    • consensus-enclave-impl owns a Logger object where it sends log messages
    • Tests in consensus-enclave-impl use test_with_logger and build the enclave using the test logger, to demonstrate that the functionality works.

    The biggest drawback in this commit is that it makes the mc-common::logger module messy, but this module was already messy and was re-exporting a lot of complicated and variously portable stuff from slog-* crates. The alternative here is that everything starts depending on my patched slog, and if they don't all get the right version then the build breaks. In this commit, we have tried to keep that module as nice as possible without breaking the API that it defined.

    We propose to consider changes to the API of the mc-common::logger module in another commit, because that will be onerous and will require touching almost the entire project, anything that uses the logger. By scoping this commit so that we don't change the API of mc-common we make it possible to land it and unblock other work that needs logging in enclaves.

    It seems that the logger module needs to be redesigned with the idea that there are three different components that different consumers need:

    • slog itself, which is totally portable
    • slog_scope, which is not portable to enclave, depends on std and a quite complex ArcSwap crate. This is used to manage the lifetime of the global logger instance. It also depends on thread local vectors of logger pointers, to manage the scope loggers. This stuff is no_std compatible only in nightly compiler because it relies on thread_local. But we already have several pieces of code that are nightly only. IMO We should consider whether to patch this crate to make it no_std compatible, which would simplify stuff somewhat. We would have to get rid of ArcSwap but that might be for the best anyways, it's difficult for me to see why we need all that, we could require that set_global_logger is only called once and not allow swapping out global logger on the fly. I have never seen a legitimate use-case for that in any project. But it's not for sure that we even need the global_log API in enclaves, we can probably get by without it.
    • sentry etc., which depends on std and an http stack, which we cannot compile with libmobilecoin or for the phones.
    opened by cbeck88 11
  • increase mint auditor test timeout

    increase mint auditor test timeout

    this increases the amount of time the test waits for mobilecoind and the mint auditor to catchup to network activity, and adds a named constant so that this can easily be adjusted in the future

    opened by cbeck88 10
  • Implement prometheus metrics for FVR

    Implement prometheus metrics for FVR

    Motivation

    Implements Prometheus metrics for Fog View Router (FVR). Previously, upon receiving a request, the router "opened" a Prometheus metrics session, but it never closed it. This PR closes the session and refactors some underlying util logic for cleanliness.

    opened by samdealy 1
  • Bump prost from 0.11.2 to 0.11.5 in /consensus/enclave/trusted

    Bump prost from 0.11.2 to 0.11.5 in /consensus/enclave/trusted

    Bumps prost from 0.11.2 to 0.11.5.

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies rust blocks-v4.0.0 
    opened by dependabot[bot] 0
  • Bump blake2 from 0.10.4 to 0.10.6 in /fog/ledger/enclave/trusted

    Bump blake2 from 0.10.4 to 0.10.6 in /fog/ledger/enclave/trusted

    Bumps blake2 from 0.10.4 to 0.10.6.

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies rust blocks-v4.0.0 
    opened by dependabot[bot] 0
  • Bump blake2 from 0.10.4 to 0.10.6 in /fog/ingest/enclave/trusted

    Bump blake2 from 0.10.4 to 0.10.6 in /fog/ingest/enclave/trusted

    Bumps blake2 from 0.10.4 to 0.10.6.

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies rust blocks-v4.0.0 
    opened by dependabot[bot] 0
  • [FLR] Properly handle errors in `router_handlers::handle_requests`

    [FLR] Properly handle errors in `router_handlers::handle_requests`

    The router_handlers::handle_requests method does the bulk of the work of the Fog Ledger Router. Currently any errors in this method are logged, but no more. We need to enumerate what kinds of errors this method can produce and discuss what other actions we might need to take over and above logging to handle them.

    opened by awygle 0
  • [FLR] Re-use GRPC environment for Key Image Stores

    [FLR] Re-use GRPC environment for Key Image Stores

    Each connection to a Key Image Store is currently creating its own grpcio environment. We should instead create this once and re-use it for all Key Image Store connections.

    opened by awygle 0
Releases(v3.0.0)
Owner
MobileCoin Foundation
MobileCoin Foundation
The Mullvad VPN client app for desktop and mobile

Mullvad VPN desktop and mobile app Welcome to the Mullvad VPN client app. This repository contains all the source code for the desktop and mobile vers

Mullvad VPN 3k Jan 2, 2023
RGB smart contracts: client-facing library & command-line for desktop and mobile

RGB smart contracts RGB is confidential & scalable client-validated smart contracts for Bitcoin & Lightning. It embraces the concepts of private & mut

RGB: scalable & private smart contracts for bitcoin & lightning 4 Mar 15, 2023
Radix Babylon vanity address finder allowing easy import into Radix mobile Wallet.

Rad Vanity address finder for Radix Babylon which you can import directly into your Radix Wallet using QR scanner using Import from a Legacy Wallet fe

Alexander Cyon 6 Nov 13, 2023
An extensible open-source framework for creating private/permissioned blockchain applications

Exonum Status: Project info: Community: Exonum is an extensible open-source framework for creating blockchain applications. Exonum can be used to crea

Exonum 1.2k Jan 1, 2023
✈️A private, authenticated, permissioned cargo registry

chartered a little dig at creating a private cargo repository with authenticated downloads, the plan is to have git connect to a git server we setup t

Jordan Doyle 121 Dec 26, 2022
Convert private keys to PKCS#8 format in pure Rust

topk8 Convert private keys to PKCS#8 format in pure Rust. The following formats are supported at the moment: PKCS#1 PEM (RSA PRIVATE KEY) SEC1 PEM (EC

kazk 1 Dec 10, 2021
Add Rust on private-isu

private-isu Rust実装 private-isuにRust実装を追加するためのリポジトリです. 現状,Docker Composeのみ対応しています. Using Rustで起動するためには以下の手順が必要です. private-isuのwebappに本リポジトリを追加する. cd pr

Romira 3 Jun 22, 2022
Rust implementation of Namada, a sovereign proof-of-stake blockchain that enables asset-agnostic private transfers

Namada Overview Namada is a sovereign proof-of-stake blockchain, using Tendermint BFT consensus, that enables multi-asset private transfers for any na

anoma 144 Jan 2, 2023
Kryptokrona SDK in Rust for building decentralized private communication and payment systems.

Kryptokrona Rust SDK Kryptokrona is a decentralized blockchain from the Nordic based on CryptoNote, which forms the basis for Monero, among others. Cr

null 5 May 25, 2023
a Solana program for granting friends permissions on your account without revealing your private key.

Delegatooooor Granting Permission: An account holder (the delegator) decides to grant permission to a delegate. They create and sign a transaction tha

0xGhostMac 3 Apr 3, 2024
Private key finder based on the (Bitcoin) secp256k1 elliptic curve.

keyripper keyripper is a powerful tool developed in Rust to assist in the recovery of Bitcoin private keys by leveraging the Baby-Step Giant-Step (BSG

Denzy 12 Sep 27, 2024
Scrub dm-integrity devices

Synopsis This tool attempts to read all logical sectors of a block device, overwriting any sector that cannot be read due to an I/O error with zeros.

Mikael 1 Feb 26, 2022
Left To My Own Devices - NT hash tools

ntcrack Left To My Own Devices - NT cracker A full writeup of how it works is available at the SensePost blog Invocation ./ntcrack <input hashlist> <w

SensePost 24 Nov 24, 2022
Bitcoin PSBT signer, descriptor exporter and more for offline devices.

KeeChain Description KeeChain is a Bitcoin application to transform your offline computer in an AirGap Signing Device (aka Hardware Wallet). Getting s

Yuki Kishimoto 3 Dec 15, 2022
Narrowlink securely connects devices and services together, even when both nodes are behind separate NAT

Narrowlink Narrowlink is a self-hosted platform that allows you to establish secure remote connections between devices within a network that may be hi

Narrowlink 355 Aug 17, 2023
Private payments for mobile devices.

Testing your first payment Please see TESTNET.md for instructions on participating in the TestNet! Sending your first payment Please see MAINNET.md fo

MobileCoin Foundation 1.1k Dec 30, 2022
Payments Engine is a simple toy payments engine

Payments Engine is a simple toy payments engine that reads a series of transactions from a CSV, updates client accounts, handles disputes and chargebacks, and then outputs the state of clients accounts as a CSV.

Bogdan Arabadzhi 0 Feb 3, 2022
Easy c̵̰͠r̵̛̠ö̴̪s̶̩̒s̵̭̀-t̶̲͝h̶̯̚r̵̺͐e̷̖̽ḁ̴̍d̶̖̔ ȓ̵͙ė̶͎ḟ̴͙e̸̖͛r̶̖͗ë̶̱́ṉ̵̒ĉ̷̥e̷͚̍ s̷̹͌h̷̲̉a̵̭͋r̷̫̊ḭ̵̊n̷̬͂g̵̦̃ f̶̻̊ơ̵̜ṟ̸̈́ R̵̞̋ù̵̺s̷̖̅ţ̸͗!̸̼͋

Rust S̵̓i̸̓n̵̉ I̴n̴f̶e̸r̵n̷a̴l mutability! Howdy, friendly Rust developer! Ever had a value get m̵̯̅ð̶͊v̴̮̾ê̴̼͘d away right under your nose just when

null 294 Dec 23, 2022
Private swaps for Secret Network using a private entropy pool & differential privacy.

WIP SecretSwap: Anon Edition Private swaps for Secret Network! Uses private entropy pool for differential privacy when reporting pools sizes. Swap amo

Enigma 5 Apr 5, 2022
Private swaps for Secret Network using a private entropy pool & differential privacy.

WIP SecretSwap: Anon Edition Private swaps for Secret Network! Uses private entropy pool for differential privacy when reporting pools sizes. Swap amo

SCRT Labs 5 Apr 5, 2022