From 070eb2b5eb62ee06eae1b5a6f967d040f34fd545 Mon Sep 17 00:00:00 2001
From: "iguerNL@Functori"
Date: Wed, 8 Jan 2025 16:11:21 +0100
Subject: [PATCH 1/2] DAL/Proto: export function allowed_commitments_publisher

---
 src/proto_alpha/lib_protocol/dal_slot_repr.mli | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/proto_alpha/lib_protocol/dal_slot_repr.mli b/src/proto_alpha/lib_protocol/dal_slot_repr.mli
index b86a5520e0bd..97ec2120176b 100644
--- a/src/proto_alpha/lib_protocol/dal_slot_repr.mli
+++ b/src/proto_alpha/lib_protocol/dal_slot_repr.mli
@@ -420,6 +420,12 @@ module History : sig
 print the serialized version of the proof (i.e. a sequence of bytes). *)
 val pp_proof : serialized:bool -> Format.formatter -> proof -> unit
 
+ (** [allowed_commitments_publisher publisher whitelist] returns true iff
+ [whitelist] is None or if it's [Some wl], where [publisher] appears in
+ [wl]. *)
+ val allowed_commitments_publisher :
+ Contract_repr.t -> Contract_repr.t list option -> bool
+
 (** This function returns a commitment and its publisher (wrapped in Either.Right if and only if the skip list cell whose content is given is attested. In case the commitment is not attested, the
-- 
GitLab

From b1b3a334b5896ab0c82a88943a737c4d21174613 Mon Sep 17 00:00:00 2001
From: "iguerNL@Functori"
Date: Wed, 8 Jan 2025 16:11:50 +0100
Subject: [PATCH 2/2] ADAL/Proto: implement the missing verification logic in Sc_rollup_repr

---
 .../lib_protocol/sc_rollup_proof_repr.ml | 77 +++++++++++++++----
 1 file changed, 63 insertions(+), 14 deletions(-)

diff --git a/src/proto_alpha/lib_protocol/sc_rollup_proof_repr.ml b/src/proto_alpha/lib_protocol/sc_rollup_proof_repr.ml
index 6892a67f0051..187fea21d1ba 100644
--- a/src/proto_alpha/lib_protocol/sc_rollup_proof_repr.ml
+++ b/src/proto_alpha/lib_protocol/sc_rollup_proof_repr.ml
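Review bot: The doc comment on the new `allowed_commitments_publisher` export leaves the two security-relevant edge cases implicit: `None` means no restriction at all, and `Some []` rejects every publisher, since nobody appears in an empty list. Spelling both out protects callers from passing `None` when they mean "no one may publish". Suggested wording: `(** [allowed_commitments_publisher publisher whitelist] is [true] when [whitelist] is [None] (no restriction) or when it is [Some wl] and [publisher] is an element of [wl]; in particular [Some []] accepts no publisher. *)`. The membership test itself lives in the `.ml`, outside this patch; it presumably compares contracts with `Contract_repr.equal` rather than polymorphic equality, which is worth confirming.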
@@ -304,7 +304,7 @@ module Dal_helpers = struct
 ~dal_number_of_slots
 page_id
 ~dal_attested_slots_validity_lag
- then (
+ then
 let* verify_proof_result =
 Dal_slot_repr.History.verify_proof
 ~with_migration:(protocol_activation_level, dal_attestation_lag)
@@ -315,17 +315,17 @@ module Dal_helpers = struct
 in
 let Dal_slot_repr.History.
 {
- page_content_opt = input;
+ page_content_opt;
 attestation_threshold_percent;
 commitment_publisher_opt;
 } =
 verify_proof_result
 in
- (* TODO: Check the ignored values below against the payload of
- input_requested (Next MRs). *)
- ignore (attestation_threshold_percent, commitment_publisher_opt) ;
- return_some (Sc_rollup_PVM_sig.Reveal (Dal_page input)))
- else return_none
+ return
+ ( Some (Sc_rollup_PVM_sig.Reveal (Dal_page page_content_opt)),
+ attestation_threshold_percent,
+ commitment_publisher_opt )
+ else return (None, None, None)
 
 let produce ~metadata ~dal_activation_level ~dal_attestation_lag
 ~dal_number_of_slots ~commit_inbox_level dal_parameters
@@ -469,7 +469,7 @@ let valid (type state proof output)
 PVM is actually requesting a DAL page whose ID coincides with the one of the given proof. *)
 | Some (Reveal_proof (Dal_page_proof {proof; page_id})) ->
- let*? input_opt =
+ let*? input_opt, attestation_threshold_percent, commitment_publisher_opt =
 Dal_helpers.verify
 ~protocol_activation_level
 ~dal_number_of_slots
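Review bot: In the `@@ -315` hunk `verify` now returns a triple of independent options, `(None, None, None)` on the else branch, although the three values are only ever all-`None` or produced together by `verify_proof`; a consumer such as the `@@ -469` hunk can then bind `attestation_threshold_percent` or `commitment_publisher_opt` as `Some` while `input_opt` is `None` without the type forbidding it. Returning `return_some (Sc_rollup_PVM_sig.Reveal (Dal_page page_content_opt), attestation_threshold_percent, commitment_publisher_opt)` with `else return_none`, or a small record, would keep that invariant in the type and give the caller a single `Some`/`None` to match on. Whichever shape is kept, the doc comment of `verify`, which starts above this hunk, should say what the two extra components mean when the page is not attested.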
@@ -487,13 +487,62 @@ let valid (type state proof output)
 input_opt
 (function
 | Needs_reveal (Request_dal_page pid) ->
+ let* () =
+ check
+ (Dal_slot_repr.Page.equal page_id pid)
+ "Dal proof's page ID is not the one expected in input \
+ request."
+ in
+ (* For Regular DAL, we check [attestation_threshold_percent] is
+ set to None, as attestation status is decided by the protocol.
+ But, we don't have to check the value of
+ [commitment_publisher_opt]. (We could actually also omit the
+ verification of [attestation_threshold_percent]). *)
+ check
+ (Option.is_none attestation_threshold_percent)
+ "Cannot accept an Adjustable DAL proof in the context of \
+ Regular Dal_page request"
+ | Needs_reveal
+ (Request_adal_page
+ {
+ page_id = pid;
+ attestation_threshold_percent = kernel_threshold;
+ restricted_commitments_publishers = kernel_whitelist;
+ }) ->
+ (* Like for Regular DAL, we first check for Adjustable DAL that
+ we're targetting the right page, by checking the requested page
+ id against the one in the provided proof. *)
+ let* () =
+ check
+ (Dal_slot_repr.Page.equal page_id pid)
+ "Dal proof's page ID is not the one expected in input \
+ request."
+ in
+ (* Additionally, we check that the provided value for
+ [attestation_threshold_percent] in the proof matches the one
+ expected by the kernel. *)
+ let* () =
+ check
+ (Option.equal
+ Compare.Int.equal
+ (Some kernel_threshold)
+ attestation_threshold_percent)
+ "The provided attestation_threshold_percent in the proof \
+ doesn't match the one defined in the kernel."
+ in
+ (* Finally, in case the ADAL proof is a confirmation of an
+ attested slot, we check that the publisher is indeed in the
+ whitelist stored in the input request (if any). *)
 check
- (Dal_slot_repr.Page.equal page_id pid)
- "Dal proof's page ID is not the one expected in input request."
- | Needs_reveal (Request_adal_page _pid) ->
- (* ADAL/FIXME: https://gitlab.com/tezos/tezos/-/milestones/410 implement
- refutation games for adaptive DAL. *)
- assert false
+ (Option.fold
+ ~none:true
+ ~some:(fun publisher ->
+ Dal_slot_repr.History.allowed_commitments_publisher
+ publisher
+ kernel_whitelist)
+ commitment_publisher_opt)
+ "The provided DAL slot publisher in the (DAL) confirmation \
+ proof is not in the kernel's whitelisted publishers."
 | _ -> inbox_proof_and_input_request_are_dissociated ())
 (* Case where the provided proof pretends that the PVM is asking for DAL parameters. In this case, we just check that the PVM is requesting DAL
-- 
GitLab
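Review bot: In the `Request_adal_page` branch the publisher check uses `Option.fold ~none:true`, so a proof carrying `commitment_publisher_opt = None` is accepted against any `kernel_whitelist` without further test; that is only sound if `verify_proof` guarantees a `Some` publisher whenever the page content is attested, and nothing in this hunk establishes that. Either record the invariant in the `(* Finally, ... *)` comment, e.g. `(* [commitment_publisher_opt] is [None] only for unattested pages, so there is nothing to whitelist in that case. *)`, or make the branch fail when a whitelist is present and the publisher is missing for an attested page. The page-ID check and its error string are now duplicated across the two branches; a local `let check_page_id pid = check (Dal_slot_repr.Page.equal page_id pid) "Dal proof's page ID is not the one expected in input request." in` defined before the `function` would remove the repetition. Minor: "targetting" in the new comment should read "targeting". The enclosing match arm of `valid` starts outside this hunk.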