Secure validator mode

.github/workflows/test.yml

@@ -60,7 +60,7 @@ jobs:
     name: "${{ matrix.options.name }}"
     runs-on: ubuntu-latest
     timeout-minutes: 60
-    container: qdrvm/kagome-dev:6-minideb
+    container: qdrvm/kagome-dev:7-minideb
     steps:
       - uses: actions/checkout@dc323e67f16fb5f7663d20ff7941f27f5809e9b6
       - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed
@@ -99,7 +99,7 @@ jobs:
     name: "${{ matrix.options.name }}"
     runs-on: [ actions-runner-controller ]
     timeout-minutes: 60
-    container: qdrvm/kagome-dev:6-minideb
+    container: qdrvm/kagome-dev:7-minideb
     steps:
       - uses: actions/checkout@dc323e67f16fb5f7663d20ff7941f27f5809e9b6
       - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed
@@ -138,7 +138,7 @@ jobs:
     name: "${{ matrix.options.name }}"
     runs-on: [ actions-runner-controller ]
     timeout-minutes: 60
-    container: qdrvm/kagome-dev:6-minideb
+    container: qdrvm/kagome-dev:7-minideb
     steps:
       - uses: actions/checkout@dc323e67f16fb5f7663d20ff7941f27f5809e9b6
       - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed
@@ -163,7 +163,7 @@ jobs:
     name: "Linux: clang-tidy"
     runs-on: ubuntu-latest
     timeout-minutes: 60
-    container: qdrvm/kagome-dev:6-minideb
+    container: qdrvm/kagome-dev:7-minideb
     steps:
       - uses: actions/checkout@dc323e67f16fb5f7663d20ff7941f27f5809e9b6
         with:
@@ -187,7 +187,7 @@ jobs:
     name: "Self-hosted: Linux: gcc-12 coverage/sonar"
     runs-on: [ actions-runner-controller ]
     timeout-minutes: 60
-    container: qdrvm/kagome-dev:6-minideb
+    container: qdrvm/kagome-dev:7-minideb
     steps:
       - uses: actions/checkout@dc323e67f16fb5f7663d20ff7941f27f5809e9b6
       - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed
@@ -236,7 +236,7 @@ jobs:
     name: "${{ matrix.options.name }}"
     runs-on: ubuntu-latest
     timeout-minutes: 60
-    container: qdrvm/kagome-dev:6-minideb
+    container: qdrvm/kagome-dev:7-minideb
     steps:
       - uses: actions/checkout@dc323e67f16fb5f7663d20ff7941f27f5809e9b6
       - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed
@@ -261,7 +261,7 @@ jobs:
     name: "${{ matrix.options.name }}"
     runs-on: [ actions-runner-controller ]
     timeout-minutes: 60
-    container: qdrvm/kagome-dev:6-minideb
+    container: qdrvm/kagome-dev:7-minideb
     steps:
       - uses: actions/checkout@dc323e67f16fb5f7663d20ff7941f27f5809e9b6
       - uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed

CMakePresets.json

@@ -35,6 +35,14 @@
                 "WASM_COMPILER": "WasmEdge"
             }
         },
+        {
+            "name": "release-wasmedge",
+            "binaryDir": "cmake-build-release-wasmedge",
+            "inherits": "base-release",
+            "cacheVariables": {
+                "WASM_COMPILER": "WasmEdge"
+            }
+        },
         {
             "name": "debug-wavm",
             "binaryDir": "cmake-build-debug-wavm",

cmake/Hunter/config.cmake

@@ -115,8 +115,7 @@ hunter_config(
 
 hunter_config(
     libsecp256k1
-    URL https://github.com/qdrvm/soramitsu-libsecp256k1/archive/ace3e08075d9cc1ecff1afe1be65c31fc9059c4c.zip
-    SHA1 bc1e4413a56ce2cdc17175dd1c9b569345c1e709
+    VERSION 0.4.1-qdrvm1
     CMAKE_ARGS
         SECP256K1_ENABLE_MODULE_RECOVERY=ON
 )

cmake/Hunter/hunter-gate-url.cmake

@@ -1,5 +1,5 @@
 HunterGate(
-  URL  https://github.com/qdrvm/hunter/archive/refs/tags/v0.25.3-qdrvm8.zip
-  SHA1 dc0af42b358dc0bcab304a455e80681c12d52e0f
+  URL  https://github.com/qdrvm/hunter/archive/refs/tags/v0.25.3-qdrvm9.zip
+  SHA1 7f3f8ee341aaac8c400e776c8a9f28e8fc458296
   LOCAL
 )

cmake/toolchain/compiler/clang-15.cmake

@@ -24,7 +24,7 @@ if (CMAKE_CXX_COMPILER STREQUAL "CMAKE_CXX_COMPILER-NOTFOUND")
   find_program(CMAKE_CXX_COMPILER clang++ PATHS "${compiler_path}" NO_DEFAULT_PATH REQUIRED)
 
   execute_process(COMMAND "${CMAKE_CXX_COMPILER}" --version OUTPUT_VARIABLE compiler_version_output)
-  string(REGEX MATCH "clang version ([0-9]+)\.[0-9]+\.[0-9]+" compiler_version "${compiler_version_output}")
+  string(REGEX MATCH "clang version ([0-9]+)\\.[0-9]+\\.[0-9]+" compiler_version "${compiler_version_output}")
   if (NOT CMAKE_MATCH_1 STREQUAL "15")
     message(FATAL_ERROR "Found clang++ version ${CMAKE_MATCH_1}, 15 is required")
   endif()

core/application/impl/app_configuration_impl.cpp

@@ -7,6 +7,7 @@
 #include "application/impl/app_configuration_impl.hpp"
 
 #include <charconv>
+#include <filesystem>
 #include <limits>
 #include <regex>
 #include <string>
@@ -1472,6 +1473,17 @@ namespace kagome::application {
         }
       }
     }
+    {
+      std::error_code ec;
+      kagome::filesystem::create_directories(runtimeCacheDirPath(), ec);
+      if (ec) {
+        SL_ERROR(logger_,
+                 "Failed to create runtime cache dir {}: {}",
+                 runtimeCacheDirPath(),
+                 ec);
+        return false;
+      }
+    }
 
     if (auto arg = find_argument<uint32_t>(
             vm, "parachain-runtime-instance-cache-size");
@@ -1493,6 +1505,7 @@ namespace kagome::application {
     if (find_argument(vm, "parachain-single-process")) {
       use_pvf_subprocess_ = false;
     }
+    logger_->info("Parachain multi process: {}", use_pvf_subprocess_);
 
     if (auto arg = find_argument<uint32_t>(vm, "parachain-check-deadline");
         arg.has_value()) {

core/common/optref.hpp

@@ -6,8 +6,8 @@
 
 #pragma once
 
-#include <type_traits>
 #include <optional>
+#include <type_traits>
 
 #include <boost/assert.hpp>
 

core/dispute_coordinator/participation/impl/participation_impl.cpp

@@ -31,15 +31,15 @@ namespace kagome::dispute {
         api_(std::move(api)),
         recovery_(std::move(recovery)),
         pvf_(std::move(pvf)),
-        dispute_thred_handler_(std::move(dispute_thread_handler)),
+        dispute_thread_handler_(std::move(dispute_thread_handler)),
         dispute_coordinator_(std::move(dispute_coordinator)),
         queue_(std::make_unique<QueuesImpl>(
             block_header_repository_, std::move(hasher), api_)) {
     BOOST_ASSERT(block_header_repository_ != nullptr);
     BOOST_ASSERT(api_ != nullptr);
     BOOST_ASSERT(recovery_ != nullptr);
     BOOST_ASSERT(pvf_ != nullptr);
-    BOOST_ASSERT(dispute_thred_handler_ != nullptr);
+    BOOST_ASSERT(dispute_thread_handler_ != nullptr);
     BOOST_ASSERT(not dispute_coordinator_.expired());
   }
 
@@ -66,9 +66,9 @@ namespace kagome::dispute {
       ParticipationRequest request, primitives::BlockHash recent_head) {
     if (running_participations_.emplace(request.candidate_hash).second) {
       // https://github.com/paritytech/polkadot/blob/40974fb99c86f5c341105b7db53c7aa0df707d66/node/core/dispute-coordinator/src/participation/mod.rs#L256
-      dispute_thred_handler_->execute([wp{weak_from_this()},
-                                       request{std::move(request)},
-                                       recent_head{std::move(recent_head)}]() {
+      dispute_thread_handler_->execute([wp{weak_from_this()},
+                                        request{std::move(request)},
+                                        recent_head{std::move(recent_head)}]() {
         if (auto self = wp.lock()) {
           self->participate(std::move(request), std::move(recent_head));
         }
@@ -222,7 +222,7 @@ namespace kagome::dispute {
 
   void ParticipationImpl::participate_stage3(ParticipationContextPtr ctx,
                                              ParticipationCallback &&cb) {
-    REINVOKE(*dispute_thred_handler_,
+    REINVOKE(*dispute_thread_handler_,
              participate_stage3,
              std::move(ctx),
              std::move(cb));

core/dispute_coordinator/participation/impl/participation_impl.hpp

@@ -85,7 +85,7 @@ namespace kagome::dispute {
     std::shared_ptr<runtime::ParachainHost> api_;
     std::shared_ptr<parachain::Recovery> recovery_;
     std::shared_ptr<parachain::Pvf> pvf_;
-    std::shared_ptr<PoolHandlerReady> dispute_thred_handler_;
+    std::shared_ptr<PoolHandlerReady> dispute_thread_handler_;
     std::weak_ptr<DisputeCoordinator> dispute_coordinator_;
 
     /// Participations currently being processed.

core/host_api/impl/host_api_factory_impl.cpp

@@ -27,7 +27,7 @@ namespace kagome::host_api {
         ed25519_provider_(std::move(ed25519_provider)),
         secp256k1_provider_(std::move(secp256k1_provider)),
         hasher_(std::move(hasher)),
-        // we do this instead of passing key_store as an optional right away 
+        // we do this instead of passing key_store as an optional right away
         // because boost.di doesn't like optional<shared_ptr>
         key_store_(key_store ? std::optional(key_store) : std::nullopt),
         offchain_persistent_storage_(std::move(offchain_persistent_storage)),

core/injector/application_injector.cpp

@@ -610,6 +610,7 @@ namespace {
                     Compile
             ? runtime::wasm_edge::ModuleFactoryImpl::ExecType::Compiled
             : runtime::wasm_edge::ModuleFactoryImpl::ExecType::Interpreted,
+        config->runtimeCacheDirPath(),
     };
 #endif
 

core/parachain/CMakeLists.txt

@@ -55,6 +55,7 @@ add_library(kagome_pvf_worker
     pvf/kagome_pvf_worker.cpp
     )
 target_link_libraries(kagome_pvf_worker
+    PUBLIC
     fmt::fmt
     scale::scale
     soralog::fallback_configurator
@@ -81,3 +82,6 @@ target_link_libraries(kagome_pvf_worker
     p2p::p2p_asio_scheduler_backend
     )
 
+if (CMAKE_SYSTEM_NAME STREQUAL Linux)
+    target_link_libraries(kagome_pvf_worker PRIVATE seccomp)
+endif()

core/parachain/approval/approval_distribution.cpp

@@ -2874,9 +2874,9 @@ namespace kagome::parachain {
       std::promise<primitives::BlockInfo> promise;
       auto future = promise.get_future();
       approval_thread_handler_->execute(
-           libp2p::SharedFn{[&, promise{std::move(promise)}]() mutable {
-             promise.set_value(approvedAncestor(min, max));
-           }});
+          libp2p::SharedFn{[&, promise{std::move(promise)}]() mutable {
+            promise.set_value(approvedAncestor(min, max));
+          }});
       return future.get();
     }