Skip attestation verification (#263)

* Update espresso-tee-contracts submodule to sishan/skip-attestation-verification

* Skip attestation verification to reduce gas costs

* Reduce L1 gas limit from 45M to 16M

* Update snapshots for registerSignerWithoutAttestationVerification

* Ignore lib/automate submodule directory

* fix CI

* Update espresso-tee-contracts submodule

Remove onlyOwner modifier from registerSignerWithoutAttestationVerification

* keep large gasLimit

* circleci: Enable workflow on all branches via API trigger

Allow CircleCI main workflow to run on any branch when triggered via API,
not just webhook triggers. This enables go-lint and go-tests to run on
feature branches.

* Regenerate semver-lock.json after rebase

The initCodeHash for BatchAuthenticator needed to be regenerated
after rebasing onto celo-integration-rebase-14.1.

---------

Co-authored-by: EC2 Default User <[email protected]>

Author: dailinsubjam

.circleci/config.yml

@@ -1779,9 +1779,11 @@ jobs:
 
 workflows:
   main:
+    # Run on all branches via webhook or API
     when:
       or:
         - equal: ["webhook", << pipeline.trigger_source >>]
+        - equal: ["api", << pipeline.trigger_source >>]
         - and:
             - equal: [true, <<pipeline.parameters.main_dispatch>>]
             - equal: ["api", << pipeline.trigger_source >>]

.gitignore

@@ -67,3 +67,4 @@ gha-creds-*.json
 # Ignore keys
 *.pem
 
+packages/contracts-bedrock/lib/automate/

op-batcher/batcher/espresso.go

@@ -1082,9 +1082,17 @@ func (l *BatchSubmitter) registerBatcher(ctx context.Context) error {
 		return fmt.Errorf("failed to get Batch Authenticator ABI: %w", err)
 	}
 
-	txData, err = abi.Pack("registerSigner", l.Attestation.COSESign1, l.Attestation.Signature)
+	// Extract PCR0 hash from attestation document
+	pcr0Hash := crypto.Keccak256Hash(l.Attestation.Document.PCRs[0])
+
+	// Extract enclave address from attestation document public key
+	// The publicKey's first byte 0x04 determines if the public key is compressed or not, so we ignore it
+	publicKeyHash := crypto.Keccak256Hash(l.Attestation.Document.PublicKey[1:])
+	enclaveAddress := common.BytesToAddress(publicKeyHash[12:])
+
+	txData, err = abi.Pack("registerSignerWithoutAttestationVerification", pcr0Hash, l.Attestation.COSESign1, l.Attestation.Signature, enclaveAddress)
 	if err != nil {
-		return fmt.Errorf("failed to create RegisterSigner transaction: %w", err)
+		return fmt.Errorf("failed to create RegisterSignerWithoutAttestationVerification transaction: %w", err)
 	}
 
 	candidate := txmgr.TxCandidate{

op-batcher/bindings/batch_authenticator.go

@@ -127,6 +127,34 @@
     "stateMutability": "nonpayable",
     "type": "function"
   },
+  {
+    "inputs": [
+      {
+        "internalType": "bytes32",
+        "name": "pcr0Hash",
+        "type": "bytes32"
+      },
+      {
+        "internalType": "bytes",
+        "name": "attestationTbs",
+        "type": "bytes"
+      },
+      {
+        "internalType": "bytes",
+        "name": "signature",
+        "type": "bytes"
+      },
+      {
+        "internalType": "address",
+        "name": "enclaveAddress",
+        "type": "address"
+      }
+    ],
+    "name": "registerSignerWithoutAttestationVerification",
+    "outputs": [],
+    "stateMutability": "nonpayable",
+    "type": "function"
+  },
   {
     "inputs": [],
     "name": "renounceOwnership",

op-batcher/bindings/batch_inbox.go

@@ -1,7 +1,7 @@
 {
   "src/L1/BatchAuthenticator.sol:BatchAuthenticator": {
-    "initCodeHash": "0x886ad73f143db896806140ccb2a64c353c4822bcc6021e1e6bb48497da478d1c",
-    "sourceCodeHash": "0xb0769be04670274b46231d81eb19b7bac6f2f8d4b4989ad9dda4aea85ef6166d"
+    "initCodeHash": "0xe6ba63f419d207f6e940b5561bc8dd5f04ca68db90958e162ef4ad5aea742bca",
+    "sourceCodeHash": "0x35ef276cc6c8e33b09c957f3636c6dc98a961429d1cba4ca219b93fb1afb5864"
   },
   "src/L1/DataAvailabilityChallenge.sol:DataAvailabilityChallenge": {
     "initCodeHash": "0xacbae98cc7c0f7ecbf36dc44bbf7cb0a011e6e6b781e28b9dbf947e31482b30d",

packages/contracts-bedrock/lib/espresso-tee-contracts

@@ -61,4 +61,17 @@ contract BatchAuthenticator is ISemver, OwnableUpgradeable {
     function registerSigner(bytes calldata attestationTbs, bytes calldata signature) external {
         espressoTEEVerifier.registerSigner(attestationTbs, signature, IEspressoTEEVerifier.TeeType.NITRO);
     }
+
+    function registerSignerWithoutAttestationVerification(
+        bytes32 pcr0Hash,
+        bytes calldata attestationTbs,
+        bytes calldata signature,
+        address enclaveAddress
+    )
+        external
+    {
+        espressoTEEVerifier.espressoNitroTEEVerifier().registerSignerWithoutAttestationVerification(
+            pcr0Hash, attestationTbs, signature, enclaveAddress
+        );
+    }
 }