feat: enable TDX tasks support (#673)

Author: jbern0rd

gradle.properties

@@ -4,8 +4,8 @@ version=9.2.0
 iexecCommonsPocoVersion=5.4.0
 iexecCommonVersion=9.2.0
 iexecCommonsContainersVersion=2.0.0
-iexecResultVersion=9.0.0
-iexecSmsVersion=9.0.0
-iexecCoreVersion=9.0.0
+iexecResultVersion=9.1.0
+iexecSmsVersion=9.3.0
+iexecCoreVersion=9.2.1
 nexusUser
 nexusPassword

src/main/java/com/iexec/worker/chain/ContributionService.java

@@ -169,7 +169,8 @@ public Contribution getContribution(ComputedFile computedFile) {
         String enclaveChallenge = workerpoolAuthorization.getEnclaveChallenge();
         String enclaveSignature = computedFile.getEnclaveSignature();
 
-        if (iexecHubService.getTaskDescription(chainTaskId).requiresSgx()) {
+        final TaskDescription taskDescription = iexecHubService.getTaskDescription(chainTaskId);
+        if (taskDescription.requiresSgx() || taskDescription.requiresTdx()) {
             if (!enclaveAuthorizationService.isVerifiedEnclaveSignature(
                     chainTaskId, resultHash, resultSeal, enclaveSignature, enclaveChallenge)) {
                 log.error("Cannot get contribution with invalid enclave " +

src/main/java/com/iexec/worker/compute/ComputeManagerService.java

@@ -160,10 +160,10 @@ public boolean isAppDownloaded(String imageUri) {
      * @see PreComputeService#runTeePreCompute(TaskDescription)
      */
     public PreComputeResponse runPreCompute(final TaskDescription taskDescription) {
-        log.info("Running pre-compute [chainTaskId:{}, requiresSgx:{}]",
-                taskDescription.getChainTaskId(), taskDescription.requiresSgx());
+        log.info("Running pre-compute [chainTaskId:{}, requiresSgx:{}, requiresTdx:{}]",
+                taskDescription.getChainTaskId(), taskDescription.requiresSgx(), taskDescription.requiresTdx());
 
-        if (taskDescription.requiresSgx()) {
+        if (taskDescription.requiresSgx() || taskDescription.requiresTdx()) {
             return preComputeService.runTeePreCompute(taskDescription);
         }
         return PreComputeResponse.builder().build();
@@ -178,8 +178,8 @@ public PreComputeResponse runPreCompute(final TaskDescription taskDescription) {
      */
     public AppComputeResponse runCompute(final TaskDescription taskDescription) {
         final String chainTaskId = taskDescription.getChainTaskId();
-        log.info("Running compute [chainTaskId:{}, requiresSgx:{}]",
-                chainTaskId, taskDescription.requiresSgx());
+        log.info("Running compute [chainTaskId:{}, requiresSgx:{}, requiresTdx:{}]",
+                chainTaskId, taskDescription.requiresSgx(), taskDescription.requiresTdx());
 
         final AppComputeResponse appComputeResponse = appComputeService.runCompute(taskDescription);
 
@@ -211,11 +211,11 @@ private void writeLogs(String chainTaskId, String filename, String logs) {
      */
     public PostComputeResponse runPostCompute(final TaskDescription taskDescription) {
         final String chainTaskId = taskDescription.getChainTaskId();
-        log.info("Running post-compute [chainTaskId:{}, requiresSgx:{}]",
-                chainTaskId, taskDescription.requiresSgx());
+        log.info("Running post-compute [chainTaskId:{}, requiresSgx:{}, requiresTdx:{}]",
+                chainTaskId, taskDescription.requiresSgx(), taskDescription.requiresTdx());
 
         final PostComputeResponse postComputeResponse;
-        if (!taskDescription.requiresSgx()) {
+        if (!taskDescription.requiresSgx() && !taskDescription.requiresTdx()) {
             postComputeResponse = postComputeService.runStandardPostCompute(taskDescription);
         } else {
             postComputeResponse = postComputeService.runTeePostCompute(taskDescription);

src/main/java/com/iexec/worker/compute/app/AppComputeService.java

@@ -63,7 +63,7 @@ public AppComputeResponse runCompute(final TaskDescription taskDescription) {
 
         final List<String> env;
         final HostConfig hostConfig;
-        if (taskDescription.requiresSgx()) {
+        if (taskDescription.requiresSgx() || taskDescription.requiresTdx()) {
             final TeeService teeService = teeServicesManager.getTeeService(taskDescription.getTeeFramework());
             env = teeService.buildComputeDockerEnv(taskDescription);
             binds.addAll(teeService.getAdditionalBindings().stream().map(Bind::parse).toList());

src/main/java/com/iexec/worker/compute/post/PostComputeService.java

@@ -38,6 +38,7 @@
 import com.iexec.worker.tee.TeeServicesPropertiesService;
 import com.iexec.worker.workflow.WorkflowError;
 import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang3.StringUtils;
 import org.springframework.stereotype.Service;
 
 import java.io.IOException;
@@ -181,6 +182,10 @@ public PostComputeResponse runTeePostCompute(final TaskDescription taskDescripti
                 .withBinds(binds)
                 .withDevices(teeService.getDevices())
                 .withNetworkMode(workerConfigService.getDockerNetworkName());
+        // TDX specific config to access worker DNS from post-compute
+        if (taskDescription.requiresTdx() && !StringUtils.isBlank(workerConfigService.getDockerExtraHosts())) {
+            hostConfig.withExtraHosts(workerConfigService.getDockerExtraHosts());
+        }
         final DockerRunRequest request = DockerRunRequest.builder()
                 .hostConfig(hostConfig)
                 .chainTaskId(chainTaskId)

src/main/java/com/iexec/worker/compute/pre/PreComputeService.java

@@ -35,6 +35,7 @@
 import com.iexec.worker.tee.TeeServicesPropertiesService;
 import com.iexec.worker.workflow.WorkflowError;
 import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang3.StringUtils;
 import org.springframework.stereotype.Service;
 
 import java.time.Duration;
@@ -147,6 +148,10 @@ private Integer prepareTeeInputData(final TaskDescription taskDescription) throw
                 .withBinds(binds)
                 .withDevices(teeService.getDevices())
                 .withNetworkMode(workerConfigService.getDockerNetworkName());
+        // TDX specific config to access worker DNS from pre-compute
+        if (taskDescription.requiresTdx() && !StringUtils.isBlank(workerConfigService.getDockerExtraHosts())) {
+            hostConfig.withExtraHosts(workerConfigService.getDockerExtraHosts());
+        }
         final DockerRunRequest request = DockerRunRequest.builder()
                 .hostConfig(hostConfig)
                 .chainTaskId(chainTaskId)

src/main/java/com/iexec/worker/config/WorkerConfigurationService.java

@@ -41,6 +41,7 @@ public class WorkerConfigurationService {
     private Integer overrideAvailableCpuCount;
 
     @Value("${worker.gpu-enabled}")
+    @Getter
     private boolean isGpuEnabled;
 
     @Value("${worker.gas-price-multiplier}")
@@ -67,6 +68,10 @@ public class WorkerConfigurationService {
     @Getter
     private String dockerNetworkName;
 
+    @Value("${worker.docker-extra-hosts:}")
+    @Getter
+    private String dockerExtraHosts;
+
     @PostConstruct
     private void postConstruct() {
         if (overrideAvailableCpuCount != null && overrideAvailableCpuCount <= 0) {
@@ -75,10 +80,6 @@ private void postConstruct() {
         }
     }
 
-    public boolean isGpuEnabled() {
-        return isGpuEnabled;
-    }
-
     public String getWorkerBaseDir() {
         return workerBaseDir + File.separator + workerName;
     }

src/main/java/com/iexec/worker/result/ResultService.java

@@ -191,7 +191,7 @@ public String uploadResultAndGetLink(final WorkerpoolAuthorization workerpoolAut
         }
 
         // Cloud computing - tee
-        if (task.requiresSgx()) {
+        if (task.requiresSgx() || task.requiresTdx()) {
             log.info("Web2 storage, already uploaded (with tee) [chainTaskId:{}]", chainTaskId);
             return getWeb2ResultLink(task);
         }

src/main/java/com/iexec/worker/task/TaskManagerService.java

@@ -107,12 +107,12 @@ ReplicateActionResponse start(final TaskDescription taskDescription) {
         }
 
         // result encryption is not supported for standard tasks
-        if (!taskDescription.requiresSgx() && taskDescription.getDealParams().isIexecResultEncryption()) {
+        if (!taskDescription.requiresSgx() && !taskDescription.requiresTdx() && taskDescription.getDealParams().isIexecResultEncryption()) {
             return getFailureResponseAndPrintErrors(
                     List.of(new WorkflowError(TASK_DESCRIPTION_INVALID)), context, chainTaskId);
         }
 
-        if (taskDescription.requiresSgx()) {
+        if (taskDescription.requiresSgx() || taskDescription.requiresTdx()) {
             // If any TEE prerequisite is not met,
             // then we won't be able to run the task.
             // So it should be aborted right now.
@@ -195,7 +195,7 @@ ReplicateActionResponse downloadData(final TaskDescription taskDescription) {
         requireNonNull(taskDescription, "task description must not be null");
         final String chainTaskId = taskDescription.getChainTaskId();
         // Return early if TEE task
-        if (taskDescription.requiresSgx()) {
+        if (taskDescription.requiresSgx() || taskDescription.requiresTdx()) {
             log.info("Dataset and input files will be downloaded by the pre-compute enclave [chainTaskId:{}]", chainTaskId);
             return ReplicateActionResponse.success();
         }
@@ -256,7 +256,7 @@ ReplicateActionResponse compute(final TaskDescription taskDescription) {
                     List.of(new WorkflowError(APP_NOT_FOUND_LOCALLY)), context, chainTaskId);
         }
 
-        if (taskDescription.requiresSgx()) {
+        if (taskDescription.requiresSgx() || taskDescription.requiresTdx()) {
             final TeeService teeService = teeServicesManager.getTeeService(taskDescription.getTeeFramework());
             if (!teeService.prepareTeeForTask(chainTaskId)) {
                 return getFailureResponseAndPrintErrors(

src/main/java/com/iexec/worker/tee/TeeService.java

@@ -56,7 +56,7 @@ public List<WorkflowError> areTeePrerequisitesMetForTask(final String chainTaskI
             // If it can't be loaded, then we won't be able to run the task.
             smsService.getSmsClient(chainTaskId);
         } catch (SmsClientCreationException e) {
-            log.error("Couldn't get SmsClient [chainTaskId: {}]", chainTaskId, e);
+            log.error("Couldn't get SmsClient [chainTaskId:{}]", chainTaskId, e);
             return List.of(new WorkflowError(ReplicateStatusCause.UNKNOWN_SMS));
         }