PVF: Add Secure Validator Mode (#2486)

Co-authored-by: Javier Viola <[email protected]>

.gitlab/pipeline/zombienet.yml

@@ -1,7 +1,7 @@
 .zombienet-refs:
   extends: .build-refs
   variables:
-    ZOMBIENET_IMAGE: "docker.io/paritytech/zombienet:v1.3.83"
+    ZOMBIENET_IMAGE: "docker.io/paritytech/zombienet:v1.3.86"
 
 include:
   # substrate tests

cumulus/client/relay-chain-inprocess-interface/src/lib.rs

@@ -291,6 +291,7 @@ fn build_polkadot_full_node(
 
 			// Cumulus doesn't spawn PVF workers, so we can disable version checks.
 			node_version: None,
+			secure_validator_mode: false,
 			workers_path: None,
 			workers_names: None,
 

polkadot/cli/Cargo.toml

@@ -15,6 +15,7 @@ wasm-opt = false
 crate-type = ["cdylib", "rlib"]
 
 [dependencies]
+cfg-if = "1.0"
 clap = { version = "4.4.10", features = ["derive"], optional = true }
 log = "0.4.17"
 thiserror = "1.0.48"

polkadot/cli/src/cli.rs

@@ -88,6 +88,12 @@ pub struct RunCmd {
 	#[arg(long)]
 	pub no_beefy: bool,
 
+	/// Allows a validator to run insecurely outside of Secure Validator Mode. Security features
+	/// are still enabled on a best-effort basis, but missing features are no longer required. For
+	/// more information see <https://github.com/w3f/polkadot-wiki/issues/4881>.
+	#[arg(long = "insecure-validator-i-know-what-i-do", requires = "validator")]
+	pub insecure_validator: bool,
+
 	/// Enable the block authoring backoff that is triggered when finality is lagging.
 	#[arg(long)]
 	pub force_authoring_backoff: bool,

polkadot/cli/src/command.rs

@@ -238,6 +238,8 @@ where
 	let node_version =
 		if cli.run.disable_worker_version_check { None } else { Some(NODE_VERSION.to_string()) };
 
+	let secure_validator_mode = cli.run.base.validator && !cli.run.insecure_validator;
+
 	runner.run_node_until_exit(move |config| async move {
 		let hwbench = (!cli.run.no_hardware_benchmarks)
 			.then_some(config.database.path().map(|database_path| {
@@ -256,6 +258,7 @@ where
 				jaeger_agent,
 				telemetry_worker_handle: None,
 				node_version,
+				secure_validator_mode,
 				workers_path: cli.run.workers_path,
 				workers_names: None,
 				overseer_gen,

polkadot/node/core/candidate-validation/src/lib.rs

@@ -88,6 +88,8 @@ pub struct Config {
 	pub artifacts_cache_path: PathBuf,
 	/// The version of the node. `None` can be passed to skip the version check (only for tests).
 	pub node_version: Option<String>,
+	/// Whether the node is attempting to run as a secure validator.
+	pub secure_validator_mode: bool,
 	/// Path to the preparation worker binary
 	pub prep_worker_path: PathBuf,
 	/// Path to the execution worker binary
@@ -133,12 +135,19 @@ async fn run<Context>(
 	mut ctx: Context,
 	metrics: Metrics,
 	pvf_metrics: polkadot_node_core_pvf::Metrics,
-	Config { artifacts_cache_path, node_version, prep_worker_path, exec_worker_path }: Config,
+	Config {
+		artifacts_cache_path,
+		node_version,
+		secure_validator_mode,
+		prep_worker_path,
+		exec_worker_path,
+	}: Config,
 ) -> SubsystemResult<()> {
 	let (validation_host, task) = polkadot_node_core_pvf::start(
 		polkadot_node_core_pvf::Config::new(
 			artifacts_cache_path,
 			node_version,
+			secure_validator_mode,
 			prep_worker_path,
 			exec_worker_path,
 		),

polkadot/node/core/pvf/Cargo.toml

@@ -19,6 +19,7 @@ pin-project = "1.0.9"
 rand = "0.8.5"
 slotmap = "1.0"
 tempfile = "3.3.0"
+thiserror = "1.0.31"
 tokio = { version = "1.24.2", features = ["fs", "process"] }
 
 parity-scale-codec = { version = "3.6.1", default-features = false, features = ["derive"] }

polkadot/node/core/pvf/benches/host_prepare_rococo_runtime.rs

@@ -28,6 +28,8 @@ use tokio::{runtime::Handle, sync::Mutex};
 const TEST_PREPARATION_TIMEOUT: Duration = Duration::from_secs(30);
 
 struct TestHost {
+	// Keep a reference to the tempdir as it gets deleted on drop.
+	cache_dir: tempfile::TempDir,
 	host: Mutex<ValidationHost>,
 }
 
@@ -42,13 +44,14 @@ impl TestHost {
 		let mut config = Config::new(
 			cache_dir.path().to_owned(),
 			None,
+			false,
 			prepare_worker_path,
 			execute_worker_path,
 		);
 		f(&mut config);
 		let (host, task) = start(config, Metrics::default()).await.unwrap();
 		let _ = handle.spawn(task);
-		Self { host: Mutex::new(host) }
+		Self { host: Mutex::new(host), cache_dir }
 	}
 
 	async fn precheck_pvf(

polkadot/node/core/pvf/common/src/lib.rs

@@ -33,6 +33,7 @@ const LOG_TARGET: &str = "parachain::pvf-common";
 
 pub const RUNTIME_VERSION: &str = env!("SUBSTRATE_WASMTIME_VERSION");
 
+use parity_scale_codec::{Decode, Encode};
 use std::{
 	io::{self, Read, Write},
 	mem,
@@ -47,8 +48,11 @@ pub mod tests {
 }
 
 /// Status of security features on the current system.
-#[derive(Debug, Clone, Default, PartialEq, Eq)]
+#[derive(Debug, Clone, Default, PartialEq, Eq, Encode, Decode)]
 pub struct SecurityStatus {
+	/// Whether Secure Validator Mode is enabled. This mode enforces that all required security
+	/// features are present. All features are enabled on a best-effort basis regardless.
+	pub secure_validator_mode: bool,
 	/// Whether the landlock features we use are fully available on this system.
 	pub can_enable_landlock: bool,
 	/// Whether the seccomp features we use are fully available on this system.
@@ -57,6 +61,12 @@ pub struct SecurityStatus {
 	pub can_unshare_user_namespace_and_change_root: bool,
 }
 
+/// A handshake with information for the worker.
+#[derive(Debug, Encode, Decode)]
+pub struct WorkerHandshake {
+	pub security_status: SecurityStatus,
+}
+
 /// Write some data prefixed by its length into `w`. Sync version of `framed_send` to avoid
 /// dependency on tokio.
 pub fn framed_send_blocking(w: &mut (impl Write + Unpin), buf: &[u8]) -> io::Result<()> {