hyperledger · munapower · Jan 7, 2025 · Jan 7, 2025 · Jan 7, 2025 · Jan 8, 2025
@@ -14,4 +14,27 @@
 |---|---|---|
 | Michael Steiner | g2flyer | [email protected] |
 
+## Special thanks to:
+
+### Initial Committers
+
+- [Marcus Brandenburger](https://github.com/mbrandenburger) ([email protected])
+- [Christian Cachin](https://github.com/cca88) ([email protected])
+- [Rüdiger Kapitza](https://github.com/rrkapitz) ([email protected])
+- [Alessandro Sorniotti](https://github.com/ale-linux) ([email protected])
+
+
+### Core Team FPC 1.0
+- [Mic Bowman](https://github.com/cmickeyb) ([email protected])
+- [Marcus Brandenburger](https://github.com/mbrandenburger) ([email protected])
+- [Jeb Linton](https://github.com/jrlinton) ([email protected])
+- [Michael Steiner](https://github.com/g2flyer) ([email protected])
+- [Bruno Vavala](https://github.com/bvavala) ([email protected])
+
+
+### Sponsor
+
+[Gari Singh](https://github.com/mastersingh24) ([email protected])
+
+
 <a rel="license" href="http://creativecommons.org/licenses/by/4.0/"><img alt="Creative Commons License" style="border-width:0" src="https://i.creativecommons.org/l/by/4.0/88x31.png" /></a><br />This work is licensed under a <a rel="license" href="http://creativecommons.org/licenses/by/4.0/">Creative Commons Attribution 4.0 International License</a>
@@ -0,0 +1,26 @@
+### Design
+
+More detailed architectural information and overview of the protocols can be found in the [Fabric Private Chaincode RFC](https://github.com/hyperledger/fabric-rfcs/blob/main/text/0000-fabric-private-chaincode-1.0.md).
+
+The full detailed operation of FPC is documented in a series of UML
+Sequence Diagrams. Note that FPC version 1.x corresponds to `FPC Lite`
+in documents and code.
+
+Specifically:
+
+- The `fpc-lifecycle-v2`([puml](docs/design/fabric-v2%2B/fpc-lifecycle-v2.puml)) diagram describes the normal lifecycle of a chaincode in FPC, focusing in particular on those elements that change in FPC vs. regular Fabric.
+- The `fpc-registration`([puml](docs/design/fabric-v2%2B/fpc-registration.puml)) diagram describes how an FPC Chaincode Enclave is created on a Peer and registered in the FPC Registry, including the Remote Attestation process.
+- The `fpc-key-dist`([puml](docs/design/fabric-v2%2B/fpc-key-dist.puml)) diagram describes the process by which chaincode-unique cryptographic keys are created and distributed among enclaves running identical chaincodes. Note that in the current version of FPC, key generation is performed, but the key distribution protocol has not yet been implemented.
+- The `fpc-cc-invocation`([puml](docs/design/fabric-v2%2B/fpc-cc-invocation.puml)) diagram illustrates the invocation process at the beginning of the chaincode lifecycle in detail, focusing on the cryptographic operations between the Client and Peer leading up to submission of a transaction for Ordering.
+- The `fpc-cc-execution`([puml](docs/design/fabric-v2%2B/fpc-cc-execution.puml)) diagram provides further detail of the execution phase of an FPC chaincode, focusing in particular on the `getState` and `putState` interactions with the Ledger.
+- The `fpc-validation`([puml](docs/design/fabric-v2%2B/fpc-validation.puml)) diagram describes the FPC-specific process of validation.
+- The `fpc-components`([puml](docs/design/fabric-v2%2B/fpc-components.puml)) diagram shows the important data structures of FPC components and messages exchanged between components.
+- The detailed message definitions can be found as [protobufs](protos/fpc).
+- The [interfaces document](docs/design/fabric-v2%2B/interfaces.md) defines the interfaces exposed by the FPC components and their internal state.
+
+Additional Google documents provide details on FPC 1.0:
+
+- The [FPC for Health use case](https://docs.google.com/document/d/1jbiOY6Eq7OLpM_s3nb-4X4AJXROgfRHOrNLQDLxVnsc/) describes how FPC 1.0 enables a health care use case.
+  The document also gives more details on the FPC 1.0-enabled application domains and related constraints. Lastly, it provides a security analysis why these constraints are sufficient for security.
+- The [FPC externalized endorsement validation](https://docs.google.com/document/d/1RSrOfI9nh3d_DxT5CydvCg9lVNsZ9a30XcgC07in1BY/) describes the FPC 1.0 enclave endorsement validation mechanism.
+
@@ -0,0 +1,35 @@
+#### Details - Intel SGX Attestation Support
+
+Note that the simulation mode is for developing purpose only and does
+not provide any security guarantees.
+
+As mentioned before, by default the project builds in SGX simulation mode, `SGX_MODE=SIM` as defined in `$FPC_PATH/config.mk` and you can
+explicitly opt for building in hardware-mode SGX, `SGX_MODE=HW`. In order to set non-default values for install
+location, or for building in hardware-mode SGX, you can create the file `$FPC_PATH/config.override.mk` and override the default
+values by defining the corresponding environment variable.
+
+Note that you can always come back here when you want a setup with SGX
+hardware-mode later after having tested with simulation mode.
+
+#### Register with Intel Attestation Service (IAS)
+
+If you run SGX in __simulation mode only__, you can skip this section.
+We currently support EPID-based attestation and  use the Intel's
+Attestation Service to perform attestation with chaincode enclaves.
+
+What you need:
+* a Service Provider ID (SPID)
+* the (primary) api-key associated with your SPID
+
+In order to use Intel's Attestation Service (IAS), you need to register
+with Intel. On the [IAS EPID registration page](https://api.portal.trustedservices.intel.com/EPID-attestation)
+you can find more details on how to register and obtain your SPID plus corresponding api-key.
+We currently support both `linkable` and `unlinkable` signatures for the attestation.
+
+Place your ias api key and your SPID in the `ias` folder as follows:
+```bash
+echo 'YOUR_API_KEY' > $FPC_PATH/config/ias/api_key.txt
+echo 'YOUR_SPID_TYPE' > $FPC_PATH/config/ias/spid_type.txt
+echo 'YOUR_SPID' > $FPC_PATH/config/ias/spid.txt
+```
+where `YOUR_SPID_TYPE` must be `epid-linkable` or `epid-unlinkable`, depending on the type of your subscription.
@@ -0,0 +1,23 @@
+In your `config.override.mk` set the following to variables:
+```Makefile
+FPC_CCENV_IMAGE=ubuntu:22.04
+ERCC_GOTAGS=
+```
+This configuration sets a standard Ubuntu image as alternative to our `fabric-private-chaincode-ccenv` image and overrides the default build tags we use to build `ercc`.
+
+Next you can build `ercc` using the following command:
+```bash
+GOOS=linux make -C $FPC_PATH/ercc build docker
+```
+
+For building a chaincode, for instance `$FPC_PATH/samples/chaincode/kv-test-go`, just run: 
+```bash
+GOOS=linux make -C $FPC_PATH/samples/chaincode/kv-test-go with_go docker
+```
+
+You can test your FPC chaincode easily with one of the [sample deployments](samples/deployment) tutorials.
+We recommend to start with [the-simple-testing-network](samples/deployment/fabric-smart-client/the-simple-testing-network).
+
+Notes:
+- On Mac use a recent version of bash (`brew install bash`).
+- TODO more to come
@@ -0,0 +1,29 @@
+### Management API
+
+While the management API for Fabric is mostly unchanged, some modifications are needed for FPC to work.
+In particular, FPC extends the Fabric's lifecycle API with additional commands to create an FPC enclave and handle the key provisioning.
+These are detailed separately in the **[FPC Management API document](docs/design/fabric-v2%2B/fpc-management.md)**
+
+### FPC Shim
+
+The FPC Shim follows the programming model used in the standard Fabric Go shim and offers a C++ based FPC Shim to FPC chaincode developers. It currently comprises only a subset of the standard Fabric Shim and is complemented in the future.
+These details are documented separately in the Shim header file itself: **[`ecc_enclave/enclave/shim.h`](ecc_enclave/enclave/shim.h)**
+
+*Important*: The initial version of FPC, FPC 1.0 (aka FPC Lite), has a
+few constraints in applicability and programming model.  Hence, study carefully the
+[section discussing this in the FPC RFC](https://github.com/hyperledger/fabric-rfcs/blob/main/text/0000-fabric-private-chaincode-1.0.md#fpc-10-application-domain)
+and the comments at the top of [`shim.h`](ecc_enclave/enclave/shim.h)
+before designing, implementing and deploying an FPC-based solution.
+<!-- could also mention
+	[FPC for Health use  case](https://docs.google.com/document/d/1jbiOY6Eq7OLpM_s3nb-4X4AJXROgfRHOrNLQDLxVnsc/)
+-->
+
+
+### FPC Client SDK
+
+In order to interact with a FPC chaincode you can use the FPC Client SDK for Go or use the Peer CLI tool provided with FPC.
+Both make FPC related client-side encryption and decryption transparent to the user, i.e., client-side programming is mostly standard Fabric and agnostic to FPC.
+
+The FPC Client SDK for Go is located in [client_sdk/go](client_sdk/go). See also [Godocs](https://pkg.go.dev/github.com/hyperledger/fabric-private-chaincode/client_sdk/go/).
+
+For the command-line invocations, use the **`$FPC_PATH/fabric/bin/peer.sh`** wrapper script. We refer to our integration tests for usage examples.
@@ -0,0 +1,63 @@
+In this section we explain how to set up a Docker-based development environment that allows you to develop and test FPC chaincode.
+The docker images come with all necessary software dependencies and allow you a quick start.
+We recommend to set privileges to manage docker as a non-root user. See the
+official docker [documentation](https://docs.docker.com/install/linux/linux-postinstall/)
+for more details.
+
+First make sure your host has
+* Docker v23.0 (or higher).
+  It also should use `/var/run/docker.sock` as socket to interact with the daemon (or you
+  will have to override in `$FPC_PATH/config.override.mk` the default definition in make of `DOCKER_DAEMON_SOCKET`)
+* GNU make
+
+Once you have cloned the repository, you can either use the pre-built images or you can manually build them. After that you will start the development container.
+
+#### Pull docker images
+To pull the docker image execute the following:
+```bash
+make -C $FPC_PATH/utils/docker pull pull-dev 
+```
+#### Manually build docker images
+In order to build the development image manually you can use the following commands. Note that this process may take some time.
+```bash
+make -C $FPC_PATH/utils/docker build build-dev 
+```
+#### Start the dev container
+Next we will open a shell inside the FPC development container, with environment variables like `$FPC_PATH` appropriately defined and all dependencies like the Intel SGX SDK, ready to build and run FPC.
+Continue with the following command:
+
+```bash
+make -C $FPC_PATH/utils/docker run-dev
+```
+
+Note that by default the dev container mounts your local cloned FPC project as a volume to `/project/src/github.com/hyperledger/fabric-private-chaincode` within the docker container.
+This allows you to edit the content of the repository using your favorite editor in your system and the changes inside the docker container. Additionally, you are also not loosing changes inside the container when you reboot or the container gets stopped for other reasons.
+
+A few more notes:
+* We use Ubuntu 22.04 by default.
+  To build also docker images with a different version of Ubuntu, add the following to `$FPC_PATH/config.override.mk`.
+  ```bash
+  DOCKER_BUILD_OPTS=--build-arg UBUNTU_VERSION=18.04 --build-arg UBUNTU_NAME=bionic
+  ```
+* If you run behind a proxy, you will have to configure the proxy,
+  e.g., for docker (`~/.docker/config.json`) and load the configuration inside the dev container by setting `DOCKER_DEV_RUN_OPTS += -v "$HOME/.docker":"/root/.docker"` in `$FPC_PATH/config.override.mk`.
+  See [Working from behind a proxy](#working-from-behind-a-proxy) below for more information. Also note that with newer docker versions (i.e., docker desktop), the docker socket is located on the host in `~/.docker/`. This may cause issues when using docker inside the FPC dev container as the docker client is not able to access the docker socket at the path of the host system. You may try to switch the docker context to use `/var/run/docker.sock`. We do not recommend this approach and happy for suggestions.
+* If your local host is SGX enabled, i.e., there is a device `/dev/sgx/enclave` or
+  `/dev/isgx` and your PSW daemon listens to `/var/run/aesmd`, then the docker image will be sgx-enabled and your settings from `./config/ias` will be used. You will have to manually set `SGX_MODE=HW` before building anything to use HW mode.
+* If you want additional apt packages to be automatically added to your
+  container images, you can do so by modifying `$FPC_PATH/config.override.mk` file in the fabric-private-chaincode directory.
+  In that file, define
+  `DOCKER_BASE_RT_IMAGE_APT_ADD_PKGS`,
+  `DOCKER_BASE_DEV_IMAGE_APT_ADD_PKGS'`and/or
+  `DOCKER_DEV_IMAGE_APT_ADD_PKGS` with a list of packages you want to be added to you
+  all images,
+  all images where fabric/fpc is built from source and
+  the dev(eloper) container, respectively.
+  They will then be automatically added to the docker image.
+* Due to the way the peer's port for chaincode connection is managed,
+  you will be able to run only a single FPC development container on a
+  particular host.
+* For support for Apple Mac (M1 or newer) see the [Troubleshooting](#troubleshooting) section.
+
+Now you are ready to start development *within* the container. Continue with building FPC as described in the [Build Fabric Private Chaincode
+](../README.md#build-fabric-private-chaincode) Section and then write [your first Private Chaincode](../README.md#your-first-private-chaincode).
@@ -0,0 +1,108 @@
+
+#### Requirements
+
+Make sure that you have the following required dependencies installed:
+* Linux (OS) (we recommend Ubuntu 22.04, see [list](https://github.com/intel/linux-sgx#prerequisites) supported OS)
+
+* CMake v3.5.1 or higher
+
+* [Go](https://golang.org/) 1.21.x or higher
+
+* Docker 18.09 (or higher) and docker-compose 1.25.x (or higher)
+  Note that version from Ubuntu 18.04 is not recent enough!  To upgrade, install a recent version following the instructions from [docker.com](https://docs.docker.com/compose/install/), e.g., for version 1.25.4 execute	
+  ```bash	
+  sudo curl -L "https://github.com/docker/compose/releases/download/1.25.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose	
+  sudo chmod +x /usr/local/bin/docker-compose
+  ```
+
+  To install docker-componse 1.25.4 from [docker.com](https://docs.docker.com/compose/install/), execute
+  ```bash
+  sudo curl -L "https://github.com/docker/compose/releases/download/1.25.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
+  sudo chmod +x /usr/local/bin/docker-compose
+  ``` 
+
+* yq v4.x
+  You can install `yq` via `go get`.
+  ```bash
+    go get github.com/mikefarah/yq/v4
+  ```
+
+* Protocol Buffers
+    - Protocol Buffers 3.0.x needed for the Intel SGX SDK
+    - Protocol Buffers 3.11.x or higher and [Nanopb](http://github.com/nanopb/nanopb) 0.4.7
+
+* SGX PSW & SDK v2.22 for [Linux](https://01.org/intel-software-guard-extensions/downloads)
+  (alternatively, you could also install it from the [source](https://github.com/intel/linux-sgx)
+
+* Credentials for Intel Attestation Service, read [here](#intel-attestation-service-ias) (for hardware-mode SGX)
+
+* [Intel Software Guard Extensions SSL](https://github.com/intel/intel-sgx-ssl)
+  (we recommend using tag `3.0_Rev2` OpenSSL `3.0.12`)
+
+* Hyperledger [Fabric](https://github.com/hyperledger/fabric/tree/v2.5.9) v2.5.9
+
+* Clang-format 6.x or higher
+
+* jq
+
+* hex (for Ubuntu, found in package basez)
+
+* A recent version of [PlantUML](http://plantuml.com/), including Graphviz, for building documentation. See [Documentation](#building-documentation) for our recommendations on installing. The version available in common package repositories may be out of date.
+
+#### Intel SGX SDK and SSL
+
+Fabric Private Chaincode requires the Intel [SGX SDK](https://github.com/intel/linux-sgx) and
+[SGX SSL](https://github.com/intel/intel-sgx-ssl) to build the main components of our framework and to develop and build
+your first private chaincode.
+
+Install the Intel SGX software stack for Linux by following the
+official [documentation](https://github.com/intel/linux-sgx). Please make sure that you use the
+SDK version as denoted above in the list of requirements.
+
+For SGX SSL, just follow the instructions on the [corresponding
+github page](https://github.com/intel/intel-sgx-ssl). In case you are
+building for simulation mode only and do not have HW support, you
+might also want to make sure that [simulation mode is set](https://github.com/intel/intel-sgx-ssl#available-make-flags)
+when building and installing it.
+
+Once you have installed the SGX SDK and SSL for SGX SDK please double check that `SGX_SDK` and `SGX_SSL` variables
+are set correctly in your environment.
+
+
+#### Protocol Buffers
+
+We use *nanopb*, a lightweight implementation of Protocol Buffers, inside the enclaves to parse blocks of
+transactions. Install nanopb by following the instruction below. For this you need a working Google Protocol Buffers
+compiler with python bindings (e.g. via `apt-get install protobuf-compiler python3-protobuf libprotobuf-dev`).
+For more detailed information consult the official nanopb documentation http://github.com/nanopb/nanopb.
+```bash
+export NANOPB_PATH=/path-to/install/nanopb/
+git clone https://github.com/nanopb/nanopb.git $NANOPB_PATH
+cd $NANOPB_PATH
+git checkout nanopb-0.4.7
+cd generator/proto && make
+```
+
+Make sure that you set `$NANOPB_PATH` as it is needed to build Fabric Private Chaincode.
+
+Moreover, in order to build Fabric protobufs we also require a newer Protobuf compiler than what is provided as standard Ubuntu package and is used to build the
+Intel SGX SDK. For this reason you will have to download and install another version and use it together with Nanopb. Do not install the new protobuf, though, such that it is not found in your standard PATH but instead define the `PROTOC_CMD`, either as environment variable or via `config.override.mk` to point to the new `protoc` binary
+```bash
+wget https://github.com/protocolbuffers/protobuf/releases/download/v22.3/protoc-22.3-linux-x86_64.zip
+unzip protoc-22.3-linux-x86_64.zip -d /usr/local/proto3
+export PROTOC_CMD=/usr/local/proto3/bin/protoc
+```
+
+#### Hyperledger Fabric
+
+Our project fetches the latest supported Fabric binaries during the build process automatically.
+However, if you want to use your own Fabric binaries, please checkout Fabric 2.5.9 release using the following commands:
+```bash
+export FABRIC_PATH=$GOPATH/src/github.com/hyperledger/fabric
+git clone https://github.com/hyperledger/fabric.git $FABRIC_PATH
+cd $FABRIC_PATH; git checkout tags/v2.5.9
+```
+
+Note that Fabric Private Chaincode may not work with the Fabric `main` branch.
+Therefore, make sure you use the Fabric `v2.5.9` tag.
+Make sure the source of Fabric is in your `$GOPATH`.