Add workload id as metric to builder

Author: avalonche

crates/op-rbuilder/src/flashtestations/attestation.rs

@@ -1,8 +1,22 @@
 use reqwest::Client;
+use sha3::{Digest, Keccak256};
 use tracing::info;
 
 const DEBUG_QUOTE_SERVICE_URL: &str = "http://ns31695324.ip-141-94-163.eu:10080/attest";
 
+// Automata serialized output structure constants
+// The output from Automata's verifyAndAttestOnChain has a 13-byte header:
+// quoteVersion (2 bytes) + tee (4 bytes) + tcbStatus (1 byte) + fmspcBytes (6 bytes)
+const SERIALIZED_OUTPUT_OFFSET: usize = 13;
+const TD_REPORT10_LENGTH: usize = 584;
+
+// TDX workload constants
+const TD_XFAM_FPU: u64 = 0x0000000000000001;
+const TD_XFAM_SSE: u64 = 0x0000000000000002;
+const TD_TDATTRS_VE_DISABLED: u64 = 0x0000000010000000;
+const TD_TDATTRS_PKS: u64 = 0x0000000040000000;
+const TD_TDATTRS_KL: u64 = 0x0000000080000000;
+
 /// Configuration for attestation
 #[derive(Default)]
 pub struct AttestationConfig {
@@ -63,3 +77,73 @@ pub fn get_attestation_provider(config: AttestationConfig) -> RemoteAttestationP
         )
     }
 }
+
+/// ComputeWorkloadID computes the workload ID from Automata's serialized verifier output
+/// This corresponds to QuoteParser.parseV4VerifierOutput in Solidity implementation
+/// https://github.com/flashbots/flashtestations/tree/7cc7f68492fe672a823dd2dead649793aac1f216
+/// The workload ID uniquely identifies a TEE workload based on its measurement registers
+pub fn compute_workload_id(serialized_output: &[u8]) -> eyre::Result<[u8; 32]> {
+    // Validate output length
+    if serialized_output.len() < SERIALIZED_OUTPUT_OFFSET + TD_REPORT10_LENGTH {
+        eyre::bail!(
+            "invalid output length: {}, expected at least {}",
+            serialized_output.len(),
+            SERIALIZED_OUTPUT_OFFSET + TD_REPORT10_LENGTH
+        );
+    }
+
+    // Skip the 13-byte header to get to the TD10ReportBody
+    let report_body = &serialized_output[SERIALIZED_OUTPUT_OFFSET..];
+
+    // Extract fields exactly as parseRawReportBody does in Solidity
+    // Using hardcoded offsets to match Solidity implementation exactly
+    let mr_td = &report_body[136..136 + 48];
+    let rt_mr0 = &report_body[328..328 + 48];
+    let rt_mr1 = &report_body[376..376 + 48];
+    let rt_mr2 = &report_body[424..424 + 48];
+    let rt_mr3 = &report_body[472..472 + 48];
+    let mr_config_id = &report_body[184..184 + 48];
+
+    // Extract xFAM and tdAttributes (8 bytes each)
+    // In Solidity, bytes8 is treated as big-endian for bitwise operations
+    let xfam = u64::from_be_bytes(report_body[128..128 + 8].try_into().unwrap());
+    let td_attributes = u64::from_be_bytes(report_body[120..120 + 8].try_into().unwrap());
+
+    // Apply transformations as per the Solidity implementation
+    // expectedXfamBits = TD_XFAM_FPU | TD_XFAM_SSE
+    let expected_xfam_bits = TD_XFAM_FPU | TD_XFAM_SSE;
+
+    // ignoredTdAttributesBitmask = TD_TDATTRS_VE_DISABLED | TD_TDATTRS_PKS | TD_TDATTRS_KL
+    let ignored_td_attributes_bitmask = TD_TDATTRS_VE_DISABLED | TD_TDATTRS_PKS | TD_TDATTRS_KL;
+
+    // Transform xFAM: xFAM ^ expectedXfamBits
+    let transformed_xfam = xfam ^ expected_xfam_bits;
+
+    // Transform tdAttributes: tdAttributes & ~ignoredTdAttributesBitmask
+    let transformed_td_attributes = td_attributes & !ignored_td_attributes_bitmask;
+
+    // Convert transformed values to bytes (big-endian, to match Solidity bytes8)
+    let xfam_bytes = transformed_xfam.to_be_bytes();
+    let td_attributes_bytes = transformed_td_attributes.to_be_bytes();
+
+    // Concatenate all fields
+    let mut concatenated = Vec::new();
+    concatenated.extend_from_slice(mr_td);
+    concatenated.extend_from_slice(rt_mr0);
+    concatenated.extend_from_slice(rt_mr1);
+    concatenated.extend_from_slice(rt_mr2);
+    concatenated.extend_from_slice(rt_mr3);
+    concatenated.extend_from_slice(mr_config_id);
+    concatenated.extend_from_slice(&xfam_bytes);
+    concatenated.extend_from_slice(&td_attributes_bytes);
+
+    // Compute keccak256 hash
+    let mut hasher = Keccak256::new();
+    hasher.update(&concatenated);
+    let result = hasher.finalize();
+
+    let mut workload_id = [0u8; 32];
+    workload_id.copy_from_slice(&result);
+
+    Ok(workload_id)
+}

crates/op-rbuilder/src/flashtestations/service.rs

@@ -13,7 +13,11 @@ use super::{
     tx_manager::TxManager,
 };
 use crate::{
-    flashtestations::builder_tx::{FlashtestationsBuilderTx, FlashtestationsBuilderTxArgs},
+    flashtestations::{
+        attestation::compute_workload_id,
+        builder_tx::{FlashtestationsBuilderTx, FlashtestationsBuilderTxArgs},
+    },
+    metrics::record_workload_id_metrics,
     tx_signer::{Signer, generate_key_from_seed, generate_signer},
 };
 use std::fmt::Debug;
@@ -74,6 +78,10 @@ where
     info!(target: "flashtestations", "requesting TDX attestation");
     let attestation = attestation_provider.get_attestation(report_data).await?;
 
+    // Compute workload id and record metrics
+    let workload_id = compute_workload_id(&attestation)?;
+    record_workload_id_metrics(workload_id);
+
     // Use an external rpc when the builder is not the same as the builder actively building blocks onchain
     let registered = if let Some(rpc_url) = args.rpc_url {
         let tx_manager = TxManager::new(

crates/op-rbuilder/src/metrics.rs

@@ -202,6 +202,15 @@ pub fn record_flag_gauge_metrics(builder_args: &OpRbuilderArgs) {
         .set(builder_args.enable_revert_protection as i32);
 }
 
+/// Set the workload id metrics
+pub fn record_workload_id_metrics(workload_id: [u8; 32]) {
+    let encoded = hex::encode(workload_id);
+    let encoded_static: &'static str = Box::leak(encoded.into_boxed_str());
+    let labels: [(&str, &str); 1] = [("workload_id", encoded_static)];
+    let gauge = gauge!("op_rbuilder_workload_id", &labels);
+    gauge.set(1);
+}
+
 /// Contains version information for the application.
 #[derive(Debug, Clone)]
 pub struct VersionInfo {