Merge branch 'main' into ci/update

Author: aquint-zama

.github/actions/gpu_setup/action.yml

@@ -0,0 +1,63 @@
+name: Setup Cuda
+description: Setup Cuda on Hyperstack or GitHub instance
+
+inputs:
+  cuda-version:
+    description: Version of Cuda to use
+    required: true
+  gcc-version:
+    description: Version of GCC to use
+    required: true
+  cmake-version:
+    description: Version of cmake to use
+    default: 3.29.6
+  github-instance:
+    description: Instance is hosted on GitHub
+    default: 'false'
+
+runs:
+  using: "composite"
+  steps:
+    # Mandatory on hyperstack since a bootable volume is not re-usable yet.
+    - name: Install dependencies
+      shell: bash
+      run: |
+        sudo apt update
+        curl -fsSL https://apt.kitware.com/keys/kitware-archive-latest.asc | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/kitware.gpg
+        sudo chmod 644 /etc/apt/trusted.gpg.d/kitware.gpg
+        echo 'deb [signed-by=/etc/apt/trusted.gpg.d/kitware.gpg] https://apt.kitware.com/ubuntu/ jammy main' | sudo tee /etc/apt/sources.list.d/kitware.list >/dev/null
+        sudo apt update
+        sudo apt install -y cmake cmake-format libclang-dev
+
+    - name: Install CUDA
+      if: inputs.github-instance == 'true'
+      shell: bash
+      run: |
+        TOOLKIT_VERSION="$(echo ${{ inputs.cuda-version }} | sed 's/\(.*\)\.\(.*\)/\1-\2/')"
+        wget https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2204/x86_64/cuda-keyring_1.1-1_all.deb
+        sudo dpkg -i cuda-keyring_1.1-1_all.deb
+        sudo apt update
+        sudo apt -y install cuda-toolkit-${TOOLKIT_VERSION}
+
+    - name: Export CUDA variables
+      shell: bash
+      run: |
+        CUDA_PATH=/usr/local/cuda-${{ inputs.cuda-version }}
+        echo "CUDA_PATH=$CUDA_PATH" >> "${GITHUB_ENV}"
+        echo "PATH=$PATH:$CUDA_PATH/bin" >> "${GITHUB_PATH}"
+        echo "LD_LIBRARY_PATH=$CUDA_PATH/lib64:$LD_LIBRARY_PATH" >> "${GITHUB_ENV}"
+        echo "CUDA_MODULE_LOADER=EAGER" >> "${GITHUB_ENV}"
+
+    # Specify the correct host compilers
+    - name: Export gcc and g++ variables
+      shell: bash
+      run: |
+        {
+          echo "CC=/usr/bin/gcc-${{ inputs.gcc-version }}";
+          echo "CXX=/usr/bin/g++-${{ inputs.gcc-version }}";
+          echo "CUDAHOSTCXX=/usr/bin/g++-${{ inputs.gcc-version }}";
+        } >> "${GITHUB_ENV}"
+
+    - name: Check device is detected
+      shell: bash
+      run: nvidia-smi

.github/workflows/gpu-tests.yml

@@ -0,0 +1,197 @@
+# Compile and test fhevm-backend on a single L40 GPU, on hyperstack
+name: GPU backend tests (L40)
+
+env:
+  CARGO_TERM_COLOR: always
+  ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+  RUSTFLAGS: "-C target-cpu=native"
+  RUST_BACKTRACE: "full"
+  RUST_MIN_STACK: "8388608"
+  IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' }}
+  CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN || secrets.GITHUB_TOKEN }}
+  # Secrets will be available only to zama-ai organization members
+  SECRETS_AVAILABLE: ${{ secrets.JOB_SECRET != '' }}
+
+on:
+  # Allows you to run this workflow manually from the Actions tab as an alternative.
+  workflow_dispatch:
+  pull_request:
+    paths:
+      - fhevm-engine/Cargo.toml
+      - fhevm-engine/coprocessor/Cargo.toml
+      - fhevm-engine/coprocessor/build.rs
+      - fhevm-engine/coprocessor/src/**
+      - fhevm-engine/executor/Cargo.toml
+      - fhevm-engine/executor/build.rs
+      - fhevm-engine/executor/src/**
+      - fhevm-engine/scheduler/src/**
+      - fhevm-engine/scheduler/Cargo.toml
+      - fhevm-engine/scheduler/build.rs
+      - proto/**
+      - '.github/workflows/gpu-tests.yml'
+      - ci/slab.toml
+  push:
+    branches:
+      - main
+    paths:
+      - fhevm-engine/Cargo.toml
+      - fhevm-engine/coprocessor/Cargo.toml
+      - fhevm-engine/coprocessor/build.rs
+      - fhevm-engine/coprocessor/src/**
+      - fhevm-engine/executor/Cargo.toml
+      - fhevm-engine/executor/build.rs
+      - fhevm-engine/executor/src/**
+      - fhevm-engine/scheduler/src/**
+      - fhevm-engine/scheduler/Cargo.toml
+      - fhevm-engine/scheduler/build.rs
+      - proto/**
+      - '.github/workflows/gpu-tests.yml'
+      - ci/slab.toml
+
+jobs:
+  should-run:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
+    outputs:
+      gpu_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.gpu_any_changed }}
+    steps:
+      - name: Checkout fhevm-backend
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          fetch-depth: 0
+          persist-credentials: 'false'
+          token: ${{ env.CHECKOUT_TOKEN }}
+
+      - name: Check for file changes
+        id: changed-files
+        uses: tj-actions/changed-files@dcc7a0cba800f454d79fff4b993e8c3555bcc0a8
+        with:
+          files_yaml: |
+            gpu:
+              - fhevm-engine/Cargo.toml
+              - fhevm-engine/coprocessor/Cargo.toml
+              - fhevm-engine/coprocessor/build.rs
+              - fhevm-engine/coprocessor/src/**
+              - fhevm-engine/executor/Cargo.toml
+              - fhevm-engine/executor/build.rs
+              - fhevm-engine/executor/src/**
+              - fhevm-engine/scheduler/src/**
+              - fhevm-engine/scheduler/Cargo.toml
+              - fhevm-engine/scheduler/build.rs
+              - proto/**
+              - '.github/workflows/gpu-tests.yml'
+              - ci/slab.toml
+
+  setup-instance:
+    name: Setup instance (fhevm-backend GPU tests - L40)
+    needs: should-run
+    if: github.event_name == 'workflow_dispatch' ||
+      needs.should-run.outputs.gpu_test == 'true'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      runner-name: ${{ steps.start-remote-instance.outputs.label }}
+    steps:
+      - name: Start remote instance
+        id: start-remote-instance
+        if: env.SECRETS_AVAILABLE == 'true'
+        uses: zama-ai/slab-github-runner@79939325c3c429837c10d6041e4fd8589d328bac
+        with:
+          mode: start
+          github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
+          slab-url: ${{ secrets.SLAB_BASE_URL }}
+          job-secret: ${{ secrets.JOB_SECRET }}
+          backend: hyperstack
+          profile: l40
+
+  fhevm-backend-gpu:
+    name: fhevm-backend GPU tests - L40
+    needs: [ should-run, setup-instance ]
+    if: github.event_name != 'pull_request' ||
+      (github.event_name == 'pull_request' && needs.setup-instance.result != 'skipped')
+    concurrency:
+      group: ${{ github.workflow }}_${{ github.head_ref || github.ref }}
+      cancel-in-progress: true
+    runs-on: ${{ needs.setup-instance.outputs.runner-name }}
+    permissions:
+      contents: read
+    strategy:
+      fail-fast: false
+      # explicit include-based build matrix, of known valid options
+      matrix:
+        include:
+          - os: ubuntu-22.04
+            cuda: "12.2"
+            gcc: 11 
+    steps:
+      - name: Checkout fhevm-backend
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          persist-credentials: 'false'
+          token: ${{ env.CHECKOUT_TOKEN }}
+          lfs: true
+
+      - name: Checkout LFS objects
+        run: git lfs checkout
+
+      - name: Setup Hyperstack dependencies
+        uses: ./.github/actions/gpu_setup
+        with:
+          cuda-version: ${{ matrix.cuda }}
+          gcc-version: ${{ matrix.gcc }}
+          github-instance: ${{ env.SECRETS_AVAILABLE == 'false' }}
+
+      - name: Install latest stable
+        uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203
+        with:
+          toolchain: stable
+
+      - name: Install cargo dependencies
+        run: |
+          sudo apt-get install -y protobuf-compiler && \
+          cargo install sqlx-cli
+
+      - name: Install foundry
+        uses: foundry-rs/foundry-toolchain@de808b1eea699e761c404bda44ba8f21aba30b2c
+
+      - name: Cache cargo
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            target
+          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: ${{ runner.os }}-cargo-
+
+      - name: Init database
+        run: make init_db
+        working-directory: fhevm-engine/coprocessor
+
+      - name: Run tests on GPU
+        run: |
+          date
+          #DATABASE_URL=postgresql://postgres:postgres@localhost:5432/coprocessor cargo test --release --features=gpu -- --test-threads=1
+        working-directory: fhevm-engine
+
+
+  teardown-instance:
+    name: Teardown instance (fhevm-backend-gpu L40 test)
+    if: ${{ always() && needs.setup-instance.result == 'success' }}
+    needs: [ setup-instance, fhevm-backend-gpu ]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Stop remote instance
+        id: stop-instance
+        if: env.SECRETS_AVAILABLE == 'true'
+        uses: zama-ai/slab-github-runner@79939325c3c429837c10d6041e4fd8589d328bac
+        with:
+          mode: stop
+          github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
+          slab-url: ${{ secrets.SLAB_BASE_URL }}
+          job-secret: ${{ secrets.JOB_SECRET }}
+          label: ${{ needs.setup-instance.outputs.runner-name }}

.github/workflows/slither.yml

@@ -0,0 +1,32 @@
+name: Slither Analysis
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - run: cp ./contracts/.env.example ./contracts/.env
+      - run: npm --prefix ./contracts ci --include=optional
+      - run: npm --prefix ./contracts install
+      - run: npm --prefix ./contracts run compile
+      - name: Run Slither
+        uses: crytic/[email protected]
+        with:
+          node-version: 20
+          ignore-compile: false
+          solc-version: "0.8.24"
+          slither-config: ".slither.config.json"
+          sarif: results.sarif
+          fail-on: none
+          target: "./contracts/"
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif

.slither.config.json

@@ -0,0 +1,4 @@
+{
+  "solc_remaps": ["@openzeppelin/=node_modules/@openzeppelin/"],
+  "filter_paths": "contracts/node_modules/|contracts/lib/|contracts/test/"
+}

ci/slab.toml

@@ -0,0 +1,11 @@
+[backend.hyperstack.single-h100]
+environment_name = "canada"
+image_name = "Ubuntu Server 22.04 LTS R535 CUDA 12.2"
+flavor_name = "n3-H100x1"
+user = "ubuntu"
+
+[backend.hyperstack.l40]
+environment_name = "canada"
+image_name = "Ubuntu Server 22.04 LTS R535 CUDA 12.2"
+flavor_name = "n3-L40x1"
+user = "ubuntu"

contracts/.env.example

@@ -7,9 +7,11 @@ export PRIVATE_KEY_KMS_SIGNER_0="388b7680e4e1afa06efbfd45cdd1fe39f3c6af381df6555
 export PRIVATE_KEY_KMS_SIGNER_1="bbaed91514fa4b7c86aa4f73becbabcf4bce0ae130240f0d6ac3f87e06812440"
 export PRIVATE_KEY_KMS_SIGNER_2="1bfa3e2233b0103ad67954a728b246c528916791f7fab4894ff361e3937b47e1"
 export PRIVATE_KEY_KMS_SIGNER_3="7a604eed8cf4a43277d192aa0c7894d368577a4021e52bf45420f256e34c7dd7"
-export PRIVATE_KEY_COPROCESSOR_ACCOUNT="7ec8ada6642fc4ccfb7729bc29c17cf8d21b61abd5642d1db992c0b8672ab901"
-export IS_COPROCESSOR="true"
-
+export NUM_COPROCESSOR_SIGNERS="1"
+export PRIVATE_KEY_COPROCESSOR_ACCOUNT_0="c2454775cca95e6d17d70b68105f48009fc4bf661f025e6a7911a6b4acf2a2f3"
+export PRIVATE_KEY_COPROCESSOR_ACCOUNT_1="8cd5feab038d5e3aceaa7ba4825cc046bb6b6144ff6468463c6d2a20428c0a9f"
+export PRIVATE_KEY_COPROCESSOR_ACCOUNT_2="bbfec2330ec03c0936ace29ab484560619c549edf745639e1bc7a96ed4a240b0"
+export PRIVATE_KEY_COPROCESSOR_ACCOUNT_3="699013f478c4e22e08de83c0cd44d70dbb265eebfd2ae991ca24ceff57e18f31"
 export SEPOLIA_RPC_URL="https://sepolia.infura.io/v3/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 export ETHERSCAN_API_KEY="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
 export STAGING_RPC_URL="http://layer1-node:8545"

contracts/.env.example.deployment

@@ -1,15 +1,13 @@
-export MNEMONIC="adapt mosquito move limb mobile illegal tree voyage juice mosquito burger raise father hope layer"
-export CHAIN_ID_GATEWAY="654321"
 export PRIVATE_KEY_FHEVM_DEPLOYER="0c66d8cde71d2faa29d0cb6e3a567d31279b6eace67b0a9d9ba869c119843a5e"
-export PRIVATE_KEY_DECRYPTION_ORACLE_RELAYER="7ec931411ad75a7c201469a385d6f18a325d4923f9f213bd882bbea87e160b67"
-export NUM_KMS_SIGNERS="1"
-export PRIVATE_KEY_KMS_SIGNER_0="388b7680e4e1afa06efbfd45cdd1fe39f3c6af381df6555a19661f283b97de91"
-export PRIVATE_KEY_KMS_SIGNER_1="bbaed91514fa4b7c86aa4f73becbabcf4bce0ae130240f0d6ac3f87e06812440"
-export PRIVATE_KEY_KMS_SIGNER_2="1bfa3e2233b0103ad67954a728b246c528916791f7fab4894ff361e3937b47e1"
-export PRIVATE_KEY_KMS_SIGNER_3="7a604eed8cf4a43277d192aa0c7894d368577a4021e52bf45420f256e34c7dd7"
-export PRIVATE_KEY_COPROCESSOR_ACCOUNT="7ec8ada6642fc4ccfb7729bc29c17cf8d21b61abd5642d1db992c0b8672ab901"
-export IS_COPROCESSOR="true"
-
+export CHAIN_ID_GATEWAY="654321"
+export NUM_KMS_SIGNERS="4"
+export ADDRESS_KMS_SIGNER_0="0x0971C80fF03B428fD2094dd5354600ab103201C5"
+export ADDRESS_KMS_SIGNER_1="0xB68deCb047B5e6Cc82280502A7E2318c6b3E5eC6"
+export ADDRESS_KMS_SIGNER_2="0xfe0fB0BCceb872ee7a6ef6c455e6E127Aef55DD7"
+export ADDRESS_KMS_SIGNER_3="0x2dac5193bE0AB0eD8871399E6Ae61EAe6cc8cAE1"
+export NUM_COPROCESSOR_SIGNERS="1"
+export ADDRESS_COPROCESSOR_ACCOUNT_0="0x3C0033584da3A0f61AA5C7bde50eAF3642875a21"
 export SEPOLIA_RPC_URL="https://sepolia.infura.io/v3/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+export MAINNET_RPC_URL="https://mainnet.infura.io/v3/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 export ETHERSCAN_API_KEY="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
 export STAGING_RPC_URL="http://layer1-node:8545"

contracts/.npmignore

@@ -1,8 +1,7 @@
 *
 !/artifacts/contracts/ACL.sol/ACL.json
 !/artifacts/contracts/FHEGasLimit.sol/FHEGasLimit.json
-!/artifacts/contracts/InputVerifier.coprocessor.sol/InputVerifier.json
-!/artifacts/contracts/InputVerifier.native.sol/InputVerifier.json
+!/artifacts/contracts/InputVerifier.sol/InputVerifier.json
 !/artifacts/contracts/KMSVerifier.sol/KMSVerifier.json
 !/artifacts/contracts/TFHEExecutor.sol/TFHEExecutor.json
 !/artifacts/contracts/TFHEExecutorWithEvents.sol/TFHEExecutorWithEvents.json

contracts/.solcover.js

@@ -0,0 +1,6 @@
+module.exports = {
+  mocha: {
+    fgrep: "[skip-on-coverage]",
+    invert: true,
+  },
+};

contracts/addresses/.env.acl

@@ -1 +1 @@
-ACL_CONTRACT_ADDRESS=0xFee8407e2f5e3Ee68ad77cAE98c434e637f516e5
+ACL_CONTRACT_ADDRESS=0x339EcE85B9E11a3A3AA557582784a15d7F82AAf2

contracts/addresses/.env.coprocessor

@@ -1 +1 @@
-DECRYPTION_ORACLE_ADDRESS=0x33347831500F1e73f0ccCBb95c9f86B94d7b1123
+DECRYPTION_ORACLE_ADDRESS=0x3d39707abEa4f23229E5109C83c155F27029B7A9

contracts/addresses/.env.decryptionoracle

@@ -1 +1 @@
-TFHE_EXECUTOR_CONTRACT_ADDRESS=0x687408aB54661ba0b4aeF3a44156c616c6955E07
+TFHE_EXECUTOR_CONTRACT_ADDRESS=0xB4A8CBDed90998c564dF33679143e7A41c5259fE

contracts/addresses/.env.exec

@@ -1 +1 @@
-FHE_GASLIMIT_CONTRACT_ADDRESS=0xFb03BE574d14C256D56F09a198B586bdfc0A9de2
+FHE_GASLIMIT_CONTRACT_ADDRESS=0x208De73316E44722e16f6dDFF40881A3e4F86104

contracts/addresses/.env.fhegaslimit

@@ -1 +1 @@
-INPUT_VERIFIER_CONTRACT_ADDRESS=0x3a2DA6f1daE9eF988B48d9CF27523FA31a8eBE50
+INPUT_VERIFIER_CONTRACT_ADDRESS=0x4862Ca9360e9131AfD04cD1217b94Df15CC1aEEC

contracts/addresses/.env.inputverifier

@@ -1 +1 @@
-KMS_VERIFIER_CONTRACT_ADDRESS=0x9D6891A6240D6130c54ae243d8005063D05fE14b
+KMS_VERIFIER_CONTRACT_ADDRESS=0x596E6682c72946AF006B27C131793F2b62527A4b

contracts/addresses/.env.kmsverifier

@@ -2,4 +2,4 @@
 
 pragma solidity ^0.8.24;
 
-address constant aclAdd = 0xFee8407e2f5e3Ee68ad77cAE98c434e637f516e5;
+address constant aclAdd = 0x339EcE85B9E11a3A3AA557582784a15d7F82AAf2;