EspressoSystems · philippecamacho · Jul 3, 2025 · Jun 23, 2025 · Jun 23, 2025 · Jun 23, 2025
diff --git a/.github/workflows/enclave.yaml b/.github/workflows/enclave.yaml
@@ -18,6 +18,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
       - uses: aws-actions/configure-aws-credentials@v4
         name: configure aws credentials
         with:
@@ -69,7 +73,7 @@ jobs:
       - name: Launch EC2 Instance
         id: ec2
         run: |
-          AMI_ID=ami-0fe972392d04329e1
+          AMI_ID=ami-0ff5662328e9bbc2f
           INSTANCE_ID=$(aws ec2 run-instances \
           --image-id "$AMI_ID" \
           --count 1 \
@@ -96,53 +100,17 @@ jobs:
           echo "DNS=$DNS" >> $GITHUB_ENV
           echo "dns=$DNS" >> $GITHUB_OUTPUT
 
-      - name: Install dependencies
-        run: |
-          echo "Current branch: $BRANCH_NAME"
-          ssh -o StrictHostKeyChecking=no -i key.pem ec2-user@$DNS << EOF
-            set -e
-            sh <(curl --proto '=https' --tlsv1.2 -L https://nixos.org/nix/install) --daemon
-            source ~/.bashrc
-            mkdir -p ~/.config/nix
-            echo "experimental-features = nix-command flakes" >> ~/.config/nix/nix.conf
-            sudo yum update
-            sudo yum install git -y
-            sudo yum install docker -y
-            sudo amazon-linux-extras install aws-nitro-enclaves-cli -y
-            git clone https://github.com/EspressoSystems/optimism-espresso-integration.git
-            cd optimism-espresso-integration
-            git checkout "$BRANCH_NAME"
-            git submodule update --init --recursive
-            nix develop
-          EOF
-
-      - name: Configure and start enclave service
+      - name: Upload run-tests.sh to EC2
         run: |
-          ssh -o StrictHostKeyChecking=no -i key.pem ec2-user@$DNS << 'EOF'
-            set -e
-            sudo nitro-cli --version
-            sudo systemctl stop nitro-enclaves-allocator.service
-            echo -e '---\nmemory_mib: 4096\ncpu_count: 2' | sudo tee /etc/nitro_enclaves/allocator.yaml
-            sudo systemctl start nitro-enclaves-allocator.service
-          EOF
-
-      - name: Start docker service
-        run: |
-          ssh -o StrictHostKeyChecking=no -i key.pem ec2-user@$DNS << 'EOF'
-            set -e
-            sudo usermod -a -G docker ec2-user
-            sudo service docker start
-            sudo chown ec2-user /var/run/docker.sock
-          EOF
+          scp -o StrictHostKeyChecking=no -i key.pem espresso/scripts/run-tests-github-actions.sh ec2-user@$DNS:/home/ec2-user/
+          ssh -o StrictHostKeyChecking=no -i key.pem ec2-user@$DNS "chmod +x run-tests-github-actions.sh"
 
-      # Compile contracts first to avoid text file busy error
-      - name: Run tests
+      - name: Run test script on EC2
+        timeout-minutes: 40
         run: |
-          ssh -o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=5  -i key.pem ec2-user@$DNS << 'EOF'
-            set -e
-            cd /home/ec2-user/optimism-espresso-integration
-            nix develop --command just compile-contracts
-            nix develop --command just espresso-enclave-tests
+          ssh -o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=5 -i key.pem ec2-user@$DNS << EOF
+            export BRANCH_NAME=$BRANCH_NAME
+            ./run-tests-github-actions.sh  ${{ secrets.CACHIX_AUTH_TOKEN }}
           EOF
 
       - name: Terminate EC2 instance

diff --git a/README_ESPRESSO.md b/README_ESPRESSO.md
@@ -313,3 +313,9 @@ In order to run the tests for the enclave in EC2 via github actions one must cre
 	]
 }
 ```
+
+Currently, the github workflow in `.github/workflows/enclave.yaml` relies on a custom AWS AMI with id `ami-0ff5662328e9bbc2f`.
+In order to refresh this AMI one needs to:
+1. Create an AWS EC2 instance with the characteristics described in (see `.github/workflows/enclave.yaml` *Launch EC2 Instance* job).
+2. Copy the script `espresso/scrips/enclave-prepare-ami.sh` in the EC2 instance (e.g. using scp) and run it.
+3. [Export the AMI instance](https://docs.aws.amazon.com/toolkit-for-visual-studio/latest/user-guide/tkv-create-ami-from-instance.html).
diff --git a/espresso/scripts/enclave-prepare-ami.sh b/espresso/scripts/enclave-prepare-ami.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+set -euo pipefail
+set -x
+
+echo "[*] Setting up Nix"
+sh <(curl --proto '=https' --tlsv1.2 -L https://nixos.org/nix/install) --daemon --no-confirm
+source /etc/profile.d/nix.sh
+nix-env -iA cachix -f https://cachix.org/api/v1/install
+mkdir -p ~/.config/nix
+echo "trusted-users = root ec2-user" | sudo tee -a /etc/nix/nix.conf && sudo pkill nix-daemon
+
+
+echo "[*] Installing dependencies..."
+sudo yum update -y
+sudo yum install -y git docker
+sudo amazon-linux-extras enable aws-nitro-enclaves-cli
+sudo yum install -y aws-nitro-enclaves-cli-1.4.2
+
+
+# Workaround due to https://github.com/foundry-rs/foundry/issues/4736
+sudo yum install -y gcc
+curl https://sh.rustup.rs -sSf | sh -s -- -y
+. $HOME/.cargo/env
+cargo install svm-rs
+svm install 0.8.15
+svm install 0.8.19
+svm install 0.8.22
+svm install 0.8.25
+svm install 0.8.28
+svm install 0.8.30
diff --git a/espresso/scripts/run-tests-github-actions.sh b/espresso/scripts/run-tests-github-actions.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+set -euo pipefail
+set -x
+
+echo "[*] Setting up Cachix"
+cachix authtoken $1
+cachix use espresso-systems-private
+echo "experimental-features = nix-command flakes" >> ~/.config/nix/nix.conf
+
+echo "[*] Cloning repo and checking out branch $BRANCH_NAME..."
+git clone https://github.com/EspressoSystems/optimism-espresso-integration.git
+cd optimism-espresso-integration
+git checkout "$BRANCH_NAME"
+git submodule update --init --recursive
+# Poblate cachix cahe
+nix flake archive --json | jq -r '.path,(.inputs|to_entries[].value.path)' | cachix push espresso-systems-private
+
+echo "[*] Starting Docker..."
+sudo systemctl enable --now docker
+sudo usermod -a -G docker ec2-user
+sudo chown ec2-user /var/run/docker.sock
+
+echo "[*] Configuring Nitro Enclaves..."
+sudo systemctl stop nitro-enclaves-allocator.service || true
+echo -e '---\nmemory_mib: 4096\ncpu_count: 2' | sudo tee /etc/nitro_enclaves/allocator.yaml
+sudo systemctl start nitro-enclaves-allocator.service
+
+
+echo "[*] Running tests in nix develop shell..."
+
+nix develop --command bash -c "just compile-contracts-fast && just build-batcher-enclave-image && just espresso-enclave-tests"
diff --git a/flake.nix b/flake.nix
@@ -102,6 +102,7 @@
               pkgs.awscli2
               pkgs.just
               pkgs.pnpm
+              pkgs.cargo
             ];
             shellHook = ''
               export FOUNDRY_DISABLE_NIGHTLY_WARNING=1

diff --git a/justfile b/justfile
@@ -20,6 +20,9 @@ run-test12: compile-contracts
 compile-contracts:
  (cd packages/contracts-bedrock && just build-dev)
 
+compile-contracts-fast:
+ (cd packages/contracts-bedrock && forge build --offline --skip "/**/test/**")
+
 build-batcher-enclave-image:
  (cd kurtosis-devnet && just op-batcher-enclave-image)
 
@@ -30,8 +33,9 @@ espresso_tests_timeout := "35m"
 espresso-tests timeout=espresso_tests_timeout: compile-contracts
  go test -timeout={{timeout}} -p=1 -count=1 ./espresso/environment
 
-espresso-enclave-tests timeout=espresso_tests_timeout: compile-contracts build-batcher-enclave-image
- ESPRESSO_RUN_ENCLAVE_TESTS=true go test -timeout={{timeout}} -p=1 -count=1 ./espresso/enclave-tests/...
+espresso-enclave-tests:
+  ESPRESSO_RUN_ENCLAVE_TESTS=true go test -timeout={{espresso_tests_timeout}} -p=1 -count=1 ./espresso/enclave-tests/...
+
 
 IMAGE_NAME := "ghcr.io/espressosystems/espresso-sequencer/espresso-dev-node:release-colorful-snake"
 remove-espresso-containers:

diff --git a/op-batcher/batcher/espresso.go b/op-batcher/batcher/espresso.go
@@ -996,6 +996,15 @@ func (l *BatchSubmitter) registerBatcher(ctx context.Context) error {
 		return nil
 	}
 
+	log.Info("Batch authenticator address", "value", l.RollupConfig.BatchAuthenticatorAddress)
+	code, err := l.L1Client.CodeAt(ctx, l.RollupConfig.BatchAuthenticatorAddress, nil)
+	if err != nil {
+		return fmt.Errorf("Failed to check code at contrat address: %w", err)
+	}
+	if len(code) == 0 {
+		return fmt.Errorf("No contract deployed at this address %w", err)
+	}
+
 	batchAuthenticator, err := bindings.NewBatchAuthenticator(l.RollupConfig.BatchAuthenticatorAddress, l.L1Client)
 	if err != nil {
 		return fmt.Errorf("failed to create BatchAuthenticator contract bindings: %w", err)

diff --git a/packages/contracts-bedrock/lib/espresso-tee-contracts b/packages/contracts-bedrock/lib/espresso-tee-contracts
+1 −0		.gitignore
+2 −1		.gitmodules
+109 −10		README.md
+3 −0		deployments/421614-certmanager.json
+4 −0		deployments/421614-nitro-verifier.json
+3 −0		deployments/421614-sgx-verifier.json
+3 −0		deployments/421614tee-verifier.json
+33 −6		foundry.toml
+1 −1		lib/nitro-validator
+21 −0		scripts/DeployCertManager.sol
+52 −0		scripts/DeployNitroTEEVerifier.s.sol
+34 −0		scripts/DeploySGXTEEVerifier.s.sol
+41 −0		scripts/DeployTEEVerifier.s.sol
+62 −21		src/EspressoNitroTEEVerifier.sol
+17 −6		src/EspressoTEEVerifier.sol
+9 −18		src/interface/IEspressoNitroTEEVerifier.sol
+10 −1		src/interface/IEspressoTEEVerifier.sol
+8 −3		src/mocks/EspressoTEEVerifier.sol
+271 −9		test/EspressoNitroTEEVerifier.t.sol
+181 −5		test/EspressoTEEVerifier.t.sol
+ −		test/configs/certs/ca0cert.bin
+ −		test/configs/certs/ca1cert.bin
+ −		test/configs/certs/ca2cert.bin
+ −		test/configs/certs/ca3cert.bin
+ −		test/configs/certs/client-cert.bin
+ −		test/configs/indefinite-item-attestation.bin
+1 −0		test/configs/indefinite-item-sig.bin
+ −		test/configs/nitro-attestation.bin
+1 −0		test/configs/nitro-valid-signature.bin
+ −		test/configs/nitro-verify-attestation.bin
+1 −0		test/configs/nitro-verify-signature.bin
+ −		test/configs/unverified-cert.bin
+1 −0		test/configs/unverified-parent-cert-hash.bin
+ −		test/configs/verified-cert.bin
+1 −0		test/configs/verified-parent-cert-hash.bin