secretflow / trustedflow Goto Github PK

A privacy-preserving computing system based on TEE.

Home Page: https://www.secretflow.org.cn/docs/trustedflow

License: Apache License 2.0

Python 24.42% Rust 13.18% Dockerfile 2.05% Starlark 9.20% CMake 13.52% Shell 0.58% C 2.85% C++ 33.69% TypeScript 0.49% Less 0.03%

confidential-computing privacy privacy-preserving tee trusted-execution-environment llm meachine-learning

trustedflow's Introduction

简体中文｜English

What's TrustFlow

TrustFlow is a zero-trust computing system based on TEE(Trusted Execution Environments). TrustFlow derives its name from the fusion of Trusted Execution environments and SecretFlow.

TrustFlow leverages trusted execution environment technology to establish a secure and isolated environment that safeguards sensitive data. With a focus on data confidentiality, integrity, and availability, TrustFlow provides robust data storage and processing capabilities.

By employing encryption and utilizing controlled and restricted environments, TrustFlow ensures protection against unauthorized access. It incorporatesa range of security measures, such as remote authentication, computational isolation, authorization controls, and auditing mechanisms to provide comprehensive data protection. The implementation of end-to-end encryption enhances its zero-trust security features, allowing encryption mechanisms to be validated and limiting data access to the absolute minimum permissions required.

In addition to its strong security features, TrustFlow offers a diverse array of data processing functionalities. These include data preprocessing, classical machine learning, deep learning, large language modeling, and data analysis. These capabilities empower organizations to maximize the value of their data while preserving privacy.

TrustFlow is especially valuable in scenarios that involve secure storage, processing, or sharing of sensitive data, as it effectively mitigates the risks associated with data exposure and unauthorized usage. Its comprehensive security measures and powerful data processing capabilities make it a reliable solution for organizations seeking to protect their data and make the most of its potential.

Documentation

TrustFlow

TrustFlow Related Projects

CapsuleManager: authorization and key management module.
TEEAPPs: trusted applications.
CapsuleManagerSDK: the CLI tool and sdk for CapsuleManager.

Roadmap

roadmap

trustedflow's People

Contributors

Stargazers

Watchers

Forkers

zhouaihui zheyang0825 tpppppub wangq008 tonywu6 zhouyou9505 yuki252111 jiaicecream oceanqdu zhongtianq

trustedflow's Issues

trustedflow快速上手步骤一：（仅carol）前置部署

文档修改建议

请明确启动

假设三方机构bob alice，carol，每个机构分别部署在一个虚机上，各虚机间可正常通信。
每个机构已经生成一个自签的证书和私钥。
carol部署CapsuleManager时，如下：
CapsuleManager 默认会启用mTLS，关于如何配置mTLS可以参考CapsuleManager mTLS：
./capsule_manager --server-cert-key-path <SERVER_CERT_KEY_PATH>
--server-cert-path <SERVER_CERT_PATH>
--client-ca-cert-path <CLIENT_CA_CERT_PATH>
这里面的server-cert-key，-server-cert-path及client-ca-cert-path路径如何确定？server-cert和client-ca-cert分别指什么？与机构生成的自签证书是一回事吗？

技术信息

页面 https://www.secretflow.org.cn/zh-CN/docs/trustedflow/main/quick_start/step1
源码 https://github.com/secretflow/trustedflow/blob/47d96c25b320d6c2faae3332aed4d1b83b6b9872/docs/quick_start/step1.ipynb
浏览器 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36

文档问题

问题描述

cms_config init --host {CapsuleManager的服务地址} --sim true --root-ca-file xxx --private-key-file alice.key --cert-chain-file alice.crt --root-ca-file alice_ca.crt

--root-ca-file 写重复了

技术信息

页面 https://www.secretflow.org.cn/docs/trustedflow/main/zh-Hans/quick_start/step2
源码 https://github.com/secretflow/trustedflow/blob/e529736dda5000fa638150b0c1992a603de524ba/docs/quick_start/step2.ipynb
浏览器 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36

海光csv如何确定CapsuleManager的服务地址

Issue Type

Build/Install

Source

binary

Capsule Manager Version

0.2.0b

Capsule Manager SDK Version

0.2.0b

Tee Apps Version

0.2.0b

OS Platform and Distribution

海光csv Ubuntu 22.04

Python version

3.10

Bazel version

No response

GCC/Compiler version

No response

What happend and What you expected to happen.

按照https://www.secretflow.org.cn/zh-CN/docs/trustedflow/0.2.0b0/quick_start/step1#csvcapsulemanager通过海光csv虚拟机启动 capsule-manager-csv镜像，并通过ifconfig查找到虚拟机的ip地址为10.0.2.15
但是按照步骤二https://www.secretflow.org.cn/zh-CN/docs/trustedflow/0.2.0b0/quick_start/step2#id2上传密钥时显示
(capsule-manager-sdk) root@user:/home/alice# cms --config-file alice.yaml register-data-keys
Traceback (most recent call last):
  File "/root/miniconda3/envs/capsule-manager-sdk/bin/cms", line 8, in <module>
    sys.exit(cms())
  File "/root/miniconda3/envs/capsule-manager-sdk/lib/python3.10/site-packages/click/core.py", line 1157, in __call__
    return self.main(*args, **kwargs)
  File "/root/miniconda3/envs/capsule-manager-sdk/lib/python3.10/site-packages/click/core.py", line 1078, in main
    rv = self.invoke(ctx)
  File "/root/miniconda3/envs/capsule-manager-sdk/lib/python3.10/site-packages/click/core.py", line 1688, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/root/miniconda3/envs/capsule-manager-sdk/lib/python3.10/site-packages/click/core.py", line 1434, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/root/miniconda3/envs/capsule-manager-sdk/lib/python3.10/site-packages/click/core.py", line 783, in invoke
    return __callback(*args, **kwargs)
  File "/root/miniconda3/envs/capsule-manager-sdk/lib/python3.10/site-packages/click/decorators.py", line 33, in new_func
    return f(get_current_context(), *args, **kwargs)
  File "/root/miniconda3/envs/capsule-manager-sdk/lib/python3.10/site-packages/cli/cms.py", line 142, in register_data_keys
    ctx.obj.create_data_keys(
  File "/root/miniconda3/envs/capsule-manager-sdk/lib/python3.10/site-packages/sdc/capsule_manager_frame.py", line 321, in create_data_keys
    request, self.get_public_key(), private_key, cert_pems
  File "/root/miniconda3/envs/capsule-manager-sdk/lib/python3.10/site-packages/sdc/capsule_manager_frame.py", line 208, in get_public_key
    response = self.stub.GetRaCert(request)
  File "/root/miniconda3/envs/capsule-manager-sdk/lib/python3.10/site-packages/grpc/_channel.py", line 1176, in __call__
    return _end_unary_response_blocking(state, call, False, None)
  File "/root/miniconda3/envs/capsule-manager-sdk/lib/python3.10/site-packages/grpc/_channel.py", line 1005, in _end_unary_response_blocking
    raise _InactiveRpcError(state)  # pytype: disable=not-instantiable
grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
	status = StatusCode.UNAVAILABLE
	details = "failed to connect to all addresses; last error: UNKNOWN: ipv4:10.0.2.15:8888: Failed to connect to remote host: FD Shutdown"
	debug_error_string = "UNKNOWN:Error received from peer  {created_time:"2024-04-24T06:20:34.956096988+00:00", grpc_status:14, grpc_message:"failed to connect to all addresses; last error: UNKNOWN: ipv4:10.0.2.15:8888: Failed to connect to remote host: FD Shutdown"}"
>
请问，如何找到海光csv虚拟机下开启docker中CapsuleManager的服务地址

Reproduction code to reproduce the issue.

---

加密存储的实现

Issue Type

Bug

Source

binary

Capsule Manager Version

0.1

Capsule Manager SDK Version

0.1

Tee Apps Version

0.1

OS Platform and Distribution

ubuntu1804

Python version

3.8.13

Bazel version

No response

GCC/Compiler version

No response

What happend and What you expected to happen.

数据存储（data-at-rest）加密
TrustedFlow向外部存储（比如硬盘、网络存储等）写入数据前，会对数据进行加密，且密钥仅TrustedFlow可访问。

Reproduction code to reproduce the issue.

请问数据加密存储，这个能力是在哪个组件实现的？

在SGX模式下计算PSI时出错

Issue Type

Bug

Source

binary

Capsule Manager Version

0.2.0b0

Capsule Manager SDK Version

0.2.0b0

Tee Apps Version

0.2.0b0

OS Platform and Distribution

Ubuntu 22.04

Python version

3.10

Bazel version

No response

GCC/Compiler version

No response

What happend and What you expected to happen.

大佬，您好！我在SGX模式下运行示例到执行PSI计算时出错，且报错信息有多种：
第一种：
thread '<unnamed>' panicked at 'failed to sync when dropping the SEFS Inode: DeviceError(5)', /tmp/deb_build/occlum-0.30.1/occlum-src/deps/sefs/rcore-fs-sefs/src/lib.rs:805:14
stack backtrace:
note: Some details are omitted, call backtrace::enable_backtrace() with 'PrintFormat::Full' for a verbose backtrace.
fatal runtime error: failed to initiate panic, error 5
/opt/occlum/build/bin/occlum: line 472:   167 Illegal instruction     (core dumped) RUST_BACKTRACE=1 "$instance_dir/build/bin/occlum-run" "$@"

第二种：
thread '<unnamed>' panicked at 'called `Option::unwrap()` on a `None` value', /tmp/deb_build/occlum-0.30.1/occlum-src/deps/sefs/rcore-fs-unionfs/src/lib.rs:543:24
stack backtrace:
note: Some details are omitted, call backtrace::enable_backtrace() with 'PrintFormat::Full' for a verbose backtrace.
fatal runtime error: failed to initiate panic, error 5
/opt/occlum/build/bin/occlum: line 472:   199 Illegal instruction     (core dumped) RUST_BACKTRACE=1 "$instance_dir/build/bin/occlum-run" "$@"

配置中除了SGX模式特有的，其余都在仿真模式下测试过。请问可能是什么原因导致出错？

Reproduction code to reproduce the issue.

无。

请问carol的机构ID为什么不可以在teeappss-sim容器终端生成？

大佬们，carol的机构ID理应是要在哪里生成的？

我在teeappss-sim容器终端执行cms_util generate-party-id --cert-file carol.crt，但是没有对应的命令
请问理应是要在capsule-manager-sdk容器终端生成吗？

有关trustflow白屏产品的相关问题

在secretflow-allinone安装包里包含了tee相关的几个镜像，在使用中心化部署时也能够使用枢纽模式来体验tee相关的组件，但是这都是仿真模式执行的，如果想在真实的tee环境下部署使用，该如何在secretpad中部署使用？

请问步骤五的2.4第一条指令，为什么会出现以下报错？

执行了以下这条指令后

为什么会出现以下报错？

自我感觉alice.yaml文件都没有错误，格式都是和文档对齐的，以下是alice.yaml文件的内容



麻烦大佬们帮我看下是什么问题，应该如何解决，感激不尽！

kuscia调用这个dm的pod，他能跑在TEE里面吗

关于capsule-manager无法在sgx机器上启动的问题

我从咱们官方文档上了解到capsule-manager依赖pccs,然后pccs又依赖intel sgx sdk和sgx psw,所以我就使用官方文档中的docker命令

启动了capsule-manager，我按照流程启动不带mtls的capsule-manager的时候报了如下错误

错别字

文档修改建议

技术信息

页面 https://www.secretflow.org.cn/zh-CN/docs/trustedflow/main/quick_start/step3
源码 https://github.com/secretflow/trustedflow/blob/47d96c25b320d6c2faae3332aed4d1b83b6b9872/docs/quick_start/step3.ipynb
浏览器 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0

OP_PSI 隐私求交

在真实硬件上启动CapsuleManager失败

大佬，您好！我在真实机器上启用CapsuleManager时失败，错误为：
[2024-04-30 01:09:05.268] [info] [sgx2_generator.cc:102] Start generating sgx2 report
[get_platform_quote_cert_data ../qe_logic.cpp:388] Error returned from the p_sgx_get_quote_config API. 0xe019
thread 'main' panicked at capsule-manager/src/main.rs:53:6:
capsule_manager init error: Error { code: InternalErr, details: Some("runified_attestation_generate_auth_report err: "[Enforce fail at trustedflow/attestation/generation/sgx2/sgx2_generator.cc:115] ioctl(sgx_fd, SGXIOC_GET_DCAP_QUOTE_SIZE, &quote_size) == 0. -1 vs 0.Fail to get quote size, errno = 22\0""), location: Some(ErrorLocation { line: 198, file: "capsule-manager/src/server.rs" }) }
note: run with RUST_BACKTRACE=1 environment variable to display a backtrace
请问这是我们的设置问题还是硬件上的问题？

如何在sgx模式下增加python的依赖？

您好，我想在teeapps-sgx镜像中安装matplotlib这样原来没有的依赖包，但是直接装到默认位置或者/home/teeapp/python-occlum/lib/下都是不行的，前者matplotlib没有生效，后者则在build occlum时提示：
make: *** No rule to make target '/home/teeapp/occlum/occlum_instance/build/mount/__ROOT/metadata', needed by '/home/teeapp/occlum/occlum_instance/build/.Occlum_sys.json'. Stop.

请问正确安装新依赖的方式是什么？

Fail to patch DCAP when compiling trustedflow_verifier.js

Issue Type

Bug

Source

source

Capsule Manager Version

Not related

Capsule Manager SDK Version

Not related

Tee Apps Version

Not related

OS Platform and Distribution

Ubuntu 22.04

Python version

3.8

Bazel version

No response

GCC/Compiler version

No response

What happend and What you expected to happen.

-- Downloading... done
-- extracting...
     src='/workspaces/trustedflow/build/external/dcap/src/DCAP_1.19.tar.gz'
     dst='/workspaces/trustedflow/build/external/dcap/src/dcap'
-- extracting... [tar xfz]
-- extracting... [analysis]
-- extracting... [rename]
-- extracting... [clean up]
-- extracting... done
[ 82%] No update step for 'dcap'
[ 82%] Performing patch step for 'dcap'
error: corrupt patch at line 103
make[2]: *** [CMakeFiles/dcap.dir/build.make:121: external/dcap/src/dcap-stamp/dcap-patch] Error 128
make[1]: *** [CMakeFiles/Makefile2:837: CMakeFiles/dcap.dir/all] Error 2
make[1]: *** Waiting for unfinished jobs....

Reproduction code to reproduce the issue.

Follow the instructions in https://github.com/secretflow/trustedflow/tree/main/trustedflow/attestation#cmake

数据血缘

请问数据血缘如何在发挥作用？我只在文档中找到一张概念图。数据血缘会如何记录计算方执行的代码？记录会存在什么地方？

安装问题

文档修改建议

除了拉取镜像安装操作外，还有其他安装方式吗

拉取镜像出现如下问题
docker run -it --name capsule-manager-sdk --network=host secretflow/trustedflow-release-ubuntu22.04:latest bash
Unable to find image 'secretflow/trustedflow-release-ubuntu22.04:latest' locally
latest: Pulling from secretflow/trustedflow-release-ubuntu22.04
bccd10f490ab: Pull complete
c68f04c398f6: Pull complete
acb65ff94393: Pull complete
8d09dc8ec270: Downloading
3719b991c0c3: Download complete
docker: Get "https://registry-1.docker.io/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority.

技术信息

页面 https://www.secretflow.org.cn/zh-CN/docs/trustedflow/main/quick_start/step2
源码 https://github.com/secretflow/trustedflow/blob/47d96c25b320d6c2faae3332aed4d1b83b6b9872/docs/quick_start/step2.ipynb
浏览器 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36

大佬们，想请教一下双向远程认证

看了大佬们在其它issue上的相关回答
请问
server-cert-key、server-cert、client-ca-cert这三个文件是server.key、server.crt、client.crt吗？
root-ca-file、private-key-file、cert-chain-file这三个文件是ca.crt、client.key、client.crt吗？

请问走SGX模式，PCCS是要在宿主机部署还是要在起的各个容器里分别部署？

大佬们，如题，PCCS是要在外部宿主机部署还是容器capsule-manager-sgx和teeapps-sgx里面各自部署？

关于启用mTLS的一些疑问

Issue Type

Build/Install

Source

binary

Capsule Manager Version

0.2.0b0

Capsule Manager SDK Version

0.2.0b0

Tee Apps Version

0.2.0b0

OS Platform and Distribution

Ubuntu 22.04

Python version

3.10

Bazel version

No response

GCC/Compiler version

No response

What happend and What you expected to happen.

大佬，您好！为了启用mTLS，我用openssl分别生成carol、alice、bob的公私钥、csr文件,ca的key、csr文件和crt文件，然后用ca相关的文件生成carol、alice和bob的证书。
然后正常启动capsule_manager:
    server_cert_path: Some(
        "/home/admin/capsule-manager/resources/carol.crt",
    ),
    server_cert_key_path: Some(
        "/home/admin/capsule-manager/resources/carol.key",
    ),
    client_ca_cert_path: Some(
        "/home/admin/capsule-manager/resources/ca",
    ),
    enable_tls: Some(
        true,
    ),
    mode: Some(
        "simulation",
    ),
}
O, AntGroup
L, HZ
OU, SecretFlow
C, CN
ST, HZ
CN, CapsuleManager
[2024-04-23T06:22:40.489337480+00:00] [capsule_manager] [INFO] Server run at: 0.0.0.0:8888 mode Some("simulation")

但是我在上传密钥时失败
raise _InactiveRpcError(state)  # pytype: disable=not-instantiable
grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
	status = StatusCode.UNAVAILABLE
	details = "failed to connect to all addresses; last error: UNKNOWN: ipv4:127.0.0.1:8888: Ssl handshake failed: SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED"
	debug_error_string = "UNKNOWN:Error received from peer  {created_time:"2024-04-23T14:22:50.752018831+08:00", grpc_status:14, grpc_message:"failed to connect to all addresses; last error: UNKNOWN: ipv4:127.0.0.1:8888: Ssl handshake failed: SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED"}"
问题似乎是证书有问题，请问我的证书生成过程有问题吗，或者是必须要真实CA机构签的证书？

感谢帮助！

Reproduction code to reproduce the issue.

alice.yaml：

host: "127.0.0.1:8888"
# (required) str, capsule-manager's tee platform type, sim/sgx/tdx/csv
tee_plat: "sim"
# (optional) capsule-manager's identity constraints
tee_constraints:
  # (optional) str, The measurement of TEE implement internal stuff
  mr_plat:
  # (optional) str, The measurement of TEE instance boot time stuff
  mr_boot:
  # (optional) str, The static measurement of trust application when loading the code
  mr_ta:
  # (optional) str, The measurement or other identity of the trust application signer
  mr_signer:

# (optional) str, root ca cert path
root_ca_file: /home/u22/ca.crt
# (optional) str, sdk's private key path
private_key_file: /home/u22/alice.key
# (optional) List[str], sdk's cert chain path
cert_chain_file: "/home/u22/alice.crt"

common:
   # (required) str, should be generated from cert
   party_id: "OSA5326M7KIG7KFYC2BHWGPMY6UXUK3AW67VFF5UB73DUZ62EVKA"
   # (required) List[str], cert chain files, the order is [cert, mid_ca_cert, root_ca_cert]
   # file num can be 1 if the cert is self-signed
   cert_pems_file: 
     - alice.crt
     - ca.crt
   scheme: "RSA"
   # (required) str, file contains private key
   private_key_file: alice.key


register_data_keys:
  data_keys:
    -
      # (required) str
      resource_uri: breast_cancer_alice
      # (required) str
      data_key_b64: "uhq65rYinNeMuHO1CR272w=="

仿真模式是否无法进行双向远程认证的？

大佬们，请问一下，这里的意思是不是意味着：仿真模式无法进行capsule-manager-sim与capsule-manager-sdk的双向远程认证的？

SGX机器部署capsule-manager 报错0xe019

机器支持SGX1，但是不支持SGX2，自行搭建了PCCS服务，从容器curl PCCS服务的地址正常，但是occlum run capsule-manager的时候，始终无法成功

请问步骤五，《1. 定位要导出的文件ID》哪里能看到《2. 获取数据密钥》需要用到的数据ID？

容器（teeapps-sim）终端处的/host/testdata/breast_cancer/xgb_model文件是乱码文件，应该是加密后的文件。
/host/integration_test/xgb.json文件里面，并没有看到什么ID
请问大佬们，这个问题应该如何找到数据ID？

文档问题

问题描述

执行会报错
cms_util generate-party-id --cert-pems-file alice.crt

Usage: cms_util generate-party-id [OPTIONS]
Try 'cms_util generate-party-id --help' for help.

Error: No such option: --cert-pems-file Did you mean --cert-file?

改为 cms_util generate-party-id --cert-file alice.crt

技术信息

页面 https://www.secretflow.org.cn/docs/trustedflow/main/zh-Hans/quick_start/step2
源码 https://github.com/secretflow/trustedflow/blob/96b7be5db10d5d8b84d7106e65eae5a3d358b64a/docs/quick_start/step2.ipynb
浏览器 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36

请问步骤四（仿真模式）的"检查生成的任务执行配置文件内容"是如何执行？

大佬们，想问下，步骤四（仿真模式）第3步的c，如何看诸如task_initiator_id、task_initiator_certs、task_body、signature的这些内容，具体是在容器teeapps-sim里的/host/integration_test的哪个文件里面可以查看到？

请问支持SGX_LC的话，能否运行TrustedFlow？

大佬们，我目前的机器，只有SGX1和SGX_LC，没有SGX2，请问SGX_LC 能否运行TrustedFlow里的流程？

请问执行了步骤二的第三步仿真模式的上传密钥，docker为什么无法与外部主机连接？

报错信息具体如下：
grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
status = StatusCode.UNAVAILABLE
details = "failed to connect to all addresses; last error: UNKNOWN: ipv4:xxxxx:0: Failed to connect to remote host: Connection refused"
debug_error_string = "UNKNOWN:Error received from peer {grpc_message:"failed to connect to all addresses; last error: UNKNOWN: ipv4:xxxxx:0: Failed to connect to remote host: Connection refused", grpc_status:14, created_time:"2024-05-21T07:29:18.299889202+00:00"}"

步骤二上传密钥失败

Issue Type

Build/Install

Source

binary

Capsule Manager Version

0.2.0b0

Capsule Manager SDK Version

0.2.0b0

Tee Apps Version

0.2.0b0

OS Platform and Distribution

Ubuntu 22.04

Python version

3.10

Bazel version

No response

GCC/Compiler version

No response

What happend and What you expected to happen.

您好，我在上传密钥时遇到了如下错误：
  File "/home/u22/anaconda3/envs/alice/lib/python3.10/site-packages/cli/cms.py", line 134, in register_data_keys
    data_key_b64 = data_key.get("data_key_b64")
AttributeError: 'str' object has no attribute 'get'
请问data_key_b64是否是填写之前通过cms_util generate-data-key-b64生成的密钥，并且应该如何正确的填写？

Reproduction code to reproduce the issue.

# Copyright 2023 Ant Group Co., Ltd.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# (required) str, capsule-manager's ip:port
host: "127.0.0.1:8888"
# (required) str, capsule-manager's tee platform type, sim/sgx/tdx/csv
tee_plat: "sim"
# (optional) capsule-manager's identity constraints
tee_constraints:
  # (optional) str, The measurement of TEE implement internal stuff
  mr_plat:
  # (optional) str, The measurement of TEE instance boot time stuff
  mr_boot:
  # (optional) str, The static measurement of trust application when loading the code
  mr_ta:
  # (optional) str, The measurement or other identity of the trust application signer
  mr_signer:

# (optional) str, root ca cert path
root_ca_file:
# (optional) str, sdk's private key path
private_key_file:
# (optional) List[str], sdk's cert chain path
cert_chain_file:

common:
  # (required) str, should be generated from cert
  party_id: "XDQSXTKQC4LGD3V5LXROVB5C4THPWULM45M6DQX32SPBAE7Y66DA"
  # (required) List[str], cert chain files, the order is [cert, mid_ca_cert, root_ca_cert]
  # file num can be 1 if the cert is self-signed
  cert_pems_file:
    - alice.crt
  # (required) str, keep it be "RSA" here
  scheme: "RSA"
  # (required) str, file contains private key
  private_key_file: alice.key


register_data_keys:
  data_keys:
      # (required) str
    resource_uri: breast_cancer_alice
      # (required) str
    data_key_b64: "peaNmQvlnFaEkJlATjruJQ=="

get_data_policys:
  # (required) str
  scope:

register_data_policy:
  # (required) str
  scope:
  # (required) str
  data_uuid:
  rules:
      # (required) str
    rule_id:
      # (required) List[str]
    grantee_party_ids:
      # (required) List[str]
    columns:
      # (optional) List[str]
    global_constraints:
      # (required) List[dict]
    op_constraints:
          # (required) str
      op_name:
          # (optional) List[str]
      constraints:

delete_data_policy:
  # (required) str
  scope:
  # (required) str
  data_uuid:

add_data_rule:
  # (required) str
  scope:
  # (required) str
  data_uuid:
  # (required) dict
  rule:
    # (required) str
    rule_id:
    # (required) List[str]
    grantee_party_ids:
    # (required) List[str]
    columns:
    # (optional) List[str]
    global_constraints:
    # (required) List[dict]
    op_constraints:
        # (required) str
      op_name:
        # (optional) List[str]
      constraints:

delete_data_rule:
  # (required) str
  scope:
  # (required) str
  data_uuid:
  # (required) str
  rule_id:

get_export_data_key_b64:
  # (required) str
  party_id:
  # (required) str
  resource_uri:
  # (required) str
  data_export_certificate_file:

delete_data_key:
  # (required) str
  resource_uri:

快速上手第一步，CapsuleManager镜像获得失败

docker run -it secretflow/capsule-manager-sim:latest
Unable to find image 'secretflow/capsule-manager-sim:latest' locally
docker: Error response from daemon: manifest for secretflow/capsule-manager-sim:latest not found: manifest unknown: manifest unknown.
docker pull secretflow/capsule-manager-sim:latest
Error response from daemon: manifest for secretflow/capsule-manager-sim:latest not found: manifest unknown: manifest unknown

快速上手第三步上传密钥失败

cms register-data-keys
Traceback (most recent call last):
File "/home/zchain/miniconda3/envs/sf/bin/cms", line 5, in
from cli.cms import cms
File "/home/zchain/miniconda3/envs/sf/lib/python3.8/site-packages/cli/cms.py", line 20, in
from sdc import capsule_manager_frame
File "/home/zchain/miniconda3/envs/sf/lib/python3.8/site-packages/sdc/capsule_manager_frame.py", line 28, in
from sdc.ual import ual
File "/home/zchain/miniconda3/envs/sf/lib/python3.8/site-packages/sdc/ual/ual.py", line 23, in
from secretflowapis.v2.sdc import ual_pb2
ModuleNotFoundError: No module named 'secretflowapis.v2'

如今执行pip install --upgrade capsule-manager-sdk为何会报错？

已自行通过阿里云启动并运行了trustedflow-release-ubuntu22.04:latest的docker终端
conda create -n capsule-manager-sdk python=3.10 -y
conda activate capsule-manager-sdk
执行到这一步pip install --upgrade capsule-manager-sdk的时候，为何会出现依赖关系冲突？前一段时间都能跑通的

请问大佬们，这是为什么？需要如何解决？
从报错来看感觉和之前的dockerhub被封应该没有太大关系

步骤四运行计算任务出错

Issue Type

Build/Install

Source

binary

Capsule Manager Version

0.2.0b0

Capsule Manager SDK Version

0.2.0b0

Tee Apps Version

0.2.0b0

OS Platform and Distribution

Ubuntu 22.04

Python version

3.10

Bazel version

No response

GCC/Compiler version

No response

What happend and What you expected to happen.

大佬，您好！我在仿真模式第四步运行psi时又遇到一个错误：
2024-04-18 09:19:21.941 [info] [app.cc:GetInputDataKeys:214] Got Ra Cert
2024-04-18 09:19:21.941 [info] [app.cc:GetInputDataKeys:215] Try to get data keys from Capsule Manager
2024-04-18 09:19:21.958 [error] [app.cc:Run:139] Running TEE application failed, error message: [Enforce fail at teeapps/framework/capsule_manager_client.cc:42] status.code() == secretflowapis::v2::Code::OK. Call service failed, error code: 7, message: err code: Permission denied; err detail: request is not satisfied with the policy breast_cancer_alice.; location: [line = 52, file = capsule-manager/src/core/policy_enforcer.rs]
Stacktrace:
#0 teeapps::framework::CapsuleManagerClient::GetDataKeys()+0x64c4a10f9836
#1 teeapps::framework::App::GetInputDataKeys()+0x64c4a10edddc
#2 teeapps::framework::App::PreProcess()+0x64c4a10eefc8
#3 teeapps::framework::App::Run()+0x64c4a10f0ebf
#4 main+0x64c4a10adb12
#5 (unknown)+0x7446f82aad90

2024-04-18 09:19:21.958 [error] [main.cc:main:53] [teeapps/framework/app.cc:143] Exiting application with exception task process error: 
 task execution error: 

之前的步骤都没有问题，请问可能是什么原因导致的？

Reproduction code to reproduce the issue.

无

为什么trustedflow框架里面，alice上传密钥，会出错？

Issue Type

Bug

Source

binary

Secretflow Version

trustedflow 0.2.0b0.post0

OS Platform and Distribution

ubuntu20.04

Python version

3.10.14

Bazel version

No response

GCC/Compiler version

No response

What happend and What you expected to happen.

执行到trustedflow框架的步骤二，第三步，仿真模式，第5的alice上传密钥"cms --config-file alice.yaml register-data-keys"命令后，报错。我检查了，第4的"register_data_keys"配置alice.yaml文件，格式和内容都没有错，密钥也对应上了。

Reproduction code to reproduce the issue.

报错信息如下：
Traceback (most recent call last):
 File "/root/miniconda3/envs/capsule-manager-sdk/bin/cms", line 8, in <module>
  sys.exit(cms())
 File "/root/miniconda3/envs/capsule-manager-sdk/lib/python3.10/site-packages/click/core.py", line 1157, in __call__
  return self.main(*args, **kwargs)
 File "/root/miniconda3/envs/capsule-manager-sdk/lib/python3.10/site-packages/click/core.py", line 1078, in main
  rv = self.invoke(ctx)
 File "/root/miniconda3/envs/capsule-manager-sdk/lib/python3.10/site-packages/click/core.py", line 1685, in invoke
  super().invoke(ctx)
 File "/root/miniconda3/envs/capsule-manager-sdk/lib/python3.10/site-packages/click/core.py", line 1434, in invoke
  return ctx.invoke(self.callback, **ctx.params)
 File "/root/miniconda3/envs/capsule-manager-sdk/lib/python3.10/site-packages/click/core.py", line 783, in invoke
  return __callback(*args, **kwargs)
 File "/root/miniconda3/envs/capsule-manager-sdk/lib/python3.10/site-packages/click/decorators.py", line 33, in new_func
  return f(get_current_context(), *args, **kwargs)
 File "/root/miniconda3/envs/capsule-manager-sdk/lib/python3.10/site-packages/cli/cms.py", line 55, in cms
  config = file.read_yaml_file(CONFIG_FILE)
 File "/root/miniconda3/envs/capsule-manager-sdk/lib/python3.10/site-packages/sdc/util/file.py", line 38, in read_yaml_file
  res = yaml.load(f)
 File "/root/miniconda3/envs/capsule-manager-sdk/lib/python3.10/site-packages/ruamel/yaml/main.py", line 451, in load
  return constructor.get_single_data()
 File "/root/miniconda3/envs/capsule-manager-sdk/lib/python3.10/site-packages/ruamel/yaml/constructor.py", line 114, in get_single_data
  node = self.composer.get_single_node()
 File "/root/miniconda3/envs/capsule-manager-sdk/lib/python3.10/site-packages/ruamel/yaml/composer.py", line 72, in get_single_node
  document = self.compose_document()
 File "/root/miniconda3/envs/capsule-manager-sdk/lib/python3.10/site-packages/ruamel/yaml/composer.py", line 94, in compose_document
  node = self.compose_node(None, None)
 File "/root/miniconda3/envs/capsule-manager-sdk/lib/python3.10/site-packages/ruamel/yaml/composer.py", line 130, in compose_node
  node = self.compose_mapping_node(anchor)
 File "/root/miniconda3/envs/capsule-manager-sdk/lib/python3.10/site-packages/ruamel/yaml/composer.py", line 211, in compose_mapping_node
  item_value = self.compose_node(node, item_key)
 File "/root/miniconda3/envs/capsule-manager-sdk/lib/python3.10/site-packages/ruamel/yaml/composer.py", line 130, in compose_node
  node = self.compose_mapping_node(anchor)
 File "/root/miniconda3/envs/capsule-manager-sdk/lib/python3.10/site-packages/ruamel/yaml/composer.py", line 211, in compose_mapping_node
  item_value = self.compose_node(node, item_key)
 File "/root/miniconda3/envs/capsule-manager-sdk/lib/python3.10/site-packages/ruamel/yaml/composer.py", line 128, in compose_node
  node = self.compose_sequence_node(anchor)
 File "/root/miniconda3/envs/capsule-manager-sdk/lib/python3.10/site-packages/ruamel/yaml/composer.py", line 172, in compose_sequence_node
  while not self.parser.check_event(SequenceEndEvent):
 File "/root/miniconda3/envs/capsule-manager-sdk/lib/python3.10/site-packages/ruamel/yaml/parser.py", line 141, in check_event
  self.current_event = self.state()
 File "/root/miniconda3/envs/capsule-manager-sdk/lib/python3.10/site-packages/ruamel/yaml/parser.py", line 546, in parse_block_sequence_entry
  raise ParserError(
ruamel.yaml.parser.ParserError: while parsing a block collection
 in "alice.yaml", line 52, column 5
expected <block end>, but found '<scalar>'
 in "alice.yaml", line 56, column 7

alice.yaml文件只做了以下变动：
register_data_keys:
  data_keys:
    - 
      # (required) str
      resource_uri: breast_cancer_alice
      # (required) str
      data_key_b64: xxxx###对应上没问题的

cms register-data-policy报错

<采用仿真模式，参照https://www.secretflow.org.cn/zh-CN/docs/trustedflow/main/quick_start/step3 进行数据授权，报如下错误：
Traceback (most recent call last):
File "/usr/local/bin/cms", line 8, in
sys.exit(cms())
File "/usr/local/lib/python3.8/dist-packages/click/core.py", line 1157, in call
return self.main(*args, **kwargs)
File "/usr/local/lib/python3.8/dist-packages/click/core.py", line 1078, in main
rv = self.invoke(ctx)
File "/usr/local/lib/python3.8/dist-packages/click/core.py", line 1688, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/usr/local/lib/python3.8/dist-packages/click/core.py", line 1434, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/usr/local/lib/python3.8/dist-packages/click/core.py", line 783, in invoke
return __callback(*args, **kwargs)
File "/usr/local/lib/python3.8/dist-packages/click/decorators.py", line 33, in new_func
return f(get_current_context(), *args, **kwargs)
File "/usr/local/lib/python3.8/dist-packages/cli/cms.py", line 184, in register_data_policy
ctx.obj.create_data_policy(
File "/usr/local/lib/python3.8/dist-packages/sdc/capsule_manager_frame.py", line 489, in create_data_policy
for index in range(len(rule_ids)):
TypeError: object of type 'NoneType' has no len()
具体的cli.yaml配置：
register_data_policy:
scope: default
data_uuid: breast_cancer_bob
grantee_party_ids:
-
- LPSZB6L446NS2P3I3NUCQZEX2SG2EQSJZ2QNXZSE2W56INE7LZ3Q
columns:
-
- id
- mean radius
- mean texture
- mean perimeter
- mean area
- mean smoothness
global_constraints: null
op_constraints_body: null
op_constraints_name:
-
- OP_PSI
- OP_DATASET_SPLIT
- OP_XGB
- OP_PREDICT
- OP_BICLASSIFIER_EVALUATION
rule_ids: null
这里rule_ids要怎么填写，有没有关于数据授权的配置文件修改指定文档？>

技术信息

页面 https://www.secretflow.org.cn/zh-CN/docs/trustedflow/main/quick_start/step3
源码 https://github.com/secretflow/trustedflow/blob/47d96c25b320d6c2faae3332aed4d1b83b6b9872/docs/quick_start/step3.ipynb
浏览器 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0

烦请大佬们修复一下TrustedFlow镜像源

在不同机器的ubuntu系统上执行“运行CapsuleManager镜像”
docker run -it --name capsule-manager-sim --network=host secretflow/capsule-manager-sim-ubuntu22.04:latest bash
都得到了类似的拉取镜像超时的报错
Unable to find image 'secretflow/capsule-manager-sim-ubuntu22.04:latest' locally latest: Pulling from secretflow/capsule-manager-sim-ubuntu22.04 bccd10f490ab: Pulling fs layer c68f04c398f6: Pulling fs layer acb65ff94393: Pulling fs layer 8d09dc8ec270: Waiting 3719b991c0c3: Waiting 4406b88d1f00: Waiting 6eb736a9844f: Waiting 66c5dc6034a8: Waiting dc4f537cc51c: Waiting 537beec93efc: Waiting 8915fc22d7d8: Waiting a07e06ffa612: Waiting 4f4fb700ef54: Waiting docker: error pulling image configuration: Get "https://production.cloudflare.docker.com/registry-v2/docker/registry/v2/blobs/sha256/d8/d812e80bd13dea5b0a9a825c7ab322755c2787bcfd3523bf88081bd6646dc249/data?verify=1717728015-maQVvUPhj5j%2FMjxeG71iZS4v3Es%3D": dial tcp 157.240.2.50:443: connect: connection refused.
麻烦大佬们去贵司隐语看下是否TrustedFlow镜像源出问题

SGX模式与多任务并行运算

大佬，您好！因为Occlum不能同时运行多个任务，所以需要开多个容器来解决这个问题。但是我发现容器一旦被停止，重启之后就无法再连上pccs服务，这样管理容器就会很麻烦。请问如何能更有效的同时运行多个任务？

快速上手第二步，配置yaml莫名添加!!python/tuple []

Issue Type

Build/Install

Source

binary

Capsule Manager Version

secretflow/capsule-manager-sim-ubuntu20.04:latest

Capsule Manager SDK Version

0.1.2b0

Tee Apps Version

secretflow/teeapps-sim-ubuntu20.04:latest

OS Platform and Distribution

Ubuntu 22.04

Python version

3.8.18

Bazel version

No response

GCC/Compiler version

No response

What happend and What you expected to happen.

运行 cms_config common --party-id xxx --scheme RSA  和 cms_config init --host {CapsuleManager的服务地址} --sim true --private-key-file alice.key --cert-chain-file alice.crt --root-ca-file alice_ca.crt 均会莫名增加!!python/tuple []

Reproduction code to reproduce the issue.

cms_util generate-party-id --cert-file alice.crt
BCXWUIUOSS34POIMZEPR7HJS7XW6HGCXDVTCPQFLKQMK6QHLU25Q
cms_config common --party-id BCXWUIUOSS34POIMZEPR7HJS7XW6HGCXDVTCPQFLKQMK6QHLU25Q --scheme RSA 
cli.yaml中显示
common:
  cert_pems_file: !!python/tuple []
  party_id: BCXWUIUOSS34POIMZEPR7HJS7XW6HGCXDVTCPQFLKQMK6QHLU25Q
  private_key_file: null
  scheme: RSA
CapsuleManager 显示
[2024-03-12T08:25:38.961825103+00:00] [monitor] [INFO] |create_data_keys|13|"err code: Assert err; err detail: party_id BCXWUIUOSS34POIMZEPR7HJS7XW6HGCXDVTCPQFLKQMK6QHLU25Q is wrong derived from public key; location: [line = 108, file = capsule-manager/src/server.rs]"

请问步骤三的carol机构ID是重复步骤二的第三步获取的机构ID吗？

走的是仿真模式。因为步骤二压根没有获取carol机构ID这一步，想问下大佬们，步骤三的carol机构ID是要在carol那边的docker终端（capsule-manager-sim）键入"cms_util generate-party-id --cert-file carol.crt"指令吗？

请问步骤二的选项一（仿真模式）的CapsuleManager的服务地址是宿主机的私有IP地址还是外部IP地址？

因为步骤一起的容器的网络模式是host，所以他的IP地址理应等于宿主机的IP地址。但想问下大佬们，这个IP地址，应该是宿主机的私有IP地址还是外部IP地址？

步骤五获取结果解密密钥失败

Issue Type

Build/Install

Source

binary

Capsule Manager Version

0.2.0b0

Capsule Manager SDK Version

0.2.0b0

Tee Apps Version

0.2.0b0

OS Platform and Distribution

Ubuntu 22.04

Python version

3.10

Bazel version

No response

GCC/Compiler version

No response

What happend and What you expected to happen.

大佬，您好！我在用cms_util sign-vote-request --vote-request-file vote-request.yaml --signed-vote-request-file signed-vote-request.yam获取结果解密密钥时出现了一个错误:
  File "/home/u22/.local/lib/python3.10/site-packages/click/core.py", line 1434, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/home/u22/.local/lib/python3.10/site-packages/click/core.py", line 783, in invoke
    return __callback(*args, **kwargs)
  File "/home/u22/anaconda3/envs/alice/lib/python3.10/site-packages/cli/cms_util.py", line 216, in sign_vote_request
    cert_chain.append(file.read_file(filename, "r"))
  File "/home/u22/anaconda3/envs/alice/lib/python3.10/site-packages/sdc/util/file.py", line 26, in read_file
    with open(file_path, mode) as f:
FileNotFoundError: [Errno 2] No such file or directory: 'a'

我用查看下a的调用，发现似乎是cert_chain_file，但是我已经将alice.crt放到了运行命令的目录下。请问如何能解决这个问题？

Reproduction code to reproduce the issue.

vote_request:
  # (required) str, vote type, should be "TEE_DOWNLOAD" when export data keys for tee tasks' encrypted result
  type: "TEE_DOWNLOAD"
  # (required) int, vote approved threshold
  approved_threshold: 1
  # (required) str, vote approved action, shoule be "tee/download,xxxx_uuid", replace "xxxx_uuid" with tee task's result data_uuid
  approved_action: "tee/download,model_uuid"
  # (required) List[str], cert chain files, the order is [cert, mid_ca_cert, root_ca_cert]
  # file num can be 1 if the cert is self-signed
  cert_chain_file: "alice.crt"
  # (required) str, file contains private key
  private_key_file: "alice.key"

自行搭建PCCS服务那里，version、os、arch具体应该怎么填？

系统：ubuntu20.04
node版本：21.4（是用nvm安装的，不是根据https://github.com/nodesource/distributions安装）
问题1：https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/main/QuoteGeneration/pccs的指令"dpkg -i sgx-dcap-pccs*${version}-${os}*${arch}.deb"里面version、os、arch具体应该怎么填？
问题2：尝试跳过https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/main/QuoteGeneration/pccs的文档教程，执行命令sudo apt-get install sgx-dcap-pccs ，为何会报错？详见图片，具体是说node的实际版本为20.13，但我输入"node -v"，输出是21.4
问题3：执行命令sudo systemctl start pccs，没有任何输出，是意味着其实pccs已经搭建好了，并且也启动了吗？

请求解密文件密钥时失败

Issue Type

Build/Install

Source

binary

Capsule Manager Version

0.2.0b0

Capsule Manager SDK Version

0.2.0b0

Tee Apps Version

0.2.0b0

OS Platform and Distribution

Ubuntu 22.04

Python version

3.10

Bazel version

No response

GCC/Compiler version

No response

What happend and What you expected to happen.

大佬，您好！我在最后一步从alice请求解密结果的密钥时失败。
    raise CapsuleManagerError(
sdc.error.CapsuleManagerError: CapsuleManager server error code: 13, error message: err code: Assert err; err detail: model_uuid xgb_model is not the same as expected; location: [line = 346, file = capsule-manager/src/core/model/request.rs]
model_uuid xgb_model应该是对应的一组吧，为什么会出错呢？

Reproduction code to reproduce the issue.

get_export_data_key_b64:
  # (required) str
  party_id: "XDQSXTKQC4LGD3V5LXROVB5C4THPWULM45M6DQX32SPBAE7Y66DA"
  # (required) str
  resource_uri: xgb_model
  # (required) str
  data_export_certificate_file: vote-result.json

请问可信APP里面拥有的Alice(Bob)的私钥是本来就存在的吗？

https://www.secretflow.org.cn/zh-CN/docs/trustedflow/0.2.0b0.post0/architecture/principle
如题，链接里第6步，CapsuleManager向可信APP发送（Alice的）经加密后的数据密钥，然而第7步，可信APP却直接使用（Alice的）私钥解密得到数据密钥，再用数据密钥解密得到（Alice的）原始数据。
不太理解，可信APP里面拥有的Alice的私钥是怎么来的？是可信APP里本来就存在的？还是我忽略了某些步骤（Alice向可信APP发送自己的私钥）？
大佬们可以帮忙看下这个问题吗？感激不尽！

步骤二上传密钥失败

Issue Type

Build/Install

Source

binary

Capsule Manager Version

镜像

Capsule Manager SDK Version

python3.8虚拟环境用pip安装

Tee Apps Version

与tee无关

OS Platform and Distribution

Ubuntu 22.04

Python version

3.8

Bazel version

No response

GCC/Compiler version

No response

What happend and What you expected to happen.

您好，我按照快速上手教程执行到步骤二，在执行cms register-data-keys上传密钥时失败。报错信息为：
  File "/home/u22/anaconda3/envs/alice/lib/python3.8/site-packages/cli/cms.py", line 77, in cms
    config["host"], config["mr_enclave"], None, config["sim"]
cli.yaml中确实没有后两个选项，模板中也没有这两项。
请问如何才能正确的生成cli.yaml以正确地通过第二步？

Reproduction code to reproduce the issue.

配置文件
add_data_rule:
  data_uuid: null
  rule:
    columns: null
    global_constraints: null
    grantee_party_ids: null
    op_constraints:
    - constraints: null
      op_name: null
    rule_id: null
  scope: null
cert_chain_file: null
common:
  cert_pems_file: null
  party_id: ZFBZB6LPM4SAYH2JUTYD26D65MVO2IZWSABUVUEBF6A7GWVPEXUA
  private_key_file: null
  scheme: RSA
delete_data_key:
  resource_uri: null
delete_data_policy:
  data_uuid: null
  scope: null
delete_data_rule:
  data_uuid: null
  rule_id: null
  scope: null
get_data_policys:
  scope: null
get_export_data_key_b64:
  data_export_certificate_file: null
  party_id: null
  resource_uri: null
host: 127.0.0.1:8888
private_key_file: null
register_data_keys:
  resource_uris:
    - breast_cancer_alice
  data_key_b64s: 
    - Rg0QdwhWd6hugT9KS78cTA==
  data_keys:
  - data_key_b64: null
    resource_uri: null
register_data_policy:
  data_uuid: null
  rules:
  - columns: null
    global_constraints: null
    grantee_party_ids: null
    op_constraints:
    - constraints: null
      op_name: null
    rule_id: null
  scope: null
root_ca_file: null
tee_constraints:
  mr_boot: null
  mr_plat: null
  mr_signer: null
  mr_ta: null
tee_plat: sim