Manage ROFL Apps
The rofl command combines a series of actions for managing the Runtime OFfchain Logic (ROFL) apps:
- build ROFL locally,
- verify the ROFL bundle,
- register, deregister and update ROFL apps on the network,
- show information about the registered ROFL apps,
- other convenient tooling for ROFL app developers.
Initialize a new ROFL app manifest
The rofl init command will prepare a new ROFL app manifest in the given directory (defaults to the current directory). The manifest is a YAML file named rofl.yaml which defines the versions of all components, upgrade policies, etc. needed to manage, build and deploy the ROFL app.
You can also define specific Network, ParaTime and Account parameters. These get recorded into the manifest, so you don't need to specify them on each invocation:
oasis rofl init --network testnet --account my_rofl_acc
Creating a new ROFL app with default policy...
Name: myapp
Version: 0.1.0
TEE: tdx
Kind: container
Deployment 'default':
Network: testnet
ParaTime: sapphire
Debug: false
Admin: test_a
Created manifest in 'rofl.yaml'.
Run `oasis rofl create --update-manifest` to register your ROFL app and configure an app ID.
Create a new ROFL app on the network
Use rofl create to register a new ROFL app on the network using an existing manifest.
oasis rofl create --update-manifest
You are about to sign the following transaction:
Format: plain
Method: rofl.Create
Body:
{
"policy": {
"quotes": {
"pcs": {
"tcb_validity_period": 30,
"min_tcb_evaluation_data_number": 17,
"tdx": {}
}
},
"enclaves": [],
"endorsements": [
{
"any": {}
}
],
"fees": 2,
"max_expiration": 3
},
"scheme": 1
}
Authorized signer(s):
1. sk5kvBHaZ/si0xXRdjllIOxOgr7o2d1K+ckVaU3ndG4= (ed25519)
Nonce: 319
Fee:
Amount: 0.0101405 TEST
Gas limit: 101405
(gas price: 0.0000001 TEST per gas unit)
Network: testnet
ParaTime: sapphire (Sapphire Testnet)
Account: test:alice
? Sign this transaction? Yes
(In case you are using a hardware-based signer you may need to confirm on device.)
Broadcasting transaction...
Transaction included in block successfully.
Round: 412
Transaction hash: 2d8ef6e832256986a19d7b92dcf182976205c5247aff71487832877ff4d72edd
Execution successful.
Created ROFL app: rofl1qzd82n99vtwesvcqjfyur4tcm45varz2due7s635
Run `oasis rofl build --update-manifest` to build your ROFL app.
The command returns the unique ROFL app ID, which starts with rofl1 and which you will refer to when managing your ROFL app in the future. If you specify the --update-manifest parameter, the manifest will be automatically updated with the newly assigned app identifier.
To prevent spam attacks, registering a ROFL app requires a certain amount to be deposited from your account until you decide to remove it. The deposit remains locked for the lifetime of the app. Check out the ROFL chapter to view the current staking requirements.
With the --scheme parameter, you can select one of the following ROFL app ID derivation schemes:
- cn uses the ROFL app creator address (the account you're using to sign the transaction) combined with the account's nonce (default). This behavior is similar to Ethereum smart contract address derivation and is deterministic.
- cri uses the ROFL app creator address combined with the block round the transaction will be validated in and its position inside that block.
Build ROFL
The rofl build command will execute a series of build commands depending on the target Trusted Execution Environment (TEE) and produce the Oasis Runtime Container (ORC) bundle.
Additionally, the following flags are available:
- --update-manifest updates the enclave identity in the app manifest with the identity of the locally built app.
- --output the filename of the output ORC bundle. Defaults to the pattern <name>.<deployment>.orc where <name> is the app name from the manifest and <deployment> is the deployment name from the manifest.
- --verify also verifies the locally built enclave identity against the identity that is currently defined in the manifest and also against the identity that is currently set in the on-chain policy.
Building ROFL apps does not require a working TEE on your machine. However, you do need to install all corresponding tools. Check out the ROFL Prerequisites chapter for details.
Update ROFL app config
Use the rofl update command to update the ROFL app's configuration on chain:
oasis rofl update
You are about to sign the following transaction:
Format: plain
Method: rofl.Update
Body:
{
"id": "rofl1qzd82n99vtwesvcqjfyur4tcm45varz2due7s635",
"policy": {
"quotes": {
"pcs": {
"tcb_validity_period": 30,
"min_tcb_evaluation_data_number": 17,
"tdx": {}
}
},
"enclaves": [],
"endorsements": [
{
"any": {}
}
],
"fees": 2,
"max_expiration": 3
},
"admin": "oasis1qpwaggvmhwq5uk40clase3knt655nn2tdy39nz2f"
}
Authorized signer(s):
1. sk5kvBHaZ/si0xXRdjllIOxOgr7o2d1K+ckVaU3ndG4= (ed25519)
Nonce: 320
Fee:
Amount: 0.010145 TEST
Gas limit: 101450
(gas price: 0.0000001 TEST per gas unit)
Network: testnet
ParaTime: sapphire (Sapphire Testnet)
Account: test:alice
? Sign this transaction? Yes
(In case you are using a hardware-based signer you may need to confirm on device.)
Broadcasting transaction...
Transaction included in block successfully.
Round: 310
Transaction hash: 2d8ef6e832256986a19d7b92dcf182976205c5247aff71487832877ff4d72edd
Execution successful.
Remove ROFL app from the network
Run rofl remove to deregister your ROFL app:
oasis rofl remove
You are about to sign the following transaction:
Format: plain
Method: rofl.Remove
Body:
{
"id": "rofl1qzd82n99vtwesvcqjfyur4tcm45varz2due7s635"
}
Authorized signer(s):
1. sk5kvBHaZ/si0xXRdjllIOxOgr7o2d1K+ckVaU3ndG4= (ed25519)
Nonce: 321
Fee:
Amount: 0.0011288 TEST
Gas limit: 11288
(gas price: 0.0000001 TEST per gas unit)
Network: testnet
ParaTime: sapphire (Sapphire Testnet)
Account: test:alice
? Sign this transaction? Yes
(In case you are using a hardware-based signer you may need to confirm on device.)
Broadcasting transaction...
Transaction included in block successfully.
Round: 510
Transaction hash: b3a6f36c7a846dcf3f28c2dd3d2383cc2c3f7c1e05cea4be92fff2338849d825
Execution successful.
The deposit required to register the ROFL app will be returned to the current administrator account.
Show ROFL information
Run rofl show to obtain information from the network about the ROFL admin account, staked amount, current ROFL policy and running instances:
oasis rofl show
App ID: rofl1qzd82n99vtwesvcqjfyur4tcm45varz2due7s635
Admin: oasis1qrec770vrek0a9a5lcrv0zvt22504k68svq7kzve
Staked amount: 10000.0
Policy:
{
"quotes": {
"pcs": {
"tcb_validity_period": 30,
"min_tcb_evaluation_data_number": 17,
"tdx": {}
}
},
"enclaves": [
"z+StFagJfBOdGlUGDMH7RlcNUm1uqYDUZDG+g3z2ik8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==",
"6KfY4DqD1Vi+H7aUn5FwwLobEzERHoOit7xsrPNz3eUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
],
"endorsements": [
{
"any": {}
}
],
"fees": 2,
"max_expiration": 3
}
=== Instances ===
- RAK: UwuhJrOYX6FDOc27NilQSrcVEtWD9voq+ST+ohsaRTI=
Node ID: DbeoxcRwDO4Wh8bwq5rAR7wzhiB+LeYn+y7lFSGAZ7I=
Expiration: 7
Advanced
Show ROFL identity
Run rofl identity to compute the cryptographic identity of the ROFL app:
oasis rofl identity rofl-oracle.orc
wzwUd5Ym/e5OO87pGVk2yWL4v0x12U3Zx/48Vdoe1PyTBkRbZbh9kPyqgY1RsvenXEIHQA0c2nR/WlmvS1vbcg==
The output above is the Base64-encoded enclave identity, which depends on the ROFL source code and the build environment. Enclave identities should be reproducible on any computer and are used to prove and verify the integrity of ROFL binaries on the network. See the Reproducibility chapter to learn more.
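One way to script the comparison between locally computed identities and the enclaves list of the on-chain policy, as an added example that is not part of the Oasis CLI or its documentation. It assumes the rofl show output layout shown above; the sample output, the identity values and the function names are constructed for illustration.

```python
import base64
import binascii
import json

# Constructed sample in the layout `oasis rofl show` prints on this page.
# The identities are made-up 64-byte values, not real enclave measurements.
ID_A = base64.b64encode(bytes([0xA1]) * 32 + bytes(32)).decode()
ID_B = base64.b64encode(bytes([0xB2]) * 32 + bytes(32)).decode()
SAMPLE_SHOW = f"""App ID: rofl1-constructed-placeholder
Policy:
{{
  "enclaves": ["{ID_A}", "{ID_B}"],
  "endorsements": [{{"any": {{}}}}],
  "fees": 2
}}
=== Instances ===
"""


def extract_policy(show_output):
    """Return the JSON policy object printed after the 'Policy:' line."""
    marker = show_output.find("Policy:")
    if marker < 0:
        raise ValueError("no 'Policy:' section in output")
    start = show_output.index("{", marker)
    # raw_decode stops at the end of the JSON value, so the
    # '=== Instances ===' text that follows is ignored.
    policy, _ = json.JSONDecoder().raw_decode(show_output[start:])
    return policy


def decode_identity(text):
    """Strictly decode one Base64 identity so comparisons are byte-exact."""
    try:
        return base64.b64decode(text.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid Base64: {text!r}") from exc


def compare_identities(show_output, local_identities):
    """Compare locally built identities with the on-chain 'enclaves' list."""
    listed = extract_policy(show_output).get("enclaves", [])
    on_chain = {decode_identity(e) for e in listed}
    local = {decode_identity(i) for i in local_identities}
    enc = lambda ids: sorted(base64.b64encode(b).decode() for b in ids)
    return {
        "missing_on_chain": enc(local - on_chain),  # built here, not listed
        "unknown_on_chain": enc(on_chain - local),  # listed, not rebuilt here
        "match": bool(local) and local == on_chain,
    }
```

A non-empty unknown_on_chain list means the policy still lists an identity that the current source and build environment did not reproduce, which is worth investigating before the next rofl update.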
Show the current trust-root
For the ROFL app to trust the environment it is executed in, it needs to have a hardcoded trust root. Typically, it consists of:
- the ParaTime ID,
- the chain domain separation context,
- the specific consensus block hash and its height.
To obtain the latest trust root in the Rust programming language, run oasis rofl trust-root:
oasis rofl trust-root
TrustRoot {
    height: 1022,
    hash: "bb3e63d729dd568ce07b37eea33eddf8082ed4cacbd64097aad32168a4a4fc9a".into(),
    runtime_id: "8000000000000000000000000000000000000000000000000000000000000000".into(),
    chain_context: "074f5ba071c4385a7ad24aea0a3a7b137901395e8f3b35479c1cce87d3170f4e".to_string(),
}
You can also define specific Network and ParaTime parameters:
oasis rofl trust-root --network testnet --paratime sapphire