Lexe is a managed, non-custodial Lightning node and wallet based on Intel SGX.
- LDK-based Lightning node written in Rust
- Flutter/Dart iOS and Android apps
- BDK wallet for on-chain payments
- Fortanix EDP for integration with SGX
This repository contains all public code including the user Lightning node, iOS / Android apps, and shared libraries.
More information is available on our website: lexe.app
node
: Lightning node (usually referred to as the "user node").app
: Flutter/Dart apps.app-rs
: Rust logic used in the Lexe mobile app along with an FFI interface for the Flutter apps.lexe-ln
: Shared Bitcoin and Lightning logic.common
: A general shared library which contains:- APIs: definitions, errors, clients (with TLS and quote verification), models
- SGX: remote attestation, sealing, SGX types
- Cryptography: ed25519, ring, secp256k1, AES-256-GCM, SHA-256, root seeds, key derivation, rng, E2EE "vfs" for untrusted storage
- Utils: hex, byte strings, test-utils, tasks, channels, exponential backoff, iterator extensions
- and other miscellaneous things.
flake.nix
: Reproducible node buildSECURITY.md
contains information about Lexe's security model and responsible disclosure.
Install nix
with the DeterminateSystems/nix-installer.
We suggest the multi-user installation.
$ curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix \
| sh -s -- install
Enter an ephemeral dev shell for working on the project. This shell is setup with all the tools needed to build, lint, run tests, etc...
$ nix develop
Try running the Rust tests:
$ cargo test
If you want to reproducibly build the user node SGX enclave, you'll need to
follow the above setup instructions on an x86_64-linux
machine or VM. You can
check your machine architecture with a simple command:
$ uname -sm
Linux x86_64
If you don't have one readily available, we suggest using a cloud VM (make sure it's running on an x86_64 CPU). If you use macOS, our engineers currently use OrbStack to run local, near-native x86_64 linux pseudo-VMS. Follow our OrbStack linux-builder setup to get going quickly. If you're on Windows, then WSL2 might work, though we haven't tried it.
Once you have an x86_64-linux
machine setup, reproduce the user node for the
given release tag (e.g., node-v0.1.0
):
$ git fetch --all --tags
$ git checkout tags/node-v0.1.0 -b node-v0.1.0
$ nix build .#node-release-sgx
$ cat result/bin/node.measurement
867d0c37d5af59644d9d30f376dc1f574de9196b3f8b0287f52d76a0e15d621b
Install rustup
$ curl --proto '=https' --tlsv1.3 -sSf https://sh.rustup.rs | bash
# default host triple: default
# default toolchain: stable
# profile: default
# modify PATH variable: yes
Install Protocol Buffers
# (Ubuntu/Debian/Pop!_OS)
$ sudo apt install protobuf-compiler
# (macOS)
$ brew install protobuf
For devs without x86_64
linux hosts, you'll need to set up a
x86_64-unknown-linux-gnu
cross-compilation toolchain in order to build for
the enclave target x86_64-fortanix-unknown-sgx
.
# (macOS)
$ brew tap MaterializeInc/homebrew-crosstools https://github.com/MaterializeInc/homebrew-crosstools
$ brew install materializeinc/crosstools/x86_64-unknown-linux-gnu
Install the enclave toolchain (does not appear to work on M1 Macs)
$ cd ~
$ git clone --branch lexe-2023_09_27 https://github.com/lexe-app/rust-sgx.git
$ cd rust-sgx
$ cargo install --path intel-sgx/fortanix-sgx-tools
$ cargo install --path intel-sgx/sgxs-tools
Non-x86_64
linux hosts should also add the following to their
~/.cargo/config.toml
:
[target.x86_64-fortanix-unknown-sgx]
linker = "x86_64-unknown-linux-gnu-ld"
[env]
CC_x86_64-fortanix-unknown-sgx = "x86_64-unknown-linux-gnu-gcc"
AR_x86_64-fortanix-unknown-sgx = "x86_64-unknown-linux-gnu-ar"
If running the node or running tests in SGX, install our runners:
# Clone the repo if not already cloned
$ git clone https://github.com/lexe-app/lexe-public
$ cd lexe-public # or $ cd lexe/public
$ cargo install --path run-sgx
Run lints and tests
$ cargo clippy --all
$ cargo fmt -- --check
$ cargo test
Build the node
# Build for the local environment (non-SGX)
$ cargo build -p node
# Build for SGX
$ cargo build -p node --target=x86_64-fortanix-unknown-sgx
$ cargo build -p node --release --target=x86_64-fortanix-unknown-sgx
Check that the node runs by printing the current version
$ cargo run -p node -- --version
$ cargo run -p node --target=x86_64-fortanix-unknown-sgx -- --version
$ cargo run -p node --release --target=x86_64-fortanix-unknown-sgx -- --version
See node help
$ cargo run -p node -- run --help
$ cargo run -p node --target=x86_64-fortanix-unknown-sgx -- run --help
$ cargo run -p node --release --target=x86_64-fortanix-unknown-sgx -- run --help
- If running in SGX, make sure that you are running on real Intel hardware with SGX enabled.
- If running the node independently of Lexe services, you will need to use mock
API clients instead of the real ones, which simulate the APIs exposed by these
services. To do this, pass
-m
and simply don't specify a--backend-url
,--runner-url
, or LSP url. Note that mocking functionality is provided on a best-effort basis and is not tested (or used) regularly by Lexe devs.
See RunArgs
/ProvisionArgs
contained in common::cli::node
for full options.
Follow these instructions if you're running on macOS and want to reproduce the user node.
Download OrbStack. Either follow https://orbstack.dev/download or just install with homebrew:
$ brew install orbstack
Create a new NixOS VM @ v24.05 called linux-builder
:
NOTE: when orbstack runs, you don't need to install the privileged docker socket helper, since we don't require it.
$ orb create nixos linux-builder
In order to get a usable builder VM, we have to tweak the base NixOS config. This will install some extra required packages in the VM (git), enable some nix features, and tell the VM to sign its store packages:
$ orb push -m linux-builder ./nix/linux-builder/configuration.nix /tmp/configuration.nix
$ orb run -m linux-builder --user root --shell <<EOF
sed "s/{{ username }}/$USER/" /tmp/configuration.nix > /etc/nixos/configuration.nix
chown root:root /etc/nixos/configuration.nix
nixos-rebuild switch
EOF
Now, you can shell into the VM and build:
$ orb shell -m linux-builder
(linux-builder)$ nix build .#packages.x86_64-linux.node-release-sgx
(linux-builder)$ cat ./result/bin/node.measurement
bdd9eec1fbd625eec3b2a9e2a6072f60240c930b0867b47199730b320c148e8c
All files in this repository are licensed under the PolyForm Noncommercial License 1.0.0.
© 2022-2024 Lexe Corporation