WIP: Trust Quorum: Start implementing Node

This code builds upon #7859, which itself builds upon #7891. Those
need to be merged in order first.

A `Node` is the sans-io entity driving the trust quorum protocol. This
PR starts the work of creating the `Node` type and coordinating an
initial configuration.

There's a property based test that generates an initial `ReconfigureMsg`
that is then used to call `Node::coordinate_reconfiguration`, which will
internally setup a `CoordinatorState` and create a bunch of messages
to be sent. We verify that a new `PersistentState` is returned and that
messages are sent.

This needs a bit more documentation and testing, so it's still WIP.

Author: andrewjstone

Diff for: Cargo.lock

@@ -26,7 +26,7 @@ pub use messages::{
 pub use peer::{Config, Node, NodeHandle, NodeRequestError, Status};
 pub use request_manager::{RequestManager, TrackableRequest};
 pub use share_pkg::{LearnedSharePkg, SharePkg, SharePkgCommon, create_pkgs};
-pub use storage::NetworkConfig;
+pub use storage::{NetworkConfig, PersistentFsmState};
 
 /// The current version of supported messages within the v0 scheme
 ///

Diff for: bootstore/src/schemes/v0/mod.rs

@@ -32,5 +32,7 @@ zeroize.workspace = true
 omicron-workspace-hack.workspace = true
 
 [dev-dependencies]
+assert_matches.workspace = true
+omicron-test-utils.workspace = true
 proptest.workspace = true
 test-strategy.workspace = true

Diff for: trust-quorum/Cargo.toml

@@ -5,8 +5,9 @@
 //! A configuration of a trust quroum at a given epoch
 
 use crate::crypto::{EncryptedRackSecret, RackSecret, Salt, Sha3_256Digest};
-use crate::{Epoch, PlatformId, ReconfigureMsg, Threshold};
-use gfss::shamir::SplitError;
+use crate::validators::ValidatedReconfigureMsg;
+use crate::{Epoch, PlatformId, Threshold};
+use gfss::shamir::{SecretShares, SplitError};
 use omicron_uuid_kinds::RackUuid;
 use secrecy::ExposeSecret;
 use serde::{Deserialize, Serialize};
@@ -57,8 +58,8 @@ impl Configuration {
     /// the last committed epoch.
     pub fn new(
         coordinator: PlatformId,
-        reconfigure_msg: &ReconfigureMsg,
-    ) -> Result<Configuration, ConfigurationError> {
+        reconfigure_msg: &ValidatedReconfigureMsg,
+    ) -> Result<(Configuration, SecretShares), ConfigurationError> {
         let rack_secret = RackSecret::new();
         let shares = rack_secret.split(
             reconfigure_msg.threshold,
@@ -82,14 +83,17 @@ impl Configuration {
             .zip(share_digests)
             .collect();
 
-        Ok(Configuration {
-            rack_id: reconfigure_msg.rack_id,
-            epoch: reconfigure_msg.epoch,
-            coordinator,
-            members,
-            threshold: reconfigure_msg.threshold,
-            previous_configuration: None,
-        })
+        Ok((
+            Configuration {
+                rack_id: reconfigure_msg.rack_id,
+                epoch: reconfigure_msg.epoch,
+                coordinator,
+                members,
+                threshold: reconfigure_msg.threshold,
+                previous_configuration: None,
+            },
+            shares,
+        ))
     }
 }
 

Diff for: trust-quorum/src/configuration.rs

@@ -0,0 +1,195 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+//! State of a reconfiguration coordinator inside a [`crate::Node`]
+
+use crate::crypto::{LrtqShare, Sha3_256Digest, ShareDigestLrtq};
+use crate::messages::{PeerMsg, PrepareMsg};
+use crate::validators::{ReconfigurationError, ValidatedReconfigureMsg};
+use crate::{Configuration, Envelope, Epoch, PlatformId};
+use gfss::shamir::{SecretShares, Share};
+use secrecy::ExposeSecret;
+use std::collections::{BTreeMap, BTreeSet};
+use std::time::Instant;
+
+/// The state of a reconfiguration coordinator.
+///
+/// A coordinator can be any trust quorum node that is a member of both the old
+/// and new group. The coordinator is chosen by Nexus for a given epoch when a
+/// trust quorum reconfiguration is triggered. Reconfiguration is only performed
+/// when the control plane is up, as we use Nexus to persist prepares and ensure
+/// commitment happens, even if the system crashes while committing. If a
+/// rack crash (such as a power outage) occurs before nexus is informed of the
+/// prepares, nexus will  skip the epoch and start a new reconfiguration. This
+/// allows progress to always be made with a full linearization of epochs.
+///
+/// We allow some unused fields before we complete the coordination code
+#[allow(unused)]
+pub struct CoordinatorState {
+    /// A copy of the platform_id from [`Node`] purely for ergonomics
+    platform_id: PlatformId,
+
+    /// When the reconfiguration started
+    pub start_time: Instant,
+
+    /// A copy of the message used to start this reconfiguration
+    pub reconfigure_msg: ValidatedReconfigureMsg,
+
+    /// Configuration that will get persisted inside a `Prepare` message in a
+    /// `Node`s `PersistentState`, once it is possible to create the Prepare.
+    pub configuration: Configuration,
+
+    /// What is the coordinator currently doing
+    pub op: CoordinatorOperation,
+
+    /// When to resend prepare messages next
+    pub retry_deadline: Instant,
+}
+
+impl CoordinatorState {
+    /// Start coordinating a reconfiguration for a brand new trust quorum
+    ///
+    /// Return the newly constructed `CoordinatorState` along with this node's
+    /// `PrepareMsg` so that it can be persisted.
+    ///
+    /// Precondition: This node must be a member of the new configuration
+    /// or this method will panic. This is ensured as part of passing in a
+    /// `ValidatedReconfigureMsg`.
+    pub fn new_uninitialized(
+        my_platform_id: PlatformId,
+        now: Instant,
+        msg: ValidatedReconfigureMsg,
+    ) -> Result<(CoordinatorState, PrepareMsg), ReconfigurationError> {
+        // Create a configuration for this epoch
+        let (config, shares) =
+            Configuration::new(my_platform_id.clone(), &msg)?;
+
+        let shares_by_member: BTreeMap<PlatformId, Share> = config
+            .members
+            .keys()
+            .cloned()
+            .zip(shares.shares.expose_secret().iter().cloned())
+            .collect();
+
+        let mut prepares = BTreeMap::new();
+        let mut my_prepare_msg: Option<PrepareMsg> = None;
+        for (platform_id, share) in shares_by_member.into_iter() {
+            let prepare_msg = PrepareMsg { config: config.clone(), share };
+            if platform_id == my_platform_id {
+                // The prepare message to add to our `PersistentState`
+                my_prepare_msg = Some(prepare_msg);
+            } else {
+                // Create a message that requires sending
+                prepares.insert(platform_id, prepare_msg);
+            }
+        }
+        let op = CoordinatorOperation::Prepare {
+            prepares,
+            prepare_acks: BTreeSet::new(),
+        };
+
+        let state = CoordinatorState::new(my_platform_id, now, msg, config, op);
+        Ok((state, my_prepare_msg.unwrap()))
+    }
+
+    /// A reconfiguration from one group to another
+    pub fn new_reconfiguration(
+        my_platform_id: PlatformId,
+        now: Instant,
+        msg: ValidatedReconfigureMsg,
+        last_committed_config: &Configuration,
+    ) -> Result<CoordinatorState, ReconfigurationError> {
+        let (config, new_shares) =
+            Configuration::new(my_platform_id.clone(), &msg)?;
+
+        // We must collect shares from the last configuration
+        // so we can recompute the old rack secret.
+        let op = CoordinatorOperation::CollectShares {
+            epoch: last_committed_config.epoch,
+            members: last_committed_config.members.clone(),
+            collected_shares: BTreeMap::new(),
+            new_shares,
+        };
+
+        Ok(CoordinatorState::new(my_platform_id, now, msg, config, op))
+    }
+
+    // Intentionallly private!
+    fn new(
+        platform_id: PlatformId,
+        now: Instant,
+        reconfigure_msg: ValidatedReconfigureMsg,
+        configuration: Configuration,
+        op: CoordinatorOperation,
+    ) -> CoordinatorState {
+        // We always set the retry deadline to `now` so that we will send
+        // messages upon new construction. This field gets updated after
+        // prepares are sent.
+        let retry_deadline = now;
+        CoordinatorState {
+            platform_id,
+            start_time: now,
+            reconfigure_msg,
+            configuration,
+            op,
+            retry_deadline,
+        }
+    }
+
+    // Send any required messages as a reconfiguration coordinator
+    //
+    // This varies depending upon the current `CoordinatorState`.
+    //
+    // In some cases a `PrepareMsg` will be added locally to the
+    // `PersistentState`, requiring persistence from the caller. In this case we
+    // will return a copy of it.
+    //
+    // This method is "in progress" - allow unused parameters for now
+    #[allow(unused)]
+    pub fn send_msgs(&mut self, now: Instant, outbox: &mut Vec<Envelope>) {
+        match &self.op {
+            CoordinatorOperation::CollectShares {
+                epoch,
+                members,
+                collected_shares,
+                ..
+            } => {}
+            CoordinatorOperation::CollectLrtqShares { members, shares } => {}
+            CoordinatorOperation::Prepare { prepares, prepare_acks } => {
+                for (platform_id, prepare) in prepares.clone().into_iter() {
+                    outbox.push(Envelope {
+                        to: platform_id,
+                        from: self.platform_id.clone(),
+                        msg: PeerMsg::Prepare(prepare),
+                    });
+                }
+            }
+        }
+    }
+}
+
+/// What should the coordinator be doing?
+///
+/// We haven't started implementing upgrade from LRTQ yet
+#[allow(unused)]
+pub enum CoordinatorOperation {
+    CollectShares {
+        epoch: Epoch,
+        members: BTreeMap<PlatformId, Sha3_256Digest>,
+        collected_shares: BTreeMap<PlatformId, Share>,
+        new_shares: SecretShares,
+    },
+    // Epoch is always 0
+    CollectLrtqShares {
+        members: BTreeMap<PlatformId, ShareDigestLrtq>,
+        shares: BTreeMap<PlatformId, LrtqShare>,
+    },
+    Prepare {
+        /// The set of Prepares to send to each node
+        prepares: BTreeMap<PlatformId, PrepareMsg>,
+
+        /// Acknowledgements that the prepare has been received
+        prepare_acks: BTreeSet<PlatformId>,
+    },
+}

Diff for: trust-quorum/src/coordinator_state.rs

@@ -13,11 +13,18 @@ use derive_more::Display;
 use serde::{Deserialize, Serialize};
 
 mod configuration;
+mod coordinator_state;
 pub(crate) mod crypto;
 mod messages;
+mod node;
+mod persistent_state;
+mod validators;
 pub use configuration::Configuration;
+pub(crate) use coordinator_state::CoordinatorState;
 pub use crypto::RackSecret;
 pub use messages::*;
+pub use node::Node;
+pub use persistent_state::PersistentState;
 
 #[derive(
     Debug,
@@ -61,8 +68,22 @@ pub struct Threshold(pub u8);
     Debug, Clone, PartialEq, Eq, PartialOrd, Ord, Serialize, Deserialize,
 )]
 pub struct PlatformId {
-    pub part_number: String,
-    pub serial_number: String,
+    part_number: String,
+    serial_number: String,
+}
+
+impl PlatformId {
+    pub fn new(part_number: String, serial_number: String) -> PlatformId {
+        PlatformId { part_number, serial_number }
+    }
+
+    pub fn part_number(&self) -> &str {
+        &self.part_number
+    }
+
+    pub fn serial_number(&self) -> &str {
+        &self.serial_number
+    }
 }
 
 /// A container to make messages between trust quorum nodes routable

Diff for: trust-quorum/src/lib.rs

@@ -13,7 +13,7 @@ use std::{collections::BTreeSet, time::Duration};
 
 /// A request from nexus informing a node to start coordinating a
 /// reconfiguration.
-#[derive(Debug, PartialEq, Eq, PartialOrd, Ord, Serialize, Deserialize)]
+#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
 pub struct ReconfigureMsg {
     pub rack_id: RackUuid,
     pub epoch: Epoch,
@@ -32,8 +32,20 @@ pub enum PeerMsg {
     PrepareAck(Epoch),
     Commit(CommitMsg),
 
+    /// When a node learns about a commit for a given epoch
+    /// but does not have a `PrepareMsg`, it must ask for it
+    /// from another node.
+    GetPrepare(Epoch),
+
+    /// Nodes reply with `PrepareAndCommit` to `GetPrepare` requests when they
+    /// are able to.
+    PrepareAndCommit,
+
     GetShare(Epoch),
-    Share { epoch: Epoch, share: Share },
+    Share {
+        epoch: Epoch,
+        share: Share,
+    },
 
     // LRTQ shares are always at epoch 0
     GetLrtqShare,
@@ -47,9 +59,7 @@ pub struct PrepareMsg {
     pub share: Share,
 }
 
-#[derive(
-    Debug, Clone, PartialEq, Eq, PartialOrd, Ord, Serialize, Deserialize,
-)]
+#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
 pub struct CommitMsg {
     epoch: Epoch,
 }