This Registry change is being released early as this bug prevented updating subnet features in a previous proposal that was adopted over the weekend.
Proposals submitted
# Upgrade the Registry Canister to Commit 8622959
__Proposer__: maximilian.summe at dfinity.org
__Source code__: [86229594d61b433c39fc5331ab818ccb6c6aa6a7][new-commit]
[new-commit]: https://github.com/dfinity/ic/tree/86229594d61b433c39fc5331ab818ccb6c6aa6a7
## Summary
This release includes a bug fix that prevented setting any subnet features if the subnet record did not contain any existing feature settings.
Also includes several refactorings.
## New Commits
```
$ git log --format="%C(auto) %h %s" d265b130647f04aa25909ec1fbb8294ce0139d1c..86229594d61b433c39fc5331ab818ccb6c6aa6a7 -- ./rs/registry/canister
c2e11ca2ae fix(registry): Ensure subnet features can be changed for subnets without any features (#3044)
3e0cf89b23 test(IDX): depend on the universal canister at run-time instead of at build-time (#2502)
3c3d9cd360 refactor(crypto): CRP-2597 move MasterPublicKeyId protobuf from registry/crypto to types (#2406)
44095f27bb chore(CRP-2617): Generalize CUP’s ChainKeyInitialization (#2337)
```
## Current Version
__Current git hash__: d265b130647f04aa25909ec1fbb8294ce0139d1c
__Current wasm hash__: 2fabd44386a8af5a579a72af4a27c6b844a8a88aced49d16f286187e5660d771
## Verification
See the general instructions on [how to verify] proposals like this. A "quick
start" guide is provided here.
[how to verify]: https://github.com/dfinity/ic/tree/86229594d61b433c39fc5331ab818ccb6c6aa6a7/rs/nervous_system/docs/proposal_verification.md
### WASM Verification
See ["Building the code"][prereqs] for prerequisites.
[prereqs]: https://github.com/dfinity/ic/tree/86229594d61b433c39fc5331ab818ccb6c6aa6a7/README.adoc#building-the-code
```
# 1. Get a copy of the code.
git clone git@github.com:dfinity/ic.git
cd ic
# Or, if you already have a copy of the ic repo,
git fetch
git checkout 86229594d61b433c39fc5331ab818ccb6c6aa6a7
# 2. Build canisters.
./ci/container/build-ic.sh -c
# 3. Fingerprint the result.
sha256sum ./artifacts/canisters/registry-canister.wasm.gz
```
This should match `wasm_module_hash` field of this proposal.
c2e11ca2ae fix(registry): Ensure subnet features can be changed for subnets without any features (#3044)
The validate_update_sev_feature function is used to make sure that the SEV feature for a subnet remains immutable after the subnet’s creation.
The update of this function improves simplicity and readability while keeping the functionality of validating the sev_enabled feature on existing subnets.
The previous logic used to compare old & new SubnetFeatures is replaced with a simple check against sev_enabled field in the payload.
Reason:
Build successful and hashes match, commits look great and match the description. Found no issues.
[c2e11ca2ae]: This commit fixes a bug found in the previous Subnet Management Proposal 134382. The following line caused the problem if let Some(old_features) = subnet_record.features where if the old_features was None the condition would evaluate to false triggering the panic Proposal attempts to change sev_enabled for Subnet '{}', but sev_enabled can only be set during subnet creation. which isn’t true. Now this if condition is replaced with if let Some(sev_enabled) = features.sev_enabled that makes sure that only sev features are not changed since this can only be set during subnet creation.
[3e0cf89b23]: Previously the Universal Canister wasm needed to be manually changed at build time following specific instructions. Now it is treated as a run time dependency and it’s wasm is loaded during execution using an environment variable "UNIVERSAL_CANISTER_WASM_PATH": "$(rootpath //rs/universal_canister/impl:universal_canister.wasm.gz)".
[3c3d9cd360]: Moves the MasterPublicKeyId Protobuf and subsequently contained message definitions from the registry.crypto.v1package to thetypes.v1package. This is done in order to avoid a circular dependency in a later stage when adding an optional field to thetypes.v1.NiDkgId` message. The code is then refactored accordingly to the move.
[44095f27bb]: The ChainKeyInitialization message type is extended to include a new variant transcript_record. The dealings variant is replaced with a oneof initialization which can either hold InitialIDkgDealings dealings or InitialNiDkgTranscriptRecord transcript_record. Using the oneof like this does the change the wire representation of the type and doesn’t introduce incompatibilities, so no migration code was necessary.
Build completed successfully, hashes are verified, and commits match the changes described with the code implemented.
Hash Match: MATCH
Feedback: NONE
Proposer Check: MATCH
Commits
c2e11ca2ae
Modifies the validate_update_sev_feature function to completely prohibit setting the sev_enabled field during subnet updates, regardless of its previous state. Any presence of the sev_enabled field in the update payload leads to a panic. Subnet features can be added or modified only for subnets that do not currently have any features.
3e0cf89b23
Replace the statically included universal canister WASM (include_bytes!) with a dynamic runtime dependency using UNIVERSAL_CANISTER_WASM_PATH. This allows the universal canister’s WASM to be treated as a runtime dependency, enabling Bazel to manage updates and automatically rerun dependent tests.
Standardized WASM usage by replacing calls to UNIVERSAL_CANISTER_WASM.into() with UNIVERSAL_CANISTER_WASM.to_vec().
3c3d9cd360
Relocate the MasterPublicKeyId and related cryptographic key definitions (EcdsaCurve, EcdsaKeyId, SchnorrAlgorithm, SchnorrKeyId, VetKdCurve, VetKdKeyId) from the registry.crypto.v1 namespace to types.v1. This restructuring prevents circular dependencies between registry.crypto.v1.crypto.proto and types.v1.types.proto, enabling future enhancements such as adding a MasterPublicKeyId field to the NiDkgId message as described in the commit description.
44095f27bb
Update the ChainKeyInitialization structure to use a oneof field named initialization, allowing it to include either InitialIDkgDealings or InitialNiDkgTranscriptRecord instead of only dealings. This matches the description to add InitialNiDkgTranscriptRecord variant to ChainKeyInitialization using a oneof to support VetKeys, ensuring backward compatibility and updating client code without requiring migration, with registry enhancements planned for future updates.
Reason: Build is successful and both code changes and hashes match.
c2e11ca2ae Fixed validate_update_sev_feature method to allow updating subnet features. Previously it’d panic if any changes were made to the subnet’s features, now it will only panic when attempting to change sev state on an existing subnet.
Added more tests to ensure sev can’t be toggled on/off and other features can be changed.
Other commits have already been validated as part of previous releases.
Vote: Adopted Args: No args. Canister Id: rwlgt-iiaaa-aaaaa-aaaaa-cai is indeed the registry canister. Install Mode: Upgrade.
The build is reproducible.
The function validate_update_sev_feature was refactored to improve clarity and robustness. Key updates include:
Enhanced Documentation: Added a detailed explanation of SEV (AMD Secure Encrypted Virtualization).