|
| 1 | +--- |
| 2 | +simd: 'XXXX' |
| 3 | +title: Loader-v3 to loader-v4 migration |
| 4 | +authors: |
| 5 | + - Alexander Meißner |
| 6 | +category: Standard |
| 7 | +type: Core |
| 8 | +status: Review |
| 9 | +created: 2024-08-15 |
| 10 | +feature: 2aQJYqER2aKyb3cZw22v4SL2xMX7vwXBRWfvS4pTrtED |
| 11 | +extends: SIMD-0167 |
| 12 | +--- |
| 13 | + |
| 14 | +## Summary |
| 15 | + |
| 16 | +Migration of loader-v3 programs to loader-v4. |
| 17 | + |
| 18 | +## Motivation |
| 19 | + |
| 20 | +In order to remove the issues of loader-v3 (mentioned in SIMD-0167) from |
| 21 | +validator implementations, all remaining loader-v3 must be migrated to |
| 22 | +loader-v4. |
| 23 | + |
| 24 | +## Alternatives Considered |
| 25 | + |
| 26 | +None. |
| 27 | + |
| 28 | +## New Terminology |
| 29 | + |
| 30 | +None. |
| 31 | + |
| 32 | +## Detailed Design |
| 33 | + |
| 34 | +The feature gate must: |
| 35 | + |
| 36 | +- enable loader-v4 `LoaderV411111111111111111111111111111111111` program |
| 37 | +management and execution (see SIMD-0167). |
| 38 | +- enable the loader-v3 `BPFLoaderUpgradeab1e11111111111111111111111` |
| 39 | +instruction `UpgradeableLoaderInstruction::Migrate`. |
| 40 | + |
| 41 | +### Loader-v3 Instruction: Migrate |
| 42 | + |
| 43 | +- Instruction accounts: |
| 44 | + - `[writable]` The program data account. |
| 45 | + - `[writable]` The program account. |
| 46 | + - `[signer]` The migration authority. |
| 47 | +- Instruction data: |
| 48 | + - Enum variant `8u32` |
| 49 | +- Behavior: |
| 50 | + - Check that there are at least three instruction accounts, |
| 51 | + otherwise throw `NotEnoughAccountKeys` |
| 52 | + - Check that the program data account is writable, |
| 53 | + otherwise throw `InvalidArgument` |
| 54 | + - Check that the program data was last modified before the current slot |
| 55 | + if the program data has the state `ProgramData`, |
| 56 | + otherwise throw `InvalidArgument` |
| 57 | + - Check that the provided authority is either: |
| 58 | + - the migration authority |
| 59 | + (pubkey is `3Scf35jMNk2xXBD6areNjgMtXgp5ZspDhms8vdcbzC42`) |
| 60 | + - or the upgrade authority stored in the program data account |
| 61 | + - or the program signer if the program is finalized, closed or |
| 62 | + uninitialized |
| 63 | + otherwise throw `IncorrectAuthority` |
| 64 | + - Check that the provided authority is a signer, |
| 65 | + otherwise throw `MissingRequiredSignature` |
| 66 | + - Check that the program account is writable, |
| 67 | + otherwise throw `InvalidArgument` |
| 68 | + - Check that the program account is owned by loader-v3, |
| 69 | + otherwise throw `IncorrectProgramId` |
| 70 | + - Check that the program account has the state `Program`, |
| 71 | + otherwise throw `InvalidAccountData` |
| 72 | + - Check that the program account points to the program data account, |
| 73 | + otherwise throw `InvalidArgument` |
| 74 | + - Clear the program account (setting its size to zero) |
| 75 | + - Transfer all funds from the program data account to the program account |
| 76 | + - Assign ownership of the program account to loader-v4 |
| 77 | + - If the program data account was not closed / empty or uninitialized: |
| 78 | + - CPI loader-v4 `SetProgramLength` the program account to the size of the |
| 79 | + program data account minus the loader-v3 header size and use the migration |
| 80 | + authority. |
| 81 | + - CPI loader-v4 `Copy` the program data account into the program account |
| 82 | + - CPI loader-v4 `Deploy` the program account |
| 83 | + - If the program data account was finalized (upgrade authority is `None`): |
| 84 | + - CPI loader-v4 `Finalize` without a next version forwarding |
| 85 | + - otherwise, if the program data account was not finalized and the |
| 86 | + migration authority (as opposed to the upgrade authority) was provided: |
| 87 | + - CPI loader-v4 `TransferAuthority` to the upgrade authority |
| 88 | + - Clear the program data account (setting its size to zero) |
| 89 | + - Assign ownership of the program data account to the system program |
| 90 | + |
| 91 | +## Impact |
| 92 | + |
| 93 | +This changes enables the migration of programs from loader-v3 to loader-v4 |
| 94 | +without changing their program address via a new loader-v3 instruction. This |
| 95 | +will count as a redeployment and thus render the program unavailable for the |
| 96 | +rest of the slot (delay visibility). |
| 97 | + |
| 98 | +Once new programs can not be deployed on loader-v3 anymore, the list of all |
| 99 | +loader-v3 programs becomes fixed and can be extracted from a snapshot. Using |
| 100 | +the added loader-v3 migration instruction and the global migration authority, |
| 101 | +the core protocol developers will then migrate all loader-v3 programs to |
| 102 | +loader-v4 programs, which once completed: |
| 103 | + |
| 104 | +- removes the need to copy ELFs during program loading to align them. |
| 105 | +- allows transaction account loading to be simplified, because every program |
| 106 | +would load exactly one account, no need to load the proxy account to get to |
| 107 | +the actual program data (which is not listed in the transaction accounts). |
| 108 | +- allows the removal of the write lock demotion exception if loader-v3 is |
| 109 | +present in a transaction. |
| 110 | +- allows dApp devs to resuscitate closed loader-v3 programs if they still |
| 111 | +control the program authority. This allows redeployment at the same address |
| 112 | +or completely closing the program account in order to retrieve the locked |
| 113 | +funds. |
| 114 | + |
| 115 | +## Security Considerations |
| 116 | + |
| 117 | +None. |
| 118 | + |
| 119 | +## Backwards Compatibility |
| 120 | + |
| 121 | +None. |
0 commit comments