Implement FIPs #993 SealerID

[magik6k]

See filecoin-project/FIPs#993

• Add new Sealer actor type
• Extend Miners prove_commit_sectors_ni validation logic to accept sectors sealed through the sealer actor.
• Add two new optional fields, sealer_id_actor and sealer_id_verifier_signature to ProveCommitSectorsNIParams

Couple of liberties/departures from design in #993, to be discussed and reincorporated into the FIP:

• The Sealer actor now always has an owner / "verifier". I don't think there is much use for mechanisms vulnerable to front-running.
  • The verification is done through the AuthenticateMessage mechanism, with a payload containing enough metadata to be useful for fevm-based sector market implementations.
• Sealer actor also has a CompactSectorNumbers method, really just implementation detail, but should be contained in the FIP.
• ProveCommitSectorsNIParams only allows a single sealer-id per message, I believe this constraint is reasonable in the name of lower complexity.

Couple asks:

• What testing is reasonable to implement here?
  • Any docs/resources on where I should build those?
• Please generally review the approach, let me know if I'm missing any major things in the miner actor integration

[ZenGround0]

We should figure out what's up with replaying sectors. I think its a big issue but maybe I'm missing something. Should be a one line fix if I'm right. Overall looks good. I'll look over sealer closer on next review.

For testing the two actors

• For sealer id it should be straightforward to follow the pattern we have with other small actors. Look at multisig actor for example. Generally we make an actorHarness structure which enforces expectations using the MockRuntime and put that in a util.rs. Then we call this harness in test specific ways.

• Miner actor tests are some of the densest and most annoying code in the network but there are a lot of examples to follow from.

• The first thing I would do is add new edge cases to prove_commit_niporep_test.rs. This is an integration test running a full dummy fvm which is a good target for these cases because it will exercise the true inter actor communication

• The miner actor also has extensive actorHarness unit tests like the one I'm recommending for sealer_id. It looks like we never added any for ni_porep. Ideally this change would include ni porep calls that involved sealer id edge cases there too.

[ZenGround0]

Based on this it looks like we might have a different idea of the security concern of collisions. I think we shouldn't even configure this and always deny collisions as a matter of network security. I want to hear your thoughts though -- it looks like none of this was really specified in the draft FIP.

[magik6k]

This is matching the same exact logic in the miner actor, the allocate_sector_numbers is pretty much copy-paste of the miner one

[ZenGround0]

Ok that makes sense then

[ZenGround0]

I would either remove this over engineered collision policy thing in this copied code or extract the allocation function somewhere so miner and sealer can share it.

[ZenGround0]

The Sealer actor now always has an owner / "verifier". I don't think there is much use for mechanisms vulnerable to front-running.
The verification is done through the AuthenticateMessage mechanism, with a payload containing enough metadata to be useful for fevm-based sector market implementations.
Sealer actor also has a CompactSectorNumbers method, really just implementation detail, but should be contained in the FIP.
ProveCommitSectorsNIParams only allows a single sealer-id per message, I believe this constraint is reasonable in the name of lower complexity.

Also all of this SGTM thanks for keeping things simple

[ZenGround0]

Looked over sealer code and this looks about ready to go once tests are in.