From 9227c3ff14a58181b2e2a6c908cf25fa41484f14 Mon Sep 17 00:00:00 2001
From: Jernej Kos
Date: Wed, 6 Nov 2024 09:37:27 +0100
Subject: [PATCH] go/runtime/bundle: Add expected enclave identity to manifest

---
 .changelog/5931.feature.md       | 1 +
 go/common/sgx/common.go          | 8 ++++++++
 go/runtime/bundle/bundle.go      | 10 ++++++++++
 go/runtime/bundle/bundle_test.go | 11 +++++++++++
 go/runtime/bundle/manifest.go    | 5 +++++
 5 files changed, 35 insertions(+)
 create mode 100644 .changelog/5931.feature.md

diff --git a/.changelog/5931.feature.md b/.changelog/5931.feature.md
new file mode 100644
index 00000000000..36eb4ffa927
--- /dev/null
+++ b/.changelog/5931.feature.md
@@ -0,0 +1 @@
+go/runtime/bundle: Add expected enclave identity to manifest
diff --git a/go/common/sgx/common.go b/go/common/sgx/common.go
index e95b12cd84a..6af0843e5fd 100644
--- a/go/common/sgx/common.go
+++ b/go/common/sgx/common.go
@@ -243,3 +243,11 @@ func (id *EnclaveIdentity) UnmarshalHex(text string) error {
 func (id EnclaveIdentity) String() string {
 	return hex.EncodeToString(id.MrEnclave[:]) + hex.EncodeToString(id.MrSigner[:])
 }
+
+// Clone returns a copy of the enclave identity.
+func (id *EnclaveIdentity) Clone() *EnclaveIdentity {
+	return &EnclaveIdentity{
+		MrEnclave: id.MrEnclave,
+		MrSigner: id.MrSigner,
+	}
+}
diff --git a/go/runtime/bundle/bundle.go b/go/runtime/bundle/bundle.go
index f0e4ee4fda6..807b627f234 100644
--- a/go/runtime/bundle/bundle.go
+++ b/go/runtime/bundle/bundle.go
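Review bot: `Clone` copies the two fields by name, so any field added to `EnclaveIdentity` later would silently be missing from the clone, and since this clone is what `Bundle.EnclaveIdentity` now hands back in place of a freshly computed identity, a partial copy would be a correctness problem rather than a cosmetic one. Both fields are fixed-size arrays (the test's `sgx.MrSigner{0x01}` stringifies to 32 bytes), so a whole-value copy is shorter and stays complete: `c := *id` / `return &c`. The method also dereferences a nil receiver unchecked; the only caller in this patch guards with `comp.Identity != nil`, so stating that in the doc comment, `// Clone returns a copy of the enclave identity. It panics if id is nil.`, makes the contract explicit for future callers.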
@@ -221,6 +221,16 @@ func (bnd *Bundle) MrSigner(id component.ID) (*sgx.MrSigner, error) {
 
 // EnclaveIdentity returns the SGX enclave identity of the given component.
 func (bnd *Bundle) EnclaveIdentity(id component.ID) (*sgx.EnclaveIdentity, error) {
+	// If the component has a build-time known expected identity, use it.
+	comp := bnd.Manifest.GetComponentByID(id)
+	if comp == nil {
+		return nil, fmt.Errorf("runtime/bundle: component '%s' not available", id)
+	}
+	if comp.Identity != nil {
+		return comp.Identity.Clone(), nil
+	}
+
+	// When not available, recompute at runtime (only supported for SGX).
 	mrEnclave, err := bnd.MrEnclave(id)
 	if err != nil {
 		return nil, err
diff --git a/go/runtime/bundle/bundle_test.go b/go/runtime/bundle/bundle_test.go
index 7ace6bdabd1..3392f9a0f95 100644
--- a/go/runtime/bundle/bundle_test.go
+++ b/go/runtime/bundle/bundle_test.go
@@ -9,6 +9,7 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/oasisprotocol/oasis-core/go/common"
+	"github.com/oasisprotocol/oasis-core/go/common/sgx"
 	"github.com/oasisprotocol/oasis-core/go/runtime/bundle/component"
 )
 
@@ -40,6 +41,10 @@ func TestBundle(t *testing.T) {
 				SGX: &SGXMetadata{
 					Executable: "runtime.sgx",
 				},
+				Identity: &sgx.EnclaveIdentity{
+					MrSigner: sgx.MrSigner{0x01},
+					MrEnclave: sgx.MrEnclave{0x02},
+				},
 			},
 		},
 	}
@@ -77,6 +82,12 @@ func TestBundle(t *testing.T) {
 		delete(bundle2.Data, manifestName)
 
 		ensureBundlesEqual(t, bundle, bundle2, "opened bundle mismatch")
+
+		// Test enclave identity is correct.
+		eid, err := bundle2.EnclaveIdentity(component.ID_RONL)
+		require.NoError(t, err, "EnclaveIdentity")
+		require.Equal(t, "0100000000000000000000000000000000000000000000000000000000000000", eid.MrSigner.String())
+		require.Equal(t, "0200000000000000000000000000000000000000000000000000000000000000", eid.MrEnclave.String())
 	})
 
 	t.Run("ResetManifest", func(t *testing.T) {
diff --git a/go/runtime/bundle/manifest.go b/go/runtime/bundle/manifest.go
index 63e5840dd63..700ddddff98 100644
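Review bot: The early return on `comp.Identity != nil` makes a manifest-declared identity authoritative even for SGX components, whose MRENCLAVE/MRSIGNER the fallback right below can still derive from the bundled executable, so a manifest whose `identity` does not match the enclave it actually ships would be returned silently and nothing in this hunk cross-checks the two. Unless `Manifest.Validate` (not in this diff) already compares them, I would only take the shortcut when recomputation is impossible, `if comp.Identity != nil && comp.SGX == nil {`, and otherwise compute as before and reject a mismatch with `fmt.Errorf("runtime/bundle: component '%s' identity does not match manifest", id)`. The comment on the first added line should also say where the value comes from and what makes it trustworthy (presumably its inclusion in the hashed manifest, if that is how bundles are pinned). EnclaveIdentity's body continues past the end of the hunk.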
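Review bot: The new assertions only exercise the manifest-declared path: the test bundle now carries an `Identity`, so `bundle2.EnclaveIdentity` returns it before `MrEnclave`/`MrSigner` are ever called, and neither the runtime-recomputation fallback nor the new `component '%s' not available` error is covered. Add at least a negative case, `_, err = bundle2.EnclaveIdentity(component.ID("missing"))` followed by `require.Error(t, err, "EnclaveIdentity should fail for an unknown component")` (adjusting the ID construction to whatever `component.ID` is), and, if the fixture can be built without `Identity`, a case that checks the recomputed value. As written, a regression in which the manifest value overrides a mismatching enclave would pass this test. TestBundle continues outside the hunk.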
--- a/go/runtime/bundle/manifest.go
+++ b/go/runtime/bundle/manifest.go
@@ -5,6 +5,7 @@ import (
 	"github.com/oasisprotocol/oasis-core/go/common"
 	"github.com/oasisprotocol/oasis-core/go/common/crypto/hash"
+	"github.com/oasisprotocol/oasis-core/go/common/sgx"
 	"github.com/oasisprotocol/oasis-core/go/common/version"
 	"github.com/oasisprotocol/oasis-core/go/runtime/bundle/component"
 )
@@ -232,6 +233,10 @@ type Component struct {
 	// TDX is the TDX specific manifest metadata if any.
 	TDX *TDXMetadata `json:"tdx,omitempty"`
 
+	// Identity is the (optional) expected enclave identity. When it is not provided, it must be
+	// computed at runtime. In the future, this field will become required.
+	Identity *sgx.EnclaveIdentity `json:"identity,omitempty"`
+
 	// Disabled specifies whether the component is disabled by default and needs to be explicitly
 	// enabled via node configuration to be used.
 	Disabled bool `json:"disabled,omitempty"`
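Review bot: The doc comment on `Identity` says the value "must be computed at runtime" when absent, but the bundle.go change in this same patch states that recomputation is "only supported for SGX", so a TDX component with no `identity` presumably ends up with an error from the fallback rather than an identity; the comment should say so, e.g. `// When it is not provided, it is derived from the component's executable at runtime (SGX only); for other TEE kinds it must be set.` It should also state that the value is taken from the manifest on trust and whether it is ever checked against the bundled enclave, since that is exactly what a reader deciding whether to rely on `Bundle.EnclaveIdentity` needs to know. If `Manifest.Validate` (outside this diff) does not already require `Identity` for TDX components and reject an SGX identity that disagrees with the executable, those checks belong with this field rather than deferred to "the future". The `Component` struct starts before the hunk.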