
Commit ad898db

[chore] Enable all pcrs for devnet and testnet (#24214)
## Description Adds parsing of all PCRs in attestation document parsing to enable new use cases. ## Test plan How did you test the new or updated feature? --- ## Release notes Check each box that your changes affect. If none of the boxes relate to your changes, release notes aren't required. For each box you select, include information after the relevant heading that describes the impact of your changes that a user might notice and any actions they must take to implement updates. - [ ] Protocol: - [ ] Nodes (Validators and Full nodes): - [ ] gRPC: - [ ] JSON-RPC: - [ ] GraphQL: - [ ] CLI: - [ ] Rust SDK: - [ ] Indexing Framework:
1 parent 7acc806 commit ad898db


11 files changed

+116
-35
lines changed


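--- a/crates/sui-framework/docs/sui/nitro_attestation.md
+++ b/crates/sui-framework/docs/sui/nitro_attestation.md
@@ -286,7 +286,7 @@ may abort with errors described above.
 ## Function `pcrs`
 
 Returns a list of mapping PCREntry containg the index and the PCR bytes.
-Currently AWS supports PCR0, PCR1, PCR2, PCR3, PCR4, PCR8.
+AWS supports PCR0-31. All-zero PCR values are excluded.
 
 
 <pre><code><b>public</b> <b>fun</b> <a href="../sui/nitro_attestation.md#sui_nitro_attestation_pcrs">pcrs</a>(attestation: &<a href="../sui/nitro_attestation.md#sui_nitro_attestation_NitroAttestationDocument">sui::nitro_attestation::NitroAttestationDocument</a>): &vector&lt;<a href="../sui/nitro_attestation.md#sui_nitro_attestation_PCREntry">sui::nitro_attestation::PCREntry</a>&gt;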

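--- a/crates/sui-framework/packages/sui-framework/sources/crypto/nitro_attestation.move
+++ b/crates/sui-framework/packages/sui-framework/sources/crypto/nitro_attestation.move
@@ -66,7 +66,7 @@ public fun digest(attestation: &NitroAttestationDocument): &vector<u8> {
 }
 
 /// Returns a list of mapping PCREntry containg the index and the PCR bytes.
-/// Currently AWS supports PCR0, PCR1, PCR2, PCR3, PCR4, PCR8.
+/// AWS supports PCR0-31. All-zero PCR values are excluded.
 public fun pcrs(attestation: &NitroAttestationDocument): &vector<PCREntry> {
 &attestation.pcrs
 }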

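--- a/crates/sui-framework/packages/sui-framework/tests/crypto/nitro_attestation_test.move
+++ b/crates/sui-framework/packages/sui-framework/tests/crypto/nitro_attestation_test.move
@@ -18,7 +18,8 @@ fun test_nitro_attestation() {
 let mut clock = sui::clock::create_for_testing(ctx);
 clock.set_for_testing(1747071568899);
 let res = nitro_attestation::load_nitro_attestation(payload, &clock);
-assert!(res.pcrs().length() == 6);
+std::debug::print(res.pcrs());
+assert!(res.pcrs().length() == 5);
 
 assert!(res.pcrs()[0].index() == 0);
 assert!(
@@ -45,10 +46,6 @@ fun test_nitro_attestation() {
 res.pcrs()[4].value() == x"f3e18816e8d0ba69088d034522e742f0e1909ab34d5e83a1f579ffb43c58f0f0f35d64401efc9426097565d0506a8a5f",
 );
 
-assert!(res.pcrs()[5].index() == 8);
-assert!(
-res.pcrs()[5].value() == x"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
-);
 
 assert!(res.user_data().is_none());
 assert!(res.nonce().is_none());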
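Review bot: `std::debug::print(res.pcrs());` on new line 21 of the first hunk looks like a leftover debugging aid and should be dropped before merge; the assertion on the following line already pins the parsed entry count. Since the purpose of the change is that the all-zero PCR8 entry is now excluded, the test would be stronger with an explicit check that no remaining entry reports index 8 (iterate `res.pcrs()` and assert `index() != 8` for each entry) rather than relying only on `length() == 5`. The body of `test_nitro_attestation` starts and ends outside both hunks.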

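--- a/crates/sui-open-rpc/spec/openrpc.json
+++ b/crates/sui-open-rpc/spec/openrpc.json
@@ -1352,6 +1352,7 @@
 "enable_group_ops_native_functions": false,
 "enable_jwk_consensus_updates": false,
 "enable_nitro_attestation": false,
+"enable_nitro_attestation_all_nonzero_pcrs_parsing": false,
 "enable_nitro_attestation_upgraded_parsing": false,
 "enable_non_exclusive_writes": false,
 "enable_party_transfer": false,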

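--- a/crates/sui-protocol-config/src/lib.rs
+++ b/crates/sui-protocol-config/src/lib.rs
@@ -277,6 +277,7 @@ const MAX_PROTOCOL_VERSION: u64 = 104;
 // Set max updates per settlement txn to 100.
 // Version 103: Framework update: internal Coin methods
 // Version 104: Framework update: CoinRegistry follow up for Coin methods
+// Enable all non-zero PCRs parsing for nitro attestation native function in Devnet and Testnet.
 
 #[derive(Copy, Clone, Debug, Hash, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord)]
 pub struct ProtocolVersion(u64);
@@ -554,6 +555,10 @@ struct FeatureFlags {
 #[serde(skip_serializing_if = "is_false")]
 enable_nitro_attestation_upgraded_parsing: bool,
 
+// Enable upgraded parsing of nitro attestation containing all nonzero PCRs.
+#[serde(skip_serializing_if = "is_false")]
+enable_nitro_attestation_all_nonzero_pcrs_parsing: bool,
+
 // Reject functions with mutable Random.
 #[serde(skip_serializing_if = "is_false")]
 reject_mutable_random_on_entry_functions: bool,
@@ -2232,6 +2237,11 @@ impl ProtocolConfig {
 self.feature_flags.enable_nitro_attestation_upgraded_parsing
 }
 
+pub fn enable_nitro_attestation_all_nonzero_pcrs_parsing(&self) -> bool {
+self.feature_flags
+.enable_nitro_attestation_all_nonzero_pcrs_parsing
+}
+
 pub fn get_consensus_commit_rate_estimation_window_size(&self) -> u32 {
 self.consensus_commit_rate_estimation_window_size
 .unwrap_or(0)
@@ -4278,6 +4288,10 @@ impl ProtocolConfig {
 cfg.poseidon_bn254_cost_base = Some(260);
 
 cfg.feature_flags.consensus_skip_gced_accept_votes = true;
+if chain != Chain::Mainnet {
+cfg.feature_flags
+.enable_nitro_attestation_all_nonzero_pcrs_parsing = true;
+}
 }
 // Use this template when making changes:
 //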
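Review bot: In the last hunk the flag is switched on under `if chain != Chain::Mainnet` inside the existing version-104 block rather than in a new protocol version; if 104 has already been released to devnet or testnet, this alters execution semantics of a shipped version, so confirm it is still unreleased or move the change to a new version. The field comment in the second hunk, `// Enable upgraded parsing of nitro attestation containing all nonzero PCRs.`, reads as if the flag depends on `enable_nitro_attestation_upgraded_parsing`, while `parse_nitro_attestation` in sui-types takes the two as independent parameters; suggest `// Parse all non-zero PCRs 0..=31 from nitro attestation documents (independent of enable_nitro_attestation_upgraded_parsing); all-zero PCRs are dropped.`. The opening line of the version-104 block is outside the hunk.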

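--- a/crates/sui-protocol-config/src/snapshots/sui_protocol_config__test__Testnet_version_104.snap
+++ b/crates/sui-protocol-config/src/snapshots/sui_protocol_config__test__Testnet_version_104.snap
@@ -1,6 +1,7 @@
 ---
 source: crates/sui-protocol-config/src/lib.rs
 expression: "ProtocolConfig::get_for_version(cur, *chain_id)"
+snapshot_kind: text
 ---
 version: 104
 feature_flags:
@@ -49,6 +50,7 @@ feature_flags:
 enable_group_ops_native_functions: true
 enable_nitro_attestation: true
 enable_nitro_attestation_upgraded_parsing: true
+enable_nitro_attestation_all_nonzero_pcrs_parsing: true
 reject_mutable_random_on_entry_functions: true
 per_object_congestion_control_mode:
 ExecutionTimeEstimate: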

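--- a/crates/sui-protocol-config/src/snapshots/sui_protocol_config__test__version_104.snap
+++ b/crates/sui-protocol-config/src/snapshots/sui_protocol_config__test__version_104.snap
@@ -1,6 +1,7 @@
 ---
 source: crates/sui-protocol-config/src/lib.rs
 expression: "ProtocolConfig::get_for_version(cur, *chain_id)"
+snapshot_kind: text
 ---
 version: 104
 feature_flags:
@@ -50,6 +51,7 @@ feature_flags:
 enable_group_ops_native_function_msm: true
 enable_nitro_attestation: true
 enable_nitro_attestation_upgraded_parsing: true
+enable_nitro_attestation_all_nonzero_pcrs_parsing: true
 reject_mutable_random_on_entry_functions: true
 per_object_congestion_control_mode:
 ExecutionTimeEstimate: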

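--- a/crates/sui-types/benches/nitro_attestation_bench.rs
+++ b/crates/sui-types/benches/nitro_attestation_bench.rs
@@ -16,7 +16,7 @@ fn nitro_attestation_benchmark(c: &mut Criterion) {
 let bytes = Hex::decode("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").unwrap();
 group.bench_function("parse_attestation", |b| {
 b.iter(|| {
-parse_nitro_attestation(&bytes, true).unwrap();
+parse_nitro_attestation(&bytes, true, true).unwrap();
 })
 });
 
@@ -33,7 +33,7 @@ fn nitro_attestation_benchmark(c: &mut Criterion) {
 })
 });
 
-let parsed = parse_nitro_attestation(&bytes, true).unwrap();
+let parsed = parse_nitro_attestation(&bytes, true, true).unwrap();
 group.bench_function("parse_and_verify_attestation_with_entire_cert_chain", |b| {
 b.iter(|| verify_nitro_attestation(&parsed.0, &parsed.1, &parsed.2, 1731627987382))
 });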

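--- a/crates/sui-types/src/nitro_attestation.rs
+++ b/crates/sui-types/src/nitro_attestation.rs
@@ -97,9 +97,14 @@ impl From<NitroAttestationVerifyError> for SuiError {
 pub fn parse_nitro_attestation(
 attestation_bytes: &[u8],
 is_upgraded_parsing: bool,
+include_all_nonzero_pcrs: bool,
 ) -> SuiResult<(Vec<u8>, Vec<u8>, AttestationDocument)> {
 let cose_sign1 = CoseSign1::parse_and_validate(attestation_bytes)?;
-let doc = AttestationDocument::parse_payload(&cose_sign1.payload, is_upgraded_parsing)?;
+let doc = AttestationDocument::parse_payload(
+&cose_sign1.payload,
+is_upgraded_parsing,
+include_all_nonzero_pcrs,
+)?;
 let msg = cose_sign1.to_signed_message()?;
 let signature = cose_sign1.signature;
 Ok((signature, msg, doc))
@@ -391,9 +396,10 @@ impl AttestationDocument {
 pub fn parse_payload(
 payload: &[u8],
 is_upgraded_parsing: bool,
+include_all_nonzero_pcrs: bool,
 ) -> Result<AttestationDocument, NitroAttestationVerifyError> {
 let document_map = Self::to_map(payload, is_upgraded_parsing)?;
-Self::validate_document_map(&document_map, is_upgraded_parsing)
+Self::validate_document_map(&document_map, is_upgraded_parsing, include_all_nonzero_pcrs)
 }
 
 fn to_map(
@@ -444,6 +450,7 @@ impl AttestationDocument {
 fn validate_document_map(
 document_map: &BTreeMap<String, Value>,
 is_upgraded_parsing: bool,
+include_all_nonzero_pcrs: bool,
 ) -> Result<AttestationDocument, NitroAttestationVerifyError> {
 let module_id = document_map
 .get("module_id")
@@ -604,19 +611,26 @@ impl AttestationDocument {
 )
 })?;
 
-// Valid PCR indices are 0, 1, 2, 3, 4, 8 for AWS. Ignores other keys.
-// See: <https://docs.aws.amazon.com/enclaves/latest/user/set-up-attestation.html#where>
-if !matches!(key_u8, 0 | 1 | 2 | 3 | 4 | 8) {
-continue;
-}
-
 if pcr_map.contains_key(&key_u8) {
 return Err(NitroAttestationVerifyError::InvalidAttestationDoc(
 format!("duplicate PCR index {}", key_u8),
 ));
 }
 
-pcr_map.insert(key_u8, value.to_vec());
+if include_all_nonzero_pcrs {
+// If flag=true, parse all 0..31 PCRs, but skip all-zero values.
+// See: <https://github.com/aws/aws-nitro-enclaves-nsm-api/issues/18#issuecomment-970172662>
+// Also: <https://github.com/aws/aws-nitro-enclaves-nsm-api/blob/main/nsm-test/src/bin/nsm-check.rs#L193-L199>
+if key_u8 <= 31 && !value.iter().all(|&b| b == 0) {
+pcr_map.insert(key_u8, value.to_vec());
+}
+} else {
+// In legacy mode (flag=false): Parse only specific PCRs (0, 1, 2, 3, 4, 8), including zero values.
+// See: <https://docs.aws.amazon.com/enclaves/latest/user/set-up-attestation.html#where>
+if matches!(key_u8, 0 | 1 | 2 | 3 | 4 | 8) {
+pcr_map.insert(key_u8, value.to_vec());
+}
+}
 }
 }
 Ok((pcr_vec, pcr_map))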
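Review bot: In the last hunk the duplicate-index check still consults `pcr_map`, but with `include_all_nonzero_pcrs` set an all-zero entry is never inserted there, so a document carrying index k twice — an all-zero value followed by a non-zero one, or two all-zero values — no longer trips `duplicate PCR index` and the later entry silently decides the result. Whether such a document can reach this loop depends on whether the CBOR decoding in `to_map` rejects duplicate map keys, which is outside the hunk and worth confirming either way since this map feeds attestation verification. Track seen indices separately from kept ones: declare `let mut seen_indices = BTreeSet::<u8>::new();` beside `pcr_map` (outside the hunk) and replace the membership test with `if !seen_indices.insert(key_u8) {`, so the check is independent of which entries are retained. The comment `parse all 0..31 PCRs` should read `0..=31` to match `key_u8 <= 31` on the line below it. The enclosing loop and the `pcr_map` declaration begin outside the hunk.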
