support optionally validating PCK configuration

burgerdev · burgerdev · commit c4e089be6d09 · 2026-01-20T09:45:56.000+01:00
Signed-off-by: Markus Rudy &lt;mr@edgeless.systems&gt;
diff --git a/validate/validate.go b/validate/validate.go
@@ -101,6 +101,15 @@ type TdQuoteBodyOptions struct {
 type PCKOptions struct {
 	// SgxType is the expected SGXType. Not checked if nil.
 	SgxType *pcs.SGXType
+
+	// PCK certificate configuration items.
+
+	// SMTEnabled is the expected SMTEnabled status in the PCK configuration section. Not checked if nil.
+	SMTEnabled *bool
+	// DynamicPlatform is the expected DynamicPlatform status in the PCK configuration section. Not checked if nil.
+	DynamicPlatform *bool
+	// CachedKeys is the expected CachedKeys status in the PCK configuration section. Not checked if nil.
+	CachedKeys *bool
 }
 
 func lengthCheck(name string, length int, value []byte) error {
@@ -366,6 +375,15 @@ func validatePck(quote *pb.QuoteV4, opts *PCKOptions) error {
 	if opts.SgxType != nil && *opts.SgxType != exts.SGXType {
 		return fmt.Errorf("PCK extension SGXType is %d. Expect %d", *opts.SgxType, exts.SGXType)
 	}
+	if opts.SMTEnabled != nil && *opts.SMTEnabled != exts.Configuration.SMTEnabled {
+		return fmt.Errorf("PCK extension SMTEnabled is %v. Expect %v", exts.Configuration.SMTEnabled, *opts.SMTEnabled)
+	}
+	if opts.DynamicPlatform != nil && *opts.DynamicPlatform != exts.Configuration.DynamicPlatform {
+		return fmt.Errorf("PCK extension DynamicPlatform is %v. Expect %v", exts.Configuration.DynamicPlatform, *opts.DynamicPlatform)
+	}
+	if opts.CachedKeys != nil && *opts.CachedKeys != exts.Configuration.CachedKeys {
+		return fmt.Errorf("PCK extension CachedKeys is %v. Expect %v", exts.Configuration.CachedKeys, *opts.CachedKeys)
+	}
 	return nil
 }
 
diff --git a/validate/validate_test.go b/validate/validate_test.go
@@ -75,6 +75,9 @@ func TestTdxQuote(t *testing.T) {
 		0xeb, 0x74, 0x6, 0xa3, 0x8d, 0x1e, 0xed, 0x31, 0x3b, 0x98, 0x7a, 0x46, 0x7d, 0xac, 0xea, 0xd6,
 		0xf0, 0xc8, 0x7a, 0x6d, 0x76, 0x6c, 0x66, 0xf6, 0xf2, 0x9f, 0x8a, 0xcb, 0x28, 0x1f, 0x11, 0x13}
 	sgxType := pcs.SGXTypeScalable
+	smtEnabled := true
+	dynamicPlatform := true
+	cachedKeys := false
 
 	mknonce := func(front []byte) []byte {
 		result := make([]byte, 64)
@@ -143,7 +146,10 @@ func TestTdxQuote(t *testing.T) {
 					EnableTdDebugCheck: true,
 				},
 				PCKOptions: PCKOptions{
-					SgxType: &sgxType,
+					SgxType:         &sgxType,
+					SMTEnabled:      &smtEnabled,
+					DynamicPlatform: &dynamicPlatform,
+					CachedKeys:      &cachedKeys,
 				},
 			},
 		},
@@ -308,6 +314,30 @@ func TestTdxQuote(t *testing.T) {
 			},
 			wantErr: "PCK extension SGXType",
 		},
+		{
+			name:  "Test incorrect SMTEnabled",
+			quote: quote12345,
+			opts: &Options{
+				PCKOptions: PCKOptions{SMTEnabled: toPtr(false)},
+			},
+			wantErr: "PCK extension SMTEnabled",
+		},
+		{
+			name:  "Test incorrect DynamicPlatform",
+			quote: quote12345,
+			opts: &Options{
+				PCKOptions: PCKOptions{DynamicPlatform: toPtr(false)},
+			},
+			wantErr: "PCK extension DynamicPlatform",
+		},
+		{
+			name:  "Test incorrect CachedKeys",
+			quote: quote12345,
+			opts: &Options{
+				PCKOptions: PCKOptions{CachedKeys: toPtr(true)},
+			},
+			wantErr: "PCK extension CachedKeys",
+		},
 	}
 
 	for _, tc := range tests {
@@ -317,3 +347,7 @@ func TestTdxQuote(t *testing.T) {
 		}
 	}
 }
+
+func toPtr[A any](a A) *A {
+	return &a
+}
