Skip to content

Comments

support optionally validating PCK configuration #4

Merged
burgerdev merged 2 commits intomainfrom
config
Jan 20, 2026
Merged

support optionally validating PCK configuration #4
burgerdev merged 2 commits intomainfrom
config

Conversation

@burgerdev
Copy link
Member

No description provided.

@burgerdev burgerdev requested a review from sespiros January 15, 2026 09:09
Copy link

@sespiros sespiros left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see there is also a cli tool included under tools/check which you can use to specify expected policy. If we make use of that we should add the SMTEnabled field there as well (as well as in the policy configuration proto).

Regarding the other two fields DynamicPlatform and CachedKeys. I would add them for completeness but they can also be done later. They are both relevant for multi-package/CPUs platforms:

  • DynamicPlatform is to express whether you allow your system to be extended with extra CPUs (multi-package platforms). I would be strict. I would add it and expect it to be false unless needed.

  • CachedKeys, if we don't have multi-package platforms, I would say we don't care about this. More info on https://cc-enabling.trustedservices.intel.com/intel-dcap-mp-ra/02/overview/#sgx-multi-package-registration-modes. The tl;dr of what happens if the keys are not cached is:

    When you use this method, PCK Certificates cannot be requested using the PPID since the Registration Service does not have the platform keys required to generate PPID. Instead, the platform manifest must be provided to generate the PCK Certificates. You must maintain a copy of the platform manifests.

Signed-off-by: Markus Rudy <mr@edgeless.systems>
Signed-off-by: Markus Rudy <mr@edgeless.systems>
@burgerdev burgerdev changed the title support optionally validating SMTEnabled support optionally validating PCK configuration Jan 20, 2026
@burgerdev
Copy link
Member Author

I added the two other configuration items to validate.Options. Regarding the tools/check: this would be required for an upstream PR, but since we don't use it I'd rather not. ptal

@burgerdev burgerdev requested a review from sespiros January 20, 2026 08:59
@burgerdev burgerdev merged commit e070002 into main Jan 20, 2026
5 checks passed
@burgerdev burgerdev deleted the config branch January 20, 2026 14:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants