Skip to content

Commit 0f65286

Browse files
iKevinYiKevinY
committed
Add SgxIdentityExpectation and auxillary messages
This commit adds the `SgxIdentityExpectation`, `SgxIdentityMatchSpec`, and `SgxMachineConfigurationMatchSpec` messages, intended to closely resemble `CodeIdentityExpectation` and related messages. The reasoning behind mirroring the hierarchy found in the `CodeIdentity` messages (ie. introducing `SgxIdentityMatchSpec` which consists solely of the composition of the two children match specs, rather than just adding them as two additional fields to `SgxIdentityExpectation`) is because the `code_identity_util` API currently contains methods that operate on "match spec"-level messages; therefore, it makes the most sense to maintain this parity, since `SgxIdentity` is intended to eventually replace existing instances of `CodeIdentity`. PiperOrigin-RevId: 263855701 Change-Id: I156a95fb86043925a003fc479e128b9a83cc1d23
1 parent f9a6049 commit 0f65286

File tree

1 file changed

+22
-0
lines changed

1 file changed

+22
-0
lines changed

asylo/identity/sgx/sgx_identity.proto

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -26,10 +26,32 @@ message SgxMachineConfiguration {
2626
optional sgx.CpuSvn cpu_svn = 1;
2727
}
2828

29+
// Specification of which fields from SgxMachineConfiguration to match.
30+
message SgxMachineConfigurationMatchSpec {
31+
// Flag indicating whether to perform a match on |cpu_svn|.
32+
optional bool is_cpu_svn_match_required = 1;
33+
}
34+
2935
// A high-level representation of the identity of an SGX enclave, which includes
3036
// the properties of its code identity (sgx.CodeIdentity) and the security-
3137
// relevant properties of its execution environment (SgxMachineConfiguration).
3238
message SgxIdentity {
3339
optional sgx.CodeIdentity code_identity = 1;
3440
optional SgxMachineConfiguration machine_configuration = 2;
3541
}
42+
43+
// Specification of which fields from SgxIdentity to match.
44+
message SgxIdentityMatchSpec {
45+
optional sgx.CodeIdentityMatchSpec code_identity_match_spec = 1;
46+
optional SgxMachineConfigurationMatchSpec machine_configuration_match_spec =
47+
2;
48+
}
49+
50+
// A verifier's expectation on an SgxIdentity.
51+
message SgxIdentityExpectation {
52+
// Reference identity matched against the target identity per `match_spec`.
53+
optional SgxIdentity reference_identity = 1;
54+
55+
// Specification of which fields from enclave identity to match.
56+
optional SgxIdentityMatchSpec match_spec = 2;
57+
}

0 commit comments

Comments
 (0)