feat: Remove storage and TDX-releated PCSs from SGX manifests

matevz · matevz · commit a842b81e71d3 · 2025-10-29T17:52:14.000+01:00
diff --git a/build/rofl/manifest.go b/build/rofl/manifest.go
@@ -167,7 +167,7 @@ func (m *Manifest) Validate() error {
 		return fmt.Errorf("unsupported app kind: %s", m.Kind)
 	}
 
-	if err := m.Resources.Validate(); err != nil {
+	if err := m.Resources.Validate(m.TEE); err != nil {
 		return fmt.Errorf("bad resources config: %w", err)
 	}
 
@@ -443,13 +443,18 @@ type ResourcesConfig struct {
 }
 
 // Validate validates the resources configuration for correctness.
-func (r *ResourcesConfig) Validate() error {
+func (r *ResourcesConfig) Validate(tee string) error {
 	if r.Memory < 16 {
 		return fmt.Errorf("memory size must be at least 16M")
 	}
 	if r.CPUCount < 1 {
 		return fmt.Errorf("vCPU count must be at least 1")
 	}
+
+	if tee == TEETypeSGX && r.Storage != nil {
+		return fmt.Errorf("SGX apps do not support disk storage")
+	}
+
 	if r.Storage != nil {
 		err := r.Storage.Validate()
 		if err != nil {
diff --git a/cmd/rofl/mgmt.go b/cmd/rofl/mgmt.go
@@ -110,6 +110,14 @@ var (
 
 			switch manifest.TEE {
 			case buildRofl.TEETypeTDX:
+				// TDX requires storage settings.
+				if !reset {
+					manifest.Resources.Storage = &buildRofl.StorageConfig{
+						Kind: buildRofl.StorageKindDiskPersistent,
+						Size: 512,
+					}
+				}
+
 				switch appKind {
 				case buildRofl.AppKindRaw:
 					artifacts := buildRofl.LatestBasicArtifacts // Copy.
@@ -235,6 +243,12 @@ var (
 					debugMode = params.DebugAllowTestRuntimes
 				}
 
+				// For TDX assign empty quote policies by default.
+				var tdxQuotePolicy *pcs.TdxQuotePolicy
+				if manifest.TEE == buildRofl.TEETypeTDX {
+					tdxQuotePolicy = &pcs.TdxQuotePolicy{}
+				}
+
 				// Generate manifest and a default policy which does not accept any enclaves.
 				deployment = &buildRofl.Deployment{
 					Network:  npa.NetworkName,
@@ -246,7 +260,7 @@ var (
 							PCS: &pcs.QuotePolicy{
 								TCBValidityPeriod:          30,
 								MinTCBEvaluationDataNumber: 18,
-								TDX:                        &pcs.TdxQuotePolicy{},
+								TDX:                        tdxQuotePolicy,
 							},
 						},
 						Endorsements: []rofl.AllowedEndorsement{

Original file line number	Diff line number	Diff line change
`@@ -167,7 +167,7 @@ func (m *Manifest) Validate() error {`
`167`	`167`	`return fmt.Errorf("unsupported app kind: %s", m.Kind)`
`168`	`168`	`}`
`169`	`169`
`170`		`- if err := m.Resources.Validate(); err != nil {`
	`170`	`+ if err := m.Resources.Validate(m.TEE); err != nil {`
`171`	`171`	`return fmt.Errorf("bad resources config: %w", err)`
`172`	`172`	`}`
`173`	`173`
`@@ -443,13 +443,18 @@ type ResourcesConfig struct {`
`443`	`443`	`}`
`444`	`444`
`445`	`445`	`// Validate validates the resources configuration for correctness.`
`446`		`-func (r *ResourcesConfig) Validate() error {`
	`446`	`+func (r *ResourcesConfig) Validate(tee string) error {`
`447`	`447`	`if r.Memory < 16 {`
`448`	`448`	`return fmt.Errorf("memory size must be at least 16M")`
`449`	`449`	`}`
`450`	`450`	`if r.CPUCount < 1 {`
`451`	`451`	`return fmt.Errorf("vCPU count must be at least 1")`
`452`	`452`	`}`
	`453`	`+`
	`454`	`+ if tee == TEETypeSGX && r.Storage != nil {`
	`455`	`+ return fmt.Errorf("SGX apps do not support disk storage")`
	`456`	`+ }`
	`457`	`+`
`453`	`458`	`if r.Storage != nil {`
`454`	`459`	`err := r.Storage.Validate()`
`455`	`460`	`if err != nil {`