go/common/sgx/pcs/policy: Ensure FMSPC whitelist is empty

Ensure the FMSPC whitelist in the quote policy remains empty
until the next feature version is enabled. Once that feature
is enabled, these changes can be removed.

Author: peternose

go/common/node/node.go

@@ -574,7 +574,7 @@ func HashRAK(rak signature.PublicKey) hash.Hash {
 }
 
 // Verify verifies the node's TEE capabilities, at the provided timestamp and height.
-func (c *CapabilityTEE) Verify(teeCfg *TEEFeatures, ts time.Time, height uint64, constraints []byte, nodeID signature.PublicKey) error {
+func (c *CapabilityTEE) Verify(teeCfg *TEEFeatures, ts time.Time, height uint64, constraints []byte, nodeID signature.PublicKey, isFeatureVersion242 bool) error {
 	switch c.Hardware {
 	case TEEHardwareIntelSGX:
 		// Parse SGX remote attestation.
@@ -591,7 +591,7 @@ func (c *CapabilityTEE) Verify(teeCfg *TEEFeatures, ts time.Time, height uint64,
 		if err := cbor.Unmarshal(constraints, &sc); err != nil {
 			return fmt.Errorf("node: malformed SGX constraints: %w", err)
 		}
-		if err := sc.ValidateBasic(teeCfg); err != nil {
+		if err := sc.ValidateBasic(teeCfg, isFeatureVersion242); err != nil {
 			return fmt.Errorf("node: malformed SGX constraints: %w", err)
 		}
 

go/common/node/sgx.go

@@ -97,7 +97,7 @@ func (sc *SGXConstraints) MarshalCBOR() ([]byte, error) {
 }
 
 // ValidateBasic performs basic structure validity checks.
-func (sc *SGXConstraints) ValidateBasic(cfg *TEEFeatures) error {
+func (sc *SGXConstraints) ValidateBasic(cfg *TEEFeatures, isFeatureVersion242 bool) error {
 	if cfg == nil {
 		cfg = &emptyFeatures
 	}
@@ -116,6 +116,13 @@ func (sc *SGXConstraints) ValidateBasic(cfg *TEEFeatures) error {
 		return fmt.Errorf("TDX policy not supported")
 	}
 
+	// Check that policy is compliant with the current feature version.
+	if sc.Policy != nil {
+		if err := sc.Policy.Validate(isFeatureVersion242); err != nil {
+			return fmt.Errorf("invalid policy: %w", err)
+		}
+	}
+
 	return nil
 }
 

go/common/node/sgx_test.go

@@ -27,7 +27,7 @@ func TestSGXConstraintsV0(t *testing.T) {
 	err = cbor.Unmarshal(raw, &sc)
 	require.NoError(err, "Decode V0 SGX constraints")
 
-	err = sc.ValidateBasic(nil)
+	err = sc.ValidateBasic(nil, true)
 	require.NoError(err, "ValidateBasic V0 SGX constraints")
 
 	enc := cbor.Marshal(sc)
@@ -60,11 +60,11 @@ func TestSGXConstraintsV1(t *testing.T) {
 			},
 		},
 	}
-	err = sc.ValidateBasic(nil)
+	err = sc.ValidateBasic(nil, true)
 	require.Error(err, "ValidateBasic V1 SGX constraints without PCS support")
-	err = sc.ValidateBasic(&TEEFeatures{})
+	err = sc.ValidateBasic(&TEEFeatures{}, true)
 	require.Error(err, "ValidateBasic V1 SGX constraints without PCS support")
-	err = sc.ValidateBasic(&TEEFeatures{SGX: TEEFeaturesSGX{PCS: true}})
+	err = sc.ValidateBasic(&TEEFeatures{SGX: TEEFeaturesSGX{PCS: true}}, true)
 	require.NoError(err, "ValidateBasic V1 SGX constraints")
 }
 

go/common/sgx/quote/quote.go

@@ -64,3 +64,20 @@ type Policy struct {
 	IAS *ias.QuotePolicy `json:"ias,omitempty" yaml:"ias,omitempty"`
 	PCS *pcs.QuotePolicy `json:"pcs,omitempty" yaml:"pcs,omitempty"`
 }
+
+// Validate validates the policy.
+func (p *Policy) Validate(isFeatureVersion242 bool) error {
+	if isFeatureVersion242 {
+		return nil
+	}
+
+	if p.PCS == nil {
+		return nil
+	}
+
+	if len(p.PCS.FMSPCWhitelist) == 0 {
+		return nil
+	}
+
+	return fmt.Errorf("fmspc whitelist should be empty")
+}

go/consensus/cometbft/apps/keymanager/common/genesis.go

@@ -16,7 +16,7 @@ func RegistryRuntimes(ctx *tmapi.Context, doc *genesis.Document, epoch beacon.Ep
 	regSt := doc.Registry
 	rtMap := make(map[common.Namespace]*registry.Runtime)
 	for _, rt := range regSt.Runtimes {
-		err := registry.VerifyRuntime(&regSt.Parameters, ctx.Logger(), rt, true, false, epoch)
+		err := registry.VerifyRuntime(&regSt.Parameters, ctx.Logger(), rt, true, false, epoch, true)
 		if err != nil {
 			ctx.Logger().Error("InitChain: Invalid runtime",
 				"err", err,

go/consensus/cometbft/apps/keymanager/secrets/epoch.go

@@ -10,8 +10,10 @@ import (
 	tmapi "github.com/oasisprotocol/oasis-core/go/consensus/cometbft/api"
 	secretsState "github.com/oasisprotocol/oasis-core/go/consensus/cometbft/apps/keymanager/secrets/state"
 	registryState "github.com/oasisprotocol/oasis-core/go/consensus/cometbft/apps/registry/state"
+	"github.com/oasisprotocol/oasis-core/go/consensus/cometbft/features"
 	"github.com/oasisprotocol/oasis-core/go/keymanager/secrets"
 	registry "github.com/oasisprotocol/oasis-core/go/registry/api"
+	"github.com/oasisprotocol/oasis-core/go/upgrade/migrations"
 )
 
 func (ext *secretsExt) onEpochChange(ctx *tmapi.Context, epoch beacon.EpochTime) error {
@@ -26,6 +28,11 @@ func (ext *secretsExt) onEpochChange(ctx *tmapi.Context, epoch beacon.EpochTime)
 		return fmt.Errorf("failed to get consensus parameters: %w", err)
 	}
 
+	isFeatureVersion242, err := features.IsFeatureVersion(ctx, migrations.Version242)
+	if err != nil {
+		return err
+	}
+
 	// Recalculate all the key manager statuses.
 	//
 	// Note: This assumes that once a runtime is registered, it never expires.
@@ -64,7 +71,7 @@ func (ext *secretsExt) onEpochChange(ctx *tmapi.Context, epoch beacon.EpochTime)
 			return fmt.Errorf("failed to query key manager master secret: %w", err)
 		}
 
-		newStatus := generateStatus(ctx, rt, oldStatus, secret, nodes, params, epoch)
+		newStatus := generateStatus(ctx, rt, oldStatus, secret, nodes, params, epoch, isFeatureVersion242)
 		if forceEmit || !bytes.Equal(cbor.Marshal(oldStatus), cbor.Marshal(newStatus)) {
 			ctx.Logger().Debug("status updated",
 				"id", newStatus.ID,

go/consensus/cometbft/apps/keymanager/secrets/status.go

@@ -32,6 +32,7 @@ func generateStatus( // nolint: gocyclo
 	nodes []*node.Node,
 	params *registry.ConsensusParameters,
 	epoch beacon.EpochTime,
+	isFeatureVersion242 bool,
 ) *secrets.Status {
 	status := &secrets.Status{
 		ID:            kmrt.ID,
@@ -111,7 +112,7 @@ nextNode:
 				continue nextNode
 			}
 
-			initResponse, err := VerifyExtraInfo(ctx.Logger(), n.ID, kmrt, nodeRt, ts, height, params)
+			initResponse, err := VerifyExtraInfo(ctx.Logger(), n.ID, kmrt, nodeRt, ts, height, params, isFeatureVersion242)
 			if err != nil {
 				ctx.Logger().Error("failed to validate ExtraInfo", append(vars, "err", err)...)
 				continue nextNode
@@ -231,8 +232,9 @@ func VerifyExtraInfo(
 	ts time.Time,
 	height uint64,
 	params *registry.ConsensusParameters,
+	isFeatureVersion242 bool,
 ) (*secrets.InitResponse, error) {
-	if err := registry.VerifyNodeRuntimeEnclaveIDs(logger, nodeID, nodeRt, rt, params.TEEFeatures, ts, height); err != nil {
+	if err := registry.VerifyNodeRuntimeEnclaveIDs(logger, nodeID, nodeRt, rt, params.TEEFeatures, ts, height, isFeatureVersion242); err != nil {
 		return nil, err
 	}
 	if nodeRt.ExtraInfo == nil {

go/consensus/cometbft/apps/keymanager/secrets/status_test.go

@@ -207,10 +207,10 @@ func TestGenerateStatus(t *testing.T) {
 	t.Run("No nodes", func(t *testing.T) {
 		require := require.New(t)
 
-		newStatus := generateStatus(ctx, runtimes[0], uninitializedStatus, nil, nodes[0:6], params, epoch)
+		newStatus := generateStatus(ctx, runtimes[0], uninitializedStatus, nil, nodes[0:6], params, epoch, true)
 		require.Equal(uninitializedStatus, newStatus, "key manager committee should be empty")
 
-		newStatus = generateStatus(ctx, runtimes[0], initializedStatus, nil, nodes[0:6], params, epoch)
+		newStatus = generateStatus(ctx, runtimes[0], initializedStatus, nil, nodes[0:6], params, epoch, true)
 		require.Equal(initializedStatus, newStatus, "key manager committee should be empty")
 	})
 
@@ -225,16 +225,16 @@ func TestGenerateStatus(t *testing.T) {
 			Policy:        &policy,
 			Nodes:         []signature.PublicKey{nodes[6].ID},
 		}
-		newStatus := generateStatus(ctx, runtimes[0], uninitializedStatus, nil, nodes[6:7], params, epoch)
+		newStatus := generateStatus(ctx, runtimes[0], uninitializedStatus, nil, nodes[6:7], params, epoch, true)
 		require.Equal(expStatus, newStatus, "node 6 should form the committee if key manager not initialized")
 
-		newStatus = generateStatus(ctx, runtimes[0], expStatus, nil, nodes[6:7], params, epoch)
+		newStatus = generateStatus(ctx, runtimes[0], expStatus, nil, nodes[6:7], params, epoch, true)
 		require.Equal(expStatus, newStatus, "node 6 should form the committee if key manager is not secure")
 
 		expStatus.IsSecure = true
 		expStatus.Checksum = checksum
 		expStatus.Nodes = nil
-		newStatus = generateStatus(ctx, runtimes[0], initializedStatus, nil, nodes[6:7], params, epoch)
+		newStatus = generateStatus(ctx, runtimes[0], initializedStatus, nil, nodes[6:7], params, epoch, true)
 		require.Equal(expStatus, newStatus, "node 6 should not be added to the committee if key manager is secure or checksum differs")
 	})
 
@@ -251,20 +251,20 @@ func TestGenerateStatus(t *testing.T) {
 			Policy:        &policy,
 			Nodes:         []signature.PublicKey{nodes[6].ID},
 		}
-		newStatus := generateStatus(ctx, runtimes[0], uninitializedStatus, nil, nodes, params, epoch)
+		newStatus := generateStatus(ctx, runtimes[0], uninitializedStatus, nil, nodes, params, epoch, true)
 		require.Equal(expStatus, newStatus, "node 6 should be the source of truth and form the committee")
 
 		// If the order is reversed, it should be the other way around.
 		expStatus.IsSecure = true
 		expStatus.Nodes = []signature.PublicKey{nodes[7].ID}
-		newStatus = generateStatus(ctx, runtimes[0], uninitializedStatus, nil, reverse(nodes), params, epoch)
+		newStatus = generateStatus(ctx, runtimes[0], uninitializedStatus, nil, reverse(nodes), params, epoch, true)
 		require.Equal(expStatus, newStatus, "node 7 should be the source of truth and form the committee")
 
 		// If the key manager is already initialized as secure with a checksum, then all nodes
 		// except 8 and 9 are ignored.
 		expStatus.Checksum = checksum
 		expStatus.Nodes = []signature.PublicKey{nodes[8].ID, nodes[9].ID}
-		newStatus = generateStatus(ctx, runtimes[0], initializedStatus, nil, nodes, params, epoch)
+		newStatus = generateStatus(ctx, runtimes[0], initializedStatus, nil, nodes, params, epoch, true)
 		require.Equal(expStatus, newStatus, "node 7 and 8 should form the committee if key manager is initialized as secure")
 
 		// The second key manager.
@@ -277,7 +277,7 @@ func TestGenerateStatus(t *testing.T) {
 			Nodes:         []signature.PublicKey{nodes[4].ID, nodes[9].ID},
 		}
 		initializedStatus.ID = runtimeIDs[1]
-		newStatus = generateStatus(ctx, runtimes[1], initializedStatus, nil, nodes, params, epoch)
+		newStatus = generateStatus(ctx, runtimes[1], initializedStatus, nil, nodes, params, epoch, true)
 		require.Equal(expStatus, newStatus, "node 4 and 9 should form the committee")
 	})
 }

go/consensus/cometbft/apps/keymanager/secrets/txs.go

@@ -76,11 +76,11 @@ func (ext *secretsExt) updatePolicy(
 	status.NextPolicy = sigPol
 
 	// Support legacy behavior where the policy was applied immediately.
-	ok, err := features.IsFeatureVersion(ctx, migrations.Version242)
+	isFeatureVersion242, err := features.IsFeatureVersion(ctx, migrations.Version242)
 	if err != nil {
 		return err
 	}
-	if !ok {
+	if !isFeatureVersion242 {
 		// Ok, as far as we can tell the new policy is valid, apply it.
 		//
 		// Note: The key manager cohort responsible for servicing this ID
@@ -104,7 +104,7 @@ func (ext *secretsExt) updatePolicy(
 
 		nodes, _ := regState.Nodes(ctx)
 		registry.SortNodeList(nodes)
-		status = generateStatus(ctx, kmRt, status, nil, nodes, regParams, epoch)
+		status = generateStatus(ctx, kmRt, status, nil, nodes, regParams, epoch, isFeatureVersion242)
 	}
 
 	if err := state.SetStatus(ctx, status); err != nil {

go/consensus/cometbft/apps/registry/genesis.go

@@ -55,7 +55,7 @@ func (app *Application) InitChain(ctx *abciAPI.Context, _ types.RequestInitChain
 			if rt == nil {
 				return fmt.Errorf("registry: genesis runtime index %d is nil", i)
 			}
-			err := registry.VerifyRuntime(&st.Parameters, ctx.Logger(), rt, ctx.IsInitChain(), false, epoch)
+			err := registry.VerifyRuntime(&st.Parameters, ctx.Logger(), rt, ctx.IsInitChain(), false, epoch, true)
 			if err != nil {
 				return err
 			}