go/common/sgx/pcs/policy: Ensure FMSPC whitelist is empty

Ensure the FMSPC whitelist in the quote policy remains empty
until the next feature version is enabled. Once that feature
is enabled, these changes can be removed.

Author: peternose

go/common/sgx/quote/quote.go

@@ -64,3 +64,16 @@ type Policy struct {
 	IAS *ias.QuotePolicy `json:"ias,omitempty" yaml:"ias,omitempty"`
 	PCS *pcs.QuotePolicy `json:"pcs,omitempty" yaml:"pcs,omitempty"`
 }
+
+// VerifyFMSPCWhitelist verifies that the FMSPC whitelist is empty.
+func (p *Policy) VerifyFMSPCWhitelist() error {
+	if p.PCS == nil {
+		return nil
+	}
+
+	if len(p.PCS.FMSPCWhitelist) == 0 {
+		return nil
+	}
+
+	return fmt.Errorf("fmspc whitelist should be empty")
+}

go/consensus/cometbft/apps/registry/messages.go

@@ -6,8 +6,10 @@ import (
 	"github.com/oasisprotocol/oasis-core/go/common/cbor"
 	"github.com/oasisprotocol/oasis-core/go/consensus/cometbft/api"
 	registryState "github.com/oasisprotocol/oasis-core/go/consensus/cometbft/apps/registry/state"
+	"github.com/oasisprotocol/oasis-core/go/consensus/cometbft/features"
 	governance "github.com/oasisprotocol/oasis-core/go/governance/api"
 	registry "github.com/oasisprotocol/oasis-core/go/registry/api"
+	"github.com/oasisprotocol/oasis-core/go/upgrade/migrations"
 )
 
 func (app *Application) changeParameters(ctx *api.Context, msg any, apply bool) (any, error) {
@@ -41,6 +43,9 @@ func (app *Application) changeParameters(ctx *api.Context, msg any, apply bool)
 	if err = params.SanityCheck(); err != nil {
 		return nil, fmt.Errorf("registry: failed to validate consensus parameters: %w", err)
 	}
+	if err = sanityCheckFMSPCWhitelist(ctx, &changes); err != nil {
+		return nil, fmt.Errorf("registry: failed to validate quote policy changes: %w", err)
+	}
 
 	// Apply changes.
 	if apply {
@@ -52,3 +57,30 @@ func (app *Application) changeParameters(ctx *api.Context, msg any, apply bool)
 	// Non-nil response signals that changes are valid and were successfully applied (if required).
 	return struct{}{}, nil
 }
+
+func sanityCheckFMSPCWhitelist(ctx *api.Context, changes *registry.ConsensusParameterChanges) error {
+	if changes.TEEFeatures == nil {
+		return nil
+	}
+
+	teeFeatures := *changes.TEEFeatures
+	if teeFeatures == nil {
+		return nil
+	}
+
+	defaultPolicy := teeFeatures.SGX.DefaultPolicy
+	if defaultPolicy == nil {
+		return nil
+	}
+
+	// Allow non-empty `fmpcs_whitelist` when this feature is available.
+	isFeatureVersion242, err := features.IsFeatureVersion(ctx, migrations.Version242)
+	if err != nil {
+		return err
+	}
+	if isFeatureVersion242 {
+		return nil
+	}
+
+	return defaultPolicy.VerifyFMSPCWhitelist()
+}

go/consensus/cometbft/apps/registry/transactions.go

@@ -12,8 +12,10 @@ import (
 	registryApi "github.com/oasisprotocol/oasis-core/go/consensus/cometbft/apps/registry/api"
 	registryState "github.com/oasisprotocol/oasis-core/go/consensus/cometbft/apps/registry/state"
 	stakingState "github.com/oasisprotocol/oasis-core/go/consensus/cometbft/apps/staking/state"
+	"github.com/oasisprotocol/oasis-core/go/consensus/cometbft/features"
 	registry "github.com/oasisprotocol/oasis-core/go/registry/api"
 	staking "github.com/oasisprotocol/oasis-core/go/staking/api"
+	"github.com/oasisprotocol/oasis-core/go/upgrade/migrations"
 )
 
 func (app *Application) registerEntity(
@@ -226,6 +228,11 @@ func (app *Application) registerNode( // nolint: gocyclo
 		return err
 	}
 
+	isFeatureVersion242, err := features.IsFeatureVersion(ctx, migrations.Version242)
+	if err != nil {
+		return err
+	}
+
 	newNode, paidRuntimes, err := registry.VerifyRegisterNodeArgs(
 		ctx,
 		params,
@@ -239,6 +246,7 @@ func (app *Application) registerNode( // nolint: gocyclo
 		epoch,
 		state,
 		state,
+		isFeatureVersion242,
 	)
 	if err != nil {
 		return err
@@ -579,7 +587,12 @@ func (app *Application) registerRuntime( // nolint: gocyclo
 		return nil, err
 	}
 
-	if err = registry.VerifyRuntime(params, ctx.Logger(), rt, ctx.IsInitChain(), false, epoch); err != nil {
+	isFeatureVersion242, err := features.IsFeatureVersion(ctx, migrations.Version242)
+	if err != nil {
+		return nil, err
+	}
+
+	if err = registry.VerifyRuntime(params, ctx.Logger(), rt, ctx.IsInitChain(), false, epoch, isFeatureVersion242); err != nil {
 		return nil, err
 	}
 
@@ -629,7 +642,7 @@ func (app *Application) registerRuntime( // nolint: gocyclo
 	switch {
 	case existingRt != nil:
 		// Existing runtime, verify update.
-		err = registry.VerifyRuntimeUpdate(ctx.Logger(), existingRt, rt, epoch, params)
+		err = registry.VerifyRuntimeUpdate(ctx.Logger(), existingRt, rt, epoch, params, isFeatureVersion242)
 	default:
 		// New runtime, verify new descriptor.
 		err = registry.VerifyRuntimeNew(ctx.Logger(), rt, epoch, params, ctx.IsInitChain())

go/registry/api/api.go

@@ -11,6 +11,7 @@ import (
 
 	beacon "github.com/oasisprotocol/oasis-core/go/beacon/api"
 	"github.com/oasisprotocol/oasis-core/go/common"
+	"github.com/oasisprotocol/oasis-core/go/common/cbor"
 	"github.com/oasisprotocol/oasis-core/go/common/crypto/hash"
 	"github.com/oasisprotocol/oasis-core/go/common/crypto/signature"
 	"github.com/oasisprotocol/oasis-core/go/common/entity"
@@ -497,6 +498,7 @@ func VerifyRegisterNodeArgs( // nolint: gocyclo
 	epoch beacon.EpochTime,
 	runtimeLookup RuntimeLookup,
 	nodeLookup NodeLookup,
+	isFeatureVersion242 bool,
 ) (*node.Node, []*Runtime, error) {
 	var n node.Node
 	if sigNode == nil {
@@ -621,6 +623,11 @@ func VerifyRegisterNodeArgs( // nolint: gocyclo
 			if err := VerifyNodeRuntimeEnclaveIDs(logger, n.ID, rt, regRt, params.TEEFeatures, now, height); err != nil && !isSanityCheck && !isGenesis {
 				return nil, nil, err
 			}
+			if !isFeatureVersion242 {
+				if err := VerifyNodeRuntimeCapabilities(rt, regRt); err != nil {
+					return nil, nil, err
+				}
+			}
 
 			// Enforce what kinds of runtimes are allowed.
 			if regRt.Kind == KindKeyManager && !n.HasRoles(KeyManagerRuntimeAllowedRoles) {
@@ -849,6 +856,44 @@ func VerifyNodeRuntimeEnclaveIDs(
 	return fmt.Errorf("%w: node running unknown runtime enclave version", ErrInvalidArgument)
 }
 
+// VerifyNodeRuntimeCapabilities verifies that the node's runtimes' capabilities
+// have valid FMSPC whitelists.
+func VerifyNodeRuntimeCapabilities(rt *node.Runtime, regRt *Runtime) error {
+	if rt.Capabilities.TEE == nil {
+		return nil
+	}
+
+	for _, rtVersionInfo := range regRt.Deployments {
+		if rtVersionInfo.Version != rt.Version {
+			continue
+		}
+		if err := VerifyNodeRuntimeCapability(rt.Capabilities.TEE, rtVersionInfo.TEE); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// VerifyNodeRuntimeCapability verifies that the node's runtime capabilities
+// have valid FMSPC whitelist.
+func VerifyNodeRuntimeCapability(c *node.CapabilityTEE, constraints []byte) error {
+	switch c.Hardware {
+	case node.TEEHardwareIntelSGX:
+		var sc node.SGXConstraints
+		if err := cbor.Unmarshal(constraints, &sc); err != nil {
+			return fmt.Errorf("node: malformed SGX constraints: %w", err)
+		}
+		if sc.Policy == nil {
+			return nil
+		}
+		if err := sc.Policy.VerifyFMSPCWhitelist(); err != nil {
+			return fmt.Errorf("node: malformed SGX constraints: %w", err)
+		}
+	default:
+		return nil
+	}
+}
+
 // VerifyAddress verifies a node address.
 func VerifyAddress(addr node.Address, allowUnroutable bool) error {
 	if !allowUnroutable {
@@ -1097,6 +1142,7 @@ func VerifyRuntime( // nolint: gocyclo
 	isGenesis bool,
 	isSanityCheck bool,
 	now beacon.EpochTime,
+	isFeatureVersion242 bool,
 ) error {
 	if rt == nil {
 		return fmt.Errorf("%w: no runtime given", ErrInvalidArgument)
@@ -1141,7 +1187,7 @@ func VerifyRuntime( // nolint: gocyclo
 
 	// Validate the deployments.  This also handles validating that the
 	// appropriate TEE configuration is present in each deployment.
-	if err := rt.ValidateDeployments(now, params); err != nil {
+	if err := rt.ValidateDeployments(now, params, isFeatureVersion242); err != nil {
 		logger.Error("RegisterRuntime: invalid deployments",
 			"runtime_id", rt.ID,
 			"err", err,
@@ -1215,6 +1261,7 @@ func VerifyRuntimeUpdate(
 	currentRt, newRt *Runtime,
 	now beacon.EpochTime,
 	params *ConsensusParameters,
+	isFeatureVersion242 bool,
 ) error {
 	if !currentRt.ID.Equal(&newRt.ID) {
 		logger.Error("RegisterRuntime: trying to update runtime ID",
@@ -1270,7 +1317,7 @@ func VerifyRuntimeUpdate(
 
 	// Validate the deployments.
 	activeDeployment := currentRt.ActiveDeployment(now)
-	if err := currentRt.ValidateDeployments(now, params); err != nil {
+	if err := currentRt.ValidateDeployments(now, params, isFeatureVersion242); err != nil {
 		// Invariant violation, this should NEVER happen.
 		logger.Error("RegisterRuntime: malformed deployments present in state",
 			"runtime_id", currentRt.ID,
@@ -1284,7 +1331,7 @@ func VerifyRuntimeUpdate(
 	}
 
 	newActiveDeployment := newRt.ActiveDeployment(now)
-	if err := newRt.ValidateDeployments(now, params); err != nil {
+	if err := newRt.ValidateDeployments(now, params, isFeatureVersion242); err != nil {
 		logger.Error("RegisterRuntime: malformed deployments",
 			"runtime_id", currentRt.ID,
 			"err", err,

go/registry/api/api_test.go

@@ -211,7 +211,7 @@ func TestVerifyRegisterNodeArgs(t *testing.T) {
 			&tc.n,
 		)
 		require.NoError(err, "singing node")
-		_, _, err = VerifyRegisterNodeArgs(context.Background(), params, logger, signedNode, entity, time.Now(), 1, false, false, beacon.EpochTime(10), rtLookup, ndLookup)
+		_, _, err = VerifyRegisterNodeArgs(context.Background(), params, logger, signedNode, entity, time.Now(), 1, false, false, beacon.EpochTime(10), rtLookup, ndLookup, true)
 		switch {
 		case tc.err == nil:
 			require.NoError(err, tc.msg)

go/registry/api/runtime.go

@@ -526,7 +526,7 @@ func (r *Runtime) DeploymentForVersion(v version.Version) *VersionInfo {
 
 // ValidateDeployments validates a runtime descriptor's Deployments field
 // at the specified epoch.
-func (r *Runtime) ValidateDeployments(now beacon.EpochTime, params *ConsensusParameters) error {
+func (r *Runtime) ValidateDeployments(now beacon.EpochTime, params *ConsensusParameters, isFeatureVersion242 bool) error {
 	// The runtime descriptor's deployments field is considered valid
 	// if:
 	//  * There is at least one entry present.
@@ -600,6 +600,13 @@ func (r *Runtime) ValidateDeployments(now beacon.EpochTime, params *ConsensusPar
 			if len(cs.Enclaves) == 0 {
 				return fmt.Errorf("%w: invalid SGX TEE constraints", ErrNoEnclaveForRuntime)
 			}
+			if !isFeatureVersion242 {
+				if cs.Policy != nil {
+					if err := cs.Policy.VerifyFMSPCWhitelist(); err != nil {
+						return fmt.Errorf("%w: invalid SGX TEE constraints: %v", ErrInvalidArgument, err)
+					}
+				}
+			}
 		default:
 			return fmt.Errorf("%w: invalid TEE hardware", ErrInvalidArgument)
 		}

go/registry/api/runtime_test.go

@@ -656,7 +656,7 @@ func TestVerifyRuntime(t *testing.T) {
 			tc.cpFn(&cp)
 		}
 
-		err := VerifyRuntime(&cp, logging.GetLogger("runtime/tests"), &tc.rr, false, true, beacon.EpochTime(10))
+		err := VerifyRuntime(&cp, logging.GetLogger("runtime/tests"), &tc.rr, false, true, beacon.EpochTime(10), true)
 		switch {
 		case tc.err == nil:
 			require.NoError(err, tc.msg)

go/registry/api/sanity_check.go

@@ -138,15 +138,15 @@ func SanityCheckRuntimes(
 	// First go through all runtimes and perform general sanity checks.
 	seenRuntimes := []*Runtime{}
 	for _, rt := range runtimes {
-		if err := VerifyRuntime(params, logger, rt, isGenesis, true, now); err != nil {
+		if err := VerifyRuntime(params, logger, rt, isGenesis, true, now, true); err != nil {
 			return nil, fmt.Errorf("runtime sanity check failed: %w", err)
 		}
 		seenRuntimes = append(seenRuntimes, rt)
 	}
 
 	seenSuspendedRuntimes := []*Runtime{}
 	for _, rt := range suspendedRuntimes {
-		if err := VerifyRuntime(params, logger, rt, isGenesis, true, now); err != nil {
+		if err := VerifyRuntime(params, logger, rt, isGenesis, true, now, true); err != nil {
 			return nil, fmt.Errorf("runtime sanity check failed: %w", err)
 		}
 		seenSuspendedRuntimes = append(seenSuspendedRuntimes, rt)
@@ -218,6 +218,7 @@ func SanityCheckNodes(
 			epoch,
 			runtimesLookup,
 			nodeLookup,
+			true,
 		)
 		if err != nil {
 			return nil, fmt.Errorf("registry: node sanity check failed: ID: %s, error: %w", n.ID.String(), err)