Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

verifiers/sgx-ecdsa: fix QvE report and identity verification #140

Merged
merged 3 commits into from
Jan 29, 2023
Merged

verifiers/sgx-ecdsa: fix QvE report and identity verification #140

merged 3 commits into from
Jan 29, 2023

Conversation

imlk0
Copy link
Collaborator

@imlk0 imlk0 commented Jan 13, 2023
edited
Loading

This PR moves sgx_tvl_verify_qve_report_and_identity() into the enclave to fix QvE report and identity verification. Additionally, it updates the qve_isvsvn_threshold from 3 to 7. These changes are expected to have no impact on the sgx-ecdsa-qve verifier compiled in occlum mode. As a result, the enclave_id field is no longer necessary and has been removed from the rats_tls_conf_t structure and all *_ctx structures.

Additionally, this PR adds a check for collateral_expiration_status to the sgx-ecdsa verifier, which serves as an enhancement to the existing verification policy. This change is expected to affect the sgx-ecdsa/sgx-ecdsa-qve verifier in occlum, SGX, and host mode.

@imlk0

This comment was marked as resolved.

Sign in to view
@imlk0
verifiers/sgx-ecdsa: fix QvE report and identity verification
0efb990 
To make sgx-ecdsa-qve work correctly, sgx_tvl_verify_qve_report_and_identity() should be called in enclave.

Signed-off-by: Kun Lai <me@imlk.top>
@imlk0
Delete the no longer needed enclave_id field
5fd9653 
Signed-off-by: Kun Lai <me@imlk.top>
@imlk0
verifiers/sgx-ecdsa: add check for collateral_expiration_status
fae856a 
This is an enhancement to the existing verification policy. According to
Intel(R) ECDSA Quote Library API document, the expiration_check_date is
used to check if any collateral is expired. And if there is an expired
collateral, the collateral_expiration_status will be set to a non-zero
value.

Signed-off-by: Kun Lai <me@imlk.top>
@imlk0 imlk0 requested a review from zeuson0 January 17, 2023 05:38
@imlk0 imlk0 added the bug Something isn't working label Jan 28, 2023
@jiazhang0 jiazhang0 merged commit f617d6e into inclavare-containers:master Jan 29, 2023
@imlk0 imlk0 mentioned this pull request Feb 1, 2023
Closed
15 tasks
@imlk0 imlk0 mentioned this pull request Feb 28, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@YangLiang3 YangLiang3 Awaiting requested review from YangLiang3

@houhuiting houhuiting Awaiting requested review from houhuiting

@jiazhang0 jiazhang0 Awaiting requested review from jiazhang0

@zeuson0 zeuson0 Awaiting requested review from zeuson0

Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@imlk0 @jiazhang0