go: Reverse order of TCB update fetching
jberci committed May 24, 2024
1 parent 7f4cb9a commit 09a2c65
Showing 3 changed files with 13 additions and 6 deletions.
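--- a/.changelog/5704.internal.md
+++ b/.changelog/5704.internal.md
@@ -0,0 +1,5 @@
+go: Reverse order of TCB update fetching
+
+Early TCB updates are now tried first when updating TCB info. If
+validation for an early update fails, the mechanism falls back to the
+standard update.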
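--- a/go/runtime/host/sgx/ecdsa.go
+++ b/go/runtime/host/sgx/ecdsa.go
@@ -193,7 +193,7 @@ func (ec *teeStateECDSA) Update(ctx context.Context, sp *sgxProvisioner, conn pr
 return fresh, nil
 }
 var tcbBundle *pcs.TCBBundle
-for _, update := range []pcs.UpdateType{pcs.UpdateStandard, pcs.UpdateEarly} {
+for _, update := range []pcs.UpdateType{pcs.UpdateEarly, pcs.UpdateStandard} {
 if tcbBundle, err = getTcbBundle(update); err == nil {
 break
 }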
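Review bot: Since `err` is overwritten on every pass of the loop, when both fetches fail the error that survives is now the `pcs.UpdateStandard` one and the failure of the newly preferred early update is discarded, which makes the path the commit wants operators to use the harder one to diagnose; what happens with `err` after the loop is outside the hunk (the `Update` method continues past it). Collecting each failure and returning them together, e.g. via `errors.Join`, would keep both visible, and the range line deserves a comment stating the precedence, e.g. `// Prefer early TCB info; fall back to the standard update when it cannot be fetched or fails validation.`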
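--- a/go/runtime/host/sgx/epid.go
+++ b/go/runtime/host/sgx/epid.go
@@ -124,22 +124,24 @@ func (ep *teeStateEPID) update(
 RuntimeID: ep.runtimeID,
 Quote: quote,
 Nonce: nonce,
+EarlyTCBUpdate: true,
 MinTCBEvaluationDataNumber: quotePolicy.MinTCBEvaluationDataNumber,
 }
 
+// First try with early updating. If that fails, fall back to normal.
 avrBundle, err := iasClient.VerifyEvidence(ctx, &evidence)
 if err != nil {
-return nil, fmt.Errorf("error while verifying attestation evidence: %w", err)
+return nil, fmt.Errorf("error while verifying attestation evidence with early update: %w", err)
 }
 
 // Decode the AVR so we can do further checks.
 avr, decErr := cmnIAS.UnsafeDecodeAVR(avrBundle.Body)
-if decErr == nil && avr.TCBEvaluationDataNumber < quotePolicy.MinTCBEvaluationDataNumber {
-// Retry again with early updating.
-evidence.EarlyTCBUpdate = true
+if decErr == nil && avr.ISVEnclaveQuoteStatus != cmnIAS.QuoteOK && avr.ISVEnclaveQuoteStatus != cmnIAS.QuoteSwHardeningNeeded {
+// Retry again without early updating.
+evidence.EarlyTCBUpdate = false
 avrBundle, err = iasClient.VerifyEvidence(ctx, &evidence)
 if err != nil {
-return nil, fmt.Errorf("error while verifying attestation evidence with early update: %w", err)
+return nil, fmt.Errorf("error while verifying attestation evidence with normal update: %w", err)
 }
 avr, decErr = cmnIAS.UnsafeDecodeAVR(avrBundle.Body)
 }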
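Review bot: The new retry condition `if decErr == nil && avr.ISVEnclaveQuoteStatus != cmnIAS.QuoteOK && ...` drops the old `avr.TCBEvaluationDataNumber < quotePolicy.MinTCBEvaluationDataNumber` check, so after `evidence.EarlyTCBUpdate = false` the standard-update AVR is accepted at this point whatever its evaluation data number; unless the code after the hunk re-checks it against the policy (the `update` method continues past the hunk), the fallback can hand back an AVR that the early path rejected on TCB grounds. Presumably `MinTCBEvaluationDataNumber` in the evidence makes the IAS side enforce the minimum — that should be confirmed and written down, e.g. above the retry: `// The evidence carries MinTCBEvaluationDataNumber, so the standard-update AVR is still bound by the policy minimum.` The downgrade from early to standard TCB info is also silent; logging the rejected early `ISVEnclaveQuoteStatus` before the retry would make the degraded path visible in operation. Per the check annotations on this section, neither the early attempt nor the fallback branch is covered by a test.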
