Skip to content

Commit

Permalink
go/runtime/host/sgx: Update QE target info during re-attestation
Browse files Browse the repository at this point in the history 
This allows the node to continue working in case aesmd is upgraded while
the node is running. In this case the Quoting Enclave identity can
change and this requires the target info to be updated.
  • Loading branch information
@kostko
kostko committed Mar 23, 2023
1 parent d941074 commit 5f6e961
Show file tree
Hide file tree
Showing 2 changed files with 34 additions and 6 deletions.
5 changes: 5 additions & 0 deletions .changelog/5239.bugfix.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
go/runtime/host/sgx: Update QE target info during re-attestation

This allows the node to continue working in case aesmd is upgraded while
the node is running. In this case the Quoting Enclave identity can
change and this requires the target info to be updated.
35 changes: 29 additions & 6 deletions go/runtime/host/sgx/sgx.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -125,7 +125,17 @@ func (ts *teeState) init(ctx context.Context, sp *sgxProvisioner) ([]byte, error
return targetInfo, nil
}

func (ts *teeState) updateTargetInfo(ctx context.Context, sp *sgxProvisioner) ([]byte, error) {
if ts.impl == nil {
return nil, fmt.Errorf("not initialized")
}
return ts.impl.Init(ctx, sp, ts.runtimeID, ts.version)
}

func (ts *teeState) update(ctx context.Context, sp *sgxProvisioner, conn protocol.Connection, report []byte, nonce string) ([]byte, error) {
if ts.impl == nil {
return nil, fmt.Errorf("not initialized")
}
return ts.impl.Update(ctx, sp, conn, report, nonce)
}

Expand Down Expand Up @@ -295,25 +305,38 @@ func (s *sgxProvisioner) initCapabilityTEE(ctx context.Context, rt host.Runtime,
if err != nil {
return nil, fmt.Errorf("error while initializing TEE state: %w", err)
}
if err = s.updateTargetInfo(ctx, targetInfo, conn); err != nil {
return nil, fmt.Errorf("error while updating TEE target info: %w", err)
}

return &ts, nil
}

if _, err = conn.Call(
func (s *sgxProvisioner) updateTargetInfo(ctx context.Context, targetInfo []byte, conn protocol.Connection) error {
_, err := conn.Call(
ctx,
&protocol.Body{
RuntimeCapabilityTEERakInitRequest: &protocol.RuntimeCapabilityTEERakInitRequest{
TargetInfo: targetInfo,
},
},
); err != nil {
return nil, fmt.Errorf("error while initializing RAK: %w", err)
}

return &ts, nil
)
return err
}

func (s *sgxProvisioner) updateCapabilityTEE(ctx context.Context, logger *logging.Logger, ts *teeState, conn protocol.Connection) (*node.CapabilityTEE, error) {
ctx, cancel := context.WithTimeout(ctx, runtimeRAKTimeout)
defer cancel()

// Update report target info in case the QE identity has changed (e.g. aesmd upgrade).
targetInfo, err := ts.updateTargetInfo(ctx, s)
if err != nil {
return nil, fmt.Errorf("error while updating TEE target info: %w", err)
}
if err = s.updateTargetInfo(ctx, targetInfo, conn); err != nil {
return nil, fmt.Errorf("error while updating TEE target info: %w", err)
}

rakQuoteRes, err := conn.Call(
ctx,
&protocol.Body{
Expand Down

0 comments on commit 5f6e961

Please sign in to comment.