Merge pull request #5678 from oasisprotocol/peternose/stable/23.0.x/b…

…ackport-5660

[BACKPORT/23.0.x] 5610 5625 5660

.buildkite/code.pipeline.yml

@@ -228,7 +228,7 @@ steps:
       - .buildkite/scripts/test_e2e.sh --timeout 20m --scenario e2e/runtime/runtime-encryption --scenario e2e/runtime/trust-root/.+ --scenario e2e/runtime/keymanager-.+
     env:
       # Unsafe flags needed as the trust-root test rebuilds the enclave with embedded trust root data.
-      OASIS_UNSAFE_SKIP_AVR_VERIFY: "1"
+      OASIS_UNSAFE_LAX_AVR_VERIFY: "1"
       OASIS_UNSAFE_ALLOW_DEBUG_ENCLAVES: "1"
       OASIS_E2E_COVERAGE: enable
       TEST_BASE_DIR: /tmp
@@ -255,7 +255,7 @@ steps:
       - .buildkite/scripts/test_e2e.sh --timeout 20m --scenario e2e/runtime/.*
     env:
       # Unsafe flags needed as the trust-root test rebuilds the enclave with embedded trust root data.
-      OASIS_UNSAFE_SKIP_AVR_VERIFY: "1"
+      OASIS_UNSAFE_LAX_AVR_VERIFY: "1"
       OASIS_UNSAFE_ALLOW_DEBUG_ENCLAVES: "1"
       OASIS_E2E_COVERAGE: enable
       OASIS_EXCLUDE_E2E: e2e/runtime/txsource-multi,e2e/runtime/txsource-multi-short
@@ -309,28 +309,6 @@ steps:
     plugins:
       <<: *docker_plugin
 
-  ###########################################
-  # E2E test - sgx1 with IAS (only on master)
-  ###########################################
-  - label: E2E tests - sgx1 - IAS
-    branches: master stable/*
-    command:
-      - trap 'buildkite-agent artifact upload "coverage-merged-e2e-*.txt;/tmp/e2e/**/*.log;/tmp/e2e/**/genesis.json;/tmp/e2e/**/runtime_genesis.json"' EXIT
-      - .buildkite/scripts/sgx_ias_tests.sh --timeout 20m
-    # A unique string to identify the step. The value is available in the
-    # BUILDKITE_STEP_KEY and is used to ensure the generated coverage file
-    # names are unique across this pipeline.
-    key: sgx-ias
-    env:
-      OASIS_E2E_COVERAGE: enable
-      TEST_BASE_DIR: /tmp
-    agents:
-      queue: sgx1
-    retry:
-      <<: *retry_agent_failure
-    plugins:
-      <<: *docker_plugin_sgx1
-
   ####################################
   # Rust coverage job.
   ####################################
@@ -386,7 +364,7 @@ steps:
           - .buildkite/scripts/test_upgrade.sh
         env:
           # Unsafe flags needed as the trust-root test rebuilds the enclave with embedded trust root data.
-          OASIS_UNSAFE_SKIP_AVR_VERIFY: "1"
+          OASIS_UNSAFE_LAX_AVR_VERIFY: "1"
           OASIS_UNSAFE_ALLOW_DEBUG_ENCLAVES: "1"
           TEST_BASE_DIR: /tmp
         agents:

.buildkite/rust/common.sh

@@ -7,6 +7,6 @@ source .buildkite/scripts/common.sh
 ####################
 # Set up environment
 ####################
-export OASIS_UNSAFE_SKIP_AVR_VERIFY="1"
+export OASIS_UNSAFE_LAX_AVR_VERIFY="1"
 export OASIS_UNSAFE_ALLOW_DEBUG_ENCLAVES="1"
 export RUST_BACKTRACE="1"

.changelog/5610.internal.md

@@ -0,0 +1 @@
+ci: Update SGX tests to run DCAP

.changelog/5625.feature.2.md

@@ -0,0 +1 @@
+go: Bump go-libp2p to v0.33.2

.changelog/5625.feature.md

@@ -0,0 +1 @@
+go: Bump github.com/quic-go/quic-go to v0.42.0

.changelog/5660.bugfix.md

@@ -0,0 +1 @@
+go/worker/compute/executor/committee: Retry scheduling on failure

go/common/sgx/pcs/tcb.go

@@ -27,11 +27,21 @@ const (
 	requiredQEIdentityVersion = 2
 )
 
+// If set, the TCB verification will be done in a more lax manner.
+var unsafeLaxVerify bool
+
 // TimestampFormat is the format of the TCB timestamp, suitable for use with time.Parse.
 //
 // Workaround for https://github.com/golang/go/issues/21990
 const TimestampFormat = "2006-01-02T15:04:05.999999999Z"
 
+// SetUnsafeLaxVerify enables the unsafe, more lax TCB status verification.
+//
+// OutOfDate and OutOfDateConfigurationNeeded TCB statuses will be treated as valid.
+func SetUnsafeLaxVerify() {
+	unsafeLaxVerify = true
+}
+
 // TCBBundle contains all the required components to verify a quote's TCB.
 type TCBBundle struct {
 	TCBInfo      SignedTCBInfo    `json:"tcb_info"`
@@ -271,15 +281,21 @@ func (ti *TCBInfo) validateTCBLevel(
 	switch tcbLevel.Status {
 	case StatusUpToDate, StatusSWHardeningNeeded:
 		// These are ok.
-	default:
-		return &TCBOutOfDateError{
-			Kind:        TCBKindPlatform,
-			Status:      tcbLevel.Status,
-			AdvisoryIDs: tcbLevel.AdvisoryIDs,
+		return nil
+	case StatusOutOfDate, StatusConfigurationNeeded, StatusOutOfDateConfigurationNeeded:
+		// Ok if lax verification.
+		if unsafeLaxVerify {
+			return nil
 		}
+	default:
+		// Not ok.
 	}
 
-	return nil
+	return &TCBOutOfDateError{
+		Kind:        TCBKindPlatform,
+		Status:      tcbLevel.Status,
+		AdvisoryIDs: tcbLevel.AdvisoryIDs,
+	}
 }
 
 func (ti *TCBInfo) getTCBLevel(

go/go.mod

@@ -31,16 +31,16 @@ require (
 	github.com/hashicorp/go-plugin v1.4.6
 	github.com/hpcloud/tail v1.0.0
 	github.com/ipfs/go-log/v2 v2.5.1
-	github.com/libp2p/go-libp2p v0.32.2
+	github.com/libp2p/go-libp2p v0.33.2
 	github.com/libp2p/go-libp2p-pubsub v0.10.0
-	github.com/multiformats/go-multiaddr v0.12.0
+	github.com/multiformats/go-multiaddr v0.12.3
 	github.com/oasisprotocol/curve25519-voi v0.0.0-20230110094441-db37f07504ce
 	github.com/oasisprotocol/deoxysii v0.0.0-20220228165953-2091330c22b7
 	github.com/olekukonko/tablewriter v0.0.5
 	github.com/powerman/rpc-codec v1.2.2
-	github.com/prometheus/client_golang v1.17.0
-	github.com/prometheus/common v0.44.0
-	github.com/prometheus/procfs v0.11.1
+	github.com/prometheus/client_golang v1.19.0
+	github.com/prometheus/common v0.52.2
+	github.com/prometheus/procfs v0.12.0
 	github.com/seccomp/libseccomp-golang v0.10.0
 	github.com/spf13/cast v1.5.0
 	github.com/spf13/cobra v1.7.0
@@ -50,10 +50,10 @@ require (
 	github.com/thepudds/fzgo v0.2.2
 	github.com/tidwall/btree v1.6.0
 	github.com/tyler-smith/go-bip39 v1.1.0
-	go.uber.org/zap v1.26.0
-	golang.org/x/crypto v0.17.0
-	golang.org/x/exp v0.0.0-20231006140011-7918f672742d
-	golang.org/x/net v0.17.0
+	go.uber.org/zap v1.27.0
+	golang.org/x/crypto v0.21.0
+	golang.org/x/exp v0.0.0-20240325151524-a685a6edb6d8
+	golang.org/x/net v0.23.0
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d
 	google.golang.org/grpc v1.59.0
 	google.golang.org/grpc/security/advancedtls v0.0.0-20221004221323-12db695f1648
@@ -73,16 +73,16 @@ require (
 	github.com/creachadair/taskgroup v0.3.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/davidlazar/go-crypto v0.0.0-20200604182044-b73af7476f6c // indirect
-	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 // indirect
 	github.com/dgraph-io/badger/v2 v2.2007.4 // indirect
 	github.com/dgraph-io/ristretto v0.1.1 // indirect
 	github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dustin/go-humanize v1.0.0 // indirect
 	github.com/eapache/queue v1.1.0 // indirect
-	github.com/elastic/gosigar v0.14.2 // indirect
+	github.com/elastic/gosigar v0.14.3 // indirect
 	github.com/fatih/color v1.13.0 // indirect
-	github.com/flynn/noise v1.0.0 // indirect
+	github.com/flynn/noise v1.1.0 // indirect
 	github.com/francoispqt/gojay v1.2.13 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/go-kit/kit v0.12.0 // indirect
@@ -96,9 +96,9 @@ require (
 	github.com/google/gofuzz v1.0.0 // indirect
 	github.com/google/gopacket v1.1.19 // indirect
 	github.com/google/orderedcode v0.0.1 // indirect
-	github.com/google/pprof v0.0.0-20231023181126-ff6d637d2a7b // indirect
-	github.com/google/uuid v1.3.1 // indirect
-	github.com/gorilla/websocket v1.5.0 // indirect
+	github.com/google/pprof v0.0.0-20240402174815-29b9bb013b0f // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/gorilla/websocket v1.5.1 // indirect
 	github.com/gtank/merlin v0.1.1 // indirect
 	github.com/hashicorp/golang-lru/v2 v2.0.5 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
@@ -112,14 +112,13 @@ require (
 	github.com/jbenet/goprocess v0.1.4 // indirect
 	github.com/jmhodges/levigo v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/compress v1.17.2 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.5 // indirect
+	github.com/klauspost/compress v1.17.7 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.7 // indirect
 	github.com/koron/go-ssdp v0.0.4 // indirect
 	github.com/lib/pq v1.10.7 // indirect
 	github.com/libp2p/go-buffer-pool v0.1.0 // indirect
-	github.com/libp2p/go-cidranger v1.1.0 // indirect
 	github.com/libp2p/go-flow-metrics v0.1.0 // indirect
-	github.com/libp2p/go-libp2p-asn-util v0.3.0 // indirect
+	github.com/libp2p/go-libp2p-asn-util v0.4.1 // indirect
 	github.com/libp2p/go-msgio v0.3.0 // indirect
 	github.com/libp2p/go-nat v0.2.0 // indirect
 	github.com/libp2p/go-netroute v0.2.1 // indirect
@@ -130,8 +129,7 @@ require (
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.9 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
-	github.com/miekg/dns v1.1.56 // indirect
+	github.com/miekg/dns v1.1.58 // indirect
 	github.com/mikioh/tcpinfo v0.0.0-20190314235526-30a79bb1804b // indirect
 	github.com/mikioh/tcpopt v0.0.0-20190314235656-172688c1accc // indirect
 	github.com/mimoo/StrobeGo v0.0.0-20210601165009-122bf33a46e0 // indirect
@@ -153,18 +151,17 @@ require (
 	github.com/multiformats/go-varint v0.0.7 // indirect
 	github.com/oasisprotocol/safeopen v0.0.0-20200528085122-e01cfdfc7661 // indirect
 	github.com/oklog/run v1.0.0 // indirect
-	github.com/onsi/ginkgo/v2 v2.13.0 // indirect
-	github.com/opencontainers/runtime-spec v1.1.0 // indirect
+	github.com/onsi/ginkgo/v2 v2.17.1 // indirect
+	github.com/opencontainers/runtime-spec v1.2.0 // indirect
 	github.com/pbnjay/memory v0.0.0-20210728143218-7b4eea64cf58 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.6 // indirect
 	github.com/petermattis/goid v0.0.0-20180202154549-b0b1615b78e5 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_model v0.4.1-0.20230718164431-9a2bf3000d16 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/quic-go/qpack v0.4.0 // indirect
-	github.com/quic-go/qtls-go1-20 v0.3.4 // indirect
-	github.com/quic-go/quic-go v0.39.4 // indirect
-	github.com/quic-go/webtransport-go v0.6.0 // indirect
+	github.com/quic-go/quic-go v0.42.0 // indirect
+	github.com/quic-go/webtransport-go v0.7.0 // indirect
 	github.com/raulk/go-watchdog v1.3.0 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
 	github.com/rs/cors v1.8.2 // indirect
@@ -179,18 +176,18 @@ require (
 	go.etcd.io/bbolt v1.3.6 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.uber.org/dig v1.17.1 // indirect
-	go.uber.org/fx v1.20.1 // indirect
-	go.uber.org/mock v0.3.0 // indirect
+	go.uber.org/fx v1.21.0 // indirect
+	go.uber.org/mock v0.4.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/mod v0.13.0 // indirect
-	golang.org/x/sync v0.4.0 // indirect
-	golang.org/x/sys v0.15.0 // indirect
+	golang.org/x/mod v0.16.0 // indirect
+	golang.org/x/sync v0.6.0 // indirect
+	golang.org/x/sys v0.18.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
-	golang.org/x/tools v0.14.0 // indirect
+	golang.org/x/tools v0.19.0 // indirect
 	gopkg.in/fsnotify.v1 v1.4.7 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
-	lukechampine.com/blake3 v1.2.1 // indirect
+	lukechampine.com/blake3 v1.2.2 // indirect
 )
 
 go 1.21.8