From a163a471a5967a67a46b44e3783614cb06091012 Mon Sep 17 00:00:00 2001
From: Peter Nose
Date: Mon, 16 Jan 2023 01:09:33 +0100
Subject: [PATCH] runtime/src/consensus/registry: Add runtime encryption key (REK)
---
 .changelog/5137.internal.md | 4 ++++
 runtime/src/consensus/registry.rs | 4 ++++
 2 files changed, 8 insertions(+)
 create mode 100644 .changelog/5137.internal.md
diff --git a/.changelog/5137.internal.md b/.changelog/5137.internal.md
new file mode 100644
index 00000000000..15f8d2c60e3
--- /dev/null
+++ b/.changelog/5137.internal.md
@@ -0,0 +1,4 @@
+runtime/src/consensus/registry: Add runtime encryption key (REK)
+
+Added REK to the node TEE capability descriptor to ensure old enclaves won't
+panic when new ones register with a non-nil REK.
diff --git a/runtime/src/consensus/registry.rs b/runtime/src/consensus/registry.rs
index ee49d89688b..d31805fd076 100644
--- a/runtime/src/consensus/registry.rs
+++ b/runtime/src/consensus/registry.rs
@@ -112,6 +112,10 @@ pub struct CapabilityTEE {
 /// Runtime attestation key.
 pub rak: PublicKey,
 
+ /// Runtime encryption key.
+ #[cbor(optional)]
+ pub rek: Option<[u8; 32]>,
+
 /// Attestation.
 pub attestation: Vec,
 }
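Review bot: The new `rek` field in `CapabilityTEE` is a bare `Option<[u8; 32]>`, while the neighbouring `rak` uses the typed `PublicKey`. Neither the type nor the one-line doc comment tells a reader what kind of key these bytes are, or that decoding alone does not validate them. I would expand the comment to something like `/// Runtime encryption key (REK). Optional so that descriptors without a REK still decode; raw bytes, not validated by decoding.` Whether the REK is bound to the attestation the way the RAK is cannot be seen from this hunk; if it is not yet checked, the comment should say so, so that callers do not treat the key as attested. The struct begins above the hunk, so fields before `rak` are not visible here.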