runtime/src/enclave_rpc: Verify RPC quotes with key manager quote policy #5092
3ac1830 to 28b322f
Every deployment has its own quote policy which cannot change while the runtime is running. Fetching the policy on every attestation is time-consuming and can be done only once, even before the protocol is fully initialized.
Verify that the policy belongs to the key manager and that it has been published in the consensus layer.
When multiple key managers were running, the last known status of the runtime's key manager was overwritten with each status update. On runtime (re)starts, this resulted in the wrong policy being set.
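An added example, not code from this PR or from oasis-core, that models the behaviour the commit messages above and the PR description describe: the quote policy for the runtime's own key manager is cached from consensus status updates, a status belonging to a different key manager is ignored rather than overwriting the cache, and the consensus policy is only used when a trust root is configured, otherwise the default policy applies. All types (`PolicyCache`, `KeyManagerStatus`, `QuotePolicy`, `Quote`, `EnclaveIdentity`) and the policy shape (a set of allowed MRENCLAVE/MRSIGNER pairs) are assumptions, not the real oasis-core structures.

```rust
// Added example, not oasis-core code: a minimal model of caching and applying
// the key manager quote policy. Every type here is a hypothetical stand-in.
use std::collections::HashSet;

/// Runtime identifier (stand-in for the real runtime namespace).
pub type RuntimeId = [u8; 32];

/// Enclave identity reported by a quote: (MRENCLAVE, MRSIGNER).
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct EnclaveIdentity {
    pub mr_enclave: [u8; 32],
    pub mr_signer: [u8; 32],
}

/// Quote policy as published in the consensus layer (assumed shape): the set
/// of enclave identities allowed to establish an EnclaveRPC session.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct QuotePolicy {
    pub allowed: HashSet<EnclaveIdentity>,
}

/// One key manager status update from the status watcher (assumed shape).
pub struct KeyManagerStatus {
    pub runtime_id: RuntimeId,
    pub policy: Option<QuotePolicy>,
}

/// A parsed quote (assumed shape): the identity of the attested enclave.
pub struct Quote {
    pub identity: EnclaveIdentity,
}

/// Cache of the quote policy for the key manager this runtime talks to.
pub struct PolicyCache {
    key_manager_id: RuntimeId,
    /// Without a consensus-layer trust root the published policy cannot be
    /// verified, so the default policy is used instead.
    has_trust_root: bool,
    policy: Option<QuotePolicy>,
}

impl PolicyCache {
    pub fn new(key_manager_id: RuntimeId, has_trust_root: bool) -> Self {
        Self { key_manager_id, has_trust_root, policy: None }
    }

    /// Apply a status update only if it belongs to our key manager. Returns
    /// whether the cache changed; statuses of other key managers are ignored,
    /// which avoids the overwrite bug described in the commit message.
    pub fn on_status(&mut self, status: &KeyManagerStatus) -> bool {
        if status.runtime_id != self.key_manager_id {
            return false;
        }
        self.policy = status.policy.clone();
        true
    }

    /// Policy used for quote verification during session establishment.
    pub fn effective_policy<'a>(&'a self, default: &'a QuotePolicy) -> &'a QuotePolicy {
        match (&self.policy, self.has_trust_root) {
            (Some(p), true) => p,
            _ => default,
        }
    }
}

/// Verify a quote against a policy: the attested identity must be allowed.
pub fn verify_quote(quote: &Quote, policy: &QuotePolicy) -> Result<(), String> {
    if policy.allowed.contains(&quote.identity) {
        Ok(())
    } else {
        Err("enclave identity not allowed by quote policy".to_string())
    }
}

/// Constructed identity for examples: all bytes set to `b`.
pub fn ident(b: u8) -> EnclaveIdentity {
    EnclaveIdentity { mr_enclave: [b; 32], mr_signer: [b; 32] }
}

fn main() {
    let km = [1u8; 32];
    let mut cache = PolicyCache::new(km, true);
    let policy = QuotePolicy { allowed: HashSet::from([ident(7)]) };
    cache.on_status(&KeyManagerStatus { runtime_id: km, policy: Some(policy) });
    // A status from another key manager must not replace our policy.
    cache.on_status(&KeyManagerStatus { runtime_id: [2u8; 32], policy: None });
    let default = QuotePolicy { allowed: HashSet::new() };
    let res = verify_quote(&Quote { identity: ident(7) }, cache.effective_policy(&default));
    println!("quote accepted: {}", res.is_ok());
}
```

The filter in `on_status` is the one-line fix for the multi-key-manager bug: without the `runtime_id` comparison, every status on the watch channel replaces the cached policy, so the last key manager to publish wins regardless of which one the runtime is configured to use.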
28b322f to 52abc7e
Codecov Report

```text
@@            Coverage Diff             @@
##           master    #5092      +/-   ##
==========================================
+ Coverage   67.18%   67.45%   +0.26%
==========================================
  Files         501      501
  Lines       53381    53459      +78
==========================================
+ Hits        35864    36059     +195
+ Misses      13163    13074      -89
+ Partials     4354     4326      -28
```
@@ -321,6 +325,9 @@ pub struct Features { | |||
/// Schedule control feature. | |||
#[cbor(optional)] | |||
pub schedule_control: Option<FeatureScheduleControl>, | |||
/// A feature specifying that the runtime supports updating key manager's quote policy. | |||
#[cbor(optional)] | |||
pub key_manager_quote_policy_updates: bool, |
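Review bot: the new `key_manager_quote_policy_updates` field is `#[cbor(optional)]` with type `bool`, so a runtime that omits the field decodes as `false`, i.e. as not supporting policy updates; the doc comment on the field should state that default explicitly. If the intended default for existing runtimes is `true`, a derived `Default` will not give it, since `bool::default()` is `false`, and a custom `Default` impl for `Features` is needed.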
We should probably implement a custom `Default` that sets this to true.
stCh, stSub := n.consensus.KeyManager().WatchStatuses() | ||
defer stSub.Close() | ||
|
||
// Subscribe to runtime host events. | ||
// Subscribe to epoch transitions (quote policy might change). | ||
epoCh, sub, err := n.consensus.Beacon().WatchEpochs(ctx) |
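Review bot: the two consecutive comment lines `// Subscribe to runtime host events.` and `// Subscribe to epoch transitions (quote policy might change).` read as one stale and one live comment above the `WatchEpochs` call; move the runtime host events comment down to the code it actually describes so the epoch subscription has a single comment. For consistency with `stCh, stSub` above, consider naming the epoch subscription `epoSub` rather than `sub`, and make sure its `Close()` is deferred alongside `stSub.Close()` and that the `err` from `WatchEpochs` is checked, neither of which is visible in these lines.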
@kostko As key managers have a different upgrade procedure than compute runtimes, changing the quote policy on epoch transitions might not be OK, as every key manager can run its own version (which might not be the active one; it can be higher or lower). I see a few options:
- Keep the way it is and expect key manager upgrades to follow versioning.
- Follow versions of key manager nodes and use the latest one.
- Use the quote policy of the key manager we are talking to (we would probably need to fetch the quote policy during session initialization, as we cannot know to which key manager the p2p stack will send the request).
Hm good point. I think using the active deployment for the quote policy makes the most sense.
52abc7e to d9ed76b
Currently EnclaveRPC session establishment always uses the default quote verification policy to verify quotes. When the runtime is configured with a consensus layer trust root it could instead use the quote verification policy specified in the consensus layer for the key manager runtime.
How things work: