Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

go/runtime/host/sgx: Update QE target info during re-attestation #5239

Merged
merged 1 commit into from
Mar 25, 2023
Merged

go/runtime/host/sgx: Update QE target info during re-attestation #5239

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .changelog/5239.bugfix.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
go/runtime/host/sgx: Update QE target info during re-attestation

This allows the node to continue working in case aesmd is upgraded while
the node is running. In this case the Quoting Enclave identity can
change and this requires the target info to be updated.
35 changes: 29 additions & 6 deletions go/runtime/host/sgx/sgx.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -125,7 +125,17 @@ func (ts *teeState) init(ctx context.Context, sp *sgxProvisioner) ([]byte, error
return targetInfo, nil
}

func (ts *teeState) updateTargetInfo(ctx context.Context, sp *sgxProvisioner) ([]byte, error) {
if ts.impl == nil {
return nil, fmt.Errorf("not initialized")
}
return ts.impl.Init(ctx, sp, ts.runtimeID, ts.version)
}

func (ts *teeState) update(ctx context.Context, sp *sgxProvisioner, conn protocol.Connection, report []byte, nonce string) ([]byte, error) {
if ts.impl == nil {
return nil, fmt.Errorf("not initialized")
}
return ts.impl.Update(ctx, sp, conn, report, nonce)
}

Expand Down Expand Up @@ -295,25 +305,38 @@ func (s *sgxProvisioner) initCapabilityTEE(ctx context.Context, rt host.Runtime,
if err != nil {
return nil, fmt.Errorf("error while initializing TEE state: %w", err)
}
if err = s.updateTargetInfo(ctx, targetInfo, conn); err != nil {
return nil, fmt.Errorf("error while updating TEE target info: %w", err)
}

return &ts, nil
}

if _, err = conn.Call(
func (s *sgxProvisioner) updateTargetInfo(ctx context.Context, targetInfo []byte, conn protocol.Connection) error {
_, err := conn.Call(
ctx,
&protocol.Body{
RuntimeCapabilityTEERakInitRequest: &protocol.RuntimeCapabilityTEERakInitRequest{
TargetInfo: targetInfo,
},
},
); err != nil {
return nil, fmt.Errorf("error while initializing RAK: %w", err)
}

return &ts, nil
)
return err
}

func (s *sgxProvisioner) updateCapabilityTEE(ctx context.Context, logger *logging.Logger, ts *teeState, conn protocol.Connection) (*node.CapabilityTEE, error) {
ctx, cancel := context.WithTimeout(ctx, runtimeRAKTimeout)
defer cancel()

// Update report target info in case the QE identity has changed (e.g. aesmd upgrade).
targetInfo, err := ts.updateTargetInfo(ctx, s)
if err != nil {
return nil, fmt.Errorf("error while updating TEE target info: %w", err)
}
if err = s.updateTargetInfo(ctx, targetInfo, conn); err != nil {
return nil, fmt.Errorf("error while updating TEE target info: %w", err)
}

rakQuoteRes, err := conn.Call(
ctx,
&protocol.Body{
Expand Down