Skip to content

Commit

Permalink
optionally validate coordinator in verify phase
Browse files Browse the repository at this point in the history
  • Loading branch information
@burgerdev
burgerdev committed Jan 30, 2024
1 parent 96a5972 commit b10890a
Show file tree
Hide file tree
Showing 2 changed files with 18 additions and 3 deletions.
3 changes: 2 additions & 1 deletion cli/set.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -84,7 +84,8 @@ func runSet(cmd *cobra.Command, args []string) error {
}
log.Debug("Using KDS cache dir", "dir", kdsDir)

validateOptsGen := newCoordinatorValidateOptsGen()
// TODO(burgerdev): validate coordinator from flag or manifest
validateOptsGen := newCoordinatorValidateOptsGen(nil)
kdsCache := fsstore.New(kdsDir, log.WithGroup("kds-cache"))
kdsGetter := snp.NewCachedHTTPSGetter(kdsCache, snp.NeverGCTicker, log.WithGroup("kds-getter"))
validator := snp.NewValidator(validateOptsGen, kdsGetter, log.WithGroup("snp-validator"))
Expand Down
18 changes: 16 additions & 2 deletions cli/verify.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ package main

import (
"crypto/sha256"
"encoding/hex"
"fmt"
"net"
"os"
Expand Down Expand Up @@ -40,6 +41,8 @@ func newVerifyCmd() *cobra.Command {
cmd.Flags().StringP("output", "o", verifyDir, "directory to write files to")
cmd.Flags().StringP("coordinator", "c", "", "endpoint the coordinator can be reached at")
must(cobra.MarkFlagRequired(cmd.Flags(), "coordinator"))
// TODO(burgerdev): default --policy should be derived from released artifacts.
cmd.Flags().String("policy", "", "expected policy hash of the coordinator (64 hex-encoded bytes, will not be checked if empty)")

return cmd
}
Expand All @@ -62,7 +65,7 @@ func runVerify(cmd *cobra.Command, _ []string) error {
}
log.Debug("Using KDS cache dir", "dir", kdsDir)

validateOptsGen := newCoordinatorValidateOptsGen()
validateOptsGen := newCoordinatorValidateOptsGen(flags.policy)
kdsCache := fsstore.New(kdsDir, log.WithGroup("kds-cache"))
kdsGetter := snp.NewCachedHTTPSGetter(kdsCache, snp.NeverGCTicker, log.WithGroup("kds-getter"))
validator := snp.NewValidator(validateOptsGen, kdsGetter, log.WithGroup("snp-validator"))
Expand Down Expand Up @@ -107,6 +110,7 @@ func runVerify(cmd *cobra.Command, _ []string) error {
type verifyFlags struct {
coordinator string
outputDir string
policy []byte
}

func parseVerifyFlags(cmd *cobra.Command) (*verifyFlags, error) {
Expand All @@ -118,14 +122,23 @@ func parseVerifyFlags(cmd *cobra.Command) (*verifyFlags, error) {
if err != nil {
return nil, err
}
policyString, err := cmd.Flags().GetString("policy")
if err != nil {
return nil, err
}
policy, err := hex.DecodeString(policyString)
if err != nil {
return nil, fmt.Errorf("hex-decoding policy flag: %w", err)
}

return &verifyFlags{
coordinator: coordinator,
outputDir: outputDir,
policy: policy,
}, nil
}

func newCoordinatorValidateOptsGen() *snp.StaticValidateOptsGenerator {
func newCoordinatorValidateOptsGen(hostData []byte) *snp.StaticValidateOptsGenerator {
defaultManifest := manifest.Default()
trustedIDKeyDigests, err := (&defaultManifest.ReferenceValues.SNP.TrustedIDKeyHashes).ByteSlices()
if err != nil {
Expand All @@ -134,6 +147,7 @@ func newCoordinatorValidateOptsGen() *snp.StaticValidateOptsGenerator {

return &snp.StaticValidateOptsGenerator{
Opts: &validate.Options{
HostData: hostData,
GuestPolicy: abi.SnpPolicy{
Debug: false,
SMT: true,
Expand Down

0 comments on commit b10890a

Please sign in to comment.