sgx_ecdsa: set the load_policy at most once

[JamesMenetrey]

Dear librats developers,

While using WAMR and more specifically the sample of SGX-RA as found here, I realized that validating evidence more than once (can be the same, or new evidence) throws the following error in the console:

[ERROR] rats_ocall_ecdsa_verify_evidence()@L88: failed to set enclave load policy by sgx qv: e00c
[ERROR] ecdsa_verify_evidence()@L124: rats_ocall_ecdsa_verify_evidence() failed. sgx_status: 0, err: 0xb000e00c, collateral_expiration_status: 0, quote_verification_result: 0
[ERROR] sgx_ecdsa_verify_evidence()@L468: failed to verify ecdsa, cfffffff
[ERROR] librats_verify_evidence_from_json()@L144: failed to librats_verify_evidence return 0xcfffffff
ERROR: Evidence is not trusted, error code: 0xcfffffff.

The notable information here is that the error is thrown when calling the function sgx_qv_set_enclave_load_policy, which raises the error 0xe00c ( SGX_QL_UNSUPPORTED_LOADING_POLICY).

The issue can be reproduced by duplicating the validation calls of the sample (these ones).

After some investigations, I found out that calling sgx_qv_set_enclave_load_policy more than once with SGX_QL_DEFAULT (=SGX_QL_PERSISTENT) as an argument throws this error. So, I would suggest a patch in the verification OCALL that checks whether the load policy has already been set, and if so, don't set it more than once.

This patch solved this issue on my hardware (SGX2-enabled Intel NUC).

Cheers

[imlk0]

@JamesMenetrey Thank you for your contribution. Could you please add a sign-off tag to the commit message?

[JamesMenetrey]

@KB5201314 I sign it off! Thanks!