Merge pull request #5610 from oasisprotocol/ptrus/feature/tests-dcap

testing: buildkite dcap
oasisprotocol · Mar 22, 2024 · 0dedeaf · 0dedeaf
2 parents 0595537 + d6aa083
commit 0dedeaf
Show file tree

Hide file tree

Showing 10 changed files with 60 additions and 56 deletions.
diff --git a/.buildkite/code.pipeline.yml b/.buildkite/code.pipeline.yml
@@ -228,7 +228,7 @@ steps:
       - .buildkite/scripts/test_e2e.sh --timeout 20m --scenario e2e/runtime/runtime-encryption --scenario e2e/runtime/trust-root/.+ --scenario e2e/runtime/keymanager-.+
     env:
       # Unsafe flags needed as the trust-root test rebuilds the enclave with embedded trust root data.
-      OASIS_UNSAFE_SKIP_AVR_VERIFY: "1"
+      OASIS_UNSAFE_LAX_AVR_VERIFY: "1"
       OASIS_UNSAFE_ALLOW_DEBUG_ENCLAVES: "1"
       OASIS_E2E_COVERAGE: enable
       TEST_BASE_DIR: /tmp
@@ -255,7 +255,7 @@ steps:
       - .buildkite/scripts/test_e2e.sh --timeout 20m --scenario e2e/runtime/.*
     env:
       # Unsafe flags needed as the trust-root test rebuilds the enclave with embedded trust root data.
-      OASIS_UNSAFE_SKIP_AVR_VERIFY: "1"
+      OASIS_UNSAFE_LAX_AVR_VERIFY: "1"
       OASIS_UNSAFE_ALLOW_DEBUG_ENCLAVES: "1"
       OASIS_E2E_COVERAGE: enable
       OASIS_EXCLUDE_E2E: e2e/runtime/txsource-multi,e2e/runtime/txsource-multi-short
@@ -309,28 +309,6 @@ steps:
     plugins:
       <<: *docker_plugin
 
-  ###########################################
-  # E2E test - sgx1 with IAS (only on master)
-  ###########################################
-  - label: E2E tests - sgx1 - IAS
-    branches: master stable/*
-    command:
-      - trap 'buildkite-agent artifact upload "coverage-merged-e2e-*.txt;/tmp/e2e/**/*.log;/tmp/e2e/**/genesis.json;/tmp/e2e/**/runtime_genesis.json"' EXIT
-      - .buildkite/scripts/sgx_ias_tests.sh --timeout 20m
-    # A unique string to identify the step. The value is available in the
-    # BUILDKITE_STEP_KEY and is used to ensure the generated coverage file
-    # names are unique across this pipeline.
-    key: sgx-ias
-    env:
-      OASIS_E2E_COVERAGE: enable
-      TEST_BASE_DIR: /tmp
-    agents:
-      queue: sgx1
-    retry:
-      <<: *retry_agent_failure
-    plugins:
-      <<: *docker_plugin_sgx1
-
   ####################################
   # Rust coverage job.
   ####################################
@@ -387,7 +365,7 @@ steps:
           - .buildkite/scripts/test_upgrade.sh
         env:
           # Unsafe flags needed as the trust-root test rebuilds the enclave with embedded trust root data.
-          OASIS_UNSAFE_SKIP_AVR_VERIFY: "1"
+          OASIS_UNSAFE_LAX_AVR_VERIFY: "1"
           OASIS_UNSAFE_ALLOW_DEBUG_ENCLAVES: "1"
           TEST_BASE_DIR: /tmp
         agents:

diff --git a/.buildkite/rust/common.sh b/.buildkite/rust/common.sh
@@ -7,6 +7,6 @@ source .buildkite/scripts/common.sh
 ####################
 # Set up environment
 ####################
-export OASIS_UNSAFE_SKIP_AVR_VERIFY="1"
+export OASIS_UNSAFE_LAX_AVR_VERIFY="1"
 export OASIS_UNSAFE_ALLOW_DEBUG_ENCLAVES="1"
 export RUST_BACKTRACE="1"
diff --git a/.buildkite/scripts/sgx_ias_tests.sh b/.buildkite/scripts/sgx_ias_tests.sh
diff --git a/.changelog/5610.internal.md b/.changelog/5610.internal.md
@@ -0,0 +1 @@
+ci: Update SGX tests to run DCAP
diff --git a/go/common/sgx/pcs/tcb.go b/go/common/sgx/pcs/tcb.go
@@ -27,11 +27,21 @@ const (
 	requiredQEIdentityVersion = 2
 )
 
+// If set, the TCB verification will be done in a more lax manner.
+var unsafeLaxVerify bool
+
 // TimestampFormat is the format of the TCB timestamp, suitable for use with time.Parse.
 //
 // Workaround for https://github.com/golang/go/issues/21990
 const TimestampFormat = "2006-01-02T15:04:05.999999999Z"
 
+// SetUnsafeLaxVerify enables the unsafe, more lax TCB status verification.
+//
+// OutOfDate and OutOfDateConfigurationNeeded TCB statuses will be treated as valid.
+func SetUnsafeLaxVerify() {
+	unsafeLaxVerify = true
+}
+
 // TCBBundle contains all the required components to verify a quote's TCB.
 type TCBBundle struct {
 	TCBInfo      SignedTCBInfo    `json:"tcb_info"`
@@ -271,15 +281,21 @@ func (ti *TCBInfo) validateTCBLevel(
 	switch tcbLevel.Status {
 	case StatusUpToDate, StatusSWHardeningNeeded:
 		// These are ok.
-	default:
-		return &TCBOutOfDateError{
-			Kind:        TCBKindPlatform,
-			Status:      tcbLevel.Status,
-			AdvisoryIDs: tcbLevel.AdvisoryIDs,
+		return nil
+	case StatusOutOfDate, StatusConfigurationNeeded, StatusOutOfDateConfigurationNeeded:
+		// Ok if lax verification.
+		if unsafeLaxVerify {
+			return nil
 		}
+	default:
+		// Not ok.
 	}
 
-	return nil
+	return &TCBOutOfDateError{
+		Kind:        TCBKindPlatform,
+		Status:      tcbLevel.Status,
+		AdvisoryIDs: tcbLevel.AdvisoryIDs,
+	}
 }
 
 func (ti *TCBInfo) getTCBLevel(

diff --git a/go/oasis-node/cmd/common/common.go b/go/oasis-node/cmd/common/common.go
@@ -33,6 +33,8 @@ const (
 	CfgDebugAllowTestKeys = "debug.allow_test_keys"
 	// CfgDebugAllowDebugEnclaves is the command line flag to enable debug enclaves.
 	CfgDebugAllowDebugEnclaves = "debug.allow_debug_enclaves"
+	// CfgDebugTCBLaxVerify is the command line flag to enable lax verification of PCS TCB statuses.
+	CfgDebugTCBLaxVerify = "debug.tcb_lax_verify"
 
 	// RequiredRlimit is the minimum required RLIMIT_NOFILE as too low of a
 	// limit can cause problems with BadgerDB.
@@ -106,6 +108,7 @@ func Init() error {
 		initLogging,
 		initPublicKeyBlacklist,
 		initDebugEnclaves,
+		initDebugTCBLaxVerify,
 		initRlimit,
 	}
 
@@ -128,8 +131,10 @@ func Logger() *logging.Logger {
 func init() {
 	debugFlags.Bool(CfgDebugAllowTestKeys, false, "allow test keys (UNSAFE)")
 	debugFlags.Bool(CfgDebugAllowDebugEnclaves, false, "allow debug enclaves (UNSAFE)")
+	debugFlags.Bool(CfgDebugTCBLaxVerify, false, "allow lax verification of TCB statuses (UNSAFE)")
 	_ = debugFlags.MarkHidden(CfgDebugAllowTestKeys)
 	_ = debugFlags.MarkHidden(CfgDebugAllowDebugEnclaves)
+	_ = debugFlags.MarkHidden(CfgDebugTCBLaxVerify)
 	_ = viper.BindPFlags(debugFlags)
 
 	RootFlags.StringVar(&cfgFile, CfgConfigFile, "", "config file")
@@ -197,6 +202,14 @@ func initDebugEnclaves() error {
 	return nil
 }
 
+func initDebugTCBLaxVerify() error {
+	if flags.DebugDontBlameOasis() && viper.GetBool(CfgDebugTCBLaxVerify) {
+		rootLog.Warn("`debug.tcb_lax_verify` set, TCB lax verification will be done")
+		pcs.SetUnsafeLaxVerify()
+	}
+	return nil
+}
+
 func initRlimit() error {
 	// Suppress this for tooling, as it likely does not matter.
 	if !IsNodeCmd() {

diff --git a/go/oasis-test-runner/oasis/args.go b/go/oasis-test-runner/oasis/args.go
@@ -80,6 +80,13 @@ func (args *argBuilder) debugAllowDebugEnclaves() *argBuilder {
 	return args
 }
 
+func (args *argBuilder) debugTCBLaxVerify() *argBuilder {
+	args.vec = append(args.vec, Argument{
+		Name: cmdCommon.CfgDebugTCBLaxVerify,
+	})
+	return args
+}
+
 func (args *argBuilder) grpcServerPort(port uint16) *argBuilder {
 	args.vec = append(args.vec, Argument{
 		Name:   grpc.CfgServerPort,

diff --git a/go/oasis-test-runner/oasis/network.go b/go/oasis-test-runner/oasis/network.go
@@ -676,6 +676,11 @@ func (net *Network) startOasisNode(
 		cfg.Consensus.UpgradeStopDelay = 10 * time.Second
 
 		extraArgs = extraArgs.debugAllowDebugEnclaves()
+		// XXX: We reuse the IAS specific variable (OASIS_UNSAFE_LAX_AVR_VERIFY) to avoid having
+		// an additional environment variable. Rename the variable when IAS support is removed.
+		if os.Getenv("OASIS_UNSAFE_LAX_AVR_VERIFY") != "" {
+			extraArgs = extraArgs.debugTCBLaxVerify()
+		}
 	} else {
 		baseArgs = append(baseArgs, "--"+cmdFlags.CfgGenesisFile, net.GenesisPath())
 	}

diff --git a/go/oasis-test-runner/scenario/e2e/runtime/keymanager_rotation_failure.go b/go/oasis-test-runner/scenario/e2e/runtime/keymanager_rotation_failure.go
@@ -212,7 +212,7 @@ func (sc *kmRotationFailureImpl) extendKeymanagerRegistrations(ctx context.Conte
 		if err != nil {
 			return err
 		}
-		tx := registry.NewRegisterNodeTx(nonce, &transaction.Fee{Gas: 11000}, sigNode)
+		tx := registry.NewRegisterNodeTx(nonce, &transaction.Fee{Gas: 50000}, sigNode)
 		sigTx, err := transaction.Sign(identity.NodeSigner, tx)
 		if err != nil {
 			return err

diff --git a/runtime/src/common/sgx/pcs.rs b/runtime/src/common/sgx/pcs.rs
@@ -205,8 +205,15 @@ impl QuoteBundle {
             .map_err(|err| Error::VerificationFailed(err.to_string()))?;
 
         // Validate TCB level.
+        // XXX: We reuse the IAS specific variable (OASIS_UNSAFE_LAX_AVR_VERIFY) to avoid having
+        // an additional environment variable. Rename the variable when IAS support is removed.
+        let tcb_lax_verify = option_env!("OASIS_UNSAFE_LAX_AVR_VERIFY").is_some();
         match verifier.tcb_level.ok_or(Error::TCBMismatch)?.status {
             TCBStatus::UpToDate | TCBStatus::SWHardeningNeeded => {}
+            TCBStatus::OutOfDate
+            | TCBStatus::ConfigurationNeeded
+            | TCBStatus::OutOfDateConfigurationNeeded
+                if tcb_lax_verify => {}
             _ => {
                 return Err(Error::TCBOutOfDate);
             }