Merge pull request #3159 from oasisprotocol/ptrus/feature/runtime-km-sgx

go/registry: Require SGX for non-test compute runtimes using km
oasisprotocol · Aug 3, 2020 · 936912f · 936912f
2 parents 35b95b8 + 1ea6c44
commit 936912f
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 1 deletion.
diff --git a/.changelog/3159.breaking.md b/.changelog/3159.breaking.md
@@ -0,0 +1,5 @@
+go/registry: Require SGX for non-test compute runtimes using a key manager
+
+Note: Existing deployments might need to alter the state dump to fix any
+existing compute runtimes that registered without SGX hardware and have
+keymanager runtime configured.
diff --git a/go/genesis/genesis_test.go b/go/genesis/genesis_test.go
@@ -224,6 +224,12 @@ func TestGenesisSanityCheck(t *testing.T) {
 		AdmissionPolicy: registry.RuntimeAdmissionPolicy{
 			AnyNode: &registry.AnyNodeRuntimeAdmissionPolicy{},
 		},
+		TEEHardware: node.TEEHardwareIntelSGX,
+		Version: registry.VersionInfo{
+			TEE: cbor.Marshal(registry.VersionInfoIntelSGX{
+				Enclaves: []sgx.EnclaveIdentity{{}},
+			}),
+		},
 	}
 	signedTestRuntime := signRuntimeOrDie(signer, testRuntime)
 

diff --git a/go/registry/api/api.go b/go/registry/api/api.go
@@ -1247,6 +1247,15 @@ func VerifyRegisterComputeRuntimeArgs(ctx context.Context, logger *logging.Logge
 			)
 			return ErrInvalidArgument
 		}
+
+		// Currently the keymanager implementation assumes SGX. Unless this is a
+		// test runtime, using a keymanager without using SGX is unsupported.
+		if !rt.ID.IsTest() && rt.TEEHardware != node.TEEHardwareIntelSGX {
+			logger.Error("RegisterRuntime: runtime without SGX using key manager",
+				"id", rt.ID,
+			)
+			return fmt.Errorf("%w: compute runtime without SGX using key manager", ErrInvalidArgument)
+		}
 	}
 
 	return nil

diff --git a/go/registry/tests/tester.go b/go/registry/tests/tester.go
@@ -684,7 +684,35 @@ func testRegistryRuntime(t *testing.T, backend api.Backend, consensus consensusA
 			true,
 			true,
 		},
-		// Runtime with key manager set.
+		// Runtime with key manager set, without SGX.
+		{
+			"NoSGXWithKM",
+			func(rt *api.Runtime) {
+				rt.KeyManager = &rtMapByName["KeyManager"].ID
+				// Set non-test runtime.
+				rt.ID = newNamespaceFromSeed([]byte("NoSGXWithKM"), 0)
+			},
+			false,
+			false,
+		},
+		// SGX Runtime with key manager set.
+		{
+			"SGXWithKM",
+			func(rt *api.Runtime) {
+				rt.KeyManager = &rtMapByName["KeyManager"].ID
+				rt.TEEHardware = node.TEEHardwareIntelSGX
+
+				vi := api.VersionInfoIntelSGX{
+					Enclaves: []sgx.EnclaveIdentity{{}},
+				}
+				rt.Version.TEE = cbor.Marshal(vi)
+				// Set non-test runtime.
+				rt.ID = newNamespaceFromSeed([]byte("SGXWithKM"), 0)
+			},
+			false,
+			true,
+		},
+		// Test Runtime with key manager set.
 		{
 			"WithKM",
 			func(rt *api.Runtime) {