keymanager: Validate latest trust root height in key manager requests

[peternose]

Key manager requests should include latest consensus trust root

The key manager protocol should add the latest known trust root (or just the height) to (private key) EnclaveRPC requests. This would allow the key manager to detect whether the runtimes querying it have a fresh enough state (e.g. within 50 blocks) and reject operations if not.

Obviously the bad view can be either on the key manager side (Byzantine key manager operator) or the runtime side (Byzantine runtime operator). In case the key manager node is Byzantine the runtime can just switch to a different one (this already happens automatically when key manager requests fail).

This should be supported in a backwards compatible manner by making the new field optional.

Test

Happy path is already covered with e2e tests. Unhappy path was tested locally.

• If key manager client is not up to date, height is not sent and after decoding takes a default value of None. Validation is skipped.
• If key manager client is up to date but height is lower than trust root's height, the client will receive an error, e.g. private ephemeral key not available: call failed: height is not fresh.
• If key manager is not up to date, the client will send height but it will not decode properly. The client will again receive an error, e.g. private ephemeral key not available: call failed: unknown field.

[codecov]

Codecov Report

Merging #4910 (e1df6f9) into master (5a149fc) will decrease coverage by 0.02%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##           master    #4910      +/-   ##
==========================================
- Coverage   66.60%   66.57%   -0.03%     
==========================================
  Files         464      464              
  Lines       50981    50981              
==========================================
- Hits        33955    33940      -15     
- Misses      12834    12844      +10     
- Partials     4192     4197       +5     

Impacted Files	Coverage Δ
go/genesis/api/api.go	73.91% <100.00%> (ø)
go/worker/keymanager/worker.go	65.31% <100.00%> (+0.21%)	⬆️
...onsensus/tendermint/apps/beacon/state/state_vrf.go	73.33% <0.00%> (-13.34%)	⬇️
.../worker/compute/executor/committee/transactions.go	84.09% <0.00%> (-6.82%)	⬇️
go/worker/common/committee/p2p.go	70.00% <0.00%> (-6.67%)	⬇️
go/runtime/host/sandbox/sandbox.go	60.40% <0.00%> (-6.49%)	⬇️
go/common/grpc/auth/auth.go	94.73% <0.00%> (-5.27%)	⬇️
go/worker/beacon/tx_retry.go	90.47% <0.00%> (-4.77%)	⬇️
go/common/sgx/common.go	66.01% <0.00%> (-3.89%)	⬇️
... and 16 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[kostko]

Looks good, just remove the height checks from public key queries as those have no authentication anyway.