From 1ea6c4438f78deaec168906015bce0eaadf08b99 Mon Sep 17 00:00:00 2001
From: ptrus
Date: Fri, 31 Jul 2020 17:22:25 +0200
Subject: [PATCH] go/registry: Require SGX for non-test compute runtimes using km

---
 .changelog/3159.breaking.md | 5 +++++
 go/genesis/genesis_test.go | 6 ++++++
 go/registry/api/api.go | 9 +++++++++
 go/registry/tests/tester.go | 30 +++++++++++++++++++++++++++++-
 4 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 .changelog/3159.breaking.md

diff --git a/.changelog/3159.breaking.md b/.changelog/3159.breaking.md
new file mode 100644
index 00000000000..f18582d0fb4
--- /dev/null
+++ b/.changelog/3159.breaking.md
@@ -0,0 +1,5 @@
+go/registry: Require SGX for non-test compute runtimes using a key manager
+
+Note: Existing deployments might need to alter the state dump to fix any
+existing compute runtimes that registered without SGX hardware and have
+keymanager runtime configured.
diff --git a/go/genesis/genesis_test.go b/go/genesis/genesis_test.go
index 1f8c1686eeb..a6c162510a1 100644
--- a/go/genesis/genesis_test.go
+++ b/go/genesis/genesis_test.go
@@ -224,6 +224,12 @@ func TestGenesisSanityCheck(t *testing.T) {
 AdmissionPolicy: registry.RuntimeAdmissionPolicy{
 AnyNode: ®istry.AnyNodeRuntimeAdmissionPolicy{},
 },
+ TEEHardware: node.TEEHardwareIntelSGX,
+ Version: registry.VersionInfo{
+ TEE: cbor.Marshal(registry.VersionInfoIntelSGX{
+ Enclaves: []sgx.EnclaveIdentity{{}},
+ }),
+ },
 }
 
 signedTestRuntime := signRuntimeOrDie(signer, testRuntime)
diff --git a/go/registry/api/api.go b/go/registry/api/api.go
index 9f518b6cf35..81876fa3242 100644
--- a/go/registry/api/api.go
+++ b/go/registry/api/api.go
@@ -1247,6 +1247,15 @@ func VerifyRegisterComputeRuntimeArgs(ctx context.Context, logger *logging.Logge
 )
 return ErrInvalidArgument
 }
+
+ // Currently the keymanager implementation assumes SGX. Unless this is a
+ // test runtime, using a keymanager without using SGX is unsupported.
+ if !rt.ID.IsTest() && rt.TEEHardware != node.TEEHardwareIntelSGX {
+ logger.Error("RegisterRuntime: runtime without SGX using key manager",
+ "id", rt.ID,
+ )
+ return fmt.Errorf("%w: compute runtime without SGX using key manager", ErrInvalidArgument)
+ }
 }
 
 return nil
diff --git a/go/registry/tests/tester.go b/go/registry/tests/tester.go
index 74e16c0b22f..6e3cfc3052a 100644
--- a/go/registry/tests/tester.go
+++ b/go/registry/tests/tester.go
@@ -684,7 +684,35 @@ func testRegistryRuntime(t *testing.T, backend api.Backend, consensus consensusA
 true,
 true,
 },
- // Runtime with key manager set.
+ // Runtime with key manager set, without SGX.
+ {
+ "NoSGXWithKM",
+ func(rt *api.Runtime) {
+ rt.KeyManager = &rtMapByName["KeyManager"].ID
+ // Set non-test runtime.
+ rt.ID = newNamespaceFromSeed([]byte("NoSGXWithKM"), 0)
+ },
+ false,
+ false,
+ },
+ // SGX Runtime with key manager set.
+ {
+ "SGXWithKM",
+ func(rt *api.Runtime) {
+ rt.KeyManager = &rtMapByName["KeyManager"].ID
+ rt.TEEHardware = node.TEEHardwareIntelSGX
+
+ vi := api.VersionInfoIntelSGX{
+ Enclaves: []sgx.EnclaveIdentity{{}},
+ }
+ rt.Version.TEE = cbor.Marshal(vi)
+ // Set non-test runtime.
+ rt.ID = newNamespaceFromSeed([]byte("SGXWithKM"), 0)
+ },
+ false,
+ true,
+ },
+ // Test Runtime with key manager set.
 {
 "WithKM",
 func(rt *api.Runtime) {
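Review bot: The new guard in api.go returns `fmt.Errorf("%w: compute runtime without SGX using key manager", ErrInvalidArgument)` while the sibling check a few lines above in the same block returns bare `ErrInvalidArgument`; `errors.Is` treats both alike, but anything matching on the error text now sees two shapes from one function, so either wrap the earlier return the same way or keep the bare sentinel here. The condition only inspects the `TEEHardware` field; that a consistent `Version.TEE` carrying SGX enclave identities is also required appears to be enforced elsewhere (the genesis test had to add one to keep passing), but that check is not visible in this hunk and is worth confirming on the same registration path, since the hardware field alone is self-declared by the registrant. The `rt.ID.IsTest()` exemption lets test-ID runtimes still pair a key manager with no TEE, which the comment should say explicitly, e.g. `// Test runtimes (rt.ID.IsTest()) are exempt so non-SGX test deployments keep working.` The enclosing `if` block (presumably the key-manager branch) and VerifyRegisterComputeRuntimeArgs itself start outside the hunk.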