Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bind TEE attestations to nodes and enforce freshness #4926

Merged
merged 2 commits into from
Sep 18, 2022
Merged

Bind TEE attestations to nodes and enforce freshness #4926

merged 2 commits into from
Sep 18, 2022

Conversation

kostko
Copy link
Member

@kostko kostko commented Sep 9, 2022

Based on #4922

@kostko kostko force-pushed the kostko/feature/tee-consensus-nonce branch 3 times, most recently from de5bac5 to de331d6 Compare September 9, 2022 12:07
@peternose peternose force-pushed the peternose/feature/client-freshness-verification branch 4 times, most recently from e729284 to d80da34 Compare September 12, 2022 13:36
Base automatically changed from peternose/feature/client-freshness-verification to master September 12, 2022 15:00
@kostko kostko force-pushed the kostko/feature/tee-consensus-nonce branch 2 times, most recently from 72fc693 to 3a3dddc Compare September 13, 2022 08:40
@codecov
Copy link

codecov bot commented Sep 13, 2022
edited
Loading

Codecov Report

Merging #4926 (f6ce0d6) into master (06012a8) will increase coverage by 0.11%.
The diff coverage is 70.39%.

@@            Coverage Diff             @@
##           master    #4926      +/-   ##
==========================================
+ Coverage   66.64%   66.76%   +0.11%     
==========================================
  Files         464      464              
  Lines       51204    51221      +17     
==========================================
+ Hits        34127    34199      +72     
+ Misses      12891    12845      -46     
+ Partials     4186     4177       -9
Impacted Files Coverage Δ
go/common/version/version.go 80.26% <ø> (ø)
go/consensus/tendermint/apps/roothash/api.go 100.00% <ø> (ø)
go/keymanager/api/api.go 80.64% <0.00%> (ø)
go/registry/api/api.go 57.46% <0.00%> (ø)
go/runtime/host/protocol/types.go 54.54% <ø> (ø)
go/runtime/host/sgx/ecdsa.go 7.29% <0.00%> (-0.41%) ⬇️
go/worker/common/committee/runtime_host.go 83.33% <ø> (+27.77%) ⬆️
go/worker/keymanager/worker.go 65.50% <ø> (-0.45%) ⬇️
go/common/node/sgx.go 75.22% <51.28%> (-12.62%) ⬇️
go/runtime/registry/host.go 69.32% <63.63%> (-0.20%) ⬇️
... and 67 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

@kostko kostko marked this pull request as ready for review September 13, 2022 09:58
@kostko kostko requested a review from peternose September 13, 2022 09:58
peternose
peternose reviewed Sep 14, 2022
View reviewed changes
Copy link
Contributor

@peternose peternose left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great 💯 Just left some minor observations, not sure if we need to address them.
Didn't test this though as I'm not sure if I can without the SGX.

go/runtime/registry/registry.go Show resolved Hide resolved
go/runtime/registry/registry.go Outdated Show resolved Hide resolved
go/common/node/node.go Outdated Show resolved Hide resolved
go/common/node/node.go Outdated Show resolved Hide resolved
go/common/node/sgx.go
@@ -95,6 +103,11 @@ func (sc *SGXConstraints) ValidateBasic(cfg *TEEFeatures) error {
if !cfg.SGX.PCS && sc.V != 0 {
return fmt.Errorf("unsupported SGX constraints version: %d", sc.V)
}
// Sanity check version (should never fail as deserialization already checks this).
if sc.V > LatestSGXConstraintsVersion {
return fmt.Errorf("unsupported SGX constraints version: %d", sc.V)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could merge with previous if since both errors are the same (could also change the error). Same below.

go/common/node/sgx.go Outdated Show resolved Hide resolved
go/common/node/sgx.go Show resolved Hide resolved
go/common/node/sgx.go Outdated Show resolved Hide resolved
go/common/node/tee_test.go Show resolved Hide resolved
go/oasis-node/cmd/genesis/genesis.go
regSt.Parameters.TEEFeatures = &node.TEEFeatures{}
}
regSt.Parameters.TEEFeatures.SGX.SignedAttestations = true
regSt.Parameters.TEEFeatures.SGX.DefaultMaxAttestationAge = 1200 // ~2 hours at 6 sec per block.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Value 1200 could also be moved to a constant as we are using it on 3 places.

@kostko kostko force-pushed the kostko/feature/tee-consensus-nonce branch from 3a3dddc to f6ce0d6 Compare September 14, 2022 11:39
@kostko kostko merged commit 59c0d20 into master Sep 18, 2022
@kostko kostko deleted the kostko/feature/tee-consensus-nonce branch September 18, 2022 07:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@peternose peternose peternose approved these changes

@Yawning Yawning Yawning approved these changes

@peterjgilbert peterjgilbert Awaiting requested review from peterjgilbert peterjgilbert is a code owner

@pro-wh pro-wh Awaiting requested review from pro-wh pro-wh is a code owner

@ptrus ptrus Awaiting requested review from ptrus ptrus is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@kostko @Yawning @peternose