Key manager should use runtime quote policy

[kostko]

Currently the key manager runtime takes its own quote policy into account for all incoming EnclaveRPC connections. It should instead support using runtime quote policies in order to allow independent policies (eg. maybe a stricter quote policy for the key manager runtime itself, and more relaxed quote policy for runtimes).

[martintomazic]

Currently the key manager runtime takes its own quote policy into account for all incoming EnclaveRPC connections. It should instead support using per-runtime quote policies in order to allow independent policies...

Initially, I thought that if key-manager serves a secret for a runtime A, then all it cares during EnclaveRPC is that client (e.g. compute node) provides attestation that passes SGX constraints defined in the consensus for runtime A. This should be safe as secrets are derived per-runtime, moreover runtimes should have freedom (and responsibility) for setting suitable trust.

Looking at #6387 motivation:

This would allow a more relaxed general policy but stricter requirements for nodes that can access the key manager (e.g. compute/observer nodes).

Would it make sense to have it implemented this way? In fact when I started working on #6410, this was my initial idea/understanding.

[kostko]

That is exactly the idea mentioned in the issue -- eg. the key manager should use the runtime policies when deriving keys for downstream compute runtimes while it currently uses its own policy.

[martintomazic]

So this will also make MayQuery field from the key manager's EnclavePolicySGX struct redundant, given this will be now fetched form the consensus sgx constraints?

My initial understanding (wrong) was that this issues was about adding per-runtime sgx-constraints into the EnclavePolicySGX which obviously wouldn't make sense :).

Still we probably need to keep at least runtime ID, to give key-manager owner ability to choose, which runtime it is willing to serve.