go: Per-role quote policies #6410
Conversation
✅ Deploy Preview for oasisprotocol-oasis-core canceled.
|
| rak signature.PublicKey, | ||
| rek *x25519.PublicKey, | ||
| nodeID signature.PublicKey, | ||
| n *Node, |
There was a problem hiding this comment.
NIT: Followed the pattern from the admission policy. Alternative is to pass nodeID and roles (bitmask) by value.
Passing whole struct by reference feels dangerous as accidental mutations in the helper functions (possibly in the future) may affect the logic upstream.
martintomazic
added
the
c:breaking/consensus
martintomazic
force-pushed
the
martin/feature/per-role-quote-policies
branch
from
fddedc5 to
9e35bd3
Compare
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## master #6410 +/- ##
===========================================
+ Coverage 0 64.51% +64.51%
===========================================
Files 0 698 +698
Lines 0 68130 +68130
===========================================
+ Hits 0 43955 +43955
- Misses 0 19130 +19130
- Partials 0 5045 +5045 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
martintomazic
force-pushed
the
martin/feature/per-role-quote-policies
branch
2 times, most recently
from
13d201f to
5aec2d9
Compare
runtime/src/identity.rs
Outdated
| // TODO Add per role quote policy. | ||
| // But if the runtime cannot trust the host how can it obtain the "role" that is being used for? | ||
| // Query consensus registry using `node_id`, to obtain the current node struct and thus it's roles? | ||
| // But the host could set any node_id... |
There was a problem hiding this comment.
It needs to query verified consensus state via the consensus verifier.
The host cannot spoof the node ID as it is included in the TEE capability which includes a node ID which is checked during on-chain registration.
Binding generated during attestation:
oasis-core/runtime/src/attestation.rs
Lines 143 to 150 in f73f73c
And verified by consensus during each registration refresh:
oasis-core/go/common/node/sgx.go
Line 250 in f73f73c
We could also change the way the host returns its identity by having the runtime produce a nonce which the host must sign using a special context and return the signature together with the public key. This would prove the host has access to the private key.
martintomazic
force-pushed
the
martin/feature/per-role-quote-policies
branch
from
5aec2d9 to
db8d2a6
Compare
Observe that already prior to this commit consensus and runtime quote verification with regards to runtime constaints were not symetric. Consensus part in addition to the runtime constrains may also apply default constaints from the consensus parameters. The runtime part on the other hand only applies runtime constraints. Currently, this is not problematic as as default policy as per the consensus parameters is nil, but this may change in the future. Nit: I would change to sc.ApplyDefaultConstraints(cfg.SGX), as normaly the mutated part should be pointer receiver.
Alternative would be to pass the expected roles during initialization and bypass using host protocol.
This verification was redundant, possibly causing confusing logs.
martintomazic
force-pushed
the
martin/feature/per-role-quote-policies
branch
from
db8d2a6 to
750e25a
Compare
Wip.
Closes #6387, follows #6331
Status:
This is ready for preliminary high level review, mainly I would like us to focus on the TODO, that I also explained under Challenges in the design doc.
Once we align on the requirements, and finalize some implementation/design decision I will write the final code and thorough test suite, given this is security critical PR. Please ignore style and code quality until then.