datachainlab
diff --git a/‎app/src/commands/enclave.rs‎
Lines changed: 1 addition & 0 deletions b/‎app/src/commands/enclave.rs‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎modules/attestation-report/src/lib.rs‎
Lines changed: 1 addition & 1 deletion b/‎modules/attestation-report/src/lib.rs‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎modules/attestation-report/src/report.rs‎
Lines changed: 17 additions & 10 deletions b/‎modules/attestation-report/src/report.rs‎
Lines changed: 17 additions & 10 deletions
diff --git a/‎modules/keymanager/src/lib.rs‎
Lines changed: 72 additions & 25 deletions b/‎modules/keymanager/src/lib.rs‎
Lines changed: 72 additions & 25 deletions
diff --git a/‎modules/service/src/enclave.rs‎
Lines changed: 1 addition & 0 deletions b/‎modules/service/src/enclave.rs‎
Lines changed: 1 addition & 0 deletions
@@ -125,6 +125,7 @@ fn run_list_keys<E: EnclaveCommandAPI<S>, S: CommitStore>(
     let list = if input.available_only {
         km.available_keys(
             enclave.metadata()?.enclave_css.body.enclave_hash.m.into(),
+            input.enclave.is_debug(),
             None,
         )?
     } else {
 
@@ -23,7 +23,7 @@ mod prelude {
 pub use dcap::{DCAPQuote, Risc0ZKVMProof, ZKDCAPQuote, ZKVMProof};
 pub use errors::Error;
 pub use ias::{verify_ias_report, IASAttestationVerificationReport, IASSignedReport};
-pub use report::{QEType, Quote, RAQuote, RAType, ReportData};
+pub use report::{is_enclave_debug_enabled, QEType, Quote, RAQuote, RAType, ReportData};
 
 pub(crate) mod serde_base64 {
     use crate::prelude::*;
 
@@ -6,6 +6,7 @@ use core::str::FromStr;
 use crypto::Address;
 use lcp_types::Time;
 use serde::{Deserialize, Serialize};
+use sgx_types::sgx_report_body_t;
 use sgx_types::{metadata::metadata_t, sgx_measurement_t, sgx_quote_t, sgx_report_data_t};
 
 pub const REPORT_DATA_V1: u8 = 1;
@@ -63,25 +64,25 @@ impl FromStr for QEType {
 pub enum RAType {
     IAS,
     DCAP,
-    ZKDCAP,
-    MockZKDCAP,
+    ZKDCAPRisc0,
+    MockZKDCAPRisc0,
 }
 
 impl RAType {
     pub fn as_u32(&self) -> u32 {
         match self {
             Self::IAS => 1,
             Self::DCAP => 2,
-            Self::ZKDCAP => 3,
-            Self::MockZKDCAP => 4,
+            Self::ZKDCAPRisc0 => 3,
+            Self::MockZKDCAPRisc0 => 4,
         }
     }
     pub fn from_u32(v: u32) -> Result<Self, Error> {
         match v {
             1 => Ok(Self::IAS),
             2 => Ok(Self::DCAP),
-            3 => Ok(Self::ZKDCAP),
-            4 => Ok(Self::MockZKDCAP),
+            3 => Ok(Self::ZKDCAPRisc0),
+            4 => Ok(Self::MockZKDCAPRisc0),
             _ => Err(Error::invalid_ra_type(v)),
         }
     }
@@ -95,8 +96,8 @@ impl Display for RAType {
             match self {
                 Self::IAS => "ias",
                 Self::DCAP => "dcap",
-                Self::ZKDCAP => "zkdcap",
-                Self::MockZKDCAP => "mock_zkdcap",
+                Self::ZKDCAPRisc0 => "zkdcap_risc0",
+                Self::MockZKDCAPRisc0 => "mock_zkdcap_risc0",
             }
         )
     }
@@ -116,10 +117,11 @@ impl RAQuote {
             RAQuote::IAS(_) => RAType::IAS,
             RAQuote::DCAP(_) => RAType::DCAP,
             RAQuote::ZKDCAP(quote) => {
+                // currently only support Risc0
                 if quote.mock {
-                    RAType::MockZKDCAP
+                    RAType::MockZKDCAPRisc0
                 } else {
-                    RAType::ZKDCAP
+                    RAType::ZKDCAPRisc0
                 }
             }
         }
@@ -250,3 +252,8 @@ impl Quote {
         }
     }
 }
+
+/// Checks if the enclave debug flag is enabled for the given report body
+pub fn is_enclave_debug_enabled(report_body: &sgx_report_body_t) -> bool {
+    report_body.attributes.flags & sgx_types::SGX_FLAGS_DEBUG != 0
+}
@@ -1,7 +1,7 @@
 pub mod errors;
 pub use crate::errors::Error;
 use anyhow::anyhow;
-use attestation_report::{QEType, RAQuote, RAType, ReportData};
+use attestation_report::{is_enclave_debug_enabled, QEType, RAQuote, RAType, ReportData};
 use crypto::{Address, SealedEnclaveKey};
 use lcp_types::{
     deserialize_bytes,
@@ -18,13 +18,19 @@ use serde_with::serde_as;
 use sgx_types::sgx_report_t;
 use std::{path::Path, sync::Mutex, time::Duration};
 
+/// Key Manager database file name
 pub static KEY_MANAGER_DB: &str = "km.sqlite";
 
+/// Enclave Key Manager to manage sealed enclave key and attestation verification reports for the keys
 pub struct EnclaveKeyManager {
     conn: Mutex<Connection>,
 }
 
 impl EnclaveKeyManager {
+    /// Create a new Key Manager instance
+    ///
+    /// # Arguments
+    /// - `home_dir` - The directory where the LCP's home directory is located
     pub fn new(home_dir: &Path) -> Result<Self, Error> {
         let km_db = home_dir.join(KEY_MANAGER_DB);
         let db_exists = km_db.exists();
@@ -37,6 +43,7 @@ impl EnclaveKeyManager {
         Ok(this)
     }
 
+    /// Create a new Key Manager instance with an in-memory database
     #[cfg(test)]
     pub fn new_in_memory() -> Result<Self, Error> {
         let conn = Mutex::new(Connection::open_in_memory()?);
@@ -59,6 +66,7 @@ impl EnclaveKeyManager {
                 ek_sealed BLOB NOT NULL,
                 mrenclave TEXT NOT NULL,
                 report BLOB NOT NULL,
+                enclave_debug INTEGER NOT NULL,
                 qe_type INTEGER NOT NULL,
                 ra_type INTEGER,
                 ra_quote TEXT,
@@ -81,7 +89,7 @@ impl EnclaveKeyManager {
             .map_err(|e| Error::mutex_lock(e.to_string()))?;
         let mut stmt = conn.prepare(
             r#"
-            SELECT ek_sealed, mrenclave, report, qe_type, ra_quote
+            SELECT ek_sealed, mrenclave, report, qe_type, enclave_debug, ra_quote
             FROM enclave_keys
             WHERE ek_address = ?1
             "#,
@@ -118,7 +126,8 @@ impl EnclaveKeyManager {
                         anyhow!("qe_type: {:?}", e).into(),
                     )
                 })?,
-                ra_quote: match row.get::<_, Option<String>>(4) {
+                enclave_debug: row.get::<_, i64>(4)? != 0,
+                ra_quote: match row.get::<_, Option<String>>(5) {
                     Ok(None) => None,
                     Ok(Some(ra_quote)) => Some(RAQuote::from_json(&ra_quote).map_err(|e| {
                         rusqlite::Error::FromSqlConversionFailure(
@@ -147,8 +156,8 @@ impl EnclaveKeyManager {
             .map_err(|e| Error::mutex_lock(e.to_string()))?;
         let mut stmt = conn.prepare(
             r#"
-            INSERT INTO enclave_keys(ek_address, ek_sealed, mrenclave, report, qe_type)
-            VALUES (?1, ?2, ?3, ?4, ?5)
+            INSERT INTO enclave_keys(ek_address, ek_sealed, mrenclave, report, enclave_debug, qe_type)
+            VALUES (?1, ?2, ?3, ?4, ?5, ?6)
             "#,
         )?;
         let rd = ReportData::from(report.body.report_data);
@@ -157,6 +166,7 @@ impl EnclaveKeyManager {
             sealed_ek.to_vec(),
             Mrenclave::from(report.body.mr_enclave).to_hex_string(),
             serialize_bytes(&report),
+            is_enclave_debug_enabled(&report.body),
             qe_type.as_u32()
         ])?;
         Ok(())
@@ -188,6 +198,7 @@ impl EnclaveKeyManager {
     pub fn available_keys(
         &self,
         mrenclave: Mrenclave,
+        enclave_debug: bool,
         ra_type: Option<RAType>,
     ) -> Result<Vec<SealedEnclaveKeyInfo>, Error> {
         let conn = self
@@ -199,25 +210,25 @@ impl EnclaveKeyManager {
             (
                 conn.prepare(
                     r#"
-                SELECT ek_address, ek_sealed, mrenclave, report, qe_type, ra_quote
+                SELECT ek_address, ek_sealed, mrenclave, report, qe_type, enclave_debug, ra_quote
                 FROM enclave_keys
-                WHERE attested_at IS NOT NULL AND mrenclave = ?1 AND ra_type = ?2
+                WHERE attested_at IS NOT NULL AND mrenclave = ?1 AND enclave_debug = ?2 AND ra_type = ?3
                 ORDER BY attested_at DESC
                 "#,
                 )?,
-                params![mrenclave.to_hex_string(), ra_type.as_u32()],
+                params![mrenclave.to_hex_string(), enclave_debug, ra_type.as_u32()],
             )
         } else {
             (
                 conn.prepare(
                     r#"
-                SELECT ek_address, ek_sealed, mrenclave, report, qe_type, ra_quote
+                SELECT ek_address, ek_sealed, mrenclave, report, qe_type, enclave_debug, ra_quote
                 FROM enclave_keys
-                WHERE attested_at IS NOT NULL AND mrenclave = ?1
+                WHERE attested_at IS NOT NULL AND mrenclave = ?1 AND enclave_debug = ?2
                 ORDER BY attested_at DESC
                 "#,
                 )?,
-                params![mrenclave.to_hex_string()],
+                params![mrenclave.to_hex_string(), enclave_debug],
             )
         };
 
@@ -264,7 +275,8 @@ impl EnclaveKeyManager {
                             anyhow!("qe_type: {:?}", e).into(),
                         )
                     })?,
-                    ra_quote: match row.get::<_, Option<String>>(5) {
+                    enclave_debug: row.get::<_, i64>(5)? != 0,
+                    ra_quote: match row.get::<_, Option<String>>(6) {
                         Ok(None) => None,
                         Ok(Some(ra_quote)) => Some(RAQuote::from_json(&ra_quote).map_err(|e| {
                             rusqlite::Error::FromSqlConversionFailure(
@@ -289,7 +301,7 @@ impl EnclaveKeyManager {
             .map_err(|e| Error::mutex_lock(e.to_string()))?;
         let mut stmt = conn.prepare(
             r#"
-            SELECT ek_address, ek_sealed, mrenclave, report, qe_type, ra_quote
+            SELECT ek_address, ek_sealed, mrenclave, report, qe_type, enclave_debug, ra_quote
             FROM enclave_keys
             ORDER BY updated_at DESC
             "#,
@@ -337,7 +349,8 @@ impl EnclaveKeyManager {
                             anyhow!("qe_type: {:?}", e).into(),
                         )
                     })?,
-                    ra_quote: match row.get::<_, Option<String>>(5) {
+                    enclave_debug: row.get::<_, i64>(5)? != 0,
+                    ra_quote: match row.get::<_, Option<String>>(6) {
                         Ok(None) => None,
                         Ok(Some(avr)) => Some(RAQuote::from_json(&avr).map_err(|e| {
                             rusqlite::Error::FromSqlConversionFailure(
@@ -376,6 +389,7 @@ pub struct SealedEnclaveKeyInfo {
     #[serde_as(as = "BytesTransmuter<sgx_report_t>")]
     pub report: sgx_report_t,
     pub qe_type: QEType,
+    pub enclave_debug: bool,
     pub ra_quote: Option<RAQuote>,
 }
 
@@ -461,14 +475,16 @@ mod tests {
         let mrenclave = create_mrenclave();
         let address_0 = {
             let address = create_address();
-            let report = create_report(mrenclave, address);
+            let report = create_report(mrenclave, address, false);
             let sealed_ek = create_sealed_sk();
             assert_eq!(km.all_keys().unwrap().len(), 0);
             km.save(sealed_ek, report, QEType::QE).unwrap();
-            assert!(km.load(address).unwrap().ra_quote.is_none());
+            let eki = km.load(address).unwrap();
+            assert!(eki.ra_quote.is_none());
+            assert!(!eki.enclave_debug);
             assert_eq!(km.all_keys().unwrap().len(), 1);
             assert_eq!(
-                km.available_keys(mrenclave, Some(RAType::IAS))
+                km.available_keys(mrenclave, false, Some(RAType::IAS))
                     .unwrap()
                     .len(),
                 0
@@ -478,7 +494,7 @@ mod tests {
             assert!(km.load(address).unwrap().ra_quote.is_some());
             assert_eq!(km.all_keys().unwrap().len(), 1);
             assert_eq!(
-                km.available_keys(mrenclave, Some(RAType::IAS))
+                km.available_keys(mrenclave, false, Some(RAType::IAS))
                     .unwrap()
                     .len(),
                 1
@@ -487,14 +503,14 @@ mod tests {
         };
         {
             let address = create_address();
-            let report = create_report(mrenclave, address);
+            let report = create_report(mrenclave, address, false);
             let sealed_ek = create_sealed_sk();
             assert_eq!(km.all_keys().unwrap().len(), 1);
             km.save(sealed_ek, report, QEType::QE).unwrap();
             assert!(km.load(address).unwrap().ra_quote.is_none());
             assert_eq!(km.all_keys().unwrap().len(), 2);
             assert_eq!(
-                km.available_keys(mrenclave, Some(RAType::IAS))
+                km.available_keys(mrenclave, false, Some(RAType::IAS))
                     .unwrap()
                     .len(),
                 1
@@ -504,29 +520,58 @@ mod tests {
             assert!(km.load(address).unwrap().ra_quote.is_some());
             assert_eq!(km.all_keys().unwrap().len(), 2);
             assert_eq!(
-                km.available_keys(mrenclave, Some(RAType::IAS))
+                km.available_keys(mrenclave, false, Some(RAType::IAS))
                     .unwrap()
                     .len(),
                 2
             );
         }
         // there are no keys available for the mrenclave
         assert_eq!(
-            km.available_keys(create_mrenclave(), Some(RAType::IAS))
+            km.available_keys(create_mrenclave(), false, Some(RAType::IAS))
                 .unwrap()
                 .len(),
             0
         );
         assert_eq!(km.prune(30).unwrap(), 1);
         assert_eq!(km.all_keys().unwrap().len(), 1);
         assert_eq!(
-            km.available_keys(mrenclave, Some(RAType::IAS))
+            km.available_keys(mrenclave, false, Some(RAType::IAS))
                 .unwrap()
                 .first()
                 .unwrap()
                 .address,
             address_0
         );
+        // create enclave_debug enabled key
+        {
+            let address = create_address();
+            let report = create_report(mrenclave, address, true);
+            let sealed_ek = create_sealed_sk();
+            km.save(sealed_ek, report, QEType::QE).unwrap();
+            assert_eq!(km.all_keys().unwrap().len(), 2);
+            let ki = km.load(address).unwrap();
+            assert!(ki.enclave_debug);
+
+            let ias_report = create_ias_report(get_time(Duration::zero()));
+            km.save_ra_quote(address, ias_report.into()).unwrap();
+            assert!(km.load(address).unwrap().ra_quote.is_some());
+            assert_eq!(km.all_keys().unwrap().len(), 2);
+            // if `enclave_debug` is true, should return only the key with enclave_debug enabled
+            assert_eq!(
+                km.available_keys(mrenclave, true, Some(RAType::IAS))
+                    .unwrap()
+                    .len(),
+                1
+            );
+            // if `enclave_debug` is false, should return only the key with enclave_debug disabled
+            assert_eq!(
+                km.available_keys(mrenclave, false, Some(RAType::IAS))
+                    .unwrap()
+                    .len(),
+                1
+            )
+        }
     }
 
     #[test]
@@ -535,7 +580,7 @@ mod tests {
         let mrenclave = create_mrenclave();
         let sealed_ek = create_sealed_sk();
         let address = create_address();
-        let report = create_report(mrenclave, address);
+        let report = create_report(mrenclave, address, false);
         km.save(sealed_ek, report, QEType::QE).unwrap();
         let key_info = km.load(address).unwrap();
         assert!(ProtoEnclaveKeyInfo::try_from(key_info).is_err());
@@ -560,10 +605,11 @@ mod tests {
         SealedEnclaveKey::new_from_bytes(&sealed_sk).unwrap()
     }
 
-    fn create_report(mrenclave: Mrenclave, ek_addr: Address) -> sgx_report_t {
+    fn create_report(mrenclave: Mrenclave, ek_addr: Address, enclave_debug: bool) -> sgx_report_t {
         let mut report = sgx_report_t::default();
         report.body.mr_enclave = mrenclave.into();
         report.body.report_data = ReportData::new(ek_addr, None).into();
+        report.body.attributes.flags = sgx_types::SGX_FLAGS_DEBUG * enclave_debug as u64;
         report
     }
 
@@ -574,6 +620,7 @@ mod tests {
     }
 
     fn create_ias_report(timestamp: DateTime<Utc>) -> IASSignedReport {
+        // TODO set correct quote body
         IASSignedReport {
             avr: IASAttestationVerificationReport {
                 version: 4,
 
@@ -27,6 +27,7 @@ where
             .get_key_manager()
             .available_keys(
                 Mrenclave::try_from(req.mrenclave).map_err(|e| Status::aborted(e.to_string()))?,
+                req.enclave_debug,
                 if req.ra_type == 0 {
                     None
                 } else {
Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,7 @@ use core::str::FromStr;`
`6`	`6`	`use crypto::Address;`
`7`	`7`	`use lcp_types::Time;`
`8`	`8`	`use serde::{Deserialize, Serialize};`
	`9`	`+use sgx_types::sgx_report_body_t;`
`9`	`10`	`use sgx_types::{metadata::metadata_t, sgx_measurement_t, sgx_quote_t, sgx_report_data_t};`
`10`	`11`
`11`	`12`	`pub const REPORT_DATA_V1: u8 = 1;`
`@@ -63,25 +64,25 @@ impl FromStr for QEType {`
`63`	`64`	`pub enum RAType {`
`64`	`65`	`IAS,`
`65`	`66`	`DCAP,`
`66`		`- ZKDCAP,`
`67`		`- MockZKDCAP,`
	`67`	`+ ZKDCAPRisc0,`
	`68`	`+ MockZKDCAPRisc0,`
`68`	`69`	`}`
`69`	`70`
`70`	`71`	`impl RAType {`
`71`	`72`	`pub fn as_u32(&self) -> u32 {`
`72`	`73`	`match self {`
`73`	`74`	`Self::IAS => 1,`
`74`	`75`	`Self::DCAP => 2,`
`75`		`- Self::ZKDCAP => 3,`
`76`		`- Self::MockZKDCAP => 4,`
	`76`	`+ Self::ZKDCAPRisc0 => 3,`
	`77`	`+ Self::MockZKDCAPRisc0 => 4,`
`77`	`78`	`}`
`78`	`79`	`}`
`79`	`80`	`pub fn from_u32(v: u32) -> Result<Self, Error> {`
`80`	`81`	`match v {`
`81`	`82`	`1 => Ok(Self::IAS),`
`82`	`83`	`2 => Ok(Self::DCAP),`
`83`		`- 3 => Ok(Self::ZKDCAP),`
`84`		`- 4 => Ok(Self::MockZKDCAP),`
	`84`	`+ 3 => Ok(Self::ZKDCAPRisc0),`
	`85`	`+ 4 => Ok(Self::MockZKDCAPRisc0),`
`85`	`86`	`_ => Err(Error::invalid_ra_type(v)),`
`86`	`87`	`}`
`87`	`88`	`}`
`@@ -95,8 +96,8 @@ impl Display for RAType {`
`95`	`96`	`match self {`
`96`	`97`	`Self::IAS => "ias",`
`97`	`98`	`Self::DCAP => "dcap",`
`98`		`- Self::ZKDCAP => "zkdcap",`
`99`		`- Self::MockZKDCAP => "mock_zkdcap",`
	`99`	`+ Self::ZKDCAPRisc0 => "zkdcap_risc0",`
	`100`	`+ Self::MockZKDCAPRisc0 => "mock_zkdcap_risc0",`
`100`	`101`	`}`
`101`	`102`	`)`
`102`	`103`	`}`
`@@ -116,10 +117,11 @@ impl RAQuote {`
`116`	`117`	`RAQuote::IAS(_) => RAType::IAS,`
`117`	`118`	`RAQuote::DCAP(_) => RAType::DCAP,`
`118`	`119`	`RAQuote::ZKDCAP(quote) => {`
	`120`	`+ // currently only support Risc0`
`119`	`121`	`if quote.mock {`
`120`		`- RAType::MockZKDCAP`
	`122`	`+ RAType::MockZKDCAPRisc0`
`121`	`123`	`} else {`
`122`		`- RAType::ZKDCAP`
	`124`	`+ RAType::ZKDCAPRisc0`
`123`	`125`	`}`
`124`	`126`	`}`
`125`	`127`	`}`
`@@ -250,3 +252,8 @@ impl Quote {`
`250`	`252`	`}`
`251`	`253`	`}`
`252`	`254`	`}`
	`255`	`+`
	`256`	`+/// Checks if the enclave debug flag is enabled for the given report body`
	`257`	`+pub fn is_enclave_debug_enabled(report_body: &sgx_report_body_t) -> bool {`
	`258`	`+ report_body.attributes.flags & sgx_types::SGX_FLAGS_DEBUG != 0`
	`259`	`+}`