Conversation
| // PerRolePolicy defines additional role specific quote policies, that overwrite | ||
| // Policy when node with these roles does an attestation. | ||
| // | ||
| // A valid entry is for either [RoleComputeWorker] or [RoleObserver]. Single entry | ||
| // should not encode multiple roles. | ||
| PerRolePolicy map[RolesMask]quote.Policy `json:"per_role_policy,omitempty"` |
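Review bot: the invariant stated in the doc comment ("Single entry should not encode multiple roles", only [RoleComputeWorker] or [RoleObserver]) is not expressible in `map[RolesMask]quote.Policy`, so a key with several role bits set, or with a role outside those two, is accepted by the type. Add a validation step that rejects any key that is not exactly one of the two permitted single-role masks, and add a test for the multi-role key case, so the invariant is checked at registration rather than assumed by readers of `PolicyFor`.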
Given that:
- We only allow it for observer and compute roles
- Keymanager runtime kind does not allow it
- We don't see discriminating observer/compute access, as they both have access to same secrets,
How about simplifying things further and instead having ComputePolicy *quote.Policy that only applies for the compute runtimes for the observer/compute roles.
This should simplify assumptions, tests, comments, validations and avoid the need for new "at most one runtime sgx role" invariant.
| // Verify verifies the node's TEE capabilities, at the provided timestamp and height. | ||
| func (c *CapabilityTEE) Verify(teeCfg *TEEFeatures, ts time.Time, height uint64, constraints []byte, nodeID signature.PublicKey, isFeatureVersion242 bool) error { | ||
| func (c *CapabilityTEE) Verify(teeCfg *TEEFeatures, ts time.Time, height uint64, constraints []byte, nodeID signature.PublicKey, nodeRoles RolesMask, isFeatureVersion242 bool) error { |
NIT: All these functions should accept validation options structs?
| // ValidateBasic performs basic descriptor validity checks. | ||
| func (n *Node) ValidateBasic(strictVersion bool) error { | ||
| func (n *Node) ValidateBasic(strictVersion bool, isFeatureVersion242 bool) error { |
Nit: There is no such thing as ValidateBasic. Only Validate with clear invariants and tests for the invariants the Validate will check. Moreover, the validation params should probably be passed as part of the validation options struct. Possibly this check could also be part of the VerifyRegisterNodeArgs directly which avoids some additional changes, but feels off there.
| if r.Kind == KindKeyManager && cs.PerRolePolicy != nil { | ||
| return fmt.Errorf("%w: invalid SGX TEE constraints: keymanager runtime with per-role policies", ErrInvalidArgument) | ||
| } |
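Review bot: this check only rejects per-role policies for `KindKeyManager`; it does not verify the per-key invariant from the `PerRolePolicy` doc comment (each key must be exactly [RoleComputeWorker] or [RoleObserver]), so a compute runtime descriptor with a multi-role or unexpected key still passes here. Also, `cs.PerRolePolicy != nil` treats an empty non-nil map as an error while a nil map passes; if that distinction is not intended, compare `len(cs.PerRolePolicy) > 0` instead, and cover both cases in the tests.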
Or make it part of the ValidateBasic, again this should be Validate with validate option struct so that it is clear what we are validating.
go/common/node/sgx.go
| // PolicyFor returns a matching per-role policy when present, or otherwise falls back to the default policy. | ||
| // | ||
| // This function expects role mask that has at most one runtime SGX role. | ||
| func (s *SGXConstraints) PolicyFor(roles RolesMask) *quote.Policy { |
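Review bot: the precondition in the doc comment ("expects role mask that has at most one runtime SGX role") is not enforced by the signature, and nothing visible here rejects a mask carrying both runtime SGX roles; if the lookup keys `PerRolePolicy` by the full mask, such a mask would match neither single-role entry and silently fall back to the default policy, which is a weaker attestation policy than the caller may expect. Either validate the mask before it reaches this function or have `PolicyFor` return an error (or an explicit, documented choice) for that case, with a test for the two-role mask.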
It would be so much nicer if we would have RuntimeSGXRole type so that comments, invariants and corner cases are instead captured by the type system. Even per role policies could use this type as a key. Not sure there is practical / idiomatic way to achieve this in go.
Replaces #6410 following the simplifications agreed in #6387.
Considerations: