Harden SGX-mode registration

* Handle missing SGX verification status CONFIGURATION_AND_SW_HARDENING_NEEDED Signed-off-by: Michael Steiner <[email protected]>
hyperledger-labs · Apr 9, 2024 · b42682d · b42682d
1 parent f34f9a0
commit b42682d
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 3 deletions.
diff --git a/eservice/pdo/eservice/pdo_enclave.py b/eservice/pdo/eservice/pdo_enclave.py
@@ -309,6 +309,8 @@ def create_signup_info(originator_public_key_hash, nonce):
                 logger.warning("Quote has GROUP_OUT_OF_DATE status (update your BIOS/microcode!!!) keep going")
             elif _ias.last_verification_error() == "SW_HARDENING_NEEDED":
                 logger.warning("Quote has SW_HARDENING_NEEDED status (update your platform!!!) keep going")
+            elif _ias.last_verification_error() == "CONFIGURATION_AND_SW_HARDENING_NEEDED":
+                logger.warning("Quote has CONFIGURATION_AND_SW_HARDENING_NEEDED status (update your platform!!!) keep going")
             else:
                 logger.error("invalid report fields")
                 return None

diff --git a/ledgers/ccf/transaction_processor/pdo_tp.cpp b/ledgers/ccf/transaction_processor/pdo_tp.cpp
@@ -293,8 +293,10 @@ namespace ccfapp
                 // Verify the verification report enclave quote status
                 transform(verification_report.isvEnclaveQuoteStatus.begin(), verification_report.isvEnclaveQuoteStatus.end(),
                     verification_report.isvEnclaveQuoteStatus.begin(), ::toupper);
-                if ((verification_report.isvEnclaveQuoteStatus != OK_QUOTE_STATUS) && (verification_report.isvEnclaveQuoteStatus != GROUP_OUT_OF_DATE_QUOTE_STATUS) &&
-                     (verification_report.isvEnclaveQuoteStatus != SW_HARDENING_NEEDED_QUOTE_STATUS))  {
+                if ((verification_report.isvEnclaveQuoteStatus != OK_QUOTE_STATUS) && 
+                    (verification_report.isvEnclaveQuoteStatus != GROUP_OUT_OF_DATE_QUOTE_STATUS) &&
+                    (verification_report.isvEnclaveQuoteStatus != SW_HARDENING_NEEDED_QUOTE_STATUS) && 
+                    (verification_report.isvEnclaveQuoteStatus != CONFIGURATION_AND_SW_HARDENING_NEEDED_QUOTE_STATUS))  {
                     return ccf::make_error(
                         HTTP_STATUS_BAD_REQUEST, ccf::errors::InvalidInput, "Enclave attestation report verification Failed. Invalid quote status");
                 }

diff --git a/ledgers/ccf/transaction_processor/pdo_tp.h b/ledgers/ccf/transaction_processor/pdo_tp.h
@@ -61,6 +61,7 @@ namespace ccfapp
     const string OK_QUOTE_STATUS{"OK"};
     const string GROUP_OUT_OF_DATE_QUOTE_STATUS{"GROUP_OUT_OF_DATE"};
     const string SW_HARDENING_NEEDED_QUOTE_STATUS{"SW_HARDENING_NEEDED"};
+    const string CONFIGURATION_AND_SW_HARDENING_NEEDED_QUOTE_STATUS{"CONFIGURATION_AND_SW_HARDENING_NEEDED"};
     const int BASENAME_SIZE{32};
     const int ORIGINATOR_KEY_HASH_SIZE{64};
 

diff --git a/pservice/lib/libpdo_enclave/secret_enclave.cpp b/pservice/lib/libpdo_enclave/secret_enclave.cpp
@@ -613,7 +613,7 @@ pdo_err_t VerifyEnclaveInfo(const std::string& enclaveInfo,
     int r;
     // verify quote (group-of-date is considered ok)
     r = verify_enclave_quote_status(verificationReport.c_str(), verificationReport.length(),
-            QSF_ACCEPT_GROUP_OUT_OF_DATE | QSF_ACCEPT_SW_HARDENING_NEEDED);
+            QSF_ACCEPT_GROUP_OUT_OF_DATE | QSF_ACCEPT_SW_HARDENING_NEEDED | QSF_ACCEPT_CONFIGURATION_AND_SW_HARDENING_NEEDED);
     pdo::error::ThrowIf<pdo::error::ValueError>(
         r!=VERIFY_SUCCESS, "Invalid Enclave Quote");