@@ -35,32 +35,32 @@ contract KmsAuth is
3535 // Mapping of registered apps
3636 mapping (address => AppConfig) public apps;
3737
38- // Mapping of allowed aggregated MR measurements
39- mapping (bytes32 => bool ) public allowedAggregatedMrs;
38+ // Mapping of allowed aggregated MR measurements for running KMS
39+ mapping (bytes32 => bool ) public kmsAllowedAggregatedMrs;
40+
41+ // Mapping of allowed KMS device IDs
42+ mapping (bytes32 => bool ) public kmsAllowedDeviceIds;
4043
4144 // Mapping of allowed image measurements
42- mapping (bytes32 => bool ) public allowedImages ;
45+ mapping (bytes32 => bool ) public appAllowedImages ;
4346
4447 // Mapping of allowed KMS compose hashes
45- mapping (bytes32 => bool ) public allowedKmsComposeHashes;
46-
47- // Mapping of allowed KMS device IDs
48- mapping (bytes32 => bool ) public allowedKmsDeviceIds;
48+ mapping (bytes32 => bool ) public appAllowedSystemMrs;
4949
5050 // Sequence number for app IDs - per user
5151 mapping (address => uint256 ) public nextAppSequence;
5252
5353 // Events
5454 event AppRegistered (address appId );
5555 event KmsInfoSet (bytes k256Pubkey );
56- event AggregatedMrRegistered (bytes32 mrAggregated );
57- event AggregatedMrDeregistered (bytes32 mrAggregated );
58- event ImageRegistered (bytes32 mrImage );
59- event ImageDeregistered (bytes32 mrImage );
60- event KmsComposeHashRegistered (bytes32 composeHash );
61- event KmsComposeHashDeregistered (bytes32 composeHash );
62- event KmsDeviceIdRegistered (bytes32 deviceId );
63- event KmsDeviceIdDeregistered (bytes32 deviceId );
56+ event KmsAggregatedMrAdded (bytes32 mrAggregated );
57+ event KmsAggregatedMrRemoved (bytes32 mrAggregated );
58+ event KmsDeviceAdded (bytes32 deviceId );
59+ event KmsDeviceRemoved (bytes32 deviceId );
60+ event AppImageMrAdded (bytes32 mrImage );
61+ event AppImageMrRemoved (bytes32 mrImage );
62+ event AppSystemMrAdded (bytes32 mrSystem );
63+ event AppSystemMrRemoved (bytes32 mrSystem );
6464 event TproxyAppIdSet (string tproxyAppId );
6565
6666 /// @custom:oz-upgrades-unsafe-allow constructor
@@ -104,7 +104,11 @@ contract KmsAuth is
104104 // View next app id
105105 function nextAppId () public view returns (address appId ) {
106106 bytes32 fullHash = keccak256 (
107- abi.encodePacked (address (this ), msg .sender , nextAppSequence[msg .sender ])
107+ abi.encodePacked (
108+ address (this ),
109+ msg .sender ,
110+ nextAppSequence[msg .sender ]
111+ )
108112 );
109113 return address (uint160 (uint256 (fullHash)));
110114 }
@@ -121,69 +125,66 @@ contract KmsAuth is
121125 }
122126
123127 // Function to register an aggregated MR measurement
124- function registerAggregatedMr (bytes32 mrAggregated ) external onlyOwner {
125- allowedAggregatedMrs [mrAggregated] = true ;
126- emit AggregatedMrRegistered (mrAggregated);
128+ function addKmsAggregatedMr (bytes32 mrAggregated ) external onlyOwner {
129+ kmsAllowedAggregatedMrs [mrAggregated] = true ;
130+ emit KmsAggregatedMrAdded (mrAggregated);
127131 }
128132
129133 // Function to deregister an aggregated MR measurement
130- function deregisterAggregatedMr (bytes32 mrAggregated ) external onlyOwner {
131- allowedAggregatedMrs[mrAggregated] = false ;
132- emit AggregatedMrDeregistered (mrAggregated);
134+ function removeKmsAggregatedMr (
135+ bytes32 mrAggregated
136+ ) external onlyOwner {
137+ kmsAllowedAggregatedMrs[mrAggregated] = false ;
138+ emit KmsAggregatedMrRemoved (mrAggregated);
133139 }
134140
135- // Function to register an image measurement
136- function registerImage (bytes32 mrImage ) external onlyOwner {
137- allowedImages[mrImage ] = true ;
138- emit ImageRegistered (mrImage );
141+ // Function to register a KMS device ID
142+ function addKmsDevice (bytes32 deviceId ) external onlyOwner {
143+ kmsAllowedDeviceIds[deviceId ] = true ;
144+ emit KmsDeviceAdded (deviceId );
139145 }
140146
141- // Function to deregister an image measurement
142- function deregisterImage (bytes32 mrImage ) external onlyOwner {
143- allowedImages[mrImage ] = false ;
144- emit ImageDeregistered (mrImage );
147+ // Function to deregister a KMS device ID
148+ function removeKmsDevice (bytes32 deviceId ) external onlyOwner {
149+ kmsAllowedDeviceIds[deviceId ] = false ;
150+ emit KmsDeviceRemoved (deviceId );
145151 }
146152
147- // Function to register a KMS compose hash
148- function registerKmsComposeHash (bytes32 composeHash ) external onlyOwner {
149- allowedKmsComposeHashes[composeHash ] = true ;
150- emit KmsComposeHashRegistered (composeHash );
153+ // Function to register an image measurement
154+ function addAppImageMr (bytes32 mrImage ) external onlyOwner {
155+ appAllowedImages[mrImage ] = true ;
156+ emit AppImageMrAdded (mrImage );
151157 }
152158
153- // Function to deregister a KMS compose hash
154- function deregisterKmsComposeHash (bytes32 composeHash ) external onlyOwner {
155- allowedKmsComposeHashes[composeHash ] = false ;
156- emit KmsComposeHashDeregistered (composeHash );
159+ // Function to deregister an image measurement
160+ function removeAppImageMr (bytes32 mrImage ) external onlyOwner {
161+ appAllowedImages[mrImage ] = false ;
162+ emit AppImageMrRemoved (mrImage );
157163 }
158164
159- // Function to register a KMS device ID
160- function registerKmsDeviceId (bytes32 deviceId ) external onlyOwner {
161- allowedKmsDeviceIds[deviceId ] = true ;
162- emit KmsDeviceIdRegistered (deviceId );
165+ // Function to register a system MR measurement
166+ function addAppSystemMr (bytes32 mrSystem ) external onlyOwner {
167+ appAllowedSystemMrs[mrSystem ] = true ;
168+ emit AppSystemMrAdded (mrSystem );
163169 }
164170
165- // Function to deregister a KMS device ID
166- function deregisterKmsDeviceId (bytes32 deviceId ) external onlyOwner {
167- allowedKmsDeviceIds[deviceId ] = false ;
168- emit KmsDeviceIdDeregistered (deviceId );
171+ // Function to deregister a system MR measurement
172+ function removeAppSystemMr (bytes32 mrSystem ) external onlyOwner {
173+ appAllowedSystemMrs[mrSystem ] = false ;
174+ emit AppSystemMrRemoved (mrSystem );
169175 }
170176
171177 // Function to check if KMS is allowed to boot
172178 function isKmsAllowed (
173179 AppBootInfo calldata bootInfo
174180 ) external view returns (bool isAllowed , string memory reason ) {
175181 // Check if the aggregated MR is allowed
176- if (! allowedAggregatedMrs [bootInfo.mrAggregated]) {
182+ if (! kmsAllowedAggregatedMrs [bootInfo.mrAggregated]) {
177183 return (false , "Aggregated MR not allowed " );
178184 }
179185
180- // Check if the KMS compose hash is allowed
181- if (! allowedKmsComposeHashes[bootInfo.composeHash]) {
182- return (false , "KMS compose hash not allowed " );
183- }
184-
185186 // Check if the KMS device ID is allowed
186- if (! allowedKmsDeviceIds [bootInfo.deviceId]) {
187+ if (! kmsAllowedDeviceIds [bootInfo.deviceId]) {
187188 return (false , "KMS is not allowed to boot on this device " );
188189 }
189190
@@ -201,10 +202,10 @@ contract KmsAuth is
201202
202203 // Check aggregated MR and image measurements
203204 if (
204- ! allowedAggregatedMrs [bootInfo.mrAggregated ] &&
205- ! allowedImages [bootInfo.mrImage]
205+ ! appAllowedSystemMrs [bootInfo.mrSystem ] &&
206+ ! appAllowedImages [bootInfo.mrImage]
206207 ) {
207- return (false , "Neither aggregated MR nor image is allowed " );
208+ return (false , "Neither system MR nor image is allowed " );
208209 }
209210
210211 // Ask the app controller if the app is allowed to boot
0 commit comments