oasisprotocol · martintomazic · Nov 24, 2025 · Jan 13, 2026 · Jan 12, 2026 · Nov 24, 2025
@@ -111,14 +111,20 @@ func (sc *SGXConstraints) ValidateBasic(cfg *TEEFeatures, isFeatureVersion242 bo
 		return fmt.Errorf("unsupported SGX constraints version: %d", sc.V)
 	}
 
-	// Check for TDX enablement.
-	if !cfg.SGX.TDX && sc.Policy.PCS != nil && sc.Policy.PCS.TDX != nil {
-		return fmt.Errorf("TDX policy not supported")
+	validatePolicy := func(policy *quote.Policy) error {
+		// Check for TDX enablement.
+		if !cfg.SGX.TDX && policy.PCS != nil && policy.PCS.TDX != nil {
+			return fmt.Errorf("TDX policy not supported")
+		}
+		if err := policy.Validate(isFeatureVersion242); err != nil {
+			return fmt.Errorf("invalid policy: %w", err)
+		}
+		return nil
 	}
 
-	// Check that policy is compliant with the current feature version.
+	// Check default policy.
 	if sc.Policy != nil {
-		if err := sc.Policy.Validate(isFeatureVersion242); err != nil {
+		if err := validatePolicy(sc.Policy); err != nil {
 			return fmt.Errorf("invalid policy: %w", err)
 		}
 	}

@@ -34,18 +34,7 @@ type TEEFeaturesSGX struct {
 
 // ApplyDefaultConstraints applies configured SGX constraint defaults to the given structure.
 func (fs *TEEFeaturesSGX) ApplyDefaultConstraints(sc *SGXConstraints) {
-	// Default policy.
-	if fs.DefaultPolicy != nil {
-		if sc.Policy == nil {
-			sc.Policy = &quote.Policy{}
-		}
-		if sc.Policy.IAS == nil {
-			sc.Policy.IAS = fs.DefaultPolicy.IAS
-		}
-		if sc.Policy.PCS == nil && fs.PCS {
-			sc.Policy.PCS = fs.DefaultPolicy.PCS
-		}
-	}
+	sc.Policy = sc.Policy.ApplyDefault(fs.DefaultPolicy, fs.PCS)
 
 	// Default maximum attestation age.
 	if sc.MaxAttestationAge == 0 {

@@ -2,6 +2,8 @@ package pcs
 
 import (
 	"fmt"
+	"maps"
+	"slices"
 )
 
 // QuotePolicy is the quote validity policy.
@@ -28,6 +30,68 @@ type QuotePolicy struct {
 	TDX *TdxQuotePolicy `json:"tdx,omitempty" yaml:"tdx,omitempty"`
 }
 
+// Merge merges two QuotePolicies into one, taking more restrictive configuration into account.
+//
+// TODO:
+//   - What if FMSCPWhitelist has no intersection (same applies for TDXQuotePolicy)?
+//   - Should we even allow registration of such runtime descriptor?
+//   - Finish TDX quote policy merge (ugly).
+//   - Unit tests.
+//   - Merge should produce independent copies to not accidentally mutate stuff.
+func (p *QuotePolicy) Merge(o *QuotePolicy) *QuotePolicy {
+	if p == nil {
+		return o
+	}
+
+	if o == nil {
+		return p
+	}
+
+	merged := &QuotePolicy{
+		Disabled:                   p.Disabled || o.Disabled,
+		TCBValidityPeriod:          min(p.TCBValidityPeriod, o.TCBValidityPeriod),
+		MinTCBEvaluationDataNumber: max(p.MinTCBEvaluationDataNumber, o.MinTCBEvaluationDataNumber),
+	}
+
+	func() {
+		if len(p.FMSPCWhitelist) == 0 {
+			merged.FMSPCWhitelist = o.FMSPCWhitelist
+			return
+		}
+
+		if len(o.FMSPCWhitelist) == 0 {
+			merged.FMSPCWhitelist = p.FMSPCWhitelist
+			return
+		}
+
+		intersect := make(map[string]struct{}, len(p.FMSPCWhitelist))
+		for _, fmspc := range p.FMSPCWhitelist {
+			intersect[fmspc] = struct{}{}
+		}
+		for _, fmspc := range o.FMSPCWhitelist {
+			if _, ok := intersect[fmspc]; ok {
+				merged.FMSPCWhitelist = append(merged.FMSPCWhitelist, fmspc)
+			}
+		}
+
+		// Preventing no intersection meaning allow any.
+		if len(merged.FMSPCWhitelist) == 0 {
+			merged.Disabled = true
+		}
+
+	}()
+
+	union := make(map[string]struct{}, len(p.FMSPCBlacklist)+len(o.FMSPCBlacklist))
+	for _, fmspc := range append(p.FMSPCBlacklist, o.FMSPCBlacklist...) {
+		union[fmspc] = struct{}{}
+	}
+	merged.FMSPCBlacklist = slices.Collect(maps.Keys(union))
+	slices.Sort(merged.FMSPCBlacklist)
+
+	merged.TDX = p.TDX.Merge(o.TDX)
+	return merged
+}
+
 // TdxQuotePolicy is the TDX-specific quote policy.
 type TdxQuotePolicy struct {
 	// AllowedTdxModules are the allowed TDX modules. Empty to allow ANY Intel-signed module.
@@ -56,6 +120,25 @@ func (tp *TdxQuotePolicy) verifyTdxModule(report *TdReport) error {
 	return fmt.Errorf("pcs/quote: TDX module not allowed")
 }
 
+func (tp *TdxQuotePolicy) Merge(o *TdxQuotePolicy) *TdxQuotePolicy {
+	if tp == nil || o == nil {
+		return nil
+	}
+
+	if len(tp.AllowedTdxModules) == 0 {
+		return o
+	}
+
+	if len(o.AllowedTdxModules) == 0 {
+		return tp
+	}
+
+	// TODO
+	// Merge the TDXQuotePolicy.
+
+	return o
+}
+
 // TDX_MrSigner_Intel is the TDX module MRSIGNER for Intel (000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000).
 var TDX_MrSigner_Intel [48]byte // nolint: revive
 

@@ -81,3 +81,22 @@ func (p *Policy) Validate(isFeatureVersion242 bool) error {
 
 	return fmt.Errorf("fmspc whitelist should be empty")
 }
+
+func (p *Policy) ApplyDefault(d *Policy, pcsEnabled bool) *Policy {
+	if d == nil {
+		return p
+	}
+
+	if p == nil {
+		p = &Policy{}
+	}
+
+	if p.IAS == nil {
+		p.IAS = d.IAS
+	}
+	if p.PCS == nil && pcsEnabled {
+		p.PCS = d.PCS
+	}
+
+	return p
+}