Conversation
✅ Deploy Preview for oasisprotocol-oasis-core canceled.
|
| // PerRolePolicy defines additional role specific quote policies, that overwrite | ||
| // Policy when node with these roles does an attestation. | ||
| // | ||
| // A valid entry is for either [RoleComputeWorker] or [RoleObserver]. Single entry | ||
| // should not encode multiple roles. | ||
| PerRolePolicy map[RolesMask]quote.Policy `json:"per_role_policy,omitempty"` |
There was a problem hiding this comment.
Given that:
- We only allow it for observer and compute roles
- Keymanager runtime kind does not allow it
- We don't see discriminating observer/compute access, as they both have access to same secrets,
How about simplifying things further and instead have ComputePolicy *quote.Policy that only applies for the compute runtimes for the observer/compute roles.
This should simplify assumptions, tests, comments, validations and avoid the need for new "at most one runtime sgx role" invariant.
There was a problem hiding this comment.
That makes sense to me, no need to have a general map that introduces unnecessary complexity.
|
|
||
| // Verify verifies the node's TEE capabilities, at the provided timestamp and height. | ||
| func (c *CapabilityTEE) Verify(teeCfg *TEEFeatures, ts time.Time, height uint64, constraints []byte, nodeID signature.PublicKey, isFeatureVersion242 bool) error { | ||
| func (c *CapabilityTEE) Verify(teeCfg *TEEFeatures, ts time.Time, height uint64, constraints []byte, nodeID signature.PublicKey, nodeRoles RolesMask, isFeatureVersion242 bool) error { |
There was a problem hiding this comment.
NIT: All this functions should accept validation options structs?
There was a problem hiding this comment.
Agreed, this is why we introduced the TEEFeatures struct a while back (which is now somewhat obsolete due to the use of feature versions). There are already too many parameters everywhere.
|
|
||
| // ValidateBasic performs basic descriptor validity checks. | ||
| func (n *Node) ValidateBasic(strictVersion bool) error { | ||
| func (n *Node) ValidateBasic(strictVersion bool, isFeatureVersion242 bool) error { |
There was a problem hiding this comment.
Nit: There is not such thing as ValidateBasic. Only Validate with clear invariants and tests for the invariants the Validate will check. Moreover, the validation params should probably be passes as part of the validation options struct. Possibly this check could also be part of the VerifyRegisterNodeArgs directly which avoids some additional changes, but feels off there.
martintomazic
force-pushed
the
martin/feature/per-role-quote-policies-v2
branch
from
64ef9a0 to
a790a46
Compare
| if r.Kind == KindKeyManager && cs.PerRolePolicy != nil { | ||
| return fmt.Errorf("%w: invalid SGX TEE constraints: keymanager runtime with per-role policies", ErrInvalidArgument) | ||
| } |
There was a problem hiding this comment.
Or make it part of the ValidateBasic, again this should be Validate with validate option struct so that it is clear what we are validating.
go/common/node/sgx.go
Outdated
| // PolicyFor returns a matching per-role policy when present, or otherwise falls back to the default policy. | ||
| // | ||
| // This function expects role mask that has at most one runtime SGX role. | ||
| func (s *SGXConstraints) PolicyFor(roles RolesMask) *quote.Policy { |
There was a problem hiding this comment.
It would be so much nicer if we would have RuntimeSGXRole type so that comments, invariants and corner cases are instead captured by the type system. Even per role policies could use this type as a key. Not sure there is practical / idiomatic way to achieve this in go.
martintomazic
force-pushed
the
martin/feature/per-role-quote-policies-v2
branch
from
a790a46 to
efbc5bc
Compare
|
Ready for the first round of reviews. Please focus on the considerations outlined in the context and existing threads. Given motivation and intended usage of this feature, I am in favor of replacing per-role policies with a single compute runtime policy that applies to both observer and compute roles. |
| @@ -0,0 +1,4 @@ | |||
| go/registry/api: Allow at most one runtime SGX role | |||
There was a problem hiding this comment.
| go/registry/api: Allow at most one runtime SGX role | |
| go/registry/api: Allow at most one runtime TEE role |
|
|
||
| // AtMostOneRuntimeSGXRole returns true when RoleMask has at most one SGX runtime role. | ||
| func (m RolesMask) AtMostOneRuntimeSGXRole() bool { | ||
| sgxRoles := m & (RoleComputeWorker | RoleObserver | RoleKeyManager) |
There was a problem hiding this comment.
The set of roles should be a top-level constant. Also note that these are not SGX-specific so you should use "TEE" instead of "SGX".
|
|
||
| // Verify verifies the node's TEE capabilities, at the provided timestamp and height. | ||
| func (c *CapabilityTEE) Verify(teeCfg *TEEFeatures, ts time.Time, height uint64, constraints []byte, nodeID signature.PublicKey, isFeatureVersion242 bool) error { | ||
| func (c *CapabilityTEE) Verify(teeCfg *TEEFeatures, ts time.Time, height uint64, constraints []byte, nodeID signature.PublicKey, nodeRoles RolesMask, isFeatureVersion242 bool) error { |
There was a problem hiding this comment.
Agreed, this is why we introduced the TEEFeatures struct a while back (which is now somewhat obsolete due to the use of feature versions). There are already too many parameters everywhere.
| // PerRolePolicy defines additional role specific quote policies, that overwrite | ||
| // Policy when node with these roles does an attestation. | ||
| // | ||
| // A valid entry is for either [RoleComputeWorker] or [RoleObserver]. Single entry | ||
| // should not encode multiple roles. | ||
| PerRolePolicy map[RolesMask]quote.Policy `json:"per_role_policy,omitempty"` |
There was a problem hiding this comment.
That makes sense to me, no need to have a general map that introduces unnecessary complexity.
2 participants
Replaces #6410 following simplifications agreed in the #6387.
Considerations: