
Commit 0d870ac

committed
go/common: Add keymanager access policy sanity test
1 parent 489ff9b commit 0d870ac

2 files changed

Lines changed: 57 additions & 0 deletions


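--- a/go/common/node/sgx_test.go
+++ b/go/common/node/sgx_test.go
@@ -4,6 +4,7 @@ import (
 "encoding/hex"
 "os"
 "testing"
+"time"
 
 "github.com/stretchr/testify/require"
 
@@ -248,6 +249,56 @@ func TestHashAttestation(t *testing.T) {
 require.EqualValues("9a288bd33ba7a4c2eefdee68e4c08c1a34c369302ef8176a3bfdb4fedcec333e", hex.EncodeToString(h))
 }
 
+// TestKeyManagerAccessPolicySanity checks that attestation verification uses
+// the stricter key manager access policy when requested and falls back to the
+// default policy otherwise.
+func TestKeyManagerAccessPolicySanity(t *testing.T) {
+require := require.New(t)
+
+pcs.SetSkipVerify()
+defer pcs.UnsetSkipVerify()
+
+// Build a raw SGX report (384 bytes) with a known RAK hash in ReportData.
+var rak signature.PublicKey
+rakHash := HashRAK(rak)
+
+var rawReport [384]byte
+copy(rawReport[320:], rakHash[:])
+
+mockQuote, err := pcs.NewMockQuote(rawReport[:])
+require.NoError(err, "NewMockQuote")
+
+sa := SGXAttestation{
+Versioned: cbor.NewVersioned(LatestSGXAttestationVersion),
+Quote: quote.Quote{
+PCS: &pcs.QuoteBundle{
+Quote: mockQuote,
+},
+},
+}
+
+sc := SGXConstraints{
+Versioned: cbor.NewVersioned(1),
+Enclaves: []sgx.EnclaveIdentity{{}},
+Policy: &quote.Policy{
+PCS: &pcs.QuotePolicy{},
+},
+KeyManagerAccessPolicy: &quote.Policy{
+PCS: &pcs.QuotePolicy{Disabled: true},
+},
+}
+
+var nodeID signature.PublicKey
+cfg := &TEEFeatures{SGX: TEEFeaturesSGX{PCS: true}}
+
+err = sa.Verify(cfg, time.Now(), 0, &sc, rak, nil, nodeID, true)
+require.Error(err, "attestation should be rejected when key manager access policy is used")
+require.ErrorContains(err, "PCS quotes are disabled by policy")
+
+err = sa.Verify(cfg, time.Now(), 0, &sc, rak, nil, nodeID, false)
+require.NoError(err, "attestation should pass when falling back to default policy")
+}
+
 func FuzzSGXConstraints(f *testing.F) {
 // Add some V0 constraints.
 raw, err := os.ReadFile("testdata/sgx_constraints_v0.bin")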
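Review bot: The new test never calls `Verify` with the key-manager flag set while `KeyManagerAccessPolicy` is nil, which is the case where a silent fallback to the weaker default policy would matter most. Both calls in `TestKeyManagerAccessPolicySanity` use an `sc` that carries both policies, so they pin which policy is selected but not what happens when the stricter one is absent; what `Verify` does then is not visible in this diff. I would add a third case, `sc.KeyManagerAccessPolicy = nil` followed by `err = sa.Verify(cfg, time.Now(), 0, &sc, rak, nil, nodeID, true)`, and assert whichever outcome is intended. Because `pcs.SetSkipVerify()` is in effect, the passing case covers policy selection only, not quote signature validity, so a comment such as `// Signature verification is skipped; this test covers policy selection only.` next to the `SetSkipVerify` call would keep readers from over-trusting it.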

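--- a/go/common/sgx/pcs/pcs.go
+++ b/go/common/sgx/pcs/pcs.go
@@ -55,6 +55,12 @@ func SetSkipVerify() {
 unsafeSkipVerify = true
 }
 
+// UnsetSkipVerify will enable quote signature verification for the remainder of the process'
+// lifetime.
+func UnsetSkipVerify() {
+unsafeSkipVerify = false
+}
+
 // SetAllowDebugEnclaves will enable running and communicating with enclaves with debug flag enabled
 // in report body for the remainder of the process' lifetime.
 func SetAllowDebugEnclaves() {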
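Review bot: The doc comment on `UnsetSkipVerify` promises verification "for the remainder of the process' lifetime", but the function only writes `false`, and any later `SetSkipVerify()` call disables verification again, so the wording carried over from the setters is misleading here. The function also forces the flag to `false` instead of restoring the previous value, so the `defer pcs.UnsetSkipVerify()` in `TestKeyManagerAccessPolicySanity` (go/common/node/sgx_test.go) would clobber a skip-verify setting made earlier in the same test binary, if one exists. `unsafeSkipVerify` appears to be a plain package variable (its declaration is outside this hunk), so tests that toggle it should not run in parallel with anything that verifies quotes. I would reword the comment along the lines of `// UnsetSkipVerify re-enables quote signature verification after SetSkipVerify.` and `// It is meant for tests and is not safe for concurrent use with verification.`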
