go/oasis-test-runner: Add e2e test for compute runtime quote policy

martintomazic · martintomazic · commit 859e7a8e339e · 2026-03-17T15:35:08.000+01:00
diff --git a/.buildkite/code.pipeline.yml b/.buildkite/code.pipeline.yml
@@ -356,7 +356,10 @@ steps:
     command:
       - trap 'buildkite-agent artifact upload "coverage-merged-e2e-*.txt;/tmp/e2e/**/*.log;/tmp/e2e/**/genesis.json;/tmp/e2e/**/runtime_genesis.json"' EXIT
       - .buildkite/scripts/download_e2e_test_artifacts_mocksgx.sh
-      - .buildkite/scripts/test_e2e.sh --timeout 20m --scenario e2e/runtime/runtime-encryption
+      - .buildkite/scripts/test_e2e.sh --timeout 20m
+        --scenario e2e/runtime/runtime-encryption
+        --scenario e2e/runtime/compute-policy
+
     env:
       OASIS_TEE_HARDWARE: intel-sgx
       OASIS_UNSAFE_MOCK_TEE: "1"
diff --git a/go/oasis-test-runner/oasis/fixture.go b/go/oasis-test-runner/oasis/fixture.go
@@ -9,6 +9,7 @@ import (
 	"github.com/oasisprotocol/oasis-core/go/common/crypto/hash"
 	"github.com/oasisprotocol/oasis-core/go/common/node"
 	"github.com/oasisprotocol/oasis-core/go/common/sgx"
+	"github.com/oasisprotocol/oasis-core/go/common/sgx/quote"
 	"github.com/oasisprotocol/oasis-core/go/consensus/cometbft/config"
 	"github.com/oasisprotocol/oasis-core/go/oasis-test-runner/env"
 	"github.com/oasisprotocol/oasis-core/go/oasis-test-runner/log"
@@ -247,6 +248,9 @@ type RuntimeFixture struct {
 
 	GovernanceModel registry.RuntimeGovernanceModel `json:"governance_model"`
 
+	// ComputePolicy is an optional compute runtime quote policy.
+	ComputePolicy *quote.Policy `json:"compute_policy,omitempty"`
+
 	Pruner RuntimePrunerCfg `json:"pruner,omitempty"`
 
 	ExcludeFromGenesis bool `json:"exclude_from_genesis,omitempty"`
@@ -279,6 +283,7 @@ func (f *RuntimeFixture) Create(netFixture *NetworkFixture, net *Network) (*Runt
 		Keymanager:         km,
 		TEEHardware:        netFixture.TEE.Hardware,
 		MrSigner:           netFixture.TEE.MrSigner,
+		ComputePolicy:      f.ComputePolicy,
 		Executor:           f.Executor,
 		TxnScheduler:       f.TxnScheduler,
 		Storage:            f.Storage,
diff --git a/go/oasis-test-runner/oasis/runtime.go b/go/oasis-test-runner/oasis/runtime.go
@@ -14,6 +14,7 @@ import (
 	"github.com/oasisprotocol/oasis-core/go/common/crypto/hash"
 	"github.com/oasisprotocol/oasis-core/go/common/node"
 	"github.com/oasisprotocol/oasis-core/go/common/sgx"
+	"github.com/oasisprotocol/oasis-core/go/common/sgx/quote"
 	"github.com/oasisprotocol/oasis-core/go/common/version"
 	"github.com/oasisprotocol/oasis-core/go/oasis-test-runner/env"
 	registry "github.com/oasisprotocol/oasis-core/go/registry/api"
@@ -48,8 +49,9 @@ type Runtime struct {
 	// of this file is discouraged (if not entirely forbidden).
 	cfgSave runtimeCfgSave
 
-	teeHardware node.TEEHardware
-	mrSigner    *sgx.MrSigner
+	teeHardware   node.TEEHardware
+	mrSigner      *sgx.MrSigner
+	computePolicy *quote.Policy
 
 	pruner RuntimePrunerCfg
 
@@ -59,12 +61,13 @@ type Runtime struct {
 
 // RuntimeCfg is the Oasis runtime provisioning configuration.
 type RuntimeCfg struct {
-	ID          common.Namespace
-	Kind        registry.RuntimeKind
-	Entity      *Entity
-	Keymanager  *Runtime
-	TEEHardware node.TEEHardware
-	MrSigner    *sgx.MrSigner
+	ID            common.Namespace
+	Kind          registry.RuntimeKind
+	Entity        *Entity
+	Keymanager    *Runtime
+	TEEHardware   node.TEEHardware
+	MrSigner      *sgx.MrSigner
+	ComputePolicy *quote.Policy
 
 	Deployments      []DeploymentCfg
 	GenesisRound     uint64
@@ -231,12 +234,14 @@ func (rt *Runtime) toRuntimeBundle(index int, cfg *deploymentCfg) (*bundle.Bundl
 		}
 
 		cfg.versionInfo.TEE = cbor.Marshal(node.SGXConstraints{
+			Versioned: cbor.NewVersioned(1),
 			Enclaves: []sgx.EnclaveIdentity{
 				{
 					MrEnclave: *mrEnclave,
 					MrSigner:  *rt.mrSigner,
 				},
 			},
+			ComputePolicy: rt.computePolicy,
 		})
 		cfg.mrEnclave = mrEnclave
 		return nil
@@ -371,6 +376,7 @@ func (net *Network) NewRuntime(cfg *RuntimeCfg) (*Runtime, error) {
 		kind:               cfg.Kind,
 		teeHardware:        cfg.TEEHardware,
 		mrSigner:           cfg.MrSigner,
+		computePolicy:      cfg.ComputePolicy,
 		pruner:             cfg.Pruner,
 		excludeFromGenesis: cfg.ExcludeFromGenesis,
 		descriptor:         descriptor,
diff --git a/go/oasis-test-runner/scenario/e2e/runtime/compute_policy.go b/go/oasis-test-runner/scenario/e2e/runtime/compute_policy.go
@@ -0,0 +1,54 @@
+package runtime
+
+import (
+	"context"
+
+	"github.com/oasisprotocol/oasis-core/go/common/sgx/pcs"
+	"github.com/oasisprotocol/oasis-core/go/common/sgx/quote"
+	"github.com/oasisprotocol/oasis-core/go/oasis-test-runner/env"
+	"github.com/oasisprotocol/oasis-core/go/oasis-test-runner/oasis"
+	"github.com/oasisprotocol/oasis-core/go/oasis-test-runner/scenario"
+)
+
+// ComputePolicy is the compute runtime quote policy e2e test scenario.
+var ComputePolicy scenario.Scenario = newComputePolicyImpl()
+
+type computePolicyImpl struct {
+	Scenario
+}
+
+func newComputePolicyImpl() scenario.Scenario {
+	return &computePolicyImpl{
+		Scenario: *NewScenario("compute-policy", NewTestClient().WithScenario(SimpleScenario)),
+	}
+}
+
+func (sc *computePolicyImpl) Clone() scenario.Scenario {
+	return &computePolicyImpl{
+		Scenario: *sc.Scenario.Clone().(*Scenario),
+	}
+}
+
+func (sc *computePolicyImpl) Fixture() (*oasis.NetworkFixture, error) {
+	f, err := sc.Scenario.Fixture()
+	if err != nil {
+		return nil, err
+	}
+
+	f.Runtimes[1].ComputePolicy = &quote.Policy{
+		PCS: &pcs.QuotePolicy{
+			TCBValidityPeriod:          90,
+			MinTCBEvaluationDataNumber: 12,
+		},
+	}
+
+	return f, nil
+}
+
+func (sc *computePolicyImpl) Run(ctx context.Context, childEnv *env.Env) error {
+	if err := sc.StartNetworkAndTestClient(ctx, childEnv); err != nil {
+		return err
+	}
+
+	return sc.WaitTestClientAndCheckLogs()
+}
diff --git a/go/oasis-test-runner/scenario/e2e/runtime/scenario.go b/go/oasis-test-runner/scenario/e2e/runtime/scenario.go
@@ -419,6 +419,8 @@ func RegisterScenarios() error {
 		// it is identical to the txsource-multi-short, only using fewer nodes
 		// due to SGX CI instance resource constrains.
 		TxSourceMultiShortSGX,
+		// SGXConstraints tests.
+		ComputePolicy,
 	} {
 		if err := cmd.RegisterNondefault(s); err != nil {
 			return err
diff --git a/runtime/src/consensus/registry.rs b/runtime/src/consensus/registry.rs
@@ -703,6 +703,10 @@ pub enum SGXConstraints {
         #[cbor(optional)]
         policy: sgx::QuotePolicy,
 
+        /// The compute runtime quote policy.
+        #[cbor(optional)]
+        compute_policy: sgx::QuotePolicy,
+
         /// The maximum attestation age (in blocks).
         #[cbor(optional)]
         max_attestation_age: u64,
