
Commit a4cc99c

committed
go: Validate attestation against compute policy before registration
1 parent 171bb40 commit a4cc99c

7 files changed

Lines changed: 98 additions & 57 deletions


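--- a/go/oasis-node/cmd/node/node.go
+++ b/go/oasis-node/cmd/node/node.go
@@ -205,12 +205,25 @@ func (n *Node) initRuntimeWorkers(genesisDoc *genesisAPI.Document) error {
 }
 n.svcMgr.Register(n.RuntimeRegistry)
 
+// Determine whether hosted RONL components will be registered on the
+// consensus layer. This is the case for compute and observer nodes.
+var willRegisterComputeRuntime bool
+switch config.GlobalConfig.Mode {
+case config.ModeCompute:
+willRegisterComputeRuntime = true
+case config.ModeClient, config.ModeStatelessClient:
+if config.GlobalConfig.Registration.Entity != "" || config.GlobalConfig.Registration.EntityID != "" {
+willRegisterComputeRuntime = true // observer role
+}
+}
+
 // Initialize the common worker.
 n.CommonWorker, err = workerCommon.New(
 n,
 n.dataDir,
 n.chainContext,
 n.Identity,
+willRegisterComputeRuntime,
 n.Consensus,
 n.LightService,
 n.P2P,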
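Review bot: The observer check in the added `switch` (`Registration.Entity != "" || Registration.EntityID != ""` under `ModeClient`/`ModeStatelessClient`) restates the registration decision inline, so the quote policy chosen for local attestation can drift from what the node actually registers if that decision changes elsewhere. The registration logic is not visible in this hunk, so this is a coupling to confirm rather than a proven defect. Deriving the flag from one shared predicate, or at least adding `// Must stay in sync with the role selection used when registering the node.` above the switch, would keep the two tied together. Modes not listed leave the flag `false`; an explicit `default:` with a short comment would show that this is deliberate. initRuntimeWorkers starts and ends outside the hunk.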

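--- a/go/runtime/host/host.go
+++ b/go/runtime/host/host.go
@@ -22,6 +22,9 @@ type Config struct {
 // ID is the runtime identifier.
 ID common.Namespace
 
+// Attestation contains attestation related configuration for the provisioned component.
+Attestation AttestationCfg
+
 // Component is the component that should be provisioned.
 Component *bundle.ExplodedComponent
 
@@ -38,6 +41,13 @@ type Config struct {
 Log *log.Log
 }
 
+// AttestationCfg contains attestation related configuration for the provisioned component.
+type AttestationCfg struct {
+// UseComputePolicy specifies if the compute runtime quote policy
+// should be respected during local attestation verification.
+UseComputePolicy bool
+}
+
 // Provisioner is the runtime provisioner interface.
 type Provisioner interface {
 // NewRuntime provisions a new runtime.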
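Review bot: The doc comment on `AttestationCfg` does not say what the zero value means, and it matters here: any caller that builds `host.Config` without setting `Attestation` gets `UseComputePolicy == false`, so the component is verified without the compute quote policy and nothing signals that. I would state this in the type comment, for example `// The zero value verifies against the default quote policy, not the compute one.`, and note on the field when callers are expected to set it. The comment on `Config.Attestation` repeats the type comment word for word and could instead say who fills the field in.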

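--- a/go/runtime/host/sgx/common/common.go
+++ b/go/runtime/host/sgx/common/common.go
@@ -48,7 +48,7 @@ func GetQuotePolicy(
 return nil, fmt.Errorf("malformed runtime SGX constraints: %w", err)
 }
 
-return sc.Policy, nil
+return sc.ResolvePolicy(cfg.Attestation.UseComputePolicy), nil
 }
 return fallbackPolicy, nil
 case component.ROFL: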
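Review bot: The result of `sc.ResolvePolicy(...)` is returned as-is on the new line, and what it yields when `UseComputePolicy` is true but the constraints carry no compute-specific policy is not visible in this hunk. If it can return nil in that case, local verification would not apply the policy that registration is checked against, whereas the branch just below returns `fallbackPolicy`. If it falls back to `sc.Policy`, a comment here such as `// ResolvePolicy falls back to sc.Policy when no compute policy is set.` (to be confirmed against its implementation) would record that. A unit test of GetQuotePolicy covering both flag values would pin the selection. GetQuotePolicy starts and ends outside the hunk.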

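--- a/go/runtime/registry/host.go
+++ b/go/runtime/registry/host.go
@@ -44,7 +44,7 @@ func NewRuntimeHostNode(runtime Runtime, provisioner host.Provisioner, handler h
 }
 
 // ProvisionHostedRuntimeComponent provisions the given runtime component.
-func (n *RuntimeHostNode) ProvisionHostedRuntimeComponent(comp *bundle.ExplodedComponent) error {
+func (n *RuntimeHostNode) ProvisionHostedRuntimeComponent(comp *bundle.ExplodedComponent, attestationCfg host.AttestationCfg) error {
 n.mu.Lock()
 defer n.mu.Unlock()
 
@@ -67,6 +67,7 @@ func (n *RuntimeHostNode) ProvisionHostedRuntimeComponent(comp *bundle.ExplodedC
 
 cfg := host.Config{
 ID: n.runtime.ID(),
+Attestation: attestationCfg,
 Component: comp,
 MessageHandler: handler,
 LocalConfig: getLocalConfig(n.runtime.ID(), comp.ID()),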

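--- a/go/worker/common/committee/node.go
+++ b/go/worker/common/committee/node.go
@@ -24,6 +24,7 @@ import (
 roothash "github.com/oasisprotocol/oasis-core/go/roothash/api"
 "github.com/oasisprotocol/oasis-core/go/roothash/api/block"
 runtime "github.com/oasisprotocol/oasis-core/go/runtime/api"
+"github.com/oasisprotocol/oasis-core/go/runtime/bundle"
 "github.com/oasisprotocol/oasis-core/go/runtime/host"
 runtimeRegistry "github.com/oasisprotocol/oasis-core/go/runtime/registry"
 "github.com/oasisprotocol/oasis-core/go/runtime/txpool"
@@ -58,14 +59,15 @@ type Node struct {
 
 HostNode control.NodeController
 
-Identity *identity.Identity
-KeyManager keymanager.Backend
-KeyManagerClient *KeyManagerClientWrapper
-Consensus consensus.Service
-LightProvider consensus.LightProvider
-Group *Group
-P2P p2pAPI.Service
-TxPool txpool.TransactionPool
+Identity *identity.Identity
+WillRegisterComputeRuntime bool
+KeyManager keymanager.Backend
+KeyManagerClient *KeyManagerClientWrapper
+Consensus consensus.Service
+LightProvider consensus.LightProvider
+Group *Group
+P2P p2pAPI.Service
+TxPool txpool.TransactionPool
 
 services *service.Group
 roflNotifier *runtimeRegistry.ROFLNotifier
@@ -391,7 +393,8 @@ func (n *Node) worker() { //nolint: gocyclo
 
 // Provision all known components.
 for _, comp := range bundleRegistry.Components(n.Runtime.ID()) {
-if err := n.ProvisionHostedRuntimeComponent(comp); err != nil {
+attestCfg := n.attestationCfg(comp)
+if err := n.ProvisionHostedRuntimeComponent(comp, attestCfg); err != nil {
 n.logger.Error("failed to provision runtime component",
 "err", err,
 "id", comp.ID(),
@@ -474,7 +477,8 @@ func (n *Node) worker() { //nolint: gocyclo
 switch {
 case compNotify.Added != nil:
 // Received a new version of a runtime component.
-if err := n.ProvisionHostedRuntimeComponent(compNotify.Added); err != nil {
+attestCfg := n.attestationCfg(compNotify.Added)
+if err := n.ProvisionHostedRuntimeComponent(compNotify.Added, attestCfg); err != nil {
 n.logger.Error("failed to provision hosted runtime",
 "err", err,
 "id", compNotify.Added.ID(),
@@ -498,6 +502,12 @@ func (n *Node) worker() { //nolint: gocyclo
 }
 }
 
+func (n *Node) attestationCfg(comp *bundle.ExplodedComponent) host.AttestationCfg {
+return host.AttestationCfg{
+UseComputePolicy: comp.ID().IsRONL() && n.WillRegisterComputeRuntime,
+}
+}
+
 func (n *Node) handleCommittee(ctx context.Context, committee *scheduler.Committee) {
 if committee.Kind != scheduler.KindComputeExecutor {
 return
@@ -637,6 +647,7 @@ func NewNode(
 provisioner host.Provisioner,
 rtRegistry runtimeRegistry.Registry,
 identity *identity.Identity,
+willRegisterComputeRuntime bool,
 keymanager keymanager.Backend,
 consensus consensus.Service,
 lightProvider consensus.LightProvider,
@@ -659,24 +670,25 @@ func NewNode(
 txTopic := p2pProtocol.NewTopicKindTxID(chainContext, runtime.ID())
 
 n := &Node{
-ChainContext: chainContext,
-HostNode: hostNode,
-Runtime: runtime,
-RuntimeRegistry: rtRegistry,
-Identity: identity,
-KeyManager: keymanager,
-Consensus: consensus,
-LightProvider: lightProvider,
-Group: group,
-P2P: p2pHost,
-txTopic: txTopic,
-ctx: ctx,
-cancelCtx: cancel,
-stopCh: make(chan struct{}),
-quitCh: make(chan struct{}),
-initCh: make(chan struct{}),
-dispatchInfoCh: make(chan struct{}, 1),
-logger: logging.GetLogger("worker/common/committee").With("runtime_id", runtime.ID()),
+ChainContext: chainContext,
+HostNode: hostNode,
+Runtime: runtime,
+RuntimeRegistry: rtRegistry,
+Identity: identity,
+WillRegisterComputeRuntime: willRegisterComputeRuntime,
+KeyManager: keymanager,
+Consensus: consensus,
+LightProvider: lightProvider,
+Group: group,
+P2P: p2pHost,
+txTopic: txTopic,
+ctx: ctx,
+cancelCtx: cancel,
+stopCh: make(chan struct{}),
+quitCh: make(chan struct{}),
+initCh: make(chan struct{}),
+dispatchInfoCh: make(chan struct{}, 1),
+logger: logging.GetLogger("worker/common/committee").With("runtime_id", runtime.ID()),
 }
 
 // Prepare the key manager client wrapper.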
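Review bot: `WillRegisterComputeRuntime` is added to `Node` as an exported, mutable field, while the same flag on `Worker` in go/worker/common/worker.go is unexported; because it selects the quote policy in `attestationCfg`, it is better not writable from outside the package after construction. In the visible hunks it is only set in `NewNode` and read in `attestationCfg`, so `willRegisterComputeRuntime bool` would be enough, provided nothing outside the package reads it. The new `attestationCfg` helper also has no doc comment; `// attestationCfg returns the attestation configuration for comp; the compute quote policy is used only for RONL components on nodes that will register the runtime.` would record why other components always get `false`.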

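--- a/go/worker/common/worker.go
+++ b/go/worker/common/worker.go
@@ -21,16 +21,17 @@ type Worker struct {
 enabled bool
 cfg Config
 
-HostNode control.NodeController
-DataDir string
-ChainContext string
-Identity *identity.Identity
-Consensus consensus.Service
-LightProvider consensus.LightProvider
-P2P p2p.Service
-KeyManager keymanagerApi.Backend
-RuntimeRegistry runtimeRegistry.Registry
-Provisioner host.Provisioner
+HostNode control.NodeController
+DataDir string
+ChainContext string
+Identity *identity.Identity
+willRegisterComputeRuntime bool
+Consensus consensus.Service
+LightProvider consensus.LightProvider
+P2P p2p.Service
+KeyManager keymanagerApi.Backend
+RuntimeRegistry runtimeRegistry.Registry
+Provisioner host.Provisioner
 
 runtimes map[common.Namespace]*committee.Node
 
@@ -161,6 +162,7 @@ func (w *Worker) registerRuntime(runtime runtimeRegistry.Runtime) error {
 w.Provisioner,
 w.RuntimeRegistry,
 w.Identity,
+w.willRegisterComputeRuntime,
 w.KeyManager,
 w.Consensus,
 w.LightProvider,
@@ -185,6 +187,7 @@ func New(
 dataDir string,
 chainContext string,
 identity *identity.Identity,
+willRegisterComputeRuntime bool,
 consensus consensus.Service,
 lightProvider consensus.LightProvider,
 p2p p2p.Service,
@@ -209,22 +212,23 @@ func New(
 }
 
 w := &Worker{
-enabled: enabled,
-cfg: *cfg,
-HostNode: hostNode,
-DataDir: dataDir,
-ChainContext: chainContext,
-Identity: identity,
-Consensus: consensus,
-LightProvider: lightProvider,
-P2P: p2p,
-KeyManager: keyManager,
-RuntimeRegistry: runtimeRegistry,
-Provisioner: provisioner,
-runtimes: make(map[common.Namespace]*committee.Node),
-quitCh: make(chan struct{}),
-initCh: make(chan struct{}),
-logger: logging.GetLogger("worker/common"),
+enabled: enabled,
+cfg: *cfg,
+HostNode: hostNode,
+DataDir: dataDir,
+ChainContext: chainContext,
+Identity: identity,
+willRegisterComputeRuntime: willRegisterComputeRuntime,
+Consensus: consensus,
+LightProvider: lightProvider,
+P2P: p2p,
+KeyManager: keyManager,
+RuntimeRegistry: runtimeRegistry,
+Provisioner: provisioner,
+runtimes: make(map[common.Namespace]*committee.Node),
+quitCh: make(chan struct{}),
+initCh: make(chan struct{}),
+logger: logging.GetLogger("worker/common"),
 }
 
 if !enabled {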

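--- a/go/worker/keymanager/worker.go
+++ b/go/worker/keymanager/worker.go
@@ -453,7 +453,8 @@ func (w *Worker) worker() {
 "version", comp.Version,
 )
 
-if err := w.ProvisionHostedRuntimeComponent(comp); err != nil {
+attestCfg := host.AttestationCfg{UseComputePolicy: false}
+if err := w.ProvisionHostedRuntimeComponent(comp, attestCfg); err != nil {
 w.logger.Error("failed to provision runtime component",
 "err", err,
 "id", comp.ID(),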
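Review bot: The hard-coded `UseComputePolicy: false` at the key manager call site carries no explanation, so a later reader cannot tell whether it is deliberate or a placeholder. A one-line comment above it, for instance `// Key manager components are not registered as compute runtimes, so the compute quote policy does not apply.`, would record the intent; that wording assumes this is the reason and should be adjusted if it is not. Since `false` is the zero value, `host.AttestationCfg{}` is equivalent, though keeping the field explicit is reasonable for readability. worker() starts and ends outside the hunk.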
