Fixup: Remove redundant UseKMAPolicy flag (tentative)

Author: martintomazic

go/common/node/node.go

@@ -566,10 +566,6 @@ type CapabilityTEEVerifyParams struct {
 	// NodeID is the node identity the TEE capability must be bound to.
 	NodeID signature.PublicKey
 
-	// UseKMAPolicy specifies whether optional key manager access policy
-	// overrides default policy.
-	UseKMAPolicy bool
-
 	// IsFeatureVersion261 is true for consensus at version 26.1 or higher.
 	IsFeatureVersion261 bool
 }
@@ -620,7 +616,6 @@ func (c *CapabilityTEE) Verify(params CapabilityTEEVerifyParams) error {
 			c.RAK,
 			c.REK,
 			params.NodeID,
-			params.UseKMAPolicy,
 		)
 	default:
 		return ErrInvalidTEEHardware

go/common/node/sgx.go

@@ -258,7 +258,6 @@ func (sa *SGXAttestation) Verify(
 	rak signature.PublicKey,
 	rek *x25519.PublicKey,
 	nodeID signature.PublicKey,
-	useKMAPolicy bool,
 ) error {
 	if cfg == nil {
 		cfg = &emptyFeatures
@@ -269,7 +268,7 @@ func (sa *SGXAttestation) Verify(
 	// See https://github.com/oasisprotocol/oasis-core/issues/6459.
 	cfg.SGX.ApplyDefaultConstraints(sc)
 
-	policy := sc.ResolvePolicy(useKMAPolicy)
+	policy := sc.ResolvePolicy(true)
 
 	// Verify the quote.
 	verifiedQuote, err := sa.Quote.Verify(policy, ts)

go/common/node/sgx_test.go

@@ -291,12 +291,9 @@ func TestKeyManagerAccessPolicySanity(t *testing.T) {
 	var nodeID signature.PublicKey
 	cfg := &TEEFeatures{SGX: TEEFeaturesSGX{PCS: true}}
 
-	err = sa.Verify(cfg, time.Now(), 0, &sc, rak, nil, nodeID, true)
+	err = sa.Verify(cfg, time.Now(), 0, &sc, rak, nil, nodeID)
 	require.Error(err, "attestation should be rejected when key manager access policy is used")
 	require.ErrorContains(err, "PCS quotes are disabled by policy")
-
-	err = sa.Verify(cfg, time.Now(), 0, &sc, rak, nil, nodeID, false)
-	require.NoError(err, "attestation should pass when falling back to default policy")
 }
 
 func FuzzSGXConstraints(f *testing.F) {

go/consensus/cometbft/apps/scheduler/scheduler.go

@@ -443,7 +443,6 @@ func isSuitableExecutorWorker(
 				Height:              uint64(ctx.LastHeight()),
 				Constraints:         activeDeployment.TEE,
 				NodeID:              n.node.ID,
-				UseKMAPolicy:        true,
 				IsFeatureVersion261: isFeatureVersion261,
 			}); err != nil {
 				ctx.Logger().Warn("failed to verify node TEE attestation",

go/registry/api/api.go

@@ -840,17 +840,12 @@ func VerifyNodeRuntimeEnclaveIDs(
 			continue
 		}
 
-		// Use the key manager access policy (if it exists) for compute runtimes.
-		// This is safe because only nodes with TEE capabilities reach this point,
-		// which implies a compute or observer role.
-		useKMAPolicy := regRt.Kind == KindCompute
 		if err := rt.Capabilities.TEE.Verify(node.CapabilityTEEVerifyParams{
 			Features:            teeCfg,
 			Time:                ts,
 			Height:              height,
 			Constraints:         rtVersionInfo.TEE,
 			NodeID:              nodeID,
-			UseKMAPolicy:        useKMAPolicy,
 			IsFeatureVersion261: isFeatureVersion261,
 		}); err != nil {
 			logger.Error("VerifyNodeRuntimeEnclaveIDs: failed to validate attestation",