
Commit d0c991e

committed
go/common: Add compute runtime policy sanity test
1 parent a4cc99c commit d0c991e

2 files changed

Lines changed: 56 additions & 0 deletions


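--- a/go/common/node/sgx_test.go
+++ b/go/common/node/sgx_test.go
@@ -4,6 +4,7 @@ import (
 "encoding/hex"
 "os"
 "testing"
+"time"
 
 "github.com/stretchr/testify/require"
 
@@ -248,6 +249,55 @@ func TestHashAttestation(t *testing.T) {
 require.EqualValues("9a288bd33ba7a4c2eefdee68e4c08c1a34c369302ef8176a3bfdb4fedcec333e", hex.EncodeToString(h))
 }
 
+// TestComputePolicySanity checks that attestation verification uses the stricter
+// compute policy when requested and falls back to the default policy otherwise.
+func TestComputePolicySanity(t *testing.T) {
+require := require.New(t)
+
+pcs.SetSkipVerify()
+defer pcs.UnsetSkipVerify()
+
+// Build a raw SGX report (384 bytes) with a known RAK hash in ReportData.
+var rak signature.PublicKey
+rakHash := HashRAK(rak)
+
+var rawReport [384]byte
+copy(rawReport[320:], rakHash[:])
+
+mockQuote, err := pcs.NewMockQuote(rawReport[:])
+require.NoError(err, "NewMockQuote")
+
+sa := SGXAttestation{
+Versioned: cbor.NewVersioned(LatestSGXAttestationVersion),
+Quote: quote.Quote{
+PCS: &pcs.QuoteBundle{
+Quote: mockQuote,
+},
+},
+}
+
+sc := SGXConstraints{
+Versioned: cbor.NewVersioned(1),
+Enclaves: []sgx.EnclaveIdentity{{}},
+Policy: &quote.Policy{
+PCS: &pcs.QuotePolicy{},
+},
+ComputePolicy: &quote.Policy{
+PCS: &pcs.QuotePolicy{Disabled: true},
+},
+}
+
+var nodeID signature.PublicKey
+cfg := &TEEFeatures{SGX: TEEFeaturesSGX{PCS: true}}
+
+err = sa.Verify(cfg, time.Now(), 0, &sc, rak, nil, nodeID, true)
+require.Error(err, "attestation should be rejected when compute policy is used")
+require.ErrorContains(err, "PCS quotes are disabled by policy")
+
+err = sa.Verify(cfg, time.Now(), 0, &sc, rak, nil, nodeID, false)
+require.NoError(err, "attestation should pass when falling back to default policy")
+}
+
 func FuzzSGXConstraints(f *testing.F) {
 // Add some V0 constraints.
 raw, err := os.ReadFile("testdata/sgx_constraints_v0.bin")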
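Review bot: In TestComputePolicySanity, `defer pcs.UnsetSkipVerify()` forces the process-wide skip-verify flag to false instead of restoring its previous value, so if anything else in this test binary had enabled it (not visible in this hunk) it is silently cleared, and any test running in parallel would see quote signature verification switched off while this one runs. I would state that constraint next to the toggle, e.g. `// Mutates process-wide pcs state: keep this test serial (no t.Parallel) and do not rely on skip-verify staying set afterwards.` Separately, the trailing `true`/`false` passed to `sa.Verify` appears to be what selects the compute policy, and a short inline comment such as `/* compute policy */` on that argument would make the two calls readable without opening Verify's signature.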

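--- a/go/common/sgx/pcs/pcs.go
+++ b/go/common/sgx/pcs/pcs.go
@@ -55,6 +55,12 @@ func SetSkipVerify() {
 unsafeSkipVerify = true
 }
 
+// UnsetSkipVerify will enable quote signature verification for the remainder of the process'
+// lifetime.
+func UnsetSkipVerify() {
+unsafeSkipVerify = false
+}
+
 // SetAllowDebugEnclaves will enable running and communicating with enclaves with debug flag enabled
 // in report body for the remainder of the process' lifetime.
 func SetAllowDebugEnclaves() {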
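Review bot: The doc comment on `UnsetSkipVerify` promises verification "for the remainder of the process' lifetime", which no longer holds once the flag can be flipped in both directions, and it does not say that this exported helper is there to undo `SetSkipVerify` in tests. The lines shown write `unsafeSkipVerify` with a plain assignment, so toggling it while another goroutine is verifying a quote would presumably be a data race; how the flag is read is outside this hunk and should be confirmed. I would reword the comment to something like `// UnsetSkipVerify re-enables quote signature verification after SetSkipVerify. Intended for tests only; not safe to call concurrently with verification.`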
