|
4 | 4 | "encoding/hex" |
5 | 5 | "os" |
6 | 6 | "testing" |
| 7 | + "time" |
7 | 8 |
|
8 | 9 | "github.com/stretchr/testify/require" |
9 | 10 |
|
@@ -248,6 +249,55 @@ func TestHashAttestation(t *testing.T) { |
248 | 249 | require.EqualValues("9a288bd33ba7a4c2eefdee68e4c08c1a34c369302ef8176a3bfdb4fedcec333e", hex.EncodeToString(h)) |
249 | 250 | } |
250 | 251 |
|
| 252 | +// TestComputePolicySanity checks that attestation verification uses the stricter |
| 253 | +// compute policy when requested and falls back to the default policy otherwise. |
| 254 | +func TestComputePolicySanity(t *testing.T) { |
| 255 | + require := require.New(t) |
| 256 | + |
| 257 | + pcs.SetSkipVerify() |
| 258 | + defer pcs.UnsetSkipVerify() |
| 259 | + |
| 260 | + // Build a raw SGX report (384 bytes) with a known RAK hash in ReportData. |
| 261 | + var rak signature.PublicKey |
| 262 | + rakHash := HashRAK(rak) |
| 263 | + |
| 264 | + var rawReport [384]byte |
| 265 | + copy(rawReport[320:], rakHash[:]) |
| 266 | + |
| 267 | + mockQuote, err := pcs.NewMockQuote(rawReport[:]) |
| 268 | + require.NoError(err, "NewMockQuote") |
| 269 | + |
| 270 | + sa := SGXAttestation{ |
| 271 | + Versioned: cbor.NewVersioned(LatestSGXAttestationVersion), |
| 272 | + Quote: quote.Quote{ |
| 273 | + PCS: &pcs.QuoteBundle{ |
| 274 | + Quote: mockQuote, |
| 275 | + }, |
| 276 | + }, |
| 277 | + } |
| 278 | + |
| 279 | + sc := SGXConstraints{ |
| 280 | + Versioned: cbor.NewVersioned(1), |
| 281 | + Enclaves: []sgx.EnclaveIdentity{{}}, |
| 282 | + Policy: "e.Policy{ |
| 283 | + PCS: &pcs.QuotePolicy{}, |
| 284 | + }, |
| 285 | + ComputePolicy: "e.Policy{ |
| 286 | + PCS: &pcs.QuotePolicy{Disabled: true}, |
| 287 | + }, |
| 288 | + } |
| 289 | + |
| 290 | + var nodeID signature.PublicKey |
| 291 | + cfg := &TEEFeatures{SGX: TEEFeaturesSGX{PCS: true}} |
| 292 | + |
| 293 | + err = sa.Verify(cfg, time.Now(), 0, &sc, rak, nil, nodeID, true) |
| 294 | + require.Error(err, "attestation should be rejected when compute policy is used") |
| 295 | + require.ErrorContains(err, "PCS quotes are disabled by policy") |
| 296 | + |
| 297 | + err = sa.Verify(cfg, time.Now(), 0, &sc, rak, nil, nodeID, false) |
| 298 | + require.NoError(err, "attestation should pass when falling back to default policy") |
| 299 | +} |
| 300 | + |
251 | 301 | func FuzzSGXConstraints(f *testing.F) { |
252 | 302 | // Add some V0 constraints. |
253 | 303 | raw, err := os.ReadFile("testdata/sgx_constraints_v0.bin") |
|
0 commit comments