Merge pull request #6469 from oasisprotocol/peternose/bugfix/pcesvn

go/common/sgx/pcs/tcb: Fix pcesvn validation

Author: peternose

.changelog/6469.bugfix.md

@@ -0,0 +1 @@
+go/common/sgx/pcs/tcb: Fix pcesvn validation

go/.nancy-ignore

@@ -2,4 +2,4 @@ CVE-2024-34478 # can be ignored as we only use a few crypto libraries from btcd
 CVE-2025-4673 until=2025-07-14  # no mitigation is currently available (2025-06-14)
 CVE-2021-43668 # the vulnerability does not affect us as we don't use LevelDB
 CVE-2025-11065 until=2025-12-01 # the vulnerability does not affect us
-CVE-2026-26014 until=2026-03-01 # requires upstream mitigation
+CVE-2026-26014 until=2026-04-01 # requires upstream mitigation

go/common/sgx/pcs/tcb.go

@@ -466,7 +466,7 @@ func (tl *TCBLevel) matches(sgxCompSvn [16]int32, tdxCompSvn *[16]byte, pcesvn u
 	//    in the TCB Level. If it is greater or equal to the value in TCB Level, read status
 	//    assigned to this TCB level (in case of SGX) or go to c (in case of TDX). Otherwise, move
 	//    to the next item on TCB Levels list.
-	if tl.TCB.PCESVN < pcesvn {
+	if pcesvn < tl.TCB.PCESVN {
 		return false
 	}
 

go/common/sgx/pcs/tcb_test.go

@@ -0,0 +1,95 @@
+package pcs
+
+import "testing"
+
+func TestTCBLevelMatches(t *testing.T) {
+	pcesvn := uint16(10)
+	sgxSvn := [16]int32{0, 2, 4, 6, 8, 10, 12, 14, 16, 18, 20, 22, 24, 26, 28, 30}
+	tdxSvn := [16]byte{1, 3, 5, 7, 9, 11, 13, 15, 17, 19, 21, 23, 25, 27, 29, 31}
+
+	var tl TCBLevel
+	tl.TCB.PCESVN = pcesvn
+	for i := range 16 {
+		tl.TCB.SGXComponents[i].SVN = sgxSvn[i]
+		tl.TCB.TDXComponents[i].SVN = int32(tdxSvn[i])
+	}
+
+	tcs := []struct {
+		name    string
+		pcesvn  uint16
+		sgxSvn  [16]int32
+		tdxSvn  *[16]byte
+		matches bool
+		msg     string
+	}{
+		{
+			name:    "same values",
+			pcesvn:  pcesvn,
+			sgxSvn:  sgxSvn,
+			tdxSvn:  &tdxSvn,
+			matches: true,
+		},
+		{
+			name:    "higher pcesvn",
+			pcesvn:  pcesvn + 1,
+			sgxSvn:  sgxSvn,
+			tdxSvn:  &tdxSvn,
+			matches: true,
+		},
+		{
+			name:    "lower pcesvn",
+			pcesvn:  pcesvn - 1,
+			sgxSvn:  sgxSvn,
+			tdxSvn:  &tdxSvn,
+			matches: false,
+		},
+		{
+			name:    "higher sgx svn",
+			pcesvn:  pcesvn,
+			sgxSvn:  func() [16]int32 { ss := sgxSvn; ss[5] += 1; return ss }(),
+			tdxSvn:  &tdxSvn,
+			matches: true,
+		},
+		{
+			name:    "lower sgx svn",
+			pcesvn:  pcesvn,
+			sgxSvn:  func() [16]int32 { ss := sgxSvn; ss[5] -= 1; return ss }(),
+			tdxSvn:  &tdxSvn,
+			matches: false,
+		},
+		{
+			name:    "higher tdx svn",
+			pcesvn:  pcesvn,
+			sgxSvn:  sgxSvn,
+			tdxSvn:  func() *[16]byte { ts := tdxSvn; ts[5] += 1; return &ts }(),
+			matches: true,
+		},
+		{
+			name:    "lower tdx svn",
+			pcesvn:  pcesvn,
+			sgxSvn:  sgxSvn,
+			tdxSvn:  func() *[16]byte { ts := tdxSvn; ts[5] -= 1; return &ts }(),
+			matches: false,
+		},
+		{
+			name:    "no tdx svn",
+			pcesvn:  pcesvn,
+			sgxSvn:  sgxSvn,
+			tdxSvn:  nil,
+			matches: true,
+		},
+	}
+
+	for _, tc := range tcs {
+		t.Run(tc.name, func(t *testing.T) {
+			if tl.matches(tc.sgxSvn, tc.tdxSvn, tc.pcesvn) != tc.matches {
+				switch tc.matches {
+				case true:
+					t.Errorf("tcb level should match")
+				case false:
+					t.Errorf("tcb level should not match")
+				}
+			}
+		})
+	}
+}

runtime/src/common/sgx/pcs/tcb.rs

@@ -370,7 +370,7 @@ impl TCBLevel {
         //    in the TCB Level. If it is greater or equal to the value in TCB Level, read status
         //    assigned to this TCB level (in case of SGX) or go to c (in case of TDX). Otherwise,
         //    move to the next item on TCB Levels list.
-        if self.tcb.pcesvn < pcesvn {
+        if pcesvn < self.tcb.pcesvn {
             return false;
         }
 
@@ -694,3 +694,115 @@ pub struct EnclaveTCBVersions {
     #[serde(rename = "isvsvn")]
     pub isv_svn: u16,
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_tcb_level_matches() {
+        let pcesvn: u32 = 10;
+        let sgx_svn: [u32; 16] = [0, 2, 4, 6, 8, 10, 12, 14, 16, 18, 20, 22, 24, 26, 28, 30];
+        let tdx_svn: [u32; 16] = [1, 3, 5, 7, 9, 11, 13, 15, 17, 19, 21, 23, 25, 27, 29, 31];
+
+        let mut tl = TCBLevel::default();
+        tl.tcb.pcesvn = pcesvn;
+
+        for i in 0..16 {
+            tl.tcb.sgx_components[i].svn = sgx_svn[i];
+            tl.tcb.tdx_components[i].svn = tdx_svn[i];
+        }
+
+        struct TestCase {
+            name: &'static str,
+            pcesvn: u32,
+            sgx_svn: [u32; 16],
+            tdx_svn: Option<[u32; 16]>,
+            matches: bool,
+        }
+
+        let tcs = vec![
+            TestCase {
+                name: "same values",
+                pcesvn,
+                sgx_svn,
+                tdx_svn: Some(tdx_svn),
+                matches: true,
+            },
+            TestCase {
+                name: "higher pcesvn",
+                pcesvn: pcesvn + 1,
+                sgx_svn,
+                tdx_svn: Some(tdx_svn),
+                matches: true,
+            },
+            TestCase {
+                name: "lower pcesvn",
+                pcesvn: pcesvn - 1,
+                sgx_svn,
+                tdx_svn: Some(tdx_svn),
+                matches: false,
+            },
+            TestCase {
+                name: "higher sgx svn",
+                pcesvn,
+                sgx_svn: {
+                    let mut ss = sgx_svn;
+                    ss[5] += 1;
+                    ss
+                },
+                tdx_svn: Some(tdx_svn),
+                matches: true,
+            },
+            TestCase {
+                name: "lower sgx svn",
+                pcesvn,
+                sgx_svn: {
+                    let mut ss = sgx_svn;
+                    ss[5] -= 1;
+                    ss
+                },
+                tdx_svn: Some(tdx_svn),
+                matches: false,
+            },
+            TestCase {
+                name: "higher tdx svn",
+                pcesvn,
+                sgx_svn,
+                tdx_svn: {
+                    let mut ts = tdx_svn;
+                    ts[5] += 1;
+                    Some(ts)
+                },
+                matches: true,
+            },
+            TestCase {
+                name: "lower tdx svn",
+                pcesvn,
+                sgx_svn,
+                tdx_svn: {
+                    let mut ts = tdx_svn;
+                    ts[5] -= 1;
+                    Some(ts)
+                },
+                matches: false,
+            },
+            TestCase {
+                name: "no tdx svn",
+                pcesvn,
+                sgx_svn,
+                tdx_svn: None,
+                matches: true,
+            },
+        ];
+
+        for tc in tcs {
+            let result = tl.matches(&tc.sgx_svn, tc.tdx_svn.as_ref(), tc.pcesvn);
+            if tc.matches {
+                assert!(result, "tcb level should match when {}", tc.name);
+            } else {
+                assert!(!result, "tcb level should not match when {}", tc.name);
+            }
+        }
+    }
+}