Harden SGX-mode registration

* Handle missing SGX verification status CONFIGURATION_AND_SW_HARDENING_NEEDED * Honor PDO_LOG_LEVEL in registration script Signed-off-by: Michael Steiner <[email protected]>
hyperledger-labs · Mar 15, 2024 · 4c560fc · 4c560fc
1 parent 35b267a
commit 4c560fc
Show file tree

Hide file tree

Showing 5 changed files with 9 additions and 4 deletions.
diff --git a/eservice/bin/register-with-ledger.sh b/eservice/bin/register-with-ledger.sh
@@ -70,7 +70,7 @@ function Store {
     try eservice-enclave-info \
         --spid ${SPID} \
         --save ${eservice_enclave_info_file} \
-        --loglevel warn \
+        --loglevel ${PDO_LOG_LEVEL} \
         --identity ${ESERVICE_IDENTITY} \
         --config ${ESERVICE_TOML} ${ENCLAVE_TOML} \
         --config-dir ${ETCDIR}

diff --git a/eservice/pdo/eservice/pdo_enclave.py b/eservice/pdo/eservice/pdo_enclave.py
@@ -303,6 +303,8 @@ def create_signup_info(originator_public_key_hash, nonce):
                 logger.warning("Quote has GROUP_OUT_OF_DATE status (update your BIOS/microcode!!!) keep going")
             elif _ias.last_verification_error() == "SW_HARDENING_NEEDED":
                 logger.warning("Quote has SW_HARDENING_NEEDED status (update your platform!!!) keep going")
+            elif _ias.last_verification_error() == "CONFIGURATION_AND_SW_HARDENING_NEEDED":
+                logger.warning("Quote has CONFIGURATION_AND_SW_HARDENING_NEEDED status (update your platform!!!) keep going")
             else:
                 logger.error("invalid report fields")
                 return None

diff --git a/ledgers/ccf/transaction_processor/pdo_tp.cpp b/ledgers/ccf/transaction_processor/pdo_tp.cpp
@@ -293,8 +293,10 @@ namespace ccfapp
                 // Verify the verification report enclave quote status
                 transform(verification_report.isvEnclaveQuoteStatus.begin(), verification_report.isvEnclaveQuoteStatus.end(),
                     verification_report.isvEnclaveQuoteStatus.begin(), ::toupper);
-                if ((verification_report.isvEnclaveQuoteStatus != OK_QUOTE_STATUS) && (verification_report.isvEnclaveQuoteStatus != GROUP_OUT_OF_DATE_QUOTE_STATUS) &&
-                     (verification_report.isvEnclaveQuoteStatus != SW_HARDENING_NEEDED_QUOTE_STATUS))  {
+                if ((verification_report.isvEnclaveQuoteStatus != OK_QUOTE_STATUS) && 
+                    (verification_report.isvEnclaveQuoteStatus != GROUP_OUT_OF_DATE_QUOTE_STATUS) &&
+                    (verification_report.isvEnclaveQuoteStatus != SW_HARDENING_NEEDED_QUOTE_STATUS) && 
+                    (verification_report.isvEnclaveQuoteStatus != CONFIGURATION_AND_SW_HARDENING_NEEDED_QUOTE_STATUS))  {
                     return ccf::make_error(
                         HTTP_STATUS_BAD_REQUEST, ccf::errors::InvalidInput, "Enclave attestation report verification Failed. Invalid quote status");
                 }

diff --git a/ledgers/ccf/transaction_processor/pdo_tp.h b/ledgers/ccf/transaction_processor/pdo_tp.h
@@ -61,6 +61,7 @@ namespace ccfapp
     const string OK_QUOTE_STATUS{"OK"};
     const string GROUP_OUT_OF_DATE_QUOTE_STATUS{"GROUP_OUT_OF_DATE"};
     const string SW_HARDENING_NEEDED_QUOTE_STATUS{"SW_HARDENING_NEEDED"};
+    const string CONFIGURATION_AND_SW_HARDENING_NEEDED_QUOTE_STATUS{"CONFIGURATION_AND_SW_HARDENING_NEEDED"};
     const int BASENAME_SIZE{32};
     const int ORIGINATOR_KEY_HASH_SIZE{64};
 

diff --git a/pservice/lib/libpdo_enclave/secret_enclave.cpp b/pservice/lib/libpdo_enclave/secret_enclave.cpp
@@ -613,7 +613,7 @@ pdo_err_t VerifyEnclaveInfo(const std::string& enclaveInfo,
     int r;
     // verify quote (group-of-date is considered ok)
     r = verify_enclave_quote_status(verificationReport.c_str(), verificationReport.length(),
-            QSF_ACCEPT_GROUP_OUT_OF_DATE | QSF_ACCEPT_SW_HARDENING_NEEDED);
+            QSF_ACCEPT_GROUP_OUT_OF_DATE | QSF_ACCEPT_SW_HARDENING_NEEDED | QSF_ACCEPT_CONFIGURATION_AND_SW_HARDENING_NEEDED);
     pdo::error::ThrowIf<pdo::error::ValueError>(
         r!=VERIFY_SUCCESS, "Invalid Enclave Quote");