Changes to Fix Ledger APIs used to set Contract Enclave atttestation …

…policy. Changes to address Review Comments have been squashed into the same commit. (#467) Signed-off-by: Prakash Narayana Moorthy <[email protected]>
hyperledger-labs · Feb 26, 2024 · 955e2b7 · 955e2b7
1 parent 0085dab
commit 955e2b7
Show file tree

Hide file tree

Showing 10 changed files with 271 additions and 135 deletions.
diff --git a/eservice/bin/register-with-ledger.sh b/eservice/bin/register-with-ledger.sh
@@ -88,8 +88,10 @@ function Register {
         : "PDO_IAS_KEY_PEM" "${PDO_IAS_KEY_PEM:?Registration failed! PDO_IAS_KEY_PEM environment variable not set}"
 
         if [ ${PDO_LEDGER_TYPE} == "ccf" ]; then
-            try ${SRCDIR}/ledgers/ccf/scripts/register_enclave_attestation_verification_policy.py --logfile __screen__ --loglevel INFO \
-                --check_attestation --mrenclave ${VAR_MRENCLAVE} --basename  ${VAR_BASENAME} --ias-public-key "$(cat $PDO_IAS_KEY_PEM)"
+            source ${PDO_INSTALL_ROOT}/bin/activate
+            try ${PDO_INSTALL_ROOT}/bin/ccf_set_expected_sgx_measurements \
+                --logfile __screen__ --loglevel INFO --mrenclave ${VAR_MRENCLAVE} \
+                --basename  ${VAR_BASENAME} --ias-public-key "$(cat $PDO_IAS_KEY_PEM)"
         else
             die unsupported ledger ${PDO_LEDGER_TYPE}
         fi

diff --git a/ledgers/ccf/MANIFEST b/ledgers/ccf/MANIFEST
@@ -7,6 +7,7 @@ pdo/ledgers/ccf/common.py
 pdo/ledgers/ccf/scripts/__init__.py
 pdo/ledgers/ccf/scripts/fetch_ledger_authority.py
 pdo/ledgers/ccf/scripts/ping_test.py
-pdo/ledgers/ccf/scripts/register_enclave_attestation_verification_policy.py
+pdo/ledgers/ccf/scripts/set_attestation_check_flag.py
+pdo/ledgers/ccf/scripts/set_expected_sgx_measurements.py
 pdo/ledgers/ccf/scripts/generate_ledger_authority.py
 pdo/ledgers/ccf/scripts/configure_ccf_network.py
diff --git a/ledgers/ccf/pdo/ledgers/ccf/scripts/register_enclave_attestation_verification_policy.py b/ledgers/ccf/pdo/ledgers/ccf/scripts/register_enclave_attestation_verification_policy.py
diff --git a/ledgers/ccf/pdo/ledgers/ccf/scripts/set_attestation_check_flag.py b/ledgers/ccf/pdo/ledgers/ccf/scripts/set_attestation_check_flag.py
@@ -0,0 +1,67 @@
+#!/usr/bin/env python
+
+# Copyright 2023 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import argparse
+import http
+import sys
+
+from loguru import logger as LOG
+
+from pdo.ledgers.ccf.common import parse_common_arguments
+
+
+# -----------------------------------------------------------------
+def set_contract_enclave_check_attestation_flag(client, options):
+
+    params = {}
+    params['check_attestation'] = options.attestation
+
+    r = client.post("/app/set_contract_enclave_check_attestatation_flag", params)
+    if r.status_code != http.HTTPStatus.OK.value:
+        LOG.error('failed to set contract enclave check-attestation flag: {}, code: {}'.format(
+            r.body, r.status_code))
+        sys.exit(-1)
+
+# -----------------------------------------------------------------
+def Main() :
+
+    (_, unprocessed_args, member_client) = parse_common_arguments(
+        sys.argv[1:], 'Set contract enclave attestation check flag', True)
+
+    # Parse the arguments that are unique to the script
+    parser = argparse.ArgumentParser(description='Set contract enclave attestation check flag')
+    check_attestation_group = parser.add_mutually_exclusive_group(required=True)
+    check_attestation_group.add_argument('--attestation', dest='attestation', 
+                                         help="enable attestation verification", action='store_true')
+    check_attestation_group.add_argument('--no-attestation', dest='attestation', 
+                                         help="disable attestation verification", action='store_false')
+    local_options = parser.parse_args(unprocessed_args)
+
+    # -----------------------------------------------------------------
+    try :
+
+        set_contract_enclave_check_attestation_flag(member_client, local_options)
+    except Exception as e:
+        while e.__context__ : e = e.__context__
+        LOG.error('failed to set contract enclave attestation check flag: {}', str(e))
+        sys.exit(-1)
+
+    LOG.info('successfully set contract enclave check-attestation flag ')
+    sys.exit(0)
+
+# -----------------------------------------------------------------
+# -----------------------------------------------------------------
+Main()
diff --git a/ledgers/ccf/pdo/ledgers/ccf/scripts/set_expected_sgx_measurements.py b/ledgers/ccf/pdo/ledgers/ccf/scripts/set_expected_sgx_measurements.py
@@ -0,0 +1,74 @@
+#!/usr/bin/env python
+
+# Copyright 2023 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import argparse
+import http
+import sys
+
+from loguru import logger as LOG
+
+from pdo.ledgers.ccf.common import parse_common_arguments
+
+
+# -----------------------------------------------------------------
+def set_contract_enclave_expected_sgx_measurements(client, options):
+
+    params = {}
+    params['mrenclave'] = options.mrenclave
+    params['basename'] = options.basename
+    params['ias_public_key'] = options.ias_public_key
+
+    r = client.post("/app/set_contract_enclave_expected_sgx_measurements", params)
+    if r.status_code != http.HTTPStatus.OK.value:
+        LOG.error('failed to set contract enclave expected sgx measurements: {}, code: {}'.format(
+            r.body, r.status_code))
+        sys.exit(-1)
+
+# -----------------------------------------------------------------
+def Main() :
+
+    (_, unprocessed_args, member_client) = parse_common_arguments(
+        sys.argv[1:], 'Set contract enclave expected sgx measurements', True)
+
+    # Parse the arguments that are unique to the script
+
+    parser = argparse.ArgumentParser(description='Set contract enclave expected sgx measurements')
+    parser.add_argument('--mrenclave', help="Expected MRENCLAVE of pdo enclaves", type=str)
+    parser.add_argument('--basename', help="PDO enclave basename", type=str)
+    parser.add_argument('--ias-public-key', 
+                        help="IAS public key derived from cert used to verify report signatures", type=str)
+
+    local_options = parser.parse_args(unprocessed_args)
+
+    if (not local_options.mrenclave) or (not local_options.basename) or (not local_options.ias_public_key):
+        parser.print_help()
+        sys.exit(-1)
+
+
+     # -----------------------------------------------------------------
+    try :
+        set_contract_enclave_expected_sgx_measurements(member_client, local_options)
+    except Exception as e:
+        while e.__context__ : e = e.__context__
+        LOG.error('failed to set contract enclave expected sgx measurements: {}', str(e))
+        sys.exit(-1)
+
+    LOG.info('successfully set contract enclave expected sgx measurements')
+    sys.exit(0)
+
+# -----------------------------------------------------------------
+# -----------------------------------------------------------------
+Main()
diff --git a/ledgers/ccf/scripts/start_ccf_network.sh b/ledgers/ccf/scripts/start_ccf_network.sh
@@ -152,10 +152,15 @@ try ${F_CCF_PDO_DIR}/bin/ccf_generate_ledger_authority \
 # enclave is built.
 
 if [ "${SGX_MODE}" == "SIM" ]; then
-    say set check_attestation to false in SGX SIM mode
-    try ${F_CCF_PDO_DIR}/bin/ccf_register_enclave_policy \
+    say setting check_attestation to false in SGX SIM mode
+    try ${F_CCF_PDO_DIR}/bin/ccf_set_attestation_check_flag \
         --logfile __screen__ --loglevel WARNING \
-        --interface ${F_INTERFACE_ADDRESS} --port ${F_PORT}
+        --interface ${F_INTERFACE_ADDRESS} --port ${F_PORT} --no-attestation
+else
+    say setting check_attestation to true
+    try ${F_CCF_PDO_DIR}/bin/ccf_set_attestation_check_flag \
+        --logfile __screen__ --loglevel WARNING \
+        --interface ${F_INTERFACE_ADDRESS} --port ${F_PORT} --attestation
 fi
 
 say save the ledger authority key

diff --git a/ledgers/ccf/setup.py b/ledgers/ccf/setup.py
@@ -71,7 +71,8 @@
             'ccf_ping_test=pdo.ledgers.ccf.scripts.ping_test:Main',
             'ccf_generate_ledger_authority=pdo.ledgers.ccf.scripts.generate_ledger_authority:Main',
             'ccf_fetch_ledger_authority=pdo.ledgers.ccf.scripts.fetch_ledger_authority:Main',
-            'ccf_register_enclave_policy=pdo.ledgers.ccf.scripts.register_enclave_attestation_verification_policy:Main',
+            'ccf_set_attestation_check_flag=pdo.ledgers.ccf.scripts.set_attestation_check_flag:Main',
+            'ccf_set_expected_sgx_measurements=pdo.ledgers.ccf.scripts.set_expected_sgx_measurements:Main',
         ]
     }
 )
diff --git a/ledgers/ccf/transaction_processor/enclave_registry.h b/ledgers/ccf/transaction_processor/enclave_registry.h
@@ -19,17 +19,22 @@ using namespace std;
 
 namespace ccf
 {
-
-  struct ContractEnclaveAttestationVerificationPolicy {
+  struct ContractEnclaveAttestionCheckFlag {
     bool check_attestation;
+  };
+
+  DECLARE_JSON_TYPE(ContractEnclaveAttestionCheckFlag);
+  DECLARE_JSON_REQUIRED_FIELDS(ContractEnclaveAttestionCheckFlag,
+    check_attestation);
+
+  struct ContractEnclaveExpectedSGXMeasurements {
     string mrenclave;
     string basename;
     string ias_public_key;
   };
 
-  DECLARE_JSON_TYPE(ContractEnclaveAttestationVerificationPolicy);
-  DECLARE_JSON_REQUIRED_FIELDS(ContractEnclaveAttestationVerificationPolicy,
-    check_attestation,
+  DECLARE_JSON_TYPE(ContractEnclaveExpectedSGXMeasurements);
+  DECLARE_JSON_REQUIRED_FIELDS(ContractEnclaveExpectedSGXMeasurements,
     mrenclave,
     basename,
     ias_public_key);
@@ -118,9 +123,14 @@ namespace ccf
     };
   };
 
-  struct RegisterContractEnclaveAttestationVerificationPolicy {
+  struct RegisterContractEnclaveAttestionCheckFlag {
     struct In {
       bool check_attestation;
+    };
+  };
+
+   struct RegisterContractEnclaveExpectedSGXMeasurements {
+    struct In {
       string mrenclave;
       string basename;
       string ias_public_key;
@@ -138,7 +148,10 @@ namespace ccf
   DECLARE_JSON_REQUIRED_FIELDS(Verify_enclave::Out, verifying_key, encryption_key, proof_data, last_registration_block_context, \
     owner_id, signature);
 
-  DECLARE_JSON_TYPE(RegisterContractEnclaveAttestationVerificationPolicy::In);
-  DECLARE_JSON_REQUIRED_FIELDS(RegisterContractEnclaveAttestationVerificationPolicy::In, check_attestation, mrenclave, basename, ias_public_key);
+  DECLARE_JSON_TYPE(RegisterContractEnclaveAttestionCheckFlag::In);
+  DECLARE_JSON_REQUIRED_FIELDS(RegisterContractEnclaveAttestionCheckFlag::In, check_attestation);
+
+  DECLARE_JSON_TYPE(RegisterContractEnclaveExpectedSGXMeasurements::In);
+  DECLARE_JSON_REQUIRED_FIELDS(RegisterContractEnclaveExpectedSGXMeasurements::In, mrenclave, basename, ias_public_key);
 
 }