Add SgxIdentityExpectation and auxillary messages

This commit adds the `SgxIdentityExpectation`, `SgxIdentityMatchSpec`, and `SgxMachineConfigurationMatchSpec` messages, intended to closely resemble `CodeIdentityExpectation` and related messages. The reasoning behind mirroring the hierarchy found in the `CodeIdentity` messages (ie. introducing `SgxIdentityMatchSpec` which consists solely of the composition of the two children match specs, rather than just adding them as two additional fields to `SgxIdentityExpectation`) is because the `code_identity_util` API currently contains methods that operate on "match spec"-level messages; therefore, it makes the most sense to maintain this parity, since `SgxIdentity` is intended to eventually replace existing instances of `CodeIdentity`. PiperOrigin-RevId: 263855701 Change-Id: I156a95fb86043925a003fc479e128b9a83cc1d23
google · Aug 16, 2019 · 0f65286 · 0f65286
1 parent f9a6049
commit 0f65286
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/asylo/identity/sgx/sgx_identity.proto b/asylo/identity/sgx/sgx_identity.proto
@@ -26,10 +26,32 @@ message SgxMachineConfiguration {
   optional sgx.CpuSvn cpu_svn = 1;
 }
 
+// Specification of which fields from SgxMachineConfiguration to match.
+message SgxMachineConfigurationMatchSpec {
+  // Flag indicating whether to perform a match on |cpu_svn|.
+  optional bool is_cpu_svn_match_required = 1;
+}
+
 // A high-level representation of the identity of an SGX enclave, which includes
 // the properties of its code identity (sgx.CodeIdentity) and the security-
 // relevant properties of its execution environment (SgxMachineConfiguration).
 message SgxIdentity {
   optional sgx.CodeIdentity code_identity = 1;
   optional SgxMachineConfiguration machine_configuration = 2;
 }
+
+// Specification of which fields from SgxIdentity to match.
+message SgxIdentityMatchSpec {
+  optional sgx.CodeIdentityMatchSpec code_identity_match_spec = 1;
+  optional SgxMachineConfigurationMatchSpec machine_configuration_match_spec =
+      2;
+}
+
+// A verifier's expectation on an SgxIdentity.
+message SgxIdentityExpectation {
+  // Reference identity matched against the target identity per `match_spec`.
+  optional SgxIdentity reference_identity = 1;
+
+  // Specification of which fields from enclave identity to match.
+  optional SgxIdentityMatchSpec match_spec = 2;
+}