Merge pull request #5578 from oasisprotocol/kostko/feature/pcs-update…

…-early sgx: Support early updates for ECDSA TCB infos
oasisprotocol · Feb 28, 2024 · 0a0529d · 0a0529d
2 parents 8a75487 + ea412e2
commit 0a0529d
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 11 deletions.
diff --git a/.changelog/5578.feature.md b/.changelog/5578.feature.md
@@ -0,0 +1 @@
+sgx: Support early updates for ECDSA TCB infos
diff --git a/go/common/sgx/pcs/http.go b/go/common/sgx/pcs/http.go
@@ -88,15 +88,14 @@ func (hc *httpClient) getUrl(p string) *url.URL { // nolint: revive
 	return &u
 }
 
-func (hc *httpClient) GetTCBBundle(ctx context.Context, fmspc []byte) (*TCBBundle, error) {
-	// TODO: Cache based on FMSPC, with TTL that is less than expiration time.
-
+func (hc *httpClient) GetTCBBundle(ctx context.Context, fmspc []byte, update UpdateType) (*TCBBundle, error) {
 	var tcbBundle TCBBundle
 
 	// First fetch TCB info.
 	u := hc.getUrl(pcsAPIGetTCBInfoPath)
 	q := u.Query()
 	q.Set("fmspc", hex.EncodeToString(fmspc))
+	q.Set("update", string(update))
 	u.RawQuery = q.Encode()
 	rsp, err := hc.doPCSRequest(ctx, u, http.MethodGet, "", nil, false)
 	if err != nil {
@@ -120,6 +119,9 @@ func (hc *httpClient) GetTCBBundle(ctx context.Context, fmspc []byte) (*TCBBundl
 
 	// Then fetch QE identity.
 	u = hc.getUrl(pcsAPIGetQEIdentityPath)
+	q = u.Query()
+	q.Set("update", string(update))
+	u.RawQuery = q.Encode()
 	rsp, err = hc.doPCSRequest(ctx, u, http.MethodGet, "", nil, false)
 	if err != nil {
 		return nil, fmt.Errorf("pcs: QE identity request failed: %w", err)

diff --git a/go/common/sgx/pcs/mock.go b/go/common/sgx/pcs/mock.go
diff --git a/go/common/sgx/pcs/pcs.go b/go/common/sgx/pcs/pcs.go
@@ -14,10 +14,22 @@ var (
 	mrSignerBlacklist = make(map[sgx.MrSigner]bool)
 )
 
+// UpdateType is the type of update to TCB info.
+type UpdateType string
+
+const (
+	// UpdateStandard indicates standard access to updated TCB Info provided as part of a TCB
+	// recovery event.
+	UpdateStandard UpdateType = "standard"
+	// UpdateEarly indicates an early access to updated TCB Info provided as part of a TCB recovery
+	// event.
+	UpdateEarly UpdateType = "early"
+)
+
 // Client is an Intel SGX PCS client interface.
 type Client interface {
 	// GetTCBBundle retrieves the signed TCB artifacts needed to verify a quote.
-	GetTCBBundle(ctx context.Context, fmspc []byte) (*TCBBundle, error)
+	GetTCBBundle(ctx context.Context, fmspc []byte, update UpdateType) (*TCBBundle, error)
 
 	// GetPCKCertificateChain retrieves the PCK certificate chain for the given platform data or PPID.
 	//

diff --git a/go/runtime/host/sgx/ecdsa.go b/go/runtime/host/sgx/ecdsa.go
@@ -144,14 +144,15 @@ func (ec *teeStateECDSA) Update(ctx context.Context, sp *sgxProvisioner, conn pr
 	// also do their own verification).
 	// Check bundles in order: fresh first, then cached, then try downloading again if there was
 	// no scheduled refresh this time.
-	tcbBundle, err := func() (*pcs.TCBBundle, error) {
+	getTcbBundle := func(update pcs.UpdateType) (*pcs.TCBBundle, error) {
 		var fresh *pcs.TCBBundle
 
 		cached, refresh := ec.tcbCache.check(pckInfo.FMSPC)
 		if refresh {
-			if fresh, err = sp.pcs.GetTCBBundle(ctx, pckInfo.FMSPC); err != nil {
+			if fresh, err = sp.pcs.GetTCBBundle(ctx, pckInfo.FMSPC, update); err != nil {
 				sp.logger.Warn("error downloading TCB refresh",
 					"err", err,
+					"update", update,
 				)
 			}
 			if err = ec.verifyBundle(quote, quotePolicy, fresh, sp, "fresh"); err == nil {
@@ -160,6 +161,7 @@ func (ec *teeStateECDSA) Update(ctx context.Context, sp *sgxProvisioner, conn pr
 			}
 			sp.logger.Warn("error verifying downloaded TCB refresh",
 				"err", err,
+				"update", update,
 			)
 		}
 
@@ -169,13 +171,18 @@ func (ec *teeStateECDSA) Update(ctx context.Context, sp *sgxProvisioner, conn pr
 
 		// If downloaded already, don't try again but just return the last error.
 		if refresh {
+			sp.logger.Warn("error verifying cached TCB",
+				"err", err,
+				"update", update,
+			)
 			return nil, fmt.Errorf("both fresh and cached TCB bundles failed verification, cached error: %w", err)
 		}
 
 		// If not downloaded yet this time round, try forcing. Any errors are fatal.
-		if fresh, err = sp.pcs.GetTCBBundle(ctx, pckInfo.FMSPC); err != nil {
+		if fresh, err = sp.pcs.GetTCBBundle(ctx, pckInfo.FMSPC, update); err != nil {
 			sp.logger.Warn("error downloading TCB",
 				"err", err,
+				"update", update,
 			)
 			return nil, err
 		}
@@ -184,7 +191,13 @@ func (ec *teeStateECDSA) Update(ctx context.Context, sp *sgxProvisioner, conn pr
 		}
 		ec.tcbCache.cache(fresh, pckInfo.FMSPC)
 		return fresh, nil
-	}()
+	}
+	var tcbBundle *pcs.TCBBundle
+	for _, update := range []pcs.UpdateType{pcs.UpdateStandard, pcs.UpdateEarly} {
+		if tcbBundle, err = getTcbBundle(update); err == nil {
+			break
+		}
+	}
 	if err != nil {
 		return nil, err
 	}