Allow TCBlevels to be set from manifest file

edgelesssys · Jan 5, 2023 · 6335f3d · 6335f3d
1 parent eff75a5
commit 6335f3d
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 6 deletions.
diff --git a/coordinator/clientapi/clientapi.go b/coordinator/clientapi/clientapi.go
@@ -493,11 +493,12 @@ func (a *ClientAPI) UpdateManifest(rawUpdateManifest []byte, updater *user.User)
 		if currentPackages[pkgName].SecurityVersion == nil {
 			currentPkg := currentPackages[pkgName]
 			currentPackages[pkgName] = quote.PackageProperties{
-				Debug:           currentPkg.Debug,
-				UniqueID:        currentPkg.UniqueID,
-				SecurityVersion: pkg.SecurityVersion,
-				ProductID:       currentPkg.ProductID,
-				SignerID:        currentPkg.SignerID,
+				Debug:             currentPkg.Debug,
+				UniqueID:          currentPkg.UniqueID,
+				SecurityVersion:   pkg.SecurityVersion,
+				ProductID:         currentPkg.ProductID,
+				SignerID:          currentPkg.SignerID,
+				AcceptedTCBLevels: currentPkg.AcceptedTCBLevels,
 			}
 		} else {
 			*currentPackages[pkgName].SecurityVersion = *pkg.SecurityVersion

diff --git a/coordinator/quote/ert.go b/coordinator/quote/ert.go
@@ -26,6 +26,8 @@ type PackageProperties struct {
 	ProductID *uint64
 	// Security version number of the package.
 	SecurityVersion *uint
+	// Accepted TCB levels
+	AcceptedTCBLevels []string
 }
 
 // InfrastructureProperties contains the infrastructure-specific properties of a SGX DCAP quote.

diff --git a/coordinator/quote/ertvalidator/ertvalidator.go b/coordinator/quote/ertvalidator/ertvalidator.go
@@ -11,9 +11,12 @@ import (
 	"crypto/sha256"
 	"encoding/binary"
 	"encoding/hex"
+	"errors"
 	"fmt"
 
+	"github.com/edgelesssys/ego/attestation"
 	"github.com/edgelesssys/ego/enclave"
+	"github.com/edgelesssys/era/util"
 	"github.com/edgelesssys/marblerun/coordinator/quote"
 )
 
@@ -30,7 +33,11 @@ func (m *ERTValidator) Validate(givenQuote []byte, cert []byte, pp quote.Package
 	// Verify Quote
 	report, err := enclave.VerifyRemoteReport(givenQuote)
 	if err != nil {
-		return fmt.Errorf("verifying quote failed: %v", err)
+		if errors.Is(err, attestation.ErrTCBLevelInvalid) && util.StringSliceContains(pp.AcceptedTCBLevels, report.TCBStatus.String()) {
+			fmt.Println("Warning: TCB level invalid, but accepted by configuration")
+		} else {
+			return fmt.Errorf("verifying quote failed: %v", err)
+		}
 	}
 
 	// Check that cert is equal