
Commit 70b93b0

author
vlad
committed
on-chain machine-id WIP(2)
1 parent c687921 commit 70b93b0


1 file changed

+61
-1
lines changed


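--- a/cosmwasm/enclaves/execute/src/registration/offchain.rs
+++ b/cosmwasm/enclaves/execute/src/registration/offchain.rs
@@ -720,6 +720,54 @@ fn calculate_machine_id_evidence(machine_id: &[u8]) -> [u8; HASH_SIZE] {
 ret
 }
 
+fn is_msg_machine_id(msg_in_block: &[u8], machine_id: &[u8]) -> bool {
+trace!("*** block msg: {:?}", hex::encode(msg_in_block));
+
+// we expect a message of the form:
+// 0a 2d (addr, len=45 bytes) 100f1a14 (machine_id 20 bytes)
+
+if msg_in_block.len() != 71 {
+trace!("len mismatch: {}", msg_in_block.len());
+return false;
+}
+
+if &msg_in_block[0..2] != [0x0a, 0x2d].as_slice() {
+trace!("wrong sub1");
+return false;
+}
+
+if &msg_in_block[47..51] != [0x10, 0x0f, 0x1a, 0x14].as_slice() {
+trace!("wrong sub2");
+return false;
+}
+
+if &msg_in_block[51..71] != machine_id {
+trace!("wrong mrenclave");
+return false;
+}
+
+true
+}
+
+#[cfg(feature = "light-client-validation")]
+fn check_machine_id_in_block(msg_slice: &[u8]) -> bool {
+let mut verified_msgs = VERIFIED_BLOCK_MESSAGES.lock().unwrap();
+
+while verified_msgs.remaining() > 0 {
+if let Some(verified_msg) = verified_msgs.get_next() {
+if is_msg_machine_id(&verified_msg, msg_slice) {
+return true;
+}
+}
+}
+false
+}
+
+#[cfg(not(feature = "light-client-validation"))]
+fn check_machine_id_in_block(_msg_slice: &[u8]) -> bool {
+true
+}
+
 #[no_mangle]
 pub unsafe extern "C" fn ecall_onchain_approve_machine_id(
 p_id: *const u8,
@@ -739,11 +787,17 @@ pub unsafe extern "C" fn ecall_onchain_approve_machine_id(
 let proof = calculate_machine_id_evidence(machine_id);
 
 if is_on_chain {
+if !check_machine_id_in_block(machine_id) {
+error!("machine ID not approved");
+return sgx_types::sgx_status_t::SGX_ERROR_UNEXPECTED;
+}
+
 // TODO: ensure message was in the signed block
 slice::from_raw_parts_mut(p_proof, HASH_SIZE).copy_from_slice(&proof);
 } else {
 // compare
 if proof != slice::from_raw_parts(p_proof, HASH_SIZE) {
+error!("machine ID not approved earlier");
 return sgx_types::sgx_status_t::SGX_ERROR_UNEXPECTED;
 }
 }
@@ -752,7 +806,13 @@ pub unsafe extern "C" fn ecall_onchain_approve_machine_id(
 let mut set = crate::registration::attestation::PPID_WHITELIST
 .lock()
 .unwrap();
-set.insert(machine_id.try_into().unwrap());
+
+let arg: &[u8; 20] = machine_id.try_into().unwrap();
+
+if !set.contains(arg) {
+println!("Onchain added machine ID: {}", hex::encode(arg));
+set.insert(*arg);
+}
 }
 
 sgx_types::sgx_status_t::SGX_SUCCESS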
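Review bot: The `#[cfg(not(feature = "light-client-validation"))]` variant of `check_machine_id_in_block` returns `true` unconditionally, so a build without that feature passes the new `is_on_chain` guard in `ecall_onchain_approve_machine_id` for any machine ID and, as far as the visible hunks show, goes on to write the proof and reach the `PPID_WHITELIST` insert. If that is meant only for non-production builds, say so at the stub, e.g. `// SECURITY: no block verification without light-client-validation; every machine ID is accepted`, or fail closed by returning `false` there. In `is_msg_machine_id` the 45 address bytes at `[2..47]` are never compared, so the match does not bind the approval to a sender; whether the signer is checked elsewhere is not visible here and is worth confirming. The `trace!("wrong mrenclave")` label is misleading because the compared value is the machine ID, and the `// TODO: ensure message was in the signed block` comment looks stale now that this check exists. The body of `ecall_onchain_approve_machine_id` starts and ends outside the hunks.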
