feat(protocol): make AutomataDcapV3Attestation state variables public…
… and emit events (#17193)

Co-authored-by: dantaik <[email protected]>
Co-authored-by: smtmfft <[email protected]>
Co-authored-by: smtmfft <[email protected]>
4 people authored May 15, 2024
1 parent 2792150 commit 3740dc0
Showing 2 changed files with 58 additions and 45 deletions.
48 changes: 24 additions & 24 deletions packages/protocol/contract_layout.md
Expand Up @@ -402,30 +402,30 @@
| __gap | uint256[48] | 303 | 0 | 1536 | contracts/team/airdrop/ERC20Airdrop.sol:ERC20Airdrop |

## AutomataDcapV3Attestation
| Name | Type | Slot | Offset | Bytes | Contract |
|--------------------------|-------------------------------------------------|------|--------|-------|----------------------------------------------------------------------------------------|
| _initialized | uint8 | 0 | 0 | 1 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| _initializing | bool | 0 | 1 | 1 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| __gap | uint256[50] | 1 | 0 | 1600 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| _owner | address | 51 | 0 | 20 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| __gap | uint256[49] | 52 | 0 | 1568 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| _pendingOwner | address | 101 | 0 | 20 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| __gap | uint256[49] | 102 | 0 | 1568 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| addressManager | address | 151 | 0 | 20 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| __gap | uint256[49] | 152 | 0 | 1568 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| __reentry | uint8 | 201 | 0 | 1 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| __paused | uint8 | 201 | 1 | 1 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| lastUnpausedAt | uint64 | 201 | 2 | 8 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| __gap | uint256[49] | 202 | 0 | 1568 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| sigVerifyLib | contract ISigVerifyLib | 251 | 0 | 20 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| pemCertLib | contract IPEMCertChainLib | 252 | 0 | 20 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| _checkLocalEnclaveReport | bool | 252 | 20 | 1 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| _trustedUserMrEnclave | mapping(bytes32 => bool) | 253 | 0 | 32 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| _trustedUserMrSigner | mapping(bytes32 => bool) | 254 | 0 | 32 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| _serialNumIsRevoked | mapping(uint256 => mapping(bytes => bool)) | 255 | 0 | 32 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| tcbInfo | mapping(string => struct TCBInfoStruct.TCBInfo) | 256 | 0 | 32 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| qeIdentity | struct EnclaveIdStruct.EnclaveId | 257 | 0 | 128 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| __gap | uint256[39] | 261 | 0 | 1248 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| Name | Type | Slot | Offset | Bytes | Contract |
|-------------------------|-------------------------------------------------|------|--------|-------|----------------------------------------------------------------------------------------|
| _initialized | uint8 | 0 | 0 | 1 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| _initializing | bool | 0 | 1 | 1 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| __gap | uint256[50] | 1 | 0 | 1600 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| _owner | address | 51 | 0 | 20 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| __gap | uint256[49] | 52 | 0 | 1568 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| _pendingOwner | address | 101 | 0 | 20 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| __gap | uint256[49] | 102 | 0 | 1568 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| addressManager | address | 151 | 0 | 20 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| __gap | uint256[49] | 152 | 0 | 1568 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| __reentry | uint8 | 201 | 0 | 1 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| __paused | uint8 | 201 | 1 | 1 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| lastUnpausedAt | uint64 | 201 | 2 | 8 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| __gap | uint256[49] | 202 | 0 | 1568 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| sigVerifyLib | contract ISigVerifyLib | 251 | 0 | 20 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| pemCertLib | contract IPEMCertChainLib | 252 | 0 | 20 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| checkLocalEnclaveReport | bool | 252 | 20 | 1 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| trustedUserMrEnclave | mapping(bytes32 => bool) | 253 | 0 | 32 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| trustedUserMrSigner | mapping(bytes32 => bool) | 254 | 0 | 32 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| serialNumIsRevoked | mapping(uint256 => mapping(bytes => bool)) | 255 | 0 | 32 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| tcbInfo | mapping(string => struct TCBInfoStruct.TCBInfo) | 256 | 0 | 32 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| qeIdentity | struct EnclaveIdStruct.EnclaveId | 257 | 0 | 128 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| __gap | uint256[39] | 261 | 0 | 1248 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |

## SgxVerifier
| Name | Type | Slot | Offset | Bytes | Contract |
Expand Up @@ -37,23 +37,31 @@ contract AutomataDcapV3Attestation is IAttestation, EssentialContract {
ISigVerifyLib public sigVerifyLib; // slot 1
IPEMCertChainLib public pemCertLib; // slot 2

bool private _checkLocalEnclaveReport; // slot 3
mapping(bytes32 enclave => bool trusted) private _trustedUserMrEnclave; // slot 4
mapping(bytes32 signer => bool trusted) private _trustedUserMrSigner; // slot 5
bool public checkLocalEnclaveReport; // slot 3
mapping(bytes32 enclave => bool trusted) public trustedUserMrEnclave; // slot 4
mapping(bytes32 signer => bool trusted) public trustedUserMrSigner; // slot 5

// Quote Collateral Configuration

// Index definition:
// 0 = Quote PCKCrl
// 1 = RootCrl
mapping(uint256 idx => mapping(bytes serialNum => bool revoked)) private _serialNumIsRevoked; // slot
mapping(uint256 idx => mapping(bytes serialNum => bool revoked)) public serialNumIsRevoked; // slot
// 6
// fmspc => tcbInfo
mapping(string fmspc => TCBInfoStruct.TCBInfo tcbInfo) public tcbInfo; // slot 7
EnclaveIdStruct.EnclaveId public qeIdentity; // takes 4 slots, slot 8,9,10,11

uint256[39] __gap;

event MrSignerUpdated(bytes32 indexed mrSigner, bool trusted);
event MrEnclaveUpdated(bytes32 indexed mrEnclave, bool trusted);
event TcbInfoJsonConfigured(string indexed fmspc, TCBInfoStruct.TCBInfo tcbInfoInput);
event QeIdentityConfigured(EnclaveIdStruct.EnclaveId qeIdentityInput);
event LocalReportCheckToggled(bool checkLocalEnclaveReport);
event RevokedCertSerialNumAdded(uint256 indexed index, bytes serialNum);
event RevokedCertSerialNumRemoved(uint256 indexed index, bytes serialNum);

// @notice Initializes the contract.
/// @param sigVerifyLibAddr Address of the signature verification library.
/// @param pemCertLibAddr Address of certificate library.
Expand All @@ -71,11 +79,13 @@ contract AutomataDcapV3Attestation is IAttestation, EssentialContract {
}

function setMrSigner(bytes32 _mrSigner, bool _trusted) external onlyOwner {
_trustedUserMrSigner[_mrSigner] = _trusted;
trustedUserMrSigner[_mrSigner] = _trusted;
emit MrSignerUpdated(_mrSigner, _trusted);
}

function setMrEnclave(bytes32 _mrEnclave, bool _trusted) external onlyOwner {
_trustedUserMrEnclave[_mrEnclave] = _trusted;
trustedUserMrEnclave[_mrEnclave] = _trusted;
emit MrEnclaveUpdated(_mrEnclave, _trusted);
}

function addRevokedCertSerialNum(
Expand All @@ -86,10 +96,11 @@ contract AutomataDcapV3Attestation is IAttestation, EssentialContract {
onlyOwner
{
for (uint256 i; i < serialNumBatch.length; ++i) {
if (_serialNumIsRevoked[index][serialNumBatch[i]]) {
if (serialNumIsRevoked[index][serialNumBatch[i]]) {
continue;
}
_serialNumIsRevoked[index][serialNumBatch[i]] = true;
serialNumIsRevoked[index][serialNumBatch[i]] = true;
emit RevokedCertSerialNumAdded(index, serialNumBatch[i]);
}
}

Expand All @@ -101,10 +112,11 @@ contract AutomataDcapV3Attestation is IAttestation, EssentialContract {
onlyOwner
{
for (uint256 i; i < serialNumBatch.length; ++i) {
if (!_serialNumIsRevoked[index][serialNumBatch[i]]) {
if (!serialNumIsRevoked[index][serialNumBatch[i]]) {
continue;
}
delete _serialNumIsRevoked[index][serialNumBatch[i]];
delete serialNumIsRevoked[index][serialNumBatch[i]];
emit RevokedCertSerialNumRemoved(index, serialNumBatch[i]);
}
}

Expand All @@ -117,6 +129,7 @@ contract AutomataDcapV3Attestation is IAttestation, EssentialContract {
{
// 2.2M gas
tcbInfo[fmspc] = tcbInfoInput;
emit TcbInfoJsonConfigured(fmspc, tcbInfoInput);
}

function configureQeIdentityJson(EnclaveIdStruct.EnclaveId calldata qeIdentityInput)
Expand All @@ -125,10 +138,12 @@ contract AutomataDcapV3Attestation is IAttestation, EssentialContract {
{
// 250k gas
qeIdentity = qeIdentityInput;
emit QeIdentityConfigured(qeIdentityInput);
}

function toggleLocalReportCheck() external onlyOwner {
_checkLocalEnclaveReport = !_checkLocalEnclaveReport;
checkLocalEnclaveReport = !checkLocalEnclaveReport;
emit LocalReportCheckToggled(checkLocalEnclaveReport);
}

function _attestationTcbIsValid(TCBInfoStruct.TCBStatus status)
Expand All @@ -144,9 +159,8 @@ contract AutomataDcapV3Attestation is IAttestation, EssentialContract {
|| status == TCBInfoStruct.TCBStatus.TCB_OUT_OF_DATE_CONFIGURATION_NEEDED;
}

function verifyAttestation(bytes calldata data) external view override returns (bool) {
(bool success,) = _verify(data);
return success;
function verifyAttestation(bytes calldata data) external view override returns (bool success) {
(success,) = _verify(data);
}

/// @dev Provide the raw quote binary as input
Expand Down Expand Up @@ -274,11 +288,11 @@ contract AutomataDcapV3Attestation is IAttestation, EssentialContract {
issuer = certs[i + 1];
if (i == n - 2) {
// this cert is expected to be signed by the root
certRevoked = _serialNumIsRevoked[uint256(IPEMCertChainLib.CRL.ROOT)][certs[i]
certRevoked = serialNumIsRevoked[uint256(IPEMCertChainLib.CRL.ROOT)][certs[i]
.serialNumber];
} else if (certs[i].isPck) {
certRevoked = _serialNumIsRevoked[uint256(IPEMCertChainLib.CRL.PCK)][certs[i]
.serialNumber];
certRevoked =
serialNumIsRevoked[uint256(IPEMCertChainLib.CRL.PCK)][certs[i].serialNumber];
}
if (certRevoked) {
break;
Expand Down Expand Up @@ -391,11 +405,10 @@ contract AutomataDcapV3Attestation is IAttestation, EssentialContract {

// Step 2: Verify application enclave report MRENCLAVE and MRSIGNER
{
if (_checkLocalEnclaveReport) {
if (checkLocalEnclaveReport) {
// 4k gas
bool mrEnclaveIsTrusted =
_trustedUserMrEnclave[v3quote.localEnclaveReport.mrEnclave];
bool mrSignerIsTrusted = _trustedUserMrSigner[v3quote.localEnclaveReport.mrSigner];
bool mrEnclaveIsTrusted = trustedUserMrEnclave[v3quote.localEnclaveReport.mrEnclave];
bool mrSignerIsTrusted = trustedUserMrSigner[v3quote.localEnclaveReport.mrSigner];

if (!mrEnclaveIsTrusted || !mrSignerIsTrusted) {
return (false, retData);
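Review bot: In the new event block, `TcbInfoJsonConfigured` declares `string indexed fmspc`, and for a dynamic type the log topic carries only the keccak256 hash of the value, not the string itself. Anyone auditing changes to the TCB collateral from logs can filter for an FMSPC they already know, but cannot read which FMSPC was reconfigured unless `TCBInfoStruct.TCBInfo` itself carries it, which is not visible in this diff. If it does not, I would add a readable copy, e.g. `event TcbInfoJsonConfigured(string indexed fmspcHash, string fmspc, TCBInfoStruct.TCBInfo tcbInfoInput);` with `emit TcbInfoJsonConfigured(fmspc, fmspc, tcbInfoInput);`, or simply drop `indexed`. The signature of `configureTcbInfoJson` and the rest of the contract body lie outside the hunks shown.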
