diff --git a/packages/protocol/contract_layout.md b/packages/protocol/contract_layout.md index d4a822850cb..da91a01b845 100644 --- a/packages/protocol/contract_layout.md +++ b/packages/protocol/contract_layout.md 
@@ -402,30 +402,30 @@ | __gap | uint256[48] | 303 | 0 | 1536 | contracts/team/airdrop/ERC20Airdrop.sol:ERC20Airdrop | ## AutomataDcapV3Attestation -| Name | Type | Slot | Offset | Bytes | Contract | -|--------------------------|-------------------------------------------------|------|--------|-------|----------------------------------------------------------------------------------------| -| _initialized | uint8 | 0 | 0 | 1 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | -| _initializing | bool | 0 | 1 | 1 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | -| __gap | uint256[50] | 1 | 0 | 1600 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | -| _owner | address | 51 | 0 | 20 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | -| __gap | uint256[49] | 52 | 0 | 1568 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | -| _pendingOwner | address | 101 | 0 | 20 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | -| __gap | uint256[49] | 102 | 0 | 1568 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | -| addressManager | address | 151 | 0 | 20 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | -| __gap | uint256[49] | 152 | 0 | 1568 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | -| __reentry | uint8 | 201 | 0 | 1 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | -| __paused | uint8 | 201 | 1 | 1 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | -| lastUnpausedAt | uint64 | 201 | 2 | 8 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | -| __gap | uint256[49] | 202 | 0 | 1568 | 
contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | -| sigVerifyLib | contract ISigVerifyLib | 251 | 0 | 20 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | -| pemCertLib | contract IPEMCertChainLib | 252 | 0 | 20 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | -| _checkLocalEnclaveReport | bool | 252 | 20 | 1 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | -| _trustedUserMrEnclave | mapping(bytes32 => bool) | 253 | 0 | 32 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | -| _trustedUserMrSigner | mapping(bytes32 => bool) | 254 | 0 | 32 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | -| _serialNumIsRevoked | mapping(uint256 => mapping(bytes => bool)) | 255 | 0 | 32 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | -| tcbInfo | mapping(string => struct TCBInfoStruct.TCBInfo) | 256 | 0 | 32 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | -| qeIdentity | struct EnclaveIdStruct.EnclaveId | 257 | 0 | 128 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | -| __gap | uint256[39] | 261 | 0 | 1248 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | +| Name | Type | Slot | Offset | Bytes | Contract | +|-------------------------|-------------------------------------------------|------|--------|-------|----------------------------------------------------------------------------------------| +| _initialized | uint8 | 0 | 0 | 1 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | +| _initializing | bool | 0 | 1 | 1 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | +| __gap | uint256[50] | 1 | 0 | 
1600 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | +| _owner | address | 51 | 0 | 20 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | +| __gap | uint256[49] | 52 | 0 | 1568 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | +| _pendingOwner | address | 101 | 0 | 20 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | +| __gap | uint256[49] | 102 | 0 | 1568 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | +| addressManager | address | 151 | 0 | 20 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | +| __gap | uint256[49] | 152 | 0 | 1568 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | +| __reentry | uint8 | 201 | 0 | 1 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | +| __paused | uint8 | 201 | 1 | 1 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | +| lastUnpausedAt | uint64 | 201 | 2 | 8 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | +| __gap | uint256[49] | 202 | 0 | 1568 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | +| sigVerifyLib | contract ISigVerifyLib | 251 | 0 | 20 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | +| pemCertLib | contract IPEMCertChainLib | 252 | 0 | 20 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | +| checkLocalEnclaveReport | bool | 252 | 20 | 1 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | +| trustedUserMrEnclave | mapping(bytes32 => bool) | 253 | 0 | 32 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | +| 
trustedUserMrSigner | mapping(bytes32 => bool) | 254 | 0 | 32 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | +| serialNumIsRevoked | mapping(uint256 => mapping(bytes => bool)) | 255 | 0 | 32 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | +| tcbInfo | mapping(string => struct TCBInfoStruct.TCBInfo) | 256 | 0 | 32 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | +| qeIdentity | struct EnclaveIdStruct.EnclaveId | 257 | 0 | 128 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | +| __gap | uint256[39] | 261 | 0 | 1248 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation | ## SgxVerifier | Name | Type | Slot | Offset | Bytes | Contract | diff --git a/packages/protocol/contracts/automata-attestation/AutomataDcapV3Attestation.sol b/packages/protocol/contracts/automata-attestation/AutomataDcapV3Attestation.sol index 27240f72499..900ade36002 100644 --- a/packages/protocol/contracts/automata-attestation/AutomataDcapV3Attestation.sol +++ b/packages/protocol/contracts/automata-attestation/AutomataDcapV3Attestation.sol 
@@ -37,16 +37,16 @@ contract AutomataDcapV3Attestation is IAttestation, EssentialContract { ISigVerifyLib public sigVerifyLib; // slot 1 IPEMCertChainLib public pemCertLib; // slot 2 - bool private _checkLocalEnclaveReport; // slot 3 - mapping(bytes32 enclave => bool trusted) private _trustedUserMrEnclave; // slot 4 - mapping(bytes32 signer => bool trusted) private _trustedUserMrSigner; // slot 5 + bool public checkLocalEnclaveReport; // slot 3 + mapping(bytes32 enclave => bool trusted) public trustedUserMrEnclave; // slot 4 + mapping(bytes32 signer => bool trusted) public trustedUserMrSigner; // slot 5 // Quote Collateral Configuration // Index definition: // 0 = Quote PCKCrl // 1 = RootCrl - mapping(uint256 idx => mapping(bytes serialNum => bool revoked)) private _serialNumIsRevoked; // slot + mapping(uint256 idx => mapping(bytes serialNum => bool revoked)) public serialNumIsRevoked; // slot // 6 // fmspc => tcbInfo mapping(string fmspc => TCBInfoStruct.TCBInfo tcbInfo) public tcbInfo; // slot 7 @@ -54,6 +54,14 @@ contract AutomataDcapV3Attestation is IAttestation, EssentialContract { uint256[39] __gap; + event MrSignerUpdated(bytes32 indexed mrSigner, bool trusted); + event MrEnclaveUpdated(bytes32 indexed mrEnclave, bool trusted); + event TcbInfoJsonConfigured(string indexed fmspc, TCBInfoStruct.TCBInfo tcbInfoInput); + event QeIdentityConfigured(EnclaveIdStruct.EnclaveId qeIdentityInput); + event LocalReportCheckToggled(bool checkLocalEnclaveReport); + event RevokedCertSerialNumAdded(uint256 indexed index, bytes serialNum); + event RevokedCertSerialNumRemoved(uint256 indexed index, bytes serialNum); + // @notice Initializes the contract. /// @param sigVerifyLibAddr Address of the signature verification library. /// @param pemCertLibAddr Address of certificate library. 
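Review bot: The trailing `// slot N` comments on the renamed variables do not match the storage layout that this same commit regenerates in contract_layout.md. There `checkLocalEnclaveReport` shares slot 252 with `pemCertLib` at offset 20, while the comments label them `slot 2` and `slot 3`. Now that these fields are public, I would either drop the numbers or state the packing, e.g. `bool public checkLocalEnclaveReport; // packed with pemCertLib`. The split `// slot` / `// 6` comment after `serialNumIsRevoked` could be folded onto one line at the same time. The contract body continues outside the hunk.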
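Review bot: `string indexed fmspc` in `TcbInfoJsonConfigured` puts only the keccak256 hash of the string in the topic, so a log consumer cannot read from that field which FMSPC was reconfigured. Unless `tcbInfoInput` already carries the FMSPC (not visible here), consider declaring it unindexed: `event TcbInfoJsonConfigured(string fmspc, TCBInfoStruct.TCBInfo tcbInfoInput);`. The new events also have no NatSpec, and a one-line `/// @notice` on each naming the trust setting it reports would help anyone building alerts on them. The emit for this event is in the later `@@ -117,6 +129,7 @@` hunk.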
@@ -71,11 +79,13 @@ contract AutomataDcapV3Attestation is IAttestation, EssentialContract { } function setMrSigner(bytes32 _mrSigner, bool _trusted) external onlyOwner { - _trustedUserMrSigner[_mrSigner] = _trusted; + trustedUserMrSigner[_mrSigner] = _trusted; + emit MrSignerUpdated(_mrSigner, _trusted); } function setMrEnclave(bytes32 _mrEnclave, bool _trusted) external onlyOwner { - _trustedUserMrEnclave[_mrEnclave] = _trusted; + trustedUserMrEnclave[_mrEnclave] = _trusted; + emit MrEnclaveUpdated(_mrEnclave, _trusted); } function addRevokedCertSerialNum( @@ -86,10 +96,11 @@ contract AutomataDcapV3Attestation is IAttestation, EssentialContract { onlyOwner { for (uint256 i; i < serialNumBatch.length; ++i) { - if (_serialNumIsRevoked[index][serialNumBatch[i]]) { + if (serialNumIsRevoked[index][serialNumBatch[i]]) { continue; } - _serialNumIsRevoked[index][serialNumBatch[i]] = true; + serialNumIsRevoked[index][serialNumBatch[i]] = true; + emit RevokedCertSerialNumAdded(index, serialNumBatch[i]); } } @@ -101,10 +112,11 @@ contract AutomataDcapV3Attestation is IAttestation, EssentialContract { onlyOwner { for (uint256 i; i < serialNumBatch.length; ++i) { - if (!_serialNumIsRevoked[index][serialNumBatch[i]]) { + if (!serialNumIsRevoked[index][serialNumBatch[i]]) { continue; } - delete _serialNumIsRevoked[index][serialNumBatch[i]]; + delete serialNumIsRevoked[index][serialNumBatch[i]]; + emit RevokedCertSerialNumRemoved(index, serialNumBatch[i]); } } @@ -117,6 +129,7 @@ contract AutomataDcapV3Attestation is IAttestation, EssentialContract { { // 2.2M gas tcbInfo[fmspc] = tcbInfoInput; + emit TcbInfoJsonConfigured(fmspc, tcbInfoInput); } function configureQeIdentityJson(EnclaveIdStruct.EnclaveId calldata qeIdentityInput) 
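Review bot: In the `@@ -86,10 +96,11 @@` loop a serial number is stored and `RevokedCertSerialNumAdded` is emitted for any `index`, but the certificate-chain check later in this commit only reads `serialNumIsRevoked` under `CRL.ROOT` and `CRL.PCK`. An entry added under any other index would be logged as revoked and never enforced. A guard before the loop such as `require(index <= uint256(IPEMCertChainLib.CRL.ROOT), "invalid CRL index");`, written in the file's own revert style, would close that gap. This assumes ROOT is the last enum member, as the `0 = Quote PCKCrl, 1 = RootCrl` comment suggests, and the same applies to the removal loop in `@@ -101,10 +112,11 @@`. Both function signatures start outside their hunks, so the type of `index` is inferred from the event declarations.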
@@ -125,10 +138,12 @@ contract AutomataDcapV3Attestation is IAttestation, EssentialContract { { // 250k gas qeIdentity = qeIdentityInput; + emit QeIdentityConfigured(qeIdentityInput); } function toggleLocalReportCheck() external onlyOwner { - _checkLocalEnclaveReport = !_checkLocalEnclaveReport; + checkLocalEnclaveReport = !checkLocalEnclaveReport; + emit LocalReportCheckToggled(checkLocalEnclaveReport); } function _attestationTcbIsValid(TCBInfoStruct.TCBStatus status) @@ -144,9 +159,8 @@ contract AutomataDcapV3Attestation is IAttestation, EssentialContract { || status == TCBInfoStruct.TCBStatus.TCB_OUT_OF_DATE_CONFIGURATION_NEEDED; } - function verifyAttestation(bytes calldata data) external view override returns (bool) { - (bool success,) = _verify(data); - return success; + function verifyAttestation(bytes calldata data) external view override returns (bool success) { + (success,) = _verify(data); } /// @dev Provide the raw quote binary as input @@ -274,11 +288,11 @@ contract AutomataDcapV3Attestation is IAttestation, EssentialContract { issuer = certs[i + 1]; if (i == n - 2) { // this cert is expected to be signed by the root - certRevoked = _serialNumIsRevoked[uint256(IPEMCertChainLib.CRL.ROOT)][certs[i] + certRevoked = serialNumIsRevoked[uint256(IPEMCertChainLib.CRL.ROOT)][certs[i] .serialNumber]; } else if (certs[i].isPck) { - certRevoked = _serialNumIsRevoked[uint256(IPEMCertChainLib.CRL.PCK)][certs[i] - .serialNumber]; + certRevoked = + serialNumIsRevoked[uint256(IPEMCertChainLib.CRL.PCK)][certs[i].serialNumber]; } if (certRevoked) { break; 
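Review bot: `toggleLocalReportCheck` flips the flag rather than setting it, so an owner transaction submitted twice by mistake silently restores the previous state. That matters because the `if (checkLocalEnclaveReport)` branch in `_verify` gates the MRENCLAVE/MRSIGNER check. With the flag now public, a NatSpec line would make the contract explicit: `/// @notice Flips checkLocalEnclaveReport; read the getter first, a second call restores the previous value.` Operators should treat `LocalReportCheckToggled(false)` as a high-priority alert, since from that point the application enclave identity is no longer checked.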
@@ -391,11 +405,10 @@ contract AutomataDcapV3Attestation is IAttestation, EssentialContract { // Step 2: Verify application enclave report MRENCLAVE and MRSIGNER { - if (_checkLocalEnclaveReport) { + if (checkLocalEnclaveReport) { // 4k gas - bool mrEnclaveIsTrusted = - _trustedUserMrEnclave[v3quote.localEnclaveReport.mrEnclave]; - bool mrSignerIsTrusted = _trustedUserMrSigner[v3quote.localEnclaveReport.mrSigner]; + bool mrEnclaveIsTrusted = trustedUserMrEnclave[v3quote.localEnclaveReport.mrEnclave]; + bool mrSignerIsTrusted = trustedUserMrSigner[v3quote.localEnclaveReport.mrSigner]; if (!mrEnclaveIsTrusted || !mrSignerIsTrusted) { return (false, retData);