feat(protocol): check if addresses ever reregistered in SGXProver #15665

Merged
merged 4 commits into from
Feb 6, 2024
Changes from 2 commits
19 changes: 15 additions & 4 deletions packages/protocol/contracts/verifiers/SgxVerifier.sol
Expand Up @@ -52,14 +52,21 @@ contract SgxVerifier is EssentialContract, IVerifier {
/// public key shall expire after some time. (For now it is a long enough 6
/// months setting.)
mapping(uint256 instanceId => Instance) public instances; // slot 2
/// @dev One address shall be registered (during attestation) only once, otherwise it could
/// bypass this contract's expiry check by always registering with the same attestation and
/// getting multiple valid instanceIds. While during proving, it is technically possible to
/// register the old addresses, it is less of a problem, because the instanceId would be the
/// same for those addresses and if deleted - the attestation cannot be reused anyways.
Brechtpd marked this conversation as resolved.
mapping(address instanceAddress => bool alreadyAttested) public attestationRegistered; // slot 3
dantaik marked this conversation as resolved.

uint256[48] private __gap;
uint256[47] private __gap;

event InstanceAdded(
uint256 indexed id, address indexed instance, address replaced, uint256 validSince
);
event InstanceDeleted(uint256 indexed id, address indexed instance);

error SGX_ALREADY_ATTESTED();
error SGX_DELETE_NOT_AUTHORIZED();
error SGX_INVALID_ATTESTATION();
error SGX_INVALID_INSTANCE();
Expand Down Expand Up @@ -115,13 +122,17 @@ contract SgxVerifier is EssentialContract, IVerifier {
revert SGX_RA_NOT_SUPPORTED();
}

address[] memory _address = new address[](1);
_address[0] = address(bytes20(attestation.localEnclaveReport.reportData));

if (attestationRegistered[_address[0]]) revert SGX_ALREADY_ATTESTED();

attestationRegistered[_address[0]] = true;

(bool verified,) = IAttestation(automataDcapAttestation).verifyParsedQuote(attestation);

if (!verified) revert SGX_INVALID_ATTESTATION();

address[] memory _address = new address[](1);
_address[0] = address(bytes20(attestation.localEnclaveReport.reportData));

return _addInstances(_address, false)[0];
}

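Review bot: The one-time registration guard is enforced only inside `registerInstance`, so the "registered only once" invariant in the new NatSpec holds for the attestation path alone. Addresses that reach `_addInstances` from any other caller are never written to `attestationRegistered`; that function's body is outside this hunk, so this is inferred from the comment's own remark about proving. Consider moving `if (attestationRegistered[_address[0]]) revert SGX_ALREADY_ATTESTED();` and the assignment that follows it into `_addInstances`, keyed on each added address, so every entry path shares the check. Setting the flag before `verifyParsedQuote` is safe because a failed verification reverts the write, and a one-line comment such as `// flag is rolled back if verification reverts` would make that explicit. `registerInstance` begins above the hunk.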
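--- a/packages/protocol/test/verifiers/SgxVerifier.t.sol
+++ b/packages/protocol/test/verifiers/SgxVerifier.t.sol
@@ -65,6 +65,18 @@ contract TestSgxVerifier is TaikoL1TestBase, AttestationBase {
 sv.registerInstance(v3quote);
 }
 
+function test_registerInstanceTwiceWithSameAttestation() external {
+V3Struct.ParsedV3QuoteStruct memory v3quote =
+ParseV3QuoteBytes(address(pemCertChainLib), sampleQuote);
+
+vm.prank(Bob, Bob);
+sv.registerInstance(v3quote);
+
+vm.expectRevert(SgxVerifier.SGX_ALREADY_ATTESTED.selector);
+vm.prank(Carol, Carol);
+sv.registerInstance(v3quote);
+}
+
 function _getSignature(
 address _newInstance,
 address[] memory _instances,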
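Review bot: The new test covers only an immediate replay of the same quote, not the case the verifier's NatSpec describes, where the first instance has already expired or been deleted when the quote is submitted again. A second case that advances time with `vm.warp` past the instance's validity window, and one that deletes the instance first, each still expecting `SGX_ALREADY_ATTESTED`, would pin the property this change exists for. The expiry constant is not visible in this section, so the warp distance has to be taken from the contract.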