
feat(protocol): make AutomataDcapV3Attestation state variables public and emit events #17193

Merged
merged 8 commits into from
May 15, 2024
48 changes: 24 additions & 24 deletions packages/protocol/contract_layout.md
@@ -402,30 +402,30 @@
| __gap | uint256[48] | 303 | 0 | 1536 | contracts/team/airdrop/ERC20Airdrop.sol:ERC20Airdrop |

## AutomataDcapV3Attestation
| Name | Type | Slot | Offset | Bytes | Contract |
|--------------------------|-------------------------------------------------|------|--------|-------|----------------------------------------------------------------------------------------|
| _initialized | uint8 | 0 | 0 | 1 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| _initializing | bool | 0 | 1 | 1 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| __gap | uint256[50] | 1 | 0 | 1600 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| _owner | address | 51 | 0 | 20 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| __gap | uint256[49] | 52 | 0 | 1568 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| _pendingOwner | address | 101 | 0 | 20 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| __gap | uint256[49] | 102 | 0 | 1568 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| addressManager | address | 151 | 0 | 20 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| __gap | uint256[49] | 152 | 0 | 1568 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| __reentry | uint8 | 201 | 0 | 1 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| __paused | uint8 | 201 | 1 | 1 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| lastUnpausedAt | uint64 | 201 | 2 | 8 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| __gap | uint256[49] | 202 | 0 | 1568 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| sigVerifyLib | contract ISigVerifyLib | 251 | 0 | 20 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| pemCertLib | contract IPEMCertChainLib | 252 | 0 | 20 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| _checkLocalEnclaveReport | bool | 252 | 20 | 1 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| _trustedUserMrEnclave | mapping(bytes32 => bool) | 253 | 0 | 32 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| _trustedUserMrSigner | mapping(bytes32 => bool) | 254 | 0 | 32 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| _serialNumIsRevoked | mapping(uint256 => mapping(bytes => bool)) | 255 | 0 | 32 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| tcbInfo | mapping(string => struct TCBInfoStruct.TCBInfo) | 256 | 0 | 32 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| qeIdentity | struct EnclaveIdStruct.EnclaveId | 257 | 0 | 128 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| __gap | uint256[39] | 261 | 0 | 1248 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| Name | Type | Slot | Offset | Bytes | Contract |
|-------------------------|-------------------------------------------------|------|--------|-------|----------------------------------------------------------------------------------------|
| _initialized | uint8 | 0 | 0 | 1 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| _initializing | bool | 0 | 1 | 1 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| __gap | uint256[50] | 1 | 0 | 1600 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| _owner | address | 51 | 0 | 20 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| __gap | uint256[49] | 52 | 0 | 1568 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| _pendingOwner | address | 101 | 0 | 20 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| __gap | uint256[49] | 102 | 0 | 1568 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| addressManager | address | 151 | 0 | 20 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| __gap | uint256[49] | 152 | 0 | 1568 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| __reentry | uint8 | 201 | 0 | 1 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| __paused | uint8 | 201 | 1 | 1 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| lastUnpausedAt | uint64 | 201 | 2 | 8 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| __gap | uint256[49] | 202 | 0 | 1568 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| sigVerifyLib | contract ISigVerifyLib | 251 | 0 | 20 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| pemCertLib | contract IPEMCertChainLib | 252 | 0 | 20 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| checkLocalEnclaveReport | bool | 252 | 20 | 1 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| trustedUserMrEnclave | mapping(bytes32 => bool) | 253 | 0 | 32 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| trustedUserMrSigner | mapping(bytes32 => bool) | 254 | 0 | 32 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| serialNumIsRevoked | mapping(uint256 => mapping(bytes => bool)) | 255 | 0 | 32 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| tcbInfo | mapping(string => struct TCBInfoStruct.TCBInfo) | 256 | 0 | 32 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| qeIdentity | struct EnclaveIdStruct.EnclaveId | 257 | 0 | 128 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |
| __gap | uint256[39] | 261 | 0 | 1248 | contracts/automata-attestation/AutomataDcapV3Attestation.sol:AutomataDcapV3Attestation |

## SgxVerifier
| Name | Type | Slot | Offset | Bytes | Contract |
@@ -37,23 +37,31 @@ contract AutomataDcapV3Attestation is IAttestation, EssentialContract {
ISigVerifyLib public sigVerifyLib; // slot 1
IPEMCertChainLib public pemCertLib; // slot 2

bool private _checkLocalEnclaveReport; // slot 3
mapping(bytes32 enclave => bool trusted) private _trustedUserMrEnclave; // slot 4
mapping(bytes32 signer => bool trusted) private _trustedUserMrSigner; // slot 5
bool public checkLocalEnclaveReport; // slot 3
mapping(bytes32 enclave => bool trusted) public trustedUserMrEnclave; // slot 4
mapping(bytes32 signer => bool trusted) public trustedUserMrSigner; // slot 5

// Quote Collateral Configuration

// Index definition:
// 0 = Quote PCKCrl
// 1 = RootCrl
mapping(uint256 idx => mapping(bytes serialNum => bool revoked)) private _serialNumIsRevoked; // slot
mapping(uint256 idx => mapping(bytes serialNum => bool revoked)) public serialNumIsRevoked; // slot
// 6
// fmspc => tcbInfo
mapping(string fmspc => TCBInfoStruct.TCBInfo tcbInfo) public tcbInfo; // slot 7
EnclaveIdStruct.EnclaveId public qeIdentity; // takes 4 slots, slot 8,9,10,11

uint256[39] __gap;

event MrSignerUpdated(bytes32 indexed mrSigner, bool trusted);
event MrEnclaveUpdated(bytes32 indexed mrEnclave, bool trusted);
event TcbInfoJsonConfigured(string indexed fmspc, TCBInfoStruct.TCBInfo tcbInfoInput);
event QeIdentityConfigured(EnclaveIdStruct.EnclaveId qeIdentityInput);
event LocalReportCheckToggled(bool checkLocalEnclaveReport);
event RevokedCertSerialNumAdded(uint256 indexed index, bytes serialNum);
event RevokedCertSerialNumRemoved(uint256 indexed index, bytes serialNum);

// @notice Initializes the contract.
/// @param sigVerifyLibAddr Address of the signature verification library.
/// @param pemCertLibAddr Address of certificate library.
@@ -71,11 +79,13 @@ contract AutomataDcapV3Attestation is IAttestation, EssentialContract {
}

function setMrSigner(bytes32 _mrSigner, bool _trusted) external onlyOwner {
_trustedUserMrSigner[_mrSigner] = _trusted;
trustedUserMrSigner[_mrSigner] = _trusted;
emit MrSignerUpdated(_mrSigner, _trusted);
}

function setMrEnclave(bytes32 _mrEnclave, bool _trusted) external onlyOwner {
_trustedUserMrEnclave[_mrEnclave] = _trusted;
trustedUserMrEnclave[_mrEnclave] = _trusted;
emit MrEnclaveUpdated(_mrEnclave, _trusted);
}

function addRevokedCertSerialNum(
@@ -86,10 +96,11 @@ contract AutomataDcapV3Attestation is IAttestation, EssentialContract {
onlyOwner
{
for (uint256 i; i < serialNumBatch.length; ++i) {
if (_serialNumIsRevoked[index][serialNumBatch[i]]) {
if (serialNumIsRevoked[index][serialNumBatch[i]]) {
continue;
}
_serialNumIsRevoked[index][serialNumBatch[i]] = true;
serialNumIsRevoked[index][serialNumBatch[i]] = true;
emit RevokedCertSerialNumAdded(index, serialNumBatch[i]);
}
}

@@ -101,10 +112,11 @@ contract AutomataDcapV3Attestation is IAttestation, EssentialContract {
onlyOwner
{
for (uint256 i; i < serialNumBatch.length; ++i) {
if (!_serialNumIsRevoked[index][serialNumBatch[i]]) {
if (!serialNumIsRevoked[index][serialNumBatch[i]]) {
continue;
}
delete _serialNumIsRevoked[index][serialNumBatch[i]];
delete serialNumIsRevoked[index][serialNumBatch[i]];
emit RevokedCertSerialNumRemoved(index, serialNumBatch[i]);
}
}

@@ -117,6 +129,7 @@ contract AutomataDcapV3Attestation is IAttestation, EssentialContract {
{
// 2.2M gas
tcbInfo[fmspc] = tcbInfoInput;
emit TcbInfoJsonConfigured(fmspc, tcbInfoInput);
}

function configureQeIdentityJson(EnclaveIdStruct.EnclaveId calldata qeIdentityInput)
@@ -125,10 +138,12 @@ contract AutomataDcapV3Attestation is IAttestation, EssentialContract {
{
// 250k gas
qeIdentity = qeIdentityInput;
emit QeIdentityConfigured(qeIdentityInput);
}

function toggleLocalReportCheck() external onlyOwner {
_checkLocalEnclaveReport = !_checkLocalEnclaveReport;
checkLocalEnclaveReport = !checkLocalEnclaveReport;
emit LocalReportCheckToggled(checkLocalEnclaveReport);
}

function _attestationTcbIsValid(TCBInfoStruct.TCBStatus status)
@@ -144,9 +159,8 @@ contract AutomataDcapV3Attestation is IAttestation, EssentialContract {
|| status == TCBInfoStruct.TCBStatus.TCB_OUT_OF_DATE_CONFIGURATION_NEEDED;
}

function verifyAttestation(bytes calldata data) external view override returns (bool) {
(bool success,) = _verify(data);
return success;
function verifyAttestation(bytes calldata data) external view override returns (bool success) {
(success,) = _verify(data);
}

/// @dev Provide the raw quote binary as input
@@ -274,11 +288,11 @@ contract AutomataDcapV3Attestation is IAttestation, EssentialContract {
issuer = certs[i + 1];
if (i == n - 2) {
// this cert is expected to be signed by the root
certRevoked = _serialNumIsRevoked[uint256(IPEMCertChainLib.CRL.ROOT)][certs[i]
certRevoked = serialNumIsRevoked[uint256(IPEMCertChainLib.CRL.ROOT)][certs[i]
.serialNumber];
} else if (certs[i].isPck) {
certRevoked = _serialNumIsRevoked[uint256(IPEMCertChainLib.CRL.PCK)][certs[i]
.serialNumber];
certRevoked =
serialNumIsRevoked[uint256(IPEMCertChainLib.CRL.PCK)][certs[i].serialNumber];
}
if (certRevoked) {
break;
@@ -391,11 +405,10 @@ contract AutomataDcapV3Attestation is IAttestation, EssentialContract {

// Step 2: Verify application enclave report MRENCLAVE and MRSIGNER
{
if (_checkLocalEnclaveReport) {
if (checkLocalEnclaveReport) {
// 4k gas
bool mrEnclaveIsTrusted =
_trustedUserMrEnclave[v3quote.localEnclaveReport.mrEnclave];
bool mrSignerIsTrusted = _trustedUserMrSigner[v3quote.localEnclaveReport.mrSigner];
bool mrEnclaveIsTrusted = trustedUserMrEnclave[v3quote.localEnclaveReport.mrEnclave];
bool mrSignerIsTrusted = trustedUserMrSigner[v3quote.localEnclaveReport.mrSigner];

if (!mrEnclaveIsTrusted || !mrSignerIsTrusted) {
return (false, retData);
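Review bot: In the new event list, `TcbInfoJsonConfigured` declares `string indexed fmspc`, and an indexed dynamic type is stored in the topic as its keccak256 hash, so anyone monitoring changes to the TCB collateral sees only a hash and cannot read the FMSPC from the topic. Unless `TCBInfoStruct.TCBInfo` itself carries the FMSPC (its definition is not visible in this diff), I would drop the keyword, `event TcbInfoJsonConfigured(string fmspc, TCBInfoStruct.TCBInfo tcbInfoInput);`, or emit the string a second time as a non-indexed field. Separately, `setMrSigner` and `setMrEnclave` emit on every call, including writes that do not change the stored value, while the revocation loops skip no-ops; making the two consistent keeps the log a faithful record of trust-list changes. The contract body continues outside these hunks.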