refactor: update collateral handling

- Simplify collateral handling by removing unnecessary references and matches.
- Add `collateral` field to `QuoteVerificationResult` for improved data clarity.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
Harald Hoyer 2025-03-06 15:25:15 +01:00
parent a677615474
commit 8cf7651781
Signed by: harald
GPG key ID: F519A1143B3FBE32
7 changed files with 34 additions and 19 deletions


@ -21,7 +21,7 @@ use teepot::{
server::signatures::verify_sig,
sgx::sign::Signature,
};
use tracing::{error, info, level_filters::LevelFilter};
use tracing::{error, level_filters::LevelFilter};
#[derive(Args, Debug)]
struct SendArgs {


@ -127,7 +127,7 @@ fn verify_attestation_quote(attestation_quote_bytes: &[u8]) -> Result<QuoteVerif
let unix_time: i64 = std::time::SystemTime::now()
.duration_since(UNIX_EPOCH)?
.as_secs() as _;
verify_quote_with_collateral(attestation_quote_bytes, Some(&collateral), unix_time)
verify_quote_with_collateral(attestation_quote_bytes, Some(collateral), unix_time)
.context("Failed to verify quote with collateral")
}


@ -129,7 +129,7 @@ pub fn verify_attestation_quote(attestation_quote_bytes: &[u8]) -> Result<QuoteV
let unix_time: i64 = std::time::SystemTime::now()
.duration_since(std::time::UNIX_EPOCH)?
.as_secs() as _;
verify_quote_with_collateral(attestation_quote_bytes, Some(&collateral), unix_time)
verify_quote_with_collateral(attestation_quote_bytes, Some(collateral), unix_time)
.context("Failed to verify quote with collateral!")
}


@ -201,8 +201,7 @@ impl TeeConnection {
advisories,
earliest_expiration_date,
..
} = verify_quote_with_collateral(quote_bytes, collateral.as_ref(), current_time)
.unwrap();
} = verify_quote_with_collateral(quote_bytes, collateral, current_time).unwrap();
let Report::SgxEnclave(report_body) = quote.report else {
return Err(Error::General("TDX quote and not SGX quote".into()));
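Review bot: The rewritten call `verify_quote_with_collateral(quote_bytes, collateral, current_time).unwrap()` still panics when verification fails, and `quote_bytes` here presumably comes from the peer being verified. The code two lines later already returns `Err(Error::General(..))` for a TDX quote, so this failure can be reported the same way, for example `.map_err(|e| Error::General(format!("quote verification failed: {e}")))?` (assuming `QuoteError` implements `Display`). As written, a malformed or unverifiable quote becomes a crash of the verifying process rather than a rejected connection. The enclosing method starts before this hunk and continues after it.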


@ -1,5 +1,5 @@
// SPDX-License-Identifier: Apache-2.0
// Copyright (c) 2023-2024 Matter Labs
// Copyright (c) 2023-2025 Matter Labs
// Parts of it are Copyright (c) 2024 Phala Network
// and copied from https://github.com/Phala-Network/dcap-qvl
@ -627,6 +627,8 @@ pub fn get_quote(report_data: &[u8]) -> Result<(TEEType, Box<[u8]>), QuoteError>
/// The result of the quote verification
pub struct QuoteVerificationResult {
/// the used collateral
pub collateral: Collateral,
/// the raw result
pub result: sgx_ql_qv_result_t,
/// indicates if the collateral is expired
@ -644,7 +646,7 @@ pub struct QuoteVerificationResult {
/// Verifies a quote with optional collateral material
pub fn verify_quote_with_collateral(
quote: &[u8],
collateral: Option<&Collateral>,
collateral: Option<Collateral>,
current_time: i64,
) -> Result<QuoteVerificationResult, QuoteError> {
let mut supp_data: mem::MaybeUninit<sgx_ql_qv_supplemental_t> = mem::MaybeUninit::zeroed();
@ -689,9 +691,19 @@ pub fn verify_quote_with_collateral(
trace!("tee_verify_quote");
let (collateral_expiration_status, result) =
tee_verify_quote(quote, collateral, current_time, None, p_supplemental_data)
.context("tee_verify_quote")?;
let collateral = match collateral {
None => tee_qv_get_collateral(quote).context("tee_qv_get_collateral")?,
Some(c) => c,
};
let (collateral_expiration_status, result) = tee_verify_quote(
quote,
Some(&collateral),
current_time,
None,
p_supplemental_data,
)
.context("tee_verify_quote")?;
trace!("tee_verify_quote end");
@ -721,6 +733,7 @@ pub fn verify_quote_with_collateral(
let quote = Quote::parse(quote)?;
let res = QuoteVerificationResult {
collateral,
collateral_expired: collateral_expiration_status != 0,
earliest_expiration_date,
tcb_level_date_tag,
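Review bot: In the `@ -689,9 +691,19 @` hunk the `None` case is no longer passed through to `tee_verify_quote`; the function now calls `tee_qv_get_collateral(quote)` itself and returns that error before any verification runs, a behaviour change that the doc comment on `verify_quote_with_collateral` does not mention. I would extend that doc comment with `/// If collateral is None it is fetched via tee_qv_get_collateral; the collateral actually used is returned in the result.` The new field is filled in next to `collateral_expired`, so an expired collateral is still handed back in an `Ok` result; its doc line could read `/// the collateral used for verification, returned even when collateral_expired is true`. Taking `Option<Collateral>` by value and adding a public field to `QuoteVerificationResult` also break external callers, which the "refactor" title does not signal.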


@ -1,5 +1,5 @@
// SPDX-License-Identifier: Apache-2.0
// Copyright (c) 2023-2024 Matter Labs
// Copyright (c) 2023-2025 Matter Labs
//! Common attestation API for all TEEs
@ -68,7 +68,9 @@ pub fn get_quote_and_collateral(
tcb_level_date_tag,
quote,
advisories,
} = verify_quote_with_collateral(&myquote, Some(&collateral), unix_time.saturating_add(60))
collateral,
..
} = verify_quote_with_collateral(&myquote, Some(collateral), unix_time.saturating_add(60))
.context("Failed to verify own quote with collateral")?;
debug!(tcb_level_date_tag);


@ -1,5 +1,5 @@
// SPDX-License-Identifier: Apache-2.0
// Copyright (c) 2024 Matter Labs
// Copyright (c) 2024-2025 Matter Labs
mod sgx {
use anyhow::{Context, Result};
@ -13,7 +13,7 @@ mod sgx {
fn check_quote(
quote: &[u8],
collateral: Option<&Collateral>,
collateral: Option<Collateral>,
current_time: i64,
expected_mrsigner: &[u8],
expected_reportdata: &[u8],
@ -26,6 +26,7 @@ mod sgx {
quote,
advisories,
tcb_level_date_tag,
..
} = verify_quote_with_collateral(quote, collateral, current_time)?;
if collateral_expired || result != sgx_ql_qv_result_t::SGX_QL_QV_RESULT_OK {
@ -1140,7 +1141,7 @@ mod sgx {
check_quote(
&quote,
Some(&collateral),
Some(collateral),
current_time,
&mrsigner,
&report_data,
@ -2211,7 +2212,7 @@ mod sgx {
check_quote(
&quote,
Some(&collateral),
Some(collateral),
current_time,
&mrsigner,
&report_data,
@ -2594,7 +2595,7 @@ mod sgx {
check_quote(
&quote,
Some(&collateral),
Some(collateral),
current_time,
&mrsigner,
&report_data,
@ -3677,7 +3678,7 @@ mod sgx {
check_quote(
&quote,
Some(&collateral),
Some(collateral),
current_time,
&mrsigner,
&report_data,
@ -4805,7 +4806,7 @@ mod sgx {
check_quote(
&quote,
Some(&collateral),
Some(collateral),
current_time as i64,
&mrsigner,
&report_data,