diff --git a/BUILD.md b/BUILD.md
index 2c5af0f5..203a4e51 100644
--- a/BUILD.md
+++ b/BUILD.md
@@ -54,7 +54,7 @@ Here is an example that has only the `SecurityVersion` and `ProductID` set:
 "Packages": {
 "backend": {
 "SecurityVersion": 1,
-"ProductID": [3]
+"ProductID": 3
 }
 },
 "Infrastructures": {
@@ -150,4 +150,12 @@ go test ./test/ -v -tags integration --args -b ../build/ -s
 ```bash
 go test ./test/ -v -tags integration --args -b ../build/ -s -noenclave
-```
\ No newline at end of file
+```
+
+### Dockerimage
+
+You can build the docker image by providing a signing key:
+
+```bash
+docker buildx build --secret id=repoaccess,src= --secret id=signingkey,src= --target release --tag ghcr.io/edgelesssys/coordinator:latest .
+```
diff --git a/coordinator/quote/ert.go b/coordinator/quote/ert.go
index 2b7acf10..63750e97 100644
--- a/coordinator/quote/ert.go
+++ b/coordinator/quote/ert.go
@@ -1,7 +1,6 @@
 package quote
 
 import (
-"bytes"
 "strings"
 
 "github.com/google/go-cmp/cmp"
@@ -17,7 +16,7 @@ type PackageProperties struct {
 // Hash of the enclave signer's public key
 SignerID string
 // Product ID of the package
-ProductID []byte
+ProductID *uint64
 // Security version number of the package
 SecurityVersion *uint
 }
@@ -46,7 +45,7 @@ func (required PackageProperties) IsCompliant(given PackageProperties) bool {
 if len(required.SignerID) > 0 && !strings.EqualFold(required.SignerID, given.SignerID) {
 return false
 }
-if len(required.ProductID) > 0 && !bytes.Equal(required.ProductID, given.ProductID[:len(required.ProductID)]) {
+if required.ProductID != nil && *required.ProductID != *given.ProductID {
 return false
 }
 if required.SecurityVersion != nil && *required.SecurityVersion > *given.SecurityVersion {
diff --git a/coordinator/quote/ertvalidator/ertvalidator.go b/coordinator/quote/ertvalidator/ertvalidator.go
index a0b4bf13..d9a7fcc8 100644
--- a/coordinator/quote/ertvalidator/ertvalidator.go
+++ b/coordinator/quote/ertvalidator/ertvalidator.go
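Review bot: The comment on the new `ProductID *uint64` field does not say what a nil value means, and the pointer type is now the only way a caller can express "not required"; suggest `// Product ID of the package; nil means the product ID is not checked by IsCompliant`. The same nil-means-unchecked convention already applies to `SecurityVersion *uint` two lines below, so documenting it on both fields would help readers of the manifest JSON, where omitting `ProductID` presumably now decodes to nil. The PackageProperties declaration starts outside the hunk.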
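Review bot: The new condition dereferences `*given.ProductID` without checking it for nil, so an IsCompliant call where `given` carries no product ID panics instead of returning false; the guard should read `if required.ProductID != nil && (given.ProductID == nil || *required.ProductID != *given.ProductID) {`. In the ertvalidator hunk of this commit `given` is always populated from a report, so the panic is only reachable through other callers, but IsCompliant is exported and a panic inside a compliance check is a worse failure mode than a false result. The unchanged SecurityVersion comparison on the last context line has the same shape and would benefit from the same nil guard. IsCompliant's body continues outside the hunk.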
@@ -3,6 +3,7 @@ package ertvalidator
 import (
 "bytes"
 "crypto/sha256"
+"encoding/binary"
 "encoding/hex"
 "fmt"
 
@@ -34,11 +35,12 @@ func (m *ERTValidator) Validate(givenQuote []byte, cert []byte, pp quote.Package
 }
 
 // Verify PackageProperties
+productID := binary.LittleEndian.Uint64(report.ProductID)
 reportedProps := quote.PackageProperties{
 UniqueID: hex.EncodeToString(report.UniqueID),
 SignerID: hex.EncodeToString(report.SignerID),
 Debug: report.Debug,
-ProductID: report.ProductID,
+ProductID: &productID,
 SecurityVersion: &report.SecurityVersion,
 }
 if !pp.IsCompliant(reportedProps) {
diff --git a/docs/add-service.md b/docs/add-service.md
index a8f6bbe1..9739fdcd 100644
--- a/docs/add-service.md
+++ b/docs/add-service.md
@@ -26,7 +26,7 @@ The manifest contains a section with the information used to authenticate each s
 "backend": {
 "UniqueID": "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
 "SignerID": "c0ffeec0ffeec0ffeec0ffeec0ffeec0ffeec0ffeec0ffeec0ffeec0ffeec0ffee",
-"ProductID": [1337],
+"ProductID": 1337,
 "SecurityVersion": 1,
 "Debug": false
 },
@@ -46,9 +46,7 @@ You'll see something like this:
 ```json
 {
 "SecurityVersion": 1,
-"ProductID": [
-3
-],
+"ProductID": 3
 "UniqueID": "6b2822ac2585040d4b9397675d54977a71ef292ab5b3c0a6acceca26074ae585",
 "SignerID": "5826218dbe96de0d7b3b1ccf70ece51457e71e886a3d4c1f18b27576d22cdc74"
 }
@@ -61,7 +59,7 @@ You can add this directly to your `manifest.json` file like so:
 "backend": {
 "UniqueID": "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
 "SignerID": "c0ffeec0ffeec0ffeec0ffeec0ffeec0ffeec0ffeec0ffeec0ffeec0ffeec0ffee",
-"ProductID": [1337],
+"ProductID": 1337,
 "SecurityVersion": 1,
 "Debug": false
 },
diff --git a/docs/set-manifest.md b/docs/set-manifest.md
index 5b1c9fd3..0d649fee 100644
--- a/docs/set-manifest.md
+++ b/docs/set-manifest.md
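Review bot: `binary.LittleEndian.Uint64(report.ProductID)` reads exactly eight bytes, so it panics with an index-out-of-range when `report.ProductID` is shorter and silently ignores every byte past the eighth when it is longer, whereas the removed code handed the whole slice to the comparison. Reject an unexpected length before converting instead of relying on the report type's layout, e.g. `if len(report.ProductID) < 8 { return fmt.Errorf("unexpected product ID length %d", len(report.ProductID)) }` (assuming Validate returns an error, as the surrounding checks suggest; `fmt` is already imported in this file). If the report's product ID can legitimately be wider than eight bytes, the truncation means two enclaves differing only in the upper bytes would compare equal, so either document that only the low 64 bits are significant or reject a non-zero tail. Validate starts outside the hunk.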
@@ -13,13 +13,13 @@ See the following manifest for example (manifest.jso
 "backend": {
 "UniqueID": "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
 "SignerID": "c0ffeec0ffeec0ffeec0ffeec0ffeec0ffeec0ffeec0ffeec0ffeec0ffeec0ffee",
-"ProductID": [1337],
+"ProductID": 1337,
 "SecurityVersion": 1,
 "Debug": false
 },
 "frontend": {
 "UniqueID": "1f1e1d1c1b1a191817161514131211100f0e0d0c0b0a09080706050403020100",
-"ProductID": [42],
+"ProductID": 42,
 "SecurityVersion": 3,
 "Debug": true
 }
diff --git a/test/integration_test.go b/test/integration_test.go
index 0c5a6b45..d843673d 100644
--- a/test/integration_test.go
+++ b/test/integration_test.go
@@ -6,7 +6,6 @@ import (
 "bytes"
 "crypto/tls"
 "crypto/x509"
-"encoding/binary"
 "encoding/json"
 "flag"
 "fmt"
@@ -80,7 +79,7 @@ func updateManifest() {
 SecurityVersion uint
 UniqueID string
 SignerID string
-ProductID []uint64
+ProductID uint64
 }
 if err := json.Unmarshal(config, &cfg); err != nil {
 panic(err)
@@ -90,8 +89,7 @@ func updateManifest() {
 pkg.UniqueID = cfg.UniqueID
 pkg.SignerID = cfg.SignerID
 pkg.SecurityVersion = &cfg.SecurityVersion
-pkg.ProductID = make([]byte, 8)
-binary.LittleEndian.PutUint64(pkg.ProductID, cfg.ProductID[0])
+pkg.ProductID = &cfg.ProductID
 manifest.Packages["backend"] = pkg
 }
diff --git a/test/manifests.go b/test/manifests.go
index 043bdc6e..b417d447 100644
--- a/test/manifests.go
+++ b/test/manifests.go
@@ -9,7 +9,7 @@ const ManifestJSON string = `{
 },
 "frontend": {
 "SignerID": "1f1e1d1c1b1a191817161514131211100f0e0d0c0b0a09080706050403020100",
-"ProductID": [44],
+"ProductID": 44,
 "SecurityVersion": 3,
 "Debug": true
 }
@@ -87,12 +87,12 @@ const IntegrationManifestJSON string = `{
 "backend": {
 "Debug": true,
 "SecurityVersion": 1,
-"ProductID": [3]
+"ProductID": 3
 },
 "frontend": {
 "Debug": true,
 "SecurityVersion": 2,
-"ProductID": [3]
+"ProductID": 3
 }
 },
 "Infrastructures": {
diff --git a/tools/create_config.py b/tools/create_config.py
index 0929e774..4b9f9440 100755
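Review bot: With `ProductID uint64` in the config struct (previous hunk of this file), a config that omits `ProductID` now decodes to 0 and `pkg.ProductID = &cfg.ProductID` turns that into a required product ID of 0 rather than leaving the check off; the removed code indexed `cfg.ProductID[0]` and would have panicked on an absent value, so the silent zero default is new behaviour. Declaring the field as `ProductID *uint64` and assigning `pkg.ProductID = cfg.ProductID` keeps "absent" distinct from zero and mirrors the `*uint64` type PackageProperties now uses. updateManifest starts outside the hunk.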
--- a/tools/create_config.py
+++ b/tools/create_config.py
@@ -21,7 +21,7 @@ def parseSignInfo(info):
 m = re.findall(r"product_id=(\d+)", info)
 if len(m) <= 0:
 raise Exception("Couldn't find product_id in signature info")
-config["ProductID"] = [int(m[0])]
+config["ProductID"] = int(m[0])
 m = re.findall(r"mrenclave=([abcdef\d]+)", info)
 if len(m) <= 0: