Warning:
this component has no documented requirements. A new requirements page should be created and linked to this component.
The SGX TEE verifier contract is the contract that handles the verification of the attestation quote from the SGX TEE.
This function verifies the attestation quote from the SGX TEE and checks that the reportDataHash is the hash of the data that was signed by the TEE. The function works as follows:
- Calls the V3QuoteVerifier contract from Automata Labs to verify the attestation quote
- Then it checks that the mrEnclave of the attestation matches one of the registered enclave hashes in the contract
- Further verifies that the report data hash of the attestation matches the hash of the data that was signed by the TEE
```solidity
function verify(rawQuote, reportDataHash)
{
    // header and localReport are parsed from rawQuote (parsing not shown)
    // Call the automata V3QuoteVerifier contract to verify the quote
    (bool success,) = quoteVerifier.verifyQuote(header, rawQuote);
    if (!success) {
        revert InvalidQuote();
    }
    // Check that mrEnclave matches a registered enclave hash
    if (!registeredEnclaveHash[localReport.mrEnclave]) {
        revert InvalidEnclaveHash();
    }

    // Verify that the reportDataHash is the hash signed by the TEE
    // We do not check the signature because `quoteVerifier.verifyQuote`
    // already does that
    if (reportDataHash != localReport.reportDataHash) {
        revert InvalidReportDataHash();
    }

    // registerSigner uses the returned report
    return localReport;
}
```
This function registers a new signer in the contract by verifying the attestation quote from the SGX TEE. It works as follows:
- Calls the verify function to verify the quote and checks that the TEE has signed over the keccak256 hash of the signer address
  Note: It's important to sign over the keccak256 hash to prevent any cryptographic attacks
- After the verification is successful, registers the signer
- Finally emits an event that the signer has been registered for the given enclave hash
```solidity
function registerSigner(attestation, data)
{
    bytes32 signerAddressHash = keccak256(data);
    EnclaveReport memory localReport = verify(attestation, signerAddressHash);
    address signer = address(uint160(bytes20(data[:20])));

    // Mark the signer as registered
    if (!registeredSigners[signer]) {
        registeredSigners[signer] = true;
        emit SignerRegistered(signer, localReport.mrEnclave);
    }
}
```
This function will either set or unset the enclave hash in the contract. Note: This will be an owner only function.
```solidity
function setEnclaveHash(enclaveHash, valid)
{
    registeredEnclaveHash[enclaveHash] = valid;
    emit EnclaveHashSet(enclaveHash, valid);
}
```
This function removes a specified set of signers from the registered signers mapping. Note: This is an owner-only function. This function is crucial in cases where an enclave hash is identified as belonging to a potentially vulnerable enclave. In such situations, we can use it to remove all signers associated with that enclave hash. The signers linked to a particular enclave hash can be determined by querying the emitted logs from the `registerSigner` function.
```solidity
function deleteRegisteredSigners(signers)
{
    for (uint i = 0; i < signers.length; i++) {
        if (registeredSigners[signers[i]]) {
            registeredSigners[signers[i]] = false;
            emit SignerDeleted(signers[i]);
        }
    }
}
```
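The log query described above for deleteRegisteredSigners, as an added off-chain example that is not part of the contract or the original page. It replays already-fetched SignerRegistered and SignerDeleted events to build the list of signers still registered under a given enclave hash. The `Log` type, the function name and all sample values are assumptions constructed for illustration.

```python
from typing import NamedTuple, Optional

class Log(NamedTuple):
    """One decoded event (hypothetical shape, not a real client type)."""
    block: int
    index: int                        # log index within the block
    event: str                        # "SignerRegistered" or "SignerDeleted"
    signer: str
    mr_enclave: Optional[str] = None  # only present on SignerRegistered

def signers_to_delete(logs, bad_enclave):
    """Signers still registered whose registration came from bad_enclave."""
    active = {}  # signer -> mrEnclave of the event that registered it
    for log in sorted(logs, key=lambda entry: (entry.block, entry.index)):
        signer = log.signer.lower()
        if log.event == "SignerRegistered":
            # registerSigner emits only when the signer was not yet registered,
            # so a later attestation from another enclave leaves no log and the
            # signer stays attributed to the enclave recorded here.
            active[signer] = log.mr_enclave.lower()
        elif log.event == "SignerDeleted":
            active.pop(signer, None)
    wanted = bad_enclave.lower()
    return sorted(s for s, mr in active.items() if mr == wanted)

# Constructed sample data (not real chain values).
BAD, GOOD = "0x" + "aa" * 32, "0x" + "bb" * 32
S1, S2, S3 = ("0x" + c * 40 for c in "123")
SAMPLE_LOGS = [
    Log(100, 0, "SignerRegistered", S1, BAD),
    Log(101, 0, "SignerRegistered", S2, BAD),
    Log(102, 0, "SignerRegistered", S3, GOOD),
    Log(110, 0, "SignerDeleted", S2),           # S2 removed earlier...
    Log(111, 0, "SignerRegistered", S2, GOOD),  # ...and re-attested under GOOD
]

if __name__ == "__main__":
    print(signers_to_delete(SAMPLE_LOGS, BAD))
```

Because registerSigner succeeds for any enclave hash that is still registered, unset the hash with setEnclaveHash before deleting the signers; otherwise a deleted signer can register again with a fresh quote from the same enclave.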