From fee7b69bf2abcfa2536558e4148f28c659004973 Mon Sep 17 00:00:00 2001
From: hustliyilin
Date: Sat, 25 Jul 2020 11:11:18 +0800
Subject: [PATCH] rune/libcontainer: Collect and sanity check attestation parameters
Signed-off-by: Yilin Li
---
.../configs/validate/validator.go | 22 +++--
rune/libcontainer/specconv/spec_linux.go | 86 +++++++++----------
rune/libenclave/attestation/sgx/attest.go | 2 +-
3 files changed, 56 insertions(+), 54 deletions(-)
diff --git a/rune/libcontainer/configs/validate/validator.go b/rune/libcontainer/configs/validate/validator.go
index c456f60..b032e51 100644
--- a/rune/libcontainer/configs/validate/validator.go
+++ b/rune/libcontainer/configs/validate/validator.go
@@ -226,16 +226,22 @@ func (v *ConfigValidator) enclave(config *configs.Config) error {
 return err
 }
- if config.Enclave.IsProductEnclave == sgx.InvalidEnclaveType {
- return fmt.Errorf("Unsupported enclave.is_product_enclave Configuration %v!\n", config.Enclave.IsProductEnclave)
- }
+ if config.Enclave.RaType != sgx.UnknownRaType {
+ if config.Enclave.IsProductEnclave == sgx.InvalidEnclaveType {
+ return fmt.Errorf("Unsupported enclave.is_product_enclave Configuration!\n")
+ }
- if config.Enclave.RaType == sgx.InvalidRaType {
- return fmt.Errorf("Unsupported enclave.attestation.ra_type Configuration %v!\n", config.Enclave.RaType)
- }
+ if config.Enclave.RaEpidSpid == "" {
+ return fmt.Errorf("The enclave.attestation.ra_epid_spid Configuration isn't set!\n")
+ }
- if config.Enclave.RaEpidIsLinkable == intelsgx.InvalidQuoteSignatureType {
- return fmt.Errorf("Unsupported enclave.attestation.ra_epid_is_linkable Configuration %v!\n", config.Enclave.RaEpidIsLinkable)
+ if config.Enclave.RaEpidSubscriptionKey == "" {
+ return fmt.Errorf("The enclave.attestation.ra_epid_subscription_key Configuration isn't set!\n")
+ }
+
+ if config.Enclave.RaEpidIsLinkable == intelsgx.InvalidQuoteSignatureType {
+ return fmt.Errorf("Unsupported enclave.attestation.ra_epid_is_linkable Configuration!\n")
+ }
 }
 return nil
diff --git a/rune/libcontainer/specconv/spec_linux.go b/rune/libcontainer/specconv/spec_linux.go
index cb7d12f..901903b 100644
--- a/rune/libcontainer/specconv/spec_linux.go
+++ b/rune/libcontainer/specconv/spec_linux.go
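Review bot: The three EPID-specific checks added here (`RaEpidSpid`, `RaEpidSubscriptionKey`, `RaEpidIsLinkable`) are required for every `RaType` other than `sgx.UnknownRaType`, so a config that selects `DCAP` is rejected unless it also carries an EPID SPID and IAS subscription key, neither of which DCAP uses. Those three checks belong under a further `if config.Enclave.RaType == sgx.EPID { … }` inside the outer block, leaving only the product-enclave check at the outer level, so DCAP configurations are validated on their own terms. It is also worth a one-line comment on the outer `if` saying that attestation parameters are only validated when an RA type was configured, since the old unconditional checks were removed. The body of `enclave` starts before and ends after this hunk.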
@@ -334,53 +334,49 @@ func createEnclaveConfig(spec *specs.Spec, config *configs.Config) {
 args = strings.Join(a, " ")
 }
- isProductEnclave := filterOut(env, "ENCLAVE_IS_PRODUCT_ENCLAVE")
- if isProductEnclave == "" {
- isProductEnclave = libcontainerUtils.SearchLabels(config.Labels, "enclave.is_product_enclave")
- }
- var is_product_enclave uint32
- if strings.EqualFold(isProductEnclave, "false") {
- is_product_enclave = sgx.DebugEnclave
- } else if strings.EqualFold(isProductEnclave, "true") {
- is_product_enclave = sgx.ProductEnclave
- } else {
- is_product_enclave = sgx.InvalidEnclaveType
- }
-
 raType := filterOut(env, "ENCLAVE_RA_TYPE")
 if raType == "" {
 raType = libcontainerUtils.SearchLabels(config.Labels, "enclave.attestation.ra_type")
 }
- var ra_type uint32
- if strings.EqualFold(raType, "EPID") {
- ra_type = sgx.EPID
- } else if strings.EqualFold(raType, "DCAP") {
- ra_type = sgx.DCAP
- } else {
- ra_type = sgx.InvalidRaType
- }
- ra_epid_spid := filterOut(env, "ENCLAVE_RA_EPID_SPID")
- if ra_epid_spid == "" {
- ra_epid_spid = libcontainerUtils.SearchLabels(config.Labels, "enclave.attestation.ra_epid_spid")
- }
+ var enclaveRaType, sgxEnclaveType, raEpidIsLinkable uint32 = sgx.UnknownRaType, sgx.InvalidEnclaveType, intelsgx.InvalidQuoteSignatureType
+ var raEpidSpid, raEpidSubscriptionKey string
+ if raType != "" {
+ if strings.EqualFold(raType, "EPID") {
+ enclaveRaType = sgx.EPID
+ } else if strings.EqualFold(raType, "DCAP") {
+ enclaveRaType = sgx.DCAP
+ }
- ra_epid_subscription_key := filterOut(env, "ENCLAVE_RA_EPID_SUB_KEY")
- if ra_epid_subscription_key == "" {
- ra_epid_subscription_key = libcontainerUtils.SearchLabels(config.Labels, "enclave.attestation.ra_epid_subscription_key")
- }
+ isProductEnclave := filterOut(env, "ENCLAVE_IS_PRODUCT_ENCLAVE")
+ if isProductEnclave == "" {
+ isProductEnclave = libcontainerUtils.SearchLabels(config.Labels, "enclave.is_product_enclave")
+ }
+ if strings.EqualFold(isProductEnclave, "false") {
+ sgxEnclaveType = sgx.DebugEnclave
+ } else if strings.EqualFold(isProductEnclave, "true") {
+ sgxEnclaveType = sgx.ProductEnclave
+ }
- linkable := filterOut(env, "ENCLAVE_RA_EPID_IS_LINKABLE")
- if linkable == "" {
- linkable = libcontainerUtils.SearchLabels(config.Labels, "enclave.attestation.ra_epid_is_linkable")
- }
- var ra_epid_is_linkable uint32
- if strings.EqualFold(linkable, "true") {
- ra_epid_is_linkable = intelsgx.QuoteSignatureTypeLinkable
- } else if strings.EqualFold(linkable, "false") {
- ra_epid_is_linkable = intelsgx.QuoteSignatureTypeUnlinkable
- } else {
- ra_epid_is_linkable = intelsgx.InvalidQuoteSignatureType
+ raEpidSpid = filterOut(env, "ENCLAVE_RA_EPID_SPID")
+ if raEpidSpid == "" {
+ raEpidSpid = libcontainerUtils.SearchLabels(config.Labels, "enclave.attestation.ra_epid_spid")
+ }
+
+ raEpidSubscriptionKey = filterOut(env, "ENCLAVE_RA_EPID_SUB_KEY")
+ if raEpidSubscriptionKey == "" {
+ raEpidSubscriptionKey = libcontainerUtils.SearchLabels(config.Labels, "enclave.attestation.ra_epid_subscription_key")
+ }
+
+ linkable := filterOut(env, "ENCLAVE_RA_EPID_IS_LINKABLE")
+ if linkable == "" {
+ linkable = libcontainerUtils.SearchLabels(config.Labels, "enclave.attestation.ra_epid_is_linkable")
+ }
+ if strings.EqualFold(linkable, "true") {
+ raEpidIsLinkable = intelsgx.QuoteSignatureTypeLinkable
+ } else if strings.EqualFold(linkable, "false") {
+ raEpidIsLinkable = intelsgx.QuoteSignatureTypeUnlinkable
+ }
 }
 if etype != "" {
@@ -388,11 +384,11 @@ func createEnclaveConfig(spec *specs.Spec, config *configs.Config) {
 Type: etype,
 Path: path,
 Args: args,
- IsProductEnclave: is_product_enclave,
- RaType: ra_type,
- RaEpidSpid: ra_epid_spid,
- RaEpidSubscriptionKey: ra_epid_subscription_key,
- RaEpidIsLinkable: ra_epid_is_linkable,
+ IsProductEnclave: sgxEnclaveType,
+ RaType: enclaveRaType,
+ RaEpidSpid: raEpidSpid,
+ RaEpidSubscriptionKey: raEpidSubscriptionKey,
+ RaEpidIsLinkable: raEpidIsLinkable,
 }
 }
 }
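Review bot: An unrecognized `ENCLAVE_RA_TYPE` / `enclave.attestation.ra_type` value (a typo such as `epid2`) now leaves `enclaveRaType` at `sgx.UnknownRaType`, the same value the code uses when attestation is not configured at all, whereas the removed chain mapped it to `sgx.InvalidRaType` so the validator could reject it; the typo is therefore indistinguishable downstream from "no attestation", which is a fail-open for a security-sensitive setting. The EPID/DCAP chain in the new `if raType != ""` block needs a terminal branch such as `} else { enclaveRaType = sgx.InvalidRaType }` (which means keeping a distinct invalid constant in attest.go rather than renaming it) so a misspelled type still fails validation. Moving the `is_product_enclave` parsing under `if raType != ""` also means `sgxEnclaveType` stays `sgx.InvalidEnclaveType` for every container without attestation; if that field selects debug versus product enclave creation elsewhere, that default is worth checking and a comment stating that the product/debug setting is only honoured when an RA type is given. The enclosing `createEnclaveConfig` starts before this hunk.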
diff --git a/rune/libenclave/attestation/sgx/attest.go b/rune/libenclave/attestation/sgx/attest.go
index 27ceddb..219bfaa 100644
--- a/rune/libenclave/attestation/sgx/attest.go
+++ b/rune/libenclave/attestation/sgx/attest.go
@@ -2,7 +2,7 @@ package sgx // import "github.com/opencontainers/runc/libenclave/attestation/sgx
 // RA Type
 const (
- InvalidRaType = iota
+ UnknownRaType = iota
 EPID
 DCAP
 )
--
GitLab