rune/libcontainer: Collect and sanity check attestation parameters

Signed-off-by: N Yilin Li <YiLin.Li@linux.alibaba.com>

rune/libcontainer: Collect and sanity check attestation parameters
Signed-off-by: N Yilin Li <YiLin.Li@linux.alibaba.com>
fee7b69b · hustliyilin · GitHub · a9d4c594 · fee7b69b · fee7b69b
3 changed file
--- a/rune/libcontainer/configs/validate/validator.go
+++ b/rune/libcontainer/configs/validate/validator.go
@@ -226,16 +226,22 @@ func (v *ConfigValidator) enclave(config *configs.Config) error {
 		return err
 	}
+	if config.Enclave.RaType != sgx.UnknownRaType {
 		if config.Enclave.IsProductEnclave == sgx.InvalidEnclaveType {
-		return fmt.Errorf("Unsupported enclave.is_product_enclave Configuration %v!\n", config.Enclave.IsProductEnclave)
+			return fmt.Errorf("Unsupported enclave.is_product_enclave Configuration!\n")
 		}
-	if config.Enclave.RaType == sgx.InvalidRaType {
+		if config.Enclave.RaEpidSpid == "" {
-		return fmt.Errorf("Unsupported enclave.attestation.ra_type Configuration %v!\n", config.Enclave.RaType)
+			return fmt.Errorf("The enclave.attestation.ra_epid_spid Configuration isn't set!\n")
+		}
+		if config.Enclave.RaEpidSubscriptionKey == "" {
+			return fmt.Errorf("The enclave.attestation.ra_epid_subscription_key Configuration isn't set!\n")
 		}
 		if config.Enclave.RaEpidIsLinkable == intelsgx.InvalidQuoteSignatureType {
-		return fmt.Errorf("Unsupported enclave.attestation.ra_epid_is_linkable Configuration %v!\n", config.Enclave.RaEpidIsLinkable)
+			return fmt.Errorf("Unsupported enclave.attestation.ra_epid_is_linkable Configuration!\n")
+		}
 	}
 	return nil

--- a/rune/libcontainer/specconv/spec_linux.go
+++ b/rune/libcontainer/specconv/spec_linux.go
@@ -334,53 +334,49 @@ func createEnclaveConfig(spec *specs.Spec, config *configs.Config) {
 		args = strings.Join(a, " ")
 	}
-	isProductEnclave := filterOut(env, "ENCLAVE_IS_PRODUCT_ENCLAVE")
-	if isProductEnclave == "" {
-		isProductEnclave = libcontainerUtils.SearchLabels(config.Labels, "enclave.is_product_enclave")
-	}
-	var is_product_enclave uint32
-	if strings.EqualFold(isProductEnclave, "false") {
-		is_product_enclave = sgx.DebugEnclave
-	} else if strings.EqualFold(isProductEnclave, "true") {
-		is_product_enclave = sgx.ProductEnclave
-	} else {
-		is_product_enclave = sgx.InvalidEnclaveType
-	}
 	raType := filterOut(env, "ENCLAVE_RA_TYPE")
 	if raType == "" {
 		raType = libcontainerUtils.SearchLabels(config.Labels, "enclave.attestation.ra_type")
 	}
-	var ra_type uint32
+	var enclaveRaType, sgxEnclaveType, raEpidIsLinkable uint32 = sgx.UnknownRaType, sgx.InvalidEnclaveType, intelsgx.InvalidQuoteSignatureType
+	var raEpidSpid, raEpidSubscriptionKey string
+	if raType != "" {
 		if strings.EqualFold(raType, "EPID") {
-		ra_type = sgx.EPID
+			enclaveRaType = sgx.EPID
 		} else if strings.EqualFold(raType, "DCAP") {
-		ra_type = sgx.DCAP
+			enclaveRaType = sgx.DCAP
-	} else {
-		ra_type = sgx.InvalidRaType
 		}
-	ra_epid_spid := filterOut(env, "ENCLAVE_RA_EPID_SPID")
+		isProductEnclave := filterOut(env, "ENCLAVE_IS_PRODUCT_ENCLAVE")
-	if ra_epid_spid == "" {
+		if isProductEnclave == "" {
-		ra_epid_spid = libcontainerUtils.SearchLabels(config.Labels, "enclave.attestation.ra_epid_spid")
+			isProductEnclave = libcontainerUtils.SearchLabels(config.Labels, "enclave.is_product_enclave")
+		}
+		if strings.EqualFold(isProductEnclave, "false") {
+			sgxEnclaveType = sgx.DebugEnclave
+		} else if strings.EqualFold(isProductEnclave, "true") {
+			sgxEnclaveType = sgx.ProductEnclave
+		}
+		raEpidSpid = filterOut(env, "ENCLAVE_RA_EPID_SPID")
+		if raEpidSpid == "" {
+			raEpidSpid = libcontainerUtils.SearchLabels(config.Labels, "enclave.attestation.ra_epid_spid")
 		}
-	ra_epid_subscription_key := filterOut(env, "ENCLAVE_RA_EPID_SUB_KEY")
+		raEpidSubscriptionKey = filterOut(env, "ENCLAVE_RA_EPID_SUB_KEY")
-	if ra_epid_subscription_key == "" {
+		if raEpidSubscriptionKey == "" {
-		ra_epid_subscription_key = libcontainerUtils.SearchLabels(config.Labels, "enclave.attestation.ra_epid_subscription_key")
+			raEpidSubscriptionKey = libcontainerUtils.SearchLabels(config.Labels, "enclave.attestation.ra_epid_subscription_key")
 		}
 		linkable := filterOut(env, "ENCLAVE_RA_EPID_IS_LINKABLE")
 		if linkable == "" {
 			linkable = libcontainerUtils.SearchLabels(config.Labels, "enclave.attestation.ra_epid_is_linkable")
 		}
-	var ra_epid_is_linkable uint32
 		if strings.EqualFold(linkable, "true") {
-		ra_epid_is_linkable = intelsgx.QuoteSignatureTypeLinkable
+			raEpidIsLinkable = intelsgx.QuoteSignatureTypeLinkable
 		} else if strings.EqualFold(linkable, "false") {
-		ra_epid_is_linkable = intelsgx.QuoteSignatureTypeUnlinkable
+			raEpidIsLinkable = intelsgx.QuoteSignatureTypeUnlinkable
-	} else {
+		}
-		ra_epid_is_linkable = intelsgx.InvalidQuoteSignatureType
 	}
 	if etype != "" {
@@ -388,11 +384,11 @@ func createEnclaveConfig(spec *specs.Spec, config *configs.Config) {
 			Type:                  etype,
 			Path:                  path,
 			Args:                  args,
-			IsProductEnclave:      is_product_enclave,
+			IsProductEnclave:      sgxEnclaveType,
-			RaType:                ra_type,
+			RaType:                enclaveRaType,
-			RaEpidSpid:            ra_epid_spid,
+			RaEpidSpid:            raEpidSpid,
-			RaEpidSubscriptionKey: ra_epid_subscription_key,
+			RaEpidSubscriptionKey: raEpidSubscriptionKey,
-			RaEpidIsLinkable:      ra_epid_is_linkable,
+			RaEpidIsLinkable:      raEpidIsLinkable,
 		}
 	}
 }

--- a/rune/libenclave/attestation/sgx/attest.go
+++ b/rune/libenclave/attestation/sgx/attest.go
@@ -2,7 +2,7 @@ package sgx // import "github.com/opencontainers/runc/libenclave/attestation/sgx
 // RA Type
 const (
-	InvalidRaType = iota
+	UnknownRaType = iota
 	EPID
 	DCAP
 )