Add SNP-style virtual attestations, restoring code update tests (#6770)

Co-authored-by: Amaury Chamayou <[email protected]>
Co-authored-by: Amaury Chamayou <[email protected]>

Author: eddyashton

CMakeLists.txt

@@ -301,8 +301,6 @@ set(CCF_JS_SOURCES
     ${CCF_DIR}/src/js/registry.cpp
 )
 
-set(OE_BINDIR "")
-
 if(COMPILE_TARGET STREQUAL "snp")
   add_host_library(ccf_js.snp "${CCF_JS_SOURCES}")
   add_san(ccf_js.snp)
@@ -1020,8 +1018,6 @@ if(BUILD_TESTS)
       PYTHON_SCRIPT ${CMAKE_SOURCE_DIR}/tests/e2e_suite.py
       LABEL suite
       ADDITIONAL_ARGS
-        --oe-binary
-        ${OE_BINDIR}
         --ledger-recovery-timeout
         20
         --test-duration
@@ -1099,9 +1095,8 @@ if(BUILD_TESTS)
       NAME governance_test
       PYTHON_SCRIPT ${CMAKE_SOURCE_DIR}/tests/governance.py
       CONSTITUTION ${CONSTITUTION_ARGS}
-      ADDITIONAL_ARGS
-        --oe-binary ${OE_BINDIR} --initial-operator-count 1
-        --jinja-templates-path ${CMAKE_SOURCE_DIR}/samples/templates
+      ADDITIONAL_ARGS --initial-operator-count 1 --jinja-templates-path
+                      ${CMAKE_SOURCE_DIR}/samples/templates
     )
 
     add_e2e_test(
@@ -1113,8 +1108,11 @@ if(BUILD_TESTS)
     add_e2e_test(
       NAME code_update_test
       PYTHON_SCRIPT ${CMAKE_SOURCE_DIR}/tests/code_update.py
-      ADDITIONAL_ARGS --oe-binary ${OE_BINDIR} --js-app-bundle
-                      ${CMAKE_SOURCE_DIR}/samples/apps/logging/js
+      ADDITIONAL_ARGS
+        --js-app-bundle
+        ${CMAKE_SOURCE_DIR}/samples/apps/logging/js
+        --constitution
+        ${CMAKE_SOURCE_DIR}/samples/constitutions/virtual/virtual_attestation_actions.js
     )
 
     if(BUILD_TPCC)
@@ -1249,9 +1247,7 @@ if(BUILD_TESTS)
         ${CMAKE_SOURCE_DIR}/python/config_1_x.ini
     )
 
-    list(APPEND LTS_TEST_ARGS --oe-binary ${OE_BINDIR} --ccf-version
-         ${CCF_VERSION}
-    )
+    list(APPEND LTS_TEST_ARGS --ccf-version ${CCF_VERSION})
     if(LONG_TESTS)
       list(APPEND LTS_TEST_ARGS --check-ledger-compatibility)
     endif()
@@ -1261,7 +1257,10 @@ if(BUILD_TESTS)
         NAME lts_compatibility
         PYTHON_SCRIPT ${CMAKE_SOURCE_DIR}/tests/lts_compatibility.py
         LABEL e2e
-        ADDITIONAL_ARGS ${LTS_TEST_ARGS}
+        ADDITIONAL_ARGS
+          ${LTS_TEST_ARGS}
+          --constitution
+          ${CMAKE_SOURCE_DIR}/samples/constitutions/virtual/virtual_attestation_actions.js
       )
       set_property(
         TEST lts_compatibility

doc/audit/builtin_maps.rst

@@ -138,10 +138,30 @@ DEPRECATED. Previously contained versions of the code allowed to join the curren
    * - ``cae46d1...bb908b64e``
      - ``ALLOWED_TO_JOIN``
 
+``nodes.virtual.host_data``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Map mimicking SNP host_data for virtual nodes, restricting which host_data values may be presented by new nodes joining the network.
+
+**Key** Host data: The host data.
+
+**Value** Metadata: The platform specific meaning of the host data.
+
+``nodes.virtual.measurements``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Trusted virtual measurements for new nodes allowed to join the network. Virtual measurements are constructed by CCF to test and debug code update flows on hardware without TEE protections.
+
+.. warning:: Since virtual nodes provide no protection, this should be empty on production instances.
+
+**Key** Measurement, represented as a base64 hex-encoded string (length: 64).
+
+**Value** Status represented as JSON.
+
 ``nodes.snp.host_data``
 ~~~~~~~~~~~~~~~~~~~~~~~
 
-Trusted attestation report host data field for new nodes allowed to join the network (:doc:`SNP <../operations/platforms/snp>` only).
+Trusted attestation report host data field for new nodes allowed to join the network (:doc:`SNP <../operations/platforms/snp>` only). Only the presence of the joiner's host data key is checked, so the metadata is optional and may be empty for space-saving or privacy reasons.
 
 **Key** Host data: The host data.
 
@@ -150,7 +170,7 @@ Trusted attestation report host data field for new nodes allowed to join the net
 ``nodes.snp.measurements``
 ~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Trusted measurements for new nodes allowed to join the network (:doc:`SNP <../operations/platforms/snp>` only).
+Trusted SNP measurements for new nodes allowed to join the network (:doc:`SNP <../operations/platforms/snp>` only).
 
 .. note:: For improved serviceability on confidential ACI deployments, see :ref:`audit/builtin_maps:``nodes.snp.uvm_endorsements``` map.
 
@@ -387,7 +407,7 @@ JWT signing keys, used until 6.0.
 **Value** List of (DER-encoded certificate, issuer, constraint), represented as JSON.
 
 ``jwt.public_signing_keys_metadata_v2``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 JWT signing keys, from 6.0.0 onwards.
 

doc/schemas/gov/2024-07-01/gov.json

@@ -1708,11 +1708,16 @@
         "snp": {
           "$ref": "#/definitions/ServiceState.SnpJoinPolicy",
           "description": "Policy applied to nodes running in AMD SEV-SNP containers."
+        },
+        "virtual": {
+          "$ref": "#/definitions/ServiceState.VirtualJoinPolicy",
+          "description": "Policy applied to virtual nodes (insecure, intended for debugging)."
         }
       },
       "required": [
         "sgx",
-        "snp"
+        "snp",
+        "virtual"
       ]
     },
     "ServiceState.JoinPolicy": {
@@ -2232,6 +2237,32 @@
       ],
       "x-ms-discriminator-value": "OE_SGX_v1"
     },
+    "ServiceState.VirtualJoinPolicy": {
+      "type": "object",
+      "description": "Join policy fields specific to nodes running on virtual nodes with no hardware protection.",
+      "properties": {
+        "measurements": {
+          "type": "array",
+          "description": "Code measurements of acceptable enclaves.",
+          "items": {
+            "type": "string",
+            "format": "byte"
+          }
+        },
+        "hostData": {
+          "type": "array",
+          "description": "Collection of acceptable host data values.",
+          "items": {
+            "type": "string",
+            "format": "byte"
+          }
+        }
+      },
+      "required": [
+        "measurements",
+        "hostData"
+      ]
+    },
     "ServiceState.SnpJoinPolicy": {
       "type": "object",
       "description": "Join policy fields specific to nodes running on AMD SEV-SNP hardware.",

doc/schemas/gov_openapi.json

@@ -1240,6 +1240,12 @@
       "string": {
         "type": "string"
       },
+      "string_to_CodeStatus": {
+        "additionalProperties": {
+          "$ref": "#/components/schemas/CodeStatus"
+        },
+        "type": "object"
+      },
       "string_to_JwtIssuerMetadata": {
         "additionalProperties": {
           "$ref": "#/components/schemas/JwtIssuerMetadata"
@@ -1331,7 +1337,7 @@
   "info": {
     "description": "This API is used to submit and query proposals which affect CCF's public governance tables.",
     "title": "CCF Governance API",
-    "version": "4.5.0"
+    "version": "4.5.1"
   },
   "openapi": "3.0.0",
   "paths": {
@@ -2153,6 +2159,49 @@
         }
       }
     },
+    "/gov/kv/nodes/virtual/host_data": {
+      "get": {
+        "deprecated": true,
+        "operationId": "GetGovKvNodesVirtualHostData",
+        "responses": {
+          "200": {
+            "description": "Default response description"
+          },
+          "default": {
+            "$ref": "#/components/responses/default"
+          }
+        },
+        "summary": "This route is auto-generated from the KV schema.",
+        "x-ccf-forwarding": {
+          "$ref": "#/components/x-ccf-forwarding/sometimes"
+        }
+      }
+    },
+    "/gov/kv/nodes/virtual/measurements": {
+      "get": {
+        "deprecated": true,
+        "operationId": "GetGovKvNodesVirtualMeasurements",
+        "responses": {
+          "200": {
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/string_to_CodeStatus"
+                }
+              }
+            },
+            "description": "Default response description"
+          },
+          "default": {
+            "$ref": "#/components/responses/default"
+          }
+        },
+        "summary": "This route is auto-generated from the KV schema.",
+        "x-ccf-forwarding": {
+          "$ref": "#/components/x-ccf-forwarding/sometimes"
+        }
+      }
+    },
     "/gov/kv/proposals": {
       "get": {
         "deprecated": true,

doc/schemas/node_openapi.json

@@ -576,7 +576,7 @@
           "format": {
             "$ref": "#/components/schemas/QuoteFormat"
           },
-          "mrenclave": {
+          "measurement": {
             "$ref": "#/components/schemas/string"
           },
           "node_id": {
@@ -858,7 +858,7 @@
   "info": {
     "description": "This API provides public, uncredentialed access to service and node state.",
     "title": "CCF Public Node API",
-    "version": "4.11.0"
+    "version": "4.12.0"
   },
   "openapi": "3.0.0",
   "paths": {

include/ccf/ds/quote_info.h

@@ -32,7 +32,7 @@ namespace ccf
     std::vector<uint8_t> endorsements;
     /// UVM endorsements (SNP-only)
     std::optional<std::vector<uint8_t>> uvm_endorsements;
-    /// Endorsed TCB (hex-encoded)
+    /// Endorsed TCB (hex-encoded) (SNP-only)
     std::optional<std::string> endorsed_tcb = std::nullopt;
   };