diff --git a/cmake/common.cmake b/cmake/common.cmake
index 23b8b313d..7f5910b5b 100644
--- a/cmake/common.cmake
+++ b/cmake/common.cmake
@@ -502,7 +502,6 @@ target_link_libraries(cchost.virtual PRIVATE
   ccfcrypto.host
   merkle_tree.host
 )
-enable_quote_code(cchost.virtual)
 
 # Client executable
 add_executable(client ${CCF_DIR}/src/clients/client.cpp)
diff --git a/src/host/main.cpp b/src/host/main.cpp
index c6cd42cb6..5c3283223 100644
--- a/src/host/main.cpp
+++ b/src/host/main.cpp
@@ -61,8 +61,9 @@ int main(int argc, char** argv)
   std::string quote_file("quote.bin");
   app.add_option("-q,--quote-file", quote_file, "SGX quote file", true);
 
-  std::string quote_cert("nodecert.pem");
-  app.add_option("-c,--quote-cert", quote_cert, "SGX quote certificate", true);
+  std::string quoted_data("nodecert.pem");
+  app.add_option(
+    "-c,--quoted-data", quoted_data, "SGX quoted certificate", true);
 
   size_t sig_max_tx = 1000;
   app.add_option(
@@ -201,7 +202,7 @@ int main(int argc, char** argv)
   if (start == "verify")
   {
     auto q = files::slurp(quote_file);
-    auto d = files::slurp(quote_cert);
+    auto d = files::slurp(quoted_data);
     auto passed = enclave.verify_quote(q, d);
 
     if (!passed)
@@ -261,18 +262,15 @@ int main(int argc, char** argv)
 
   LOG_INFO << "Created new node." << std::endl;
 
-#ifdef GET_QUOTE
-  auto enclave_ok = enclave.verify_quote(quote, node_cert);
-  if (!enclave_ok)
-    LOG_FATAL << "Verification of local node quote failed" << std::endl;
-#endif
-
   // Write the node cert and quote to disk. Actors can use the node cert
   // as a CA on their end of the TLS connection.
   files::dump(node_cert, node_cert_file);
 
 #ifdef GET_QUOTE
   files::dump(quote, quote_file);
+
+  if (!enclave.verify_quote(quote, node_cert))
+    LOG_FATAL << "Verification of local node quote failed" << std::endl;
 #endif
 
   // ledger
diff --git a/tests/infra/remote.py b/tests/infra/remote.py
index 940072d45..a409c16dd 100644
--- a/tests/infra/remote.py
+++ b/tests/infra/remote.py
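Review bot: The help text of the renamed option still describes the argument as a certificate (`"SGX quoted certificate"`) while the flag is now `--quoted-data`, so the rename is only half done from the operator's point of view and the description no longer says what the file must contain. The verify path in the next hunk slurps this file and hands it to `enclave.verify_quote(q, d)` as the data the quote is expected to cover, so I would describe it that way: `"-c,--quoted-data", quoted_data, "File whose contents the SGX quote must cover (defaults to the node certificate)", true);`. It is also worth stating in the commit message that `--quote-cert` is removed with no alias, so an external script still passing it will presumably be rejected at parse time. main's body starts and ends outside this hunk.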
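Review bot: Moving the local quote check below `files::dump(quote, quote_file)` means a node whose quote fails verification has already persisted both its certificate (the `files::dump(node_cert, node_cert_file)` above, which is outside the `#ifdef`) and the failing quote before `LOG_FATAL` is reached, so anything polling for `quote.bin` (the test harness, or an operator) can pick up an unverified quote; the removed code verified first. Unless `LOG_FATAL` is known to terminate the process, which is not visible here, execution also continues into node start-up with the failed check only logged. I would keep the check ahead of the dump, `if (!enclave.verify_quote(quote, node_cert)) LOG_FATAL << "Verification of local node quote failed" << std::endl;` followed by `files::dump(quote, quote_file);`, or, if the intent is to leave the artifacts on disk for debugging a bad quote, say so in a comment above the new lines. main's body starts and ends outside this hunk.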
@@ -378,9 +378,11 @@ class CCFRemote(object):
         self.raft_port = raft_port
         self.tls_port = tls_port
         self.pem = "{}.pem".format(node_id)
-        self.quote = expect_quote
+        self.quote = None
         self.node_status = node_status
-        if expect_quote:
+        # Only expect a quote if the enclave is not virtual and quotes have
+        # not been explictly disabled
+        if enclave_type != "virtual" and expect_quote:
             self.quote = "quote{}.bin".format(node_id)
         self.BIN = infra.path.build_bin_path(self.BIN, enclave_type)
         self.ledger_file = ledger_file
@@ -427,8 +429,9 @@ class CCFRemote(object):
             cmd += ["--notify-server-host={}".format(notify_server_host)]
             cmd += ["--notify-server-port={}".format(notify_server_port[0])]
 
-        if expect_quote:
+        if self.quote is not None:
             cmd.append("--quote-file={}".format(self.quote))
+
         self.remote = remote_class(
             node_id,
             host,
diff --git a/tests/quote_verification.py b/tests/quote_verification.py
index 025b019d9..18b41fe12 100644
--- a/tests/quote_verification.py
+++ b/tests/quote_verification.py
@@ -57,7 +57,7 @@ def create_node(lib_path, node_id, quote_path, cert_path):
     proc.wait()
 
 
-def verify_quote(lib_path, quote_path, cert_path, should_fail=False):
+def verify_quote(lib_path, quote_path, quoted_path, should_fail=False):
     # As per OE 0.4.0, oe_verify_report() on the host leaks memory.
     # Turn ASAN leak check off for now until OE fixes it.
     asan_env_disable_leak = {"ASAN_OPTIONS": "detect_leaks=0"}
@@ -66,7 +66,7 @@ def verify_quote(lib_path, quote_path, cert_path, should_fail=False):
         "--enclave-file={}".format(lib_path),
         "--start=verify",
         "--quote-file={}".format(quote_path),
-        "--quote-cert={}".format(cert_path),
+        "--quoted-data={}".format(quoted_path),
     ]
     print(">> {} &".format(" ".join(cmd)))
     proc = Popen(
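Review bot: The new comment above the `enclave_type != "virtual"` check has a typo (`explictly`) and does not say what happens when the condition fails, which is the behaviour the rest of the class now relies on (`self.quote` stays `None` and the second hunk omits `--quote-file` entirely). I would write `# Only expect a quote for non-virtual enclaves and only when the caller asked for one (expect_quote); otherwise self.quote stays None and no --quote-file is passed to the node.` so a reader of the launch code knows a virtual node silently runs without a quote rather than failing. The `__init__` this sits in starts and ends outside the hunk.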