runtime: Use correct quote policy for ROFL apps

runtime/src/attestation.rs

@@ -16,6 +16,7 @@ use crate::{
     host::Host,
     identity::Identity,
     policy::PolicyVerifier,
+    rofl::App,
     types::Body,
 };
 
@@ -26,7 +27,8 @@ pub struct Handler {
     host: Arc<dyn Host>,
     consensus_verifier: Arc<dyn Verifier>,
     runtime_id: Namespace,
-    version: Option<Version>,
+    version: Version,
+    app: Arc<dyn App>,
     logger: Logger,
 }
 
@@ -37,14 +39,16 @@ impl Handler {
         host: Arc<dyn Host>,
         consensus_verifier: Arc<dyn Verifier>,
         runtime_id: Namespace,
-        version: Option<Version>,
+        version: Version,
+        app: Arc<dyn App>,
     ) -> Self {
         Self {
             identity,
             host,
             consensus_verifier,
             runtime_id,
             version,
+            app,
             logger: get_logger("runtime/attestation"),
         }
     }
@@ -92,21 +96,34 @@ impl Handler {
         })
     }
 
-    async fn set_quote(&self, quote: Quote) -> Result<Body> {
-        if self.identity.quote_policy().is_none() {
-            info!(self.logger, "Configuring quote policy");
+    async fn set_quote_policy(&self) -> Result<()> {
+        info!(self.logger, "Configuring quote policy");
 
+        // Use the correct quote policy for verifying our own identity based on what kind of
+        // application this is. For ROFL, ask the application, for RONL, query consensus.
+        let policy = if self.app.is_supported() {
+            // ROFL, ask the app for policy.
+            self.app.quote_policy().await?
+        } else {
+            // RONL.
             // TODO: Make async.
             let consensus_verifier = self.consensus_verifier.clone();
             let version = self.version;
             let runtime_id = self.runtime_id;
-            let policy = tokio::task::block_in_place(move || {
+            tokio::task::block_in_place(move || {
                 // Obtain current quote policy from (verified) consensus state.
-                PolicyVerifier::new(consensus_verifier).quote_policy(&runtime_id, version)
-            })?;
+                PolicyVerifier::new(consensus_verifier).quote_policy(&runtime_id, Some(version))
+            })?
+        };
 
-            self.identity.set_quote_policy(policy)?;
-        }
+        self.identity.set_quote_policy(policy)?;
+
+        Ok(())
+    }
+
+    async fn set_quote(&self, quote: Quote) -> Result<Body> {
+        // Ensure a quote policy is configured.
+        self.set_quote_policy().await?;
 
         info!(
             self.logger,

runtime/src/dispatcher.rs

@@ -265,19 +265,12 @@ impl Dispatcher {
             error!(self.logger, "ROFL application initialization failed"; "err" => ?err);
         }
 
-        // Determine what runtime version to support during remote attestation. For runtimes that
-        // define a ROFL application, we use `None` to signal that the active version is used.
-        let version = if app.is_supported() {
-            None
-        } else {
-            Some(protocol.get_config().version)
-        };
-
+        let app: Arc<dyn rofl::App> = Arc::from(app);
         let state = State {
             protocol: protocol.clone(),
             consensus_verifier: consensus_verifier.clone(),
             dispatcher: self.clone(),
-            app: Arc::from(app),
+            app: app.clone(),
             rpc_demux: Arc::new(rpc_demux),
             rpc_dispatcher: Arc::new(rpc_dispatcher),
             txn_dispatcher: Arc::from(txn_dispatcher),
@@ -286,7 +279,8 @@ impl Dispatcher {
                 protocol.clone(),
                 consensus_verifier.clone(),
                 protocol.get_runtime_id(),
-                version,
+                protocol.get_config().version,
+                app,
             ),
             policy_verifier: Arc::new(PolicyVerifier::new(consensus_verifier)),
             cache_set: cache::CacheSet::new(protocol.clone()),

runtime/src/identity.rs

@@ -59,8 +59,6 @@ enum QuoteError {
     NonceMismatch,
     #[error("quote policy not set")]
     QuotePolicyNotSet,
-    #[error("quote policy already set")]
-    QuotePolicyAlreadySet,
     #[error("node identity not set")]
     NodeIdentityNotSet,
     #[error("endorsed quote mismatch")]
@@ -287,9 +285,6 @@ impl Identity {
     /// Configure the runtime quote policy.
     pub(crate) fn set_quote_policy(&self, policy: QuotePolicy) -> Result<()> {
         let mut inner = self.inner.write().unwrap();
-        if inner.quote_policy.is_some() {
-            return Err(QuoteError::QuotePolicyAlreadySet.into());
-        }
         inner.quote_policy = Some(Arc::new(policy));
 
         Ok(())

runtime/src/rofl.rs

@@ -5,6 +5,7 @@ use anyhow::{bail, Result};
 use async_trait::async_trait;
 
 use crate::{
+    common::sgx,
     consensus::roothash,
     dispatcher::{Initializer, PostInitState, PreInitState},
     host::Host,
@@ -25,6 +26,24 @@ pub trait App: Send + Sync {
         Ok(())
     }
 
+    /// Quote policy to use for verifying our own enclave identity.
+    async fn quote_policy(&self) -> Result<sgx::QuotePolicy> {
+        // Default implementation uses a sane policy.
+        Ok(sgx::QuotePolicy {
+            ias: Some(sgx::ias::QuotePolicy {
+                disabled: true, // Disable legacy EPID attestation.
+                ..Default::default()
+            }),
+            pcs: Some(sgx::pcs::QuotePolicy {
+                // Allow TDX since that is not part of the default policy.
+                tdx: Some(sgx::pcs::TdxQuotePolicy {
+                    allowed_tdx_modules: vec![],
+                }),
+                ..Default::default()
+            }),
+        })
+    }
+
     /// Called on new runtime block being received.
     async fn on_runtime_block(&self, blk: &roothash::AnnotatedBlock) -> Result<()> {
         // Default implementation does nothing.