[TOB] DEV-3793: Time-Insensitive Content Hash for EnclaveIdentity and FMSPC TCBInfo JSON Collaterals #27
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
preston4896
changed the title
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Comment on lines
21
to
28
| function _storeIdentityContentHash(bytes32 identityKey, bytes32 contentHash) internal override { | ||
| // write content hash to storage anyway regardless of whether it changes | ||
| // it is still cheaper to directly write the unchanged non-zero values to the same slot | ||
| // instead of, SLOAD-ing and comparing the values, then write to storage slot | ||
| // this saves gas by skipping SLOAD | ||
| bytes32 contentHashKey = _computeContentHashKey(identityKey); | ||
| resolver.attest(contentHashKey, abi.encodePacked(contentHash), bytes32(0)); | ||
| } |
Check warning
Code scanning / Slither
Unused return
Comment on lines
48
to
55
| function _storeFmspcTcbContentHash(bytes32 tcbKey, bytes32 contentHash) internal override { | ||
| // write content hash to storage anyway regardless of whether it changes | ||
| // it is still cheaper to directly write the unchanged non-zero values to the same slot | ||
| // instead of, SLOAD-ing and comparing the values, then write to storage slot | ||
| // this saves gas by skipping SLOAD | ||
| bytes32 contentHashKey = _computeContentHashKey(tcbKey); | ||
| resolver.attest(contentHashKey, abi.encodePacked(contentHash), bytes32(0)); | ||
| } |
Check warning
Code scanning / Slither
Unused return
src/helpers/FmspcTcbHelper.sol
Outdated
Comment on lines
110
to
135
| function generateFmspcTcbContentHash( | ||
| TcbInfoBasic memory tcbInfoContent, | ||
| string memory tcbLevelsString, | ||
| string memory tdxModuleString, | ||
| string memory tdxModuleIdentitiesString | ||
| ) external pure returns (bytes32 contentHash) { | ||
| bytes memory content = abi.encodePacked( | ||
| tcbInfoContent.tcbType, | ||
| tcbInfoContent.id, | ||
| tcbInfoContent.version, | ||
| tcbInfoContent.evaluationDataNumber, | ||
| tcbInfoContent.fmspc, | ||
| tcbInfoContent.pceid, | ||
| bytes(tcbLevelsString) | ||
| ); | ||
|
|
||
| if (bytes(tdxModuleString).length > 0) { | ||
| content = abi.encodePacked(content, bytes(tdxModuleString)); | ||
| } | ||
|
|
||
| if (bytes(tdxModuleIdentitiesString).length > 0) { | ||
| content = abi.encodePacked(content, bytes(tdxModuleIdentitiesString)); | ||
| } | ||
|
|
||
| contentHash = keccak256(content); | ||
| } |
Check failure
Code scanning / Slither
ABI encodePacked Collision
src/helpers/FmspcTcbHelper.sol
Outdated
Comment on lines
110
to
135
| function generateFmspcTcbContentHash( | ||
| TcbInfoBasic memory tcbInfoContent, | ||
| string memory tcbLevelsString, | ||
| string memory tdxModuleString, | ||
| string memory tdxModuleIdentitiesString | ||
| ) external pure returns (bytes32 contentHash) { | ||
| bytes memory content = abi.encodePacked( | ||
| tcbInfoContent.tcbType, | ||
| tcbInfoContent.id, | ||
| tcbInfoContent.version, | ||
| tcbInfoContent.evaluationDataNumber, | ||
| tcbInfoContent.fmspc, | ||
| tcbInfoContent.pceid, | ||
| bytes(tcbLevelsString) | ||
| ); | ||
|
|
||
| if (bytes(tdxModuleString).length > 0) { | ||
| content = abi.encodePacked(content, bytes(tdxModuleString)); | ||
| } | ||
|
|
||
| if (bytes(tdxModuleIdentitiesString).length > 0) { | ||
| content = abi.encodePacked(content, bytes(tdxModuleIdentitiesString)); | ||
| } | ||
|
|
||
| contentHash = keccak256(content); | ||
| } |
Check failure
Code scanning / Slither
ABI encodePacked Collision
preston4896
force-pushed
the
development
branch
from
33baea4 to
838a536
Compare
|
Not within the scope of FR, but TOB has given us the green light for this changes. cc @Liao1 |
Liao1
approved these changes
Mar 3, 2025
|
Merged to |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The goal of this PR is to create another attestation entry for JSON collaterals, to store "time-insensitive" and content-specific hash of a JSON Collateral, which we describe it as "content hashes".
The content hash of a JSON collateral is computed by simply taking all values, omitting
issueDateandnextUpdatefields, to only keep track of content-specific changes (such as the TCB Status), regardless of when the JSON collateral is being issued.This allows us to treat both JSON collaterals (same TCBLevel, but issued at different timestamps) as identical.