mirror/libsignal
0
0
Fork 0
mirror of https://github.com/signalapp/libsignal.git synced 2024-09-19 19:42:19 +02:00
Code

SVR3: Support production enclaves

Browse Source
This commit is contained in:
moiseev-signal 2024-05-28 10:09:18 -07:00 committed by GitHub
parent 31d6015522
commit 71031786dc
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
9 changed files with 175 additions and 146 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

114
rust/attest/src/constants.rs
View File

@ -19,9 +19,9 @@ pub const ENCLAVE_ID_SVR3_NITRO_STAGING: &[u8] = b"ffe631d7.52b91975.a4544fb5";
pub const ENCLAVE_ID_SVR3_TPM2SNP_STAGING: &[u8] = b"0.20240510.172959";
pub const ENCLAVE_ID_SVR3_SGX_PROD: &[u8] =
&hex!("0000000000000000000000000000000000000000000000000000000000000000");
pub const ENCLAVE_ID_SVR3_NITRO_PROD: &[u8] = b"00000000.00000000.00000000";
pub const ENCLAVE_ID_SVR3_TPM2SNP_PROD: &[u8] = b"0.00000000.000000";
&hex!("0899bf951b57f27b5cd3d2dd4dbe5a144a4a62154853a4e352ac2c93ecfe6a2c");
pub const ENCLAVE_ID_SVR3_NITRO_PROD: &[u8] = ENCLAVE_ID_SVR3_NITRO_STAGING;
pub const ENCLAVE_ID_SVR3_TPM2SNP_PROD: &[u8] = ENCLAVE_ID_SVR3_TPM2SNP_STAGING;
pub const ENCLAVE_ID_CDSI_PROD: &[u8] = ENCLAVE_ID_CDSI_STAGING;
pub const ENCLAVE_ID_SVR2_PROD: &[u8] =
@ -60,7 +60,7 @@ pub(crate) const TPM2SNP_EXPECTED_PCRS: SmallMap<&'static [u8], &'static tpm2snp
/// Map from MREnclave to intel SW advisories that are known to be mitigated in the
/// build with that MREnclave value
pub(crate) const ACCEPTABLE_SW_ADVISORIES: &SmallMap<&'static [u8], &'static [&'static str], 3> =
pub(crate) const ACCEPTABLE_SW_ADVISORIES: &SmallMap<&'static [u8], &'static [&'static str], 4> =
&SmallMap::new([
(
ENCLAVE_ID_SVR2_STAGING,
@ -74,6 +74,10 @@ pub(crate) const ACCEPTABLE_SW_ADVISORIES: &SmallMap<&'static [u8], &'static [&'
ENCLAVE_ID_SVR3_SGX_STAGING,
&["INTEL-SA-00615", "INTEL-SA-00657"] as &[&str],
),
(
ENCLAVE_ID_SVR3_SGX_PROD,
&["INTEL-SA-00615", "INTEL-SA-00657"] as &[&str],
),
]);
/// SW advisories known to be mitigated by default. If an MREnclave is provided that
@ -81,51 +85,61 @@ pub(crate) const ACCEPTABLE_SW_ADVISORIES: &SmallMap<&'static [u8], &'static [&'
pub(crate) const DEFAULT_SW_ADVISORIES: &[&str] = &[];
/// Expected raft configuration for a given enclave.
pub(crate) static EXPECTED_RAFT_CONFIG: SmallMap<&'static [u8], &'static RaftConfig, 5> =
pub const RAFT_CONFIG_SVR2_STAGING: &RaftConfig = &RaftConfig {
min_voting_replicas: 3,
max_voting_replicas: 5,
super_majority: 0,
group_id: 16934825672495360159,
};
pub const RAFT_CONFIG_SVR2_PROD: &RaftConfig = &RaftConfig {
min_voting_replicas: 4,
max_voting_replicas: 7,
super_majority: 2,
group_id: 1230918306983775578,
};
pub const RAFT_CONFIG_SVR3_SGX_STAGING: &RaftConfig = &RaftConfig {
min_voting_replicas: 3,
max_voting_replicas: 9,
super_majority: 0,
group_id: 15742431669367858463,
};
pub const RAFT_CONFIG_SVR3_NITRO_STAGING: &RaftConfig = &RaftConfig {
group_id: 10298929430185113734,
min_voting_replicas: 3,
max_voting_replicas: 9,
super_majority: 0,
};
pub const RAFT_CONFIG_SVR3_TPM2SNP_STAGING: &RaftConfig = &RaftConfig {
group_id: 8572438378773168949,
min_voting_replicas: 3,
max_voting_replicas: 9,
super_majority: 0,
};
pub const RAFT_CONFIG_SVR3_SGX_PROD: &RaftConfig = &RaftConfig {
min_voting_replicas: 4,
max_voting_replicas: 13,
super_majority: 2,
group_id: 9590812984166600424,
};
pub const RAFT_CONFIG_SVR3_NITRO_PROD: &RaftConfig = &RaftConfig {
group_id: 13958530449904196066,
min_voting_replicas: 4,
max_voting_replicas: 13,
super_majority: 2,
};
pub const RAFT_CONFIG_SVR3_TPM2SNP_PROD: &RaftConfig = &RaftConfig {
group_id: 6899183880775443455,
min_voting_replicas: 4,
max_voting_replicas: 13,
super_majority: 2,
};
// This is left here primarily to support SVR2 bridging code that does
// not expose the notion of environment to the clients.
pub(crate) static EXPECTED_RAFT_CONFIG_SVR2: SmallMap<&'static [u8], &'static RaftConfig, 2> =
SmallMap::new([
(
ENCLAVE_ID_SVR2_STAGING,
&RaftConfig {
min_voting_replicas: 3,
max_voting_replicas: 5,
super_majority: 0,
group_id: 16934825672495360159,
},
),
(
ENCLAVE_ID_SVR2_PROD,
&RaftConfig {
min_voting_replicas: 4,
max_voting_replicas: 7,
super_majority: 2,
group_id: 1230918306983775578,
},
),
(
ENCLAVE_ID_SVR3_SGX_STAGING,
&RaftConfig {
min_voting_replicas: 3,
max_voting_replicas: 9,
super_majority: 0,
group_id: 15742431669367858463,
},
),
(
ENCLAVE_ID_SVR3_NITRO_STAGING,
&RaftConfig {
group_id: 10298929430185113734,
min_voting_replicas: 3,
max_voting_replicas: 9,
super_majority: 0,
},
),
(
ENCLAVE_ID_SVR3_TPM2SNP_STAGING,
&RaftConfig {
group_id: 8572438378773168949,
min_voting_replicas: 3,
max_voting_replicas: 9,
super_majority: 0,
},
),
(ENCLAVE_ID_SVR2_STAGING, RAFT_CONFIG_SVR2_STAGING),
(ENCLAVE_ID_SVR2_PROD, RAFT_CONFIG_SVR2_PROD),
]);

5
rust/attest/src/nitro.rs
View File

@ -17,7 +17,7 @@ use subtle::ConstantTimeEq;
use crate::enclave::{self, Claims, Handshake};
use crate::proto;
use crate::svr2::{expected_raft_config, RaftConfig};
use crate::svr2::RaftConfig;
use crate::util::SmallMap;
use crate::constants::NITRO_EXPECTED_PCRS;
@ -55,9 +55,8 @@ pub fn new_handshake(
mr_enclave: &[u8],
attestation_msg: &[u8],
now: SystemTime,
raft_config_override: Option<&'static RaftConfig>,
expected_raft_config: &'static RaftConfig,
) -> Result<Handshake, enclave::Error> {
let expected_raft_config = expected_raft_config(mr_enclave, raft_config_override)?;
let handshake_start = proto::svr::ClientHandshakeStart::decode(attestation_msg)?;
let handshake = Handshake::for_nitro(
mr_enclave,

57
rust/attest/src/svr2.rs
View File

@ -3,7 +3,9 @@
// SPDX-License-Identifier: AGPL-3.0-only
//
use crate::constants::{ACCEPTABLE_SW_ADVISORIES, DEFAULT_SW_ADVISORIES, EXPECTED_RAFT_CONFIG};
use crate::constants::{
ACCEPTABLE_SW_ADVISORIES, DEFAULT_SW_ADVISORIES, EXPECTED_RAFT_CONFIG_SVR2,
};
use prost::Message;
use crate::enclave::{Error, Handshake, Result};
@ -27,38 +29,41 @@ impl PartialEq<svr::RaftGroupConfig> for RaftConfig {
}
}
pub(crate) fn expected_raft_config(
mr_enclave: &[u8],
config_override: Option<&'static RaftConfig>,
) -> Result<&'static RaftConfig> {
config_override
.or_else(|| EXPECTED_RAFT_CONFIG.get(&mr_enclave).copied())
.ok_or(Error::AttestationDataError {
reason: format!("unknown mrenclave {:?}", mr_enclave),
})
}
/// Lookup the group id constant associated with the `mrenclave`
pub fn lookup_groupid(mrenclave: &[u8]) -> Option<u64> {
EXPECTED_RAFT_CONFIG
EXPECTED_RAFT_CONFIG_SVR2
.get(&mrenclave)
.map(|config| config.group_id)
}
// Must only be used for SVR2 bridging code that does
// not expose the notion of environment to the clients.
pub fn new_handshake_with_raft_config_lookup(
mrenclave: &[u8],
attestation_msg: &[u8],
current_time: std::time::SystemTime,
) -> Result<Handshake> {
let expected_raft_config =
EXPECTED_RAFT_CONFIG_SVR2
.get(&mrenclave)
.copied()
.ok_or(Error::AttestationDataError {
reason: format!("unknown mrenclave {:?}", &mrenclave),
})?;
new_handshake(
mrenclave,
attestation_msg,
current_time,
expected_raft_config,
)
}
pub fn new_handshake(
mrenclave: &[u8],
attestation_msg: &[u8],
current_time: std::time::SystemTime,
expected_raft_config: &'static RaftConfig,
) -> Result<Handshake> {
new_handshake_with_override(mrenclave, attestation_msg, current_time, None)
}
pub fn new_handshake_with_override(
mrenclave: &[u8],
attestation_msg: &[u8],
current_time: std::time::SystemTime,
raft_config_override: Option<&'static RaftConfig>,
) -> Result<Handshake> {
let expected_raft_config = expected_raft_config(mrenclave, raft_config_override)?;
new_handshake_with_constants(
mrenclave,
attestation_msg,
@ -105,7 +110,13 @@ mod tests {
let current_time = SystemTime::UNIX_EPOCH + Duration::from_secs(1709245753);
let mrenclave_bytes =
hex!("acb1973aa0bbbd14b3b4e06f145497d948fd4a98efc500fcce363b3b743ec482");
new_handshake(&mrenclave_bytes, HANDSHAKE_BYTES, current_time).unwrap();
let raft_config: &RaftConfig = &RaftConfig {
min_voting_replicas: 3,
max_voting_replicas: 5,
super_majority: 0,
group_id: 16934825672495360159,
};
new_handshake(&mrenclave_bytes, HANDSHAKE_BYTES, current_time, raft_config).unwrap();
}
#[test]

10
rust/attest/src/tpm2snp.rs
View File

@ -14,7 +14,7 @@ use crate::cert_chain::{self, CertChain};
use crate::enclave::{Claims, Error, Handshake, Result, UnvalidatedHandshake};
use crate::expireable::Expireable as _;
use crate::proto::{svr, svr3};
use crate::svr2::expected_raft_config;
use crate::svr2::RaftConfig;
use crate::constants::TPM2SNP_EXPECTED_PCRS;
@ -25,8 +25,12 @@ pub(crate) use tpm2::{Error as Tpm2Error, PcrMap};
const GOOG_AKCERT_ROOT_PEM: &[u8] = include_bytes!("../res/goog_akcert_root.pem");
pub fn new_handshake(enclave: &[u8], attestation_msg: &[u8], now: SystemTime) -> Result<Handshake> {
let expected_raft_config = expected_raft_config(enclave, None)?;
pub fn new_handshake(
enclave: &[u8],
attestation_msg: &[u8],
now: SystemTime,
expected_raft_config: &'static RaftConfig,
) -> Result<Handshake> {
let handshake_start = svr::ClientHandshakeStart::decode(attestation_msg)?;
Handshake::for_tpm2snp(
enclave,

6
rust/bridge/shared/src/net.rs
View File

@ -103,11 +103,7 @@ impl ConnectionManager {
) -> EnclaveEndpointConnection<E, MultiRouteConnectionManager> {
let params = endpoint.domain_config.connection_params_with_fallback();
let params = add_user_agent_header(params, user_agent);
EnclaveEndpointConnection::new_multi(
endpoint.mr_enclave,
params,
ONE_ROUTE_CONNECTION_TIMEOUT,
)
EnclaveEndpointConnection::new_multi(endpoint, params, ONE_ROUTE_CONNECTION_TIMEOUT)
}
}

2
rust/bridge/shared/src/svr2.rs
View File

@ -20,7 +20,7 @@ fn new_client(
attestation_msg: &[u8],
current_time: std::time::SystemTime,
) -> Result<SgxClientState> {
SgxClientState::new(svr2::new_handshake(
SgxClientState::new(svr2::new_handshake_with_raft_config_lookup(
mrenclave,
attestation_msg,
current_time,

17
rust/net/examples/svr3_2xsgx.rs
View File

@ -33,7 +33,7 @@ use libsignal_net::svr3::{OpaqueMaskedShareSet, PpssOps};
const TEST_SERVER_CERT: RootCertificates = RootCertificates::FromDer(Cow::Borrowed(
include_bytes!("../res/sgx_test_server_cert.cer"),
));
const TEST_SERVER_RAFT_CONFIG: RaftConfig = RaftConfig {
const TEST_SERVER_RAFT_CONFIG: &RaftConfig = &RaftConfig {
min_voting_replicas: 1,
max_voting_replicas: 3,
super_majority: 0,
@ -104,6 +104,7 @@ async fn main() {
mr_enclave: MrEnclave::new(&hex!(
"acb1973aa0bbbd14b3b4e06f145497d948fd4a98efc500fcce363b3b743ec482"
)),
raft_config: Some(TEST_SERVER_RAFT_CONFIG),
};
TwoForTwoEnv(endpoint.clone(), endpoint)
};
@ -112,21 +113,15 @@ async fn main() {
let connect = || async {
let connector = TcpSslTransportConnector::new(DnsResolver::default());
let connection_a = EnclaveEndpointConnection::with_custom_properties(
two_sgx_env.0.clone(),
Duration::from_secs(10),
Some(&TEST_SERVER_RAFT_CONFIG),
);
let connection_a =
EnclaveEndpointConnection::new(two_sgx_env.0.clone(), Duration::from_secs(10));
let a = SvrConnection::connect(make_auth(uid_a), &connection_a, connector.clone())
.await
.expect("can attestedly connect");
let connection_b = EnclaveEndpointConnection::with_custom_properties(
two_sgx_env.1.clone(),
Duration::from_secs(10),
Some(&TEST_SERVER_RAFT_CONFIG),
);
let connection_b =
EnclaveEndpointConnection::new(two_sgx_env.1.clone(), Duration::from_secs(10));
let b = SvrConnection::connect(make_auth(uid_b), &connection_b, connector)
.await

88
rust/net/src/enclave.rs
View File

@ -30,6 +30,7 @@ use crate::svr::SvrConnection;
pub trait EnclaveKind {
fn url_path(enclave: &[u8]) -> PathAndQuery;
}
pub trait Svr3Flavor: EnclaveKind {}
pub enum Cdsi {}
@ -177,6 +178,7 @@ impl<Bytes: AsRef<[u8]>, S> AsRef<[u8]> for MrEnclave<Bytes, S> {
pub struct EnclaveEndpoint<'a, E: EnclaveKind> {
pub domain_config: DomainConfig,
pub mr_enclave: MrEnclave<&'a [u8], E>,
pub raft_config: Option<&'a RaftConfig>,
}
pub trait NewHandshake {
@ -190,21 +192,7 @@ pub trait NewHandshake {
pub struct EndpointParams<E: EnclaveKind> {
pub(crate) mr_enclave: MrEnclave<&'static [u8], E>,
pub(crate) raft_config_override: Option<&'static RaftConfig>,
}
impl<E: EnclaveKind> EndpointParams<E> {
pub const fn new(mr_enclave: MrEnclave<&'static [u8], E>) -> Self {
Self {
mr_enclave,
raft_config_override: None,
}
}
pub fn with_raft_override(mut self, raft_config: &'static RaftConfig) -> Self {
self.raft_config_override = Some(raft_config);
self
}
pub(crate) raft_config: Option<&'static RaftConfig>,
}
pub struct EnclaveEndpointConnection<E: EnclaveKind, C> {
@ -280,14 +268,6 @@ impl<E: EnclaveKind + NewHandshake, C: ConnectionManager> EnclaveEndpointConnect
impl<E: EnclaveKind> EnclaveEndpointConnection<E, SingleRouteThrottlingConnectionManager> {
pub fn new(endpoint: EnclaveEndpoint<'static, E>, connect_timeout: Duration) -> Self {
Self::with_custom_properties(endpoint, connect_timeout, None)
}
pub fn with_custom_properties(
endpoint: EnclaveEndpoint<'static, E>,
connect_timeout: Duration,
raft_config_override: Option<&'static RaftConfig>,
) -> Self {
Self {
endpoint_connection: EndpointConnection {
manager: SingleRouteThrottlingConnectionManager::new(
@ -298,7 +278,7 @@ impl<E: EnclaveKind> EnclaveEndpointConnection<E, SingleRouteThrottlingConnectio
},
params: EndpointParams {
mr_enclave: endpoint.mr_enclave,
raft_config_override,
raft_config: endpoint.raft_config,
},
}
}
@ -306,7 +286,7 @@ impl<E: EnclaveKind> EnclaveEndpointConnection<E, SingleRouteThrottlingConnectio
impl<E: EnclaveKind> EnclaveEndpointConnection<E, MultiRouteConnectionManager> {
pub fn new_multi(
mr_enclave: MrEnclave<&'static [u8], E>,
endpoint: &EnclaveEndpoint<'static, E>,
connection_params: impl IntoIterator<Item = ConnectionParams>,
one_route_connect_timeout: Duration,
) -> Self {
@ -314,11 +294,14 @@ impl<E: EnclaveKind> EnclaveEndpointConnection<E, MultiRouteConnectionManager> {
endpoint_connection: EndpointConnection::new_multi(
connection_params,
one_route_connect_timeout,
make_ws_config(E::url_path(mr_enclave.as_ref()), one_route_connect_timeout),
make_ws_config(
E::url_path(endpoint.mr_enclave.as_ref()),
one_route_connect_timeout,
),
),
params: EndpointParams {
mr_enclave,
raft_config_override: None,
mr_enclave: endpoint.mr_enclave,
raft_config: endpoint.raft_config,
},
}
}
@ -329,11 +312,13 @@ impl NewHandshake for Sgx {
params: &EndpointParams<Self>,
attestation_message: &[u8],
) -> enclave::Result<enclave::Handshake> {
attest::svr2::new_handshake_with_override(
attest::svr2::new_handshake(
params.mr_enclave.as_ref(),
attestation_message,
SystemTime::now(),
params.raft_config_override,
params
.raft_config
.expect("Raft config must be present for SGX"),
)
}
}
@ -360,7 +345,9 @@ impl NewHandshake for Nitro {
params.mr_enclave.as_ref(),
attestation_message,
SystemTime::now(),
params.raft_config_override,
params
.raft_config
.expect("Raft config must be present for Nitro"),
)
}
}
@ -374,6 +361,9 @@ impl NewHandshake for Tpm2Snp {
params.mr_enclave.as_ref(),
attestation_message,
SystemTime::now(),
params
.raft_config
.expect("Raft config must be present for Tpm2Snp"),
)
}
}
@ -412,16 +402,26 @@ mod test {
}
const CONNECT_TIMEOUT: Duration = Duration::from_secs(10);
const TEST_RAFT_CONFIG: &RaftConfig = &RaftConfig {
min_voting_replicas: 0,
max_voting_replicas: 0,
super_majority: 0,
group_id: 0,
};
async fn enclave_connect<C: ConnectionManager>(
manager: C,
) -> Result<AttestedConnection<SslStream<TcpStream>>, Error> {
let mr_enclave = MrEnclave::new(b"abcdef".as_slice());
let connection = EnclaveEndpointConnection {
endpoint_connection: EndpointConnection {
manager,
config: make_ws_config(PathAndQuery::from_static("/endpoint"), CONNECT_TIMEOUT),
},
params: EndpointParams::<Cdsi>::new(MrEnclave::new(b"abcdef")),
params: EndpointParams::<Cdsi> {
mr_enclave,
raft_config: Some(TEST_RAFT_CONFIG),
},
};
connection
@ -464,12 +464,12 @@ mod test {
#[tokio::test]
async fn multi_route_enclave_connect_failure() {
let result = enclave_connect(MultiRouteConnectionManager::new(vec![
SingleRouteThrottlingConnectionManager::new(
fake_connection_params(),
CONNECT_TIMEOUT
);
3
]))
SingleRouteThrottlingConnectionManager::new(
fake_connection_params(),
CONNECT_TIMEOUT,
);
3
]))
.await;
assert_matches!(result, Err(Error::ConnectionTimedOut));
}
@ -479,12 +479,12 @@ mod test {
#[tokio::test]
async fn multi_route_enclave_connect_cooldown() {
let connection_manager = MultiRouteConnectionManager::new(vec![
SingleRouteThrottlingConnectionManager::new(
fake_connection_params(),
CONNECT_TIMEOUT
);
3
]);
SingleRouteThrottlingConnectionManager::new(
fake_connection_params(),
CONNECT_TIMEOUT,
);
3
]);
// Repeatedly try connecting unsuccessfully until all the inner routes
// are throttling, with a max count to prevent infinite looping.

22
rust/net/src/env.rs
View File

@ -89,9 +89,9 @@ const DOMAIN_CONFIG_SVR2_STAGING: DomainConfig = DomainConfig {
};
const DOMAIN_CONFIG_SVR3_SGX: DomainConfig = DomainConfig {
hostname: "svr3.signal.org",
hostname: "backend1.svr3.signal.org",
port: DEFAULT_HTTPS_PORT,
ip_v4: &[ip_addr!(v4, "143.244.220.150")],
ip_v4: &[ip_addr!(v4, "40.112.138.96")],
ip_v6: &[],
cert: RootCertificates::Signal,
proxy_path: "/svr3-sgx",
@ -107,9 +107,9 @@ const DOMAIN_CONFIG_SVR3_SGX_STAGING: DomainConfig = DomainConfig {
};
const DOMAIN_CONFIG_SVR3_NITRO: DomainConfig = DomainConfig {
hostname: "devnull.signal.org",
hostname: "backend2.svr3.signal.org",
port: DEFAULT_HTTPS_PORT,
ip_v4: &[],
ip_v4: &[ip_addr!(v4, "75.2.91.98")],
ip_v6: &[],
cert: RootCertificates::Signal,
proxy_path: "/svr3-nitro",
@ -125,9 +125,9 @@ const DOMAIN_CONFIG_SVR3_NITRO_STAGING: DomainConfig = DomainConfig {
};
pub const DOMAIN_CONFIG_SVR3_TPM2SNP: DomainConfig = DomainConfig {
hostname: "devnull.signal.org",
hostname: "backend3.svr3.signal.org",
port: DEFAULT_HTTPS_PORT,
ip_v4: &[],
ip_v4: &[ip_addr!(v4, "34.144.241.251")],
ip_v6: &[],
cert: RootCertificates::Signal,
proxy_path: "/svr3-tpm2snp",
@ -300,23 +300,28 @@ pub const STAGING: Env<'static, Svr3Env> = Env {
cdsi: EnclaveEndpoint {
domain_config: DOMAIN_CONFIG_CDSI_STAGING,
mr_enclave: MrEnclave::new(attest::constants::ENCLAVE_ID_CDSI_STAGING),
raft_config: None,
},
svr2: EnclaveEndpoint {
domain_config: DOMAIN_CONFIG_SVR2_STAGING,
mr_enclave: MrEnclave::new(attest::constants::ENCLAVE_ID_SVR2_STAGING),
raft_config: Some(attest::constants::RAFT_CONFIG_SVR2_STAGING),
},
svr3: Svr3Env(
EnclaveEndpoint {
domain_config: DOMAIN_CONFIG_SVR3_SGX_STAGING,
mr_enclave: MrEnclave::new(attest::constants::ENCLAVE_ID_SVR3_SGX_STAGING),
raft_config: Some(attest::constants::RAFT_CONFIG_SVR3_SGX_STAGING),
},
EnclaveEndpoint {
domain_config: DOMAIN_CONFIG_SVR3_NITRO_STAGING,
mr_enclave: MrEnclave::new(attest::constants::ENCLAVE_ID_SVR3_NITRO_STAGING),
raft_config: Some(attest::constants::RAFT_CONFIG_SVR3_NITRO_STAGING),
},
EnclaveEndpoint {
domain_config: DOMAIN_CONFIG_SVR3_TPM2SNP_STAGING,
mr_enclave: MrEnclave::new(attest::constants::ENCLAVE_ID_SVR3_TPM2SNP_STAGING),
raft_config: Some(attest::constants::RAFT_CONFIG_SVR3_TPM2SNP_STAGING),
},
),
};
@ -326,23 +331,28 @@ pub const PROD: Env<'static, Svr3Env> = Env {
cdsi: EnclaveEndpoint {
domain_config: DOMAIN_CONFIG_CDSI,
mr_enclave: MrEnclave::new(attest::constants::ENCLAVE_ID_CDSI_PROD),
raft_config: None,
},
svr2: EnclaveEndpoint {
domain_config: DOMAIN_CONFIG_SVR2,
mr_enclave: MrEnclave::new(attest::constants::ENCLAVE_ID_SVR2_PROD),
raft_config: Some(attest::constants::RAFT_CONFIG_SVR2_PROD),
},
svr3: Svr3Env(
EnclaveEndpoint {
domain_config: DOMAIN_CONFIG_SVR3_SGX,
mr_enclave: MrEnclave::new(attest::constants::ENCLAVE_ID_SVR3_SGX_PROD),
raft_config: Some(attest::constants::RAFT_CONFIG_SVR3_SGX_PROD),
},
EnclaveEndpoint {
domain_config: DOMAIN_CONFIG_SVR3_NITRO,
mr_enclave: MrEnclave::new(attest::constants::ENCLAVE_ID_SVR3_NITRO_PROD),
raft_config: Some(attest::constants::RAFT_CONFIG_SVR3_NITRO_PROD),
},
EnclaveEndpoint {
domain_config: DOMAIN_CONFIG_SVR3_TPM2SNP,
mr_enclave: MrEnclave::new(attest::constants::ENCLAVE_ID_SVR3_TPM2SNP_PROD),
raft_config: Some(attest::constants::RAFT_CONFIG_SVR3_TPM2SNP_PROD),
},
),
};