Remove UVM endorsement descriptor hardcoding at Start and Recovery (#6869)

achamayou · web-flow · commit 0a3ba2bf4cb1 · 2025-03-04T11:58:40.000Z
diff --git a/.snpcc_canary b/.snpcc_canary
@@ -3,5 +3,3 @@
    O     \     o      |    /     |
 /-xXx--//-----x=x--/-xXx--/---x-/--->>>--/
 ...
-/\/\d(-_-)b/\/\
-----vmpl----
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -13,6 +13,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 - `ccf.ledger`/`read_ledger.py` previously enforced too strict a condition on node membership when validating ledger files (#6849).
 - Restore low CPU usage on idle nodes, which had increased in dev20 (#6816).
+- Nodes in Start and Recovery modes no longer enforce specific UVM descriptors, and will instead derive one from UVM endorsements if found. The consortium must check that the value is acceptable, record their agreement by opening the network (#6869).
 
 ## [6.0.0-dev20]
 
diff --git a/src/node/node_state.h b/src/node/node_state.h
@@ -347,9 +347,21 @@ namespace ccf
           {
             auto uvm_endorsements_raw = ccf::crypto::raw_from_b64(
               config.attestation.environment.uvm_endorsements.value());
-            snp_uvm_endorsements =
-              verify_uvm_endorsements(uvm_endorsements_raw, node_measurement);
+            // A node at this stage does not have a notion of what UVM
+            // descriptor is acceptable. That is decided either by the Joinee,
+            // or by Consortium endorsing the Start or Recovery node. For that
+            // reason, we extract an endorsement descriptor from the UVM
+            // endorsements and make it available in the ledger's initial or
+            // recovery transaction.
+            snp_uvm_endorsements = verify_uvm_endorsements(
+              uvm_endorsements_raw,
+              node_measurement,
+              {},
+              false /* Do not check roots of trust */);
             quote_info.uvm_endorsements = uvm_endorsements_raw;
+            LOG_INFO_FMT(
+              "Successfully verified attested UVM endorsements: {}",
+              snp_uvm_endorsements->to_str());
           }
           catch (const std::exception& e)
           {
diff --git a/src/node/uvm_endorsements.h b/src/node/uvm_endorsements.h
@@ -26,6 +26,11 @@ namespace ccf
     std::string svn;
 
     bool operator==(const UVMEndorsements&) const = default;
+
+    inline std::string to_str()
+    {
+      return fmt::format("did: {}, feed: {}, svn: {}", did, feed, svn);
+    }
   };
   DECLARE_JSON_TYPE(UVMEndorsements);
   DECLARE_JSON_REQUIRED_FIELDS(UVMEndorsements, did, feed, svn);
@@ -269,7 +274,8 @@ namespace ccf
     const std::vector<uint8_t>& uvm_endorsements_raw,
     const pal::PlatformAttestationMeasurement& uvm_measurement,
     const std::vector<UVMEndorsements>& uvm_roots_of_trust =
-      default_uvm_roots_of_trust)
+      default_uvm_roots_of_trust,
+    bool enforce_uvm_roots_of_trust = true)
   {
     auto phdr = cose::decode_protected_header(uvm_endorsements_raw);
 
@@ -368,7 +374,9 @@ namespace ccf
 
     UVMEndorsements end{did, phdr.feed, payload.sevsnpvm_guest_svn};
 
-    if (!matches_uvm_roots_of_trust(end, uvm_roots_of_trust))
+    if (
+      enforce_uvm_roots_of_trust &&
+      !matches_uvm_roots_of_trust(end, uvm_roots_of_trust))
     {
       throw std::logic_error(fmt::format(
         "UVM endorsements did {}, feed {}, svn {} "
diff --git a/tests/e2e_operations.py b/tests/e2e_operations.py
@@ -7,6 +7,7 @@
 import infra.logging_app as app
 import infra.e2e_args
 import infra.network
+import infra.snp
 import ccf.ledger
 from ccf.tx_id import TxID
 import base64
@@ -959,6 +960,86 @@ def run_empty_ledger_dir_check(args):
                 )
 
 
+def run_initial_uvm_descriptor_checks(args):
+    with infra.network.network(
+        args.nodes,
+        args.binary_dir,
+        args.debug_nodes,
+        args.perf_nodes,
+        pdb=args.pdb,
+    ) as network:
+        LOG.info("Start a network and stop it")
+        network.start_and_open(args)
+        primary, _ = network.find_primary()
+        old_common = infra.network.get_common_folder_name(args.workspace, args.label)
+        snapshots_dir = network.get_committed_snapshots(primary)
+        network.stop_all_nodes()
+        LOG.info("Check that the a UVM descriptor is present")
+
+        ledger_dirs = primary.remote.ledger_paths()
+        ledger = ccf.ledger.Ledger(ledger_dirs)
+        first_chunk = next(iter(ledger))
+        first_tx = next(first_chunk)
+        tables = first_tx.get_public_domain().get_tables()
+        endorsements = tables["public:ccf.gov.nodes.snp.uvm_endorsements"]
+        assert len(endorsements) == 1, endorsements
+        (key,) = endorsements.keys()
+        assert key.startswith(b"did:x509:"), key
+        LOG.info(f"Initial UVM endorsement found in ledger: {endorsements[key]}")
+
+        LOG.info("Start a recovery network and stop it")
+        current_ledger_dir, committed_ledger_dirs = primary.get_ledger()
+        recovered_network = infra.network.Network(
+            args.nodes,
+            args.binary_dir,
+            args.debug_nodes,
+            args.perf_nodes,
+            existing_network=network,
+        )
+
+        args.previous_service_identity_file = os.path.join(
+            old_common, "service_cert.pem"
+        )
+        recovered_network.start_in_recovery(
+            args,
+            ledger_dir=current_ledger_dir,
+            committed_ledger_dirs=committed_ledger_dirs,
+            snapshots_dir=snapshots_dir,
+        )
+        recovered_primary, _ = recovered_network.find_primary()
+        LOG.info("Check that the UVM descriptor is present in the recovery tx")
+        recovery_seqno = None
+        with recovered_primary.client() as c:
+            r = c.get("/node/network").body.json()
+            recovery_seqno = int(r["current_service_create_txid"].split(".")[1])
+        network.stop_all_nodes()
+        ledger = ccf.ledger.Ledger(
+            recovered_primary.remote.ledger_paths(),
+            committed_only=False,
+            read_recovery_files=True,
+        )
+        for chunk in ledger:
+            _, chunk_end_seqno = chunk.get_seqnos()
+            if chunk_end_seqno < recovery_seqno:
+                continue
+            for tx in chunk:
+                tables = tx.get_public_domain().get_tables()
+                seqno = tx.get_public_domain().get_seqno()
+                if seqno < recovery_seqno:
+                    continue
+                else:
+                    tables = tx.get_public_domain().get_tables()
+                    endorsements = tables["public:ccf.gov.nodes.snp.uvm_endorsements"]
+                    assert len(endorsements) == 1, endorsements
+                    (key,) = endorsements.keys()
+                    assert key.startswith(b"did:x509:"), key
+                    LOG.info(
+                        f"Recovery UVM endorsement found in ledger: {endorsements[key]}"
+                    )
+                    return
+        assert False, "No UVM endorsement found in recovery ledger"
+
+
 def run(args):
     run_max_uncommitted_tx_count(args)
     run_file_operations(args)
@@ -972,3 +1053,5 @@ def run(args):
     run_cose_signatures_config_check(args)
     run_late_mounted_ledger_check(args)
     run_empty_ledger_dir_check(args)
+    if infra.snp.is_snp():
+        run_initial_uvm_descriptor_checks(args)
