remove version, use PcrEntry struct

MystenLabs · Feb 5, 2025 · ef6042f · ef6042f
1 parent 8ec1157
commit ef6042f
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 33 deletions.
diff --git a/crates/sui-framework/packages/sui-framework/sources/crypto/nitro_attestation.move b/crates/sui-framework/packages/sui-framework/sources/crypto/nitro_attestation.move
@@ -26,8 +26,6 @@ public struct PCREntry has drop {
 
 /// Nitro Attestation Document defined for AWS.
 public struct NitroAttestationDocument has drop  {
-    /// Version
-    version: u8,
     /// Issuing Nitro hypervisor module ID.
     module_id: vector<u8>,
     /// UTC time when document was created, in milliseconds since UNIX epoch.
@@ -37,7 +35,7 @@ public struct NitroAttestationDocument has drop  {
     /// The map of all locked PCRs at the moment the attestation document was generated.
     /// The array contains PCR0, PCR1, PCR2, PCR3, PCR4, PCR8. See more 
     ///  <https://docs.aws.amazon.com/enclaves/latest/user/set-up-attestation.html#where>.
-    pcrs: vector<vector<u8>>,
+    pcrs: vector<PCREntry>,
     /// An optional DER-encoded key the attestation, consumer can use to encrypt data with.
     public_key: Option<vector<u8>>,
     /// Additional signed user data, defined by protocol.
@@ -56,20 +54,17 @@ native fun verify_nitro_attestation_internal(
 /// @param attestation: attesttaion documents bytes data. 
 /// @param clock: the clock object.
 ///
-/// Returns parsed NitroAttestationDocument after verifying the attestation.
+/// Returns parsed NitroAttestationDocument after verifying the attestation, may abort with 
+/// errors described above. 
 public fun verify_nitro_attestation(
     attestation: &vector<u8>,
     clock: &Clock
 ): NitroAttestationDocument {
     verify_nitro_attestation_internal(attestation, clock::timestamp_ms(clock))
 }
 
-public fun version(attestation: &NitroAttestationDocument): &u8 {
-    &attestation.version
-}
-
-public fun module_id(attestation: &NitroAttestationDocument): vector<u8> {
-    attestation.module_id
+public fun module_id(attestation: &NitroAttestationDocument): &vector<u8> {
+    &attestation.module_id
 }
 
 public fun timestamp(attestation: &NitroAttestationDocument): &u64 {
@@ -82,19 +77,8 @@ public fun digest(attestation: &NitroAttestationDocument): &vector<u8> {
 
 /// Returns a list of mapping from index to the pcr itself. Currently AWS supports 
 ///PCR0, PCR1, PCR2, PCR3, PCR4, PCR8. 
-public fun pcrs(attestation: &NitroAttestationDocument): vector<PCREntry> {
-    assert!(attestation.pcrs.length() == 6, EInvalidPcrLength);
-    let mut result: vector<PCREntry> = vector::empty();
-    let indices = vector[0, 1, 2, 3, 4, 8];
-    let mut i = 0;
-    while (i < attestation.pcrs.length()) {
-        result.push_back(PCREntry {
-            index: indices[i],
-            value: attestation.pcrs[i]
-        });
-        i = i + 1;
-    };
-    result
+public fun pcrs(attestation: &NitroAttestationDocument): &vector<PCREntry> {
+    &attestation.pcrs
 }
 
 public fun public_key(attestation: &NitroAttestationDocument): &Option<vector<u8>> {

diff --git a/crates/sui-framework/packages/sui-framework/tests/crypto/nitro_attestation_test.move b/crates/sui-framework/packages/sui-framework/tests/crypto/nitro_attestation_test.move
@@ -27,7 +27,6 @@ module sui::nitro_attestation_tests {
         assert!(res.user_data().is_some());
         assert!(res.nonce().is_none());
         assert!(res.public_key().is_none());
-        assert!(res.version() == 0);
         scenario.end();
         clock.destroy_for_testing();
     }

diff --git a/sui-execution/latest/sui-move-natives/src/crypto/nitro_attestation.rs b/sui-execution/latest/sui-move-natives/src/crypto/nitro_attestation.rs
@@ -98,18 +98,10 @@ pub fn verify_nitro_attestation_internal(
                     // Could do this with `and_then` as well if desired.
                     let result = || {
                         Ok(Value::struct_(Struct::pack(vec![
-                            Value::u8(0), // Starts from 0
                             Value::vector_u8(payload.module_id.as_bytes().to_vec()),
                             Value::u64(payload.timestamp),
                             Value::vector_u8(payload.digest.as_bytes().to_vec()),
-                            Vector::pack(
-                                &Type::Vector(Box::new(Type::U8)),
-                                payload
-                                    .pcrs
-                                    .iter()
-                                    .map(|pcr| Value::vector_u8(pcr.to_vec()))
-                                    .collect::<Vec<_>>(),
-                            )?,
+                            to_indexed_struct(payload.pcrs)?,
                             to_option_vector_u8(payload.public_key)?,
                             to_option_vector_u8(payload.user_data)?,
                             to_option_vector_u8(payload.nonce)?,
@@ -139,3 +131,18 @@ fn to_option_vector_u8(value: Option<Vec<u8>>) -> PartialVMResult<Value> {
         )?]))),
     }
 }
+
+// Convert a list of PCRs into a vector of PCREntry struct with index and value, 
+// where the indices are [0, 1, 2, 3, 4, 8] since AWS currently supports PCR0, 
+// PCR1, PCR2, PCR3, PCR4, PCR8.
+fn to_indexed_struct(pcrs: Vec<Vec<u8>>) -> PartialVMResult<Value> {
+    let indices = [0, 1, 2, 3, 4, 8];
+    let mut indexed_struct = vec![];
+    for (index, pcr) in pcrs.iter().enumerate() {
+        indexed_struct.push(Value::struct_(Struct::pack(vec![
+            Value::u8(indices[index]),
+            Value::vector_u8(pcr.to_vec()),
+        ])));
+    }
+    Ok(Value::vector_for_testing_only(indexed_struct))
+}