
Commit c2a4c84

committed
removed mr_td
1 parent 3bd2cac commit c2a4c84


3 files changed

+59
-45
lines changed


Cargo.lock

Lines changed: 7 additions & 0 deletions

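--- a/Cargo.toml
+++ b/Cargo.toml
@@ -42,6 +42,7 @@ x25519-dalek = { version = "=1.2.0", default-features = false, features = [
 ] }
 log = "0.4.25"
 cc = { version = "=1.1.10" }
+hex-literal = "0.4"
 serde_json = "1.0.138"
 #enclave_crypto = { git = "https://github.com/scrtlabs/SecretNetwork.git", branch = "mrenclave3", version = "1.11.0"}
 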

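--- a/src/contract.rs
+++ b/src/contract.rs
@@ -13,6 +13,13 @@ use crate::import_helpers::{from_high_half, from_low_half};
 use crate::memory::{build_region, Region};
 use crate::msg::QueryMsg::ListImageFilters;
 
+// Fixed legacy MR_TD used to derive the legacy image_key (48 bytes).
+// This is ONLY for the legacy fallback path in `try_get_secret_key_by_image`.
+const LEGACY_FIXED_MR_TD: [u8; 48] = hex_literal::hex!(
+"ba87a347454466680bfd267446df89d8117c04ea9f28234dd3d84e1a8a957d5a
+daf02d4aa88433b559fb13bd40f0109e"
+);
+
 /// Declaration of tdx_quote_hdr_t and tdx_quote_t as provided.
 /// DO NOT CHANGE THIS CODE.
 #[repr(C)]
@@ -139,43 +146,43 @@ fn parse_tdx_attestation(quote: &[u8], collateral: &[u8]) -> Option<tdx_quote_t>
 pub fn migrate(deps: DepsMut, _env: Env, msg: MigrateMsg) -> StdResult<Response> {
 match msg {
 MigrateMsg::Migrate {} => {
-// Phase 1: load all old records into memory to avoid borrow issues
-let mut buf: Vec<(String, OldService)> = Vec::new();
-for it in OLD_SERVICES_MAP.iter(deps.storage)? {
-let (k, v) = it?;
-buf.push((k, v));
-}
-
-let mut moved: u64 = 0;
-let mut replaced: u64 = 0;
-
-// Phase 2: insert into SERVICES_MAP with password_hash=None
-for (key, old) in buf.into_iter() {
-let new_svc = Service {
-id: old.id.clone(),
-name: old.name.clone(),
-admin: old.admin.clone(),
-filters: old.filters.clone(),
-secret_key: old.secret_key.clone(),
-secrets_plaintext: old.secrets_plaintext.clone(),
-password_hash: None, // new field default
-};
-
-if SERVICES_MAP.contains(deps.storage, &key) {
-SERVICES_MAP.insert(deps.storage, &key, &new_svc)?;
-replaced += 1;
-} else {
-SERVICES_MAP.insert(deps.storage, &key, &new_svc)?;
-moved += 1;
-}
-// remove from OLD map after move
-OLD_SERVICES_MAP.remove(deps.storage, &key)?;
-}
+// // Phase 1: load all old records into memory to avoid borrow issues
+// let mut buf: Vec<(String, OldService)> = Vec::new();
+// for it in OLD_SERVICES_MAP.iter(deps.storage)? {
+// let (k, v) = it?;
+// buf.push((k, v));
+// }
+//
+// let mut moved: u64 = 0;
+// let mut replaced: u64 = 0;
+//
+// // Phase 2: insert into SERVICES_MAP with password_hash=None
+// for (key, old) in buf.into_iter() {
+// let new_svc = Service {
+// id: old.id.clone(),
+// name: old.name.clone(),
+// admin: old.admin.clone(),
+// filters: old.filters.clone(),
+// secret_key: old.secret_key.clone(),
+// secrets_plaintext: old.secrets_plaintext.clone(),
+// password_hash: None, // new field default
+// };
+//
+// if SERVICES_MAP.contains(deps.storage, &key) {
+// SERVICES_MAP.insert(deps.storage, &key, &new_svc)?;
+// replaced += 1;
+// } else {
+// SERVICES_MAP.insert(deps.storage, &key, &new_svc)?;
+// moved += 1;
+// }
+// // remove from OLD map after move
+// OLD_SERVICES_MAP.remove(deps.storage, &key)?;
+// }
 
 Ok(Response::new()
-.add_attribute("action", "migrate_services_old_to_new_with_password")
-.add_attribute("moved", moved.to_string())
-.add_attribute("replaced", replaced.to_string()))
+.add_attribute("action", "migrate"))
+// .add_attribute("moved", moved.to_string())
+// .add_attribute("replaced", replaced.to_string()))
 }
 MigrateMsg::StdError {} => Err(StdError::generic_err("this is an std error")),
 }
@@ -707,8 +714,11 @@ pub fn try_get_secret_key_by_image(
 }
 
 // Legacy fallback by image hash (no password for legacy)
+// NOTE: historically, `mr_td` in the legacy pipeline was always a fixed value.
+// To preserve compatibility, we DO NOT use `tdx.mr_td` here; we hash with the fixed legacy MR_TD.
 let mut hasher = Sha256::new();
-hasher.update(&tdx.mr_td);
+// IMPORTANT: use the fixed legacy MR_TD constant instead of the parsed mr_td
+hasher.update(&LEGACY_FIXED_MR_TD);
 hasher.update(&tdx.rtmr1);
 hasher.update(&tdx.rtmr2);
 hasher.update(&tdx.rtmr3);
@@ -755,7 +765,6 @@ pub fn query(deps: Deps, env: Env, msg: QueryMsg) -> StdResult<Binary> {
 fn filter_matches_quote(f: &ImageFilter, tdx: &tdx_quote_t) -> bool {
 let mr_seam = tdx.mr_seam.to_vec();
 let mr_signer = tdx.mr_signer_seam.to_vec();
-let mr_td = tdx.mr_td.to_vec();
 let mr_config_id = tdx.mr_config_id.to_vec();
 let mr_owner = tdx.mr_owner.to_vec();
 let mr_config = tdx.mr_config.to_vec();
@@ -766,7 +775,7 @@ fn filter_matches_quote(f: &ImageFilter, tdx: &tdx_quote_t) -> bool {
 
 if let Some(p) = &f.mr_seam { if p != &mr_seam { return false; } }
 if let Some(p) = &f.mr_signer_seam { if p != &mr_signer { return false; } }
-if let Some(p) = &f.mr_td { if p != &mr_td { return false; } }
+// if let Some(p) = &f.mr_td { if p != &mr_td { return false; } }
 if let Some(p) = &f.mr_config_id { if p != &mr_config_id { return false; } }
 if let Some(p) = &f.mr_owner { if p != &mr_owner { return false; } }
 if let Some(p) = &f.mr_config { if p != &mr_config { return false; } }
@@ -814,7 +823,6 @@ pub fn try_get_docker_credentials_by_image(
 .ok_or_else(|| StdError::generic_err("Attestation invalid"))?;
 
 // Fields from quote
-let mr_td = tdx.mr_td.to_vec();
 let r1 = tdx.rtmr1.to_vec();
 let r2 = tdx.rtmr2.to_vec();
 let r3 = tdx.rtmr3.to_vec();
@@ -823,7 +831,7 @@ pub fn try_get_docker_credentials_by_image(
 // 1) Primary lookup: VM-keyed map
 if let Some(rec) = DOCKER_CREDENTIALS.get(deps.storage, &vm_uid) {
 // Enforce exact match between stored image params and attestation
-if rec.mr_td != mr_td || rec.rtmr1 != r1 || rec.rtmr2 != r2 || rec.rtmr3 != r3 {
+if rec.rtmr1 != r1 || rec.rtmr2 != r2 || rec.rtmr3 != r3 {
 return Err(StdError::generic_err(
 "Filter mismatch for docker credentials VM record",
 ));
@@ -844,8 +852,7 @@ pub fn try_get_docker_credentials_by_image(
 // 2) Legacy fallback: scan the old Vec from the END (last-write wins)
 let legacy_list = docker_credentials_read(deps.storage).load().unwrap_or_default();
 if let Some(rec) = legacy_list.iter().rev().find(|cred| {
-cred.mr_td == mr_td
-&& cred.rtmr1 == r1
+cred.rtmr1 == r1
 && cred.rtmr2 == r2
 && cred.rtmr3 == r3
 && cred.vm_uid
@@ -927,13 +934,12 @@ pub fn try_get_env_by_image(
 
 // Legacy fallback (scan vector)
 let legacy = env_secrets_read(deps.storage).load().map_err(|_| StdError::generic_err("Legacy env storage missing"))?;
-let mr_td = tdx.mr_td.to_vec(); let r1 = tdx.rtmr1.to_vec(); let r2 = tdx.rtmr2.to_vec(); let r3 = tdx.rtmr3.to_vec();
+let r1 = tdx.rtmr1.to_vec(); let r2 = tdx.rtmr2.to_vec(); let r3 = tdx.rtmr3.to_vec();
 let candidate = legacy
 .iter()
 .rev()
 .find(|e| {
-e.mr_td == mr_td
-&& e.rtmr1 == r1
+e.rtmr1 == r1
 && e.rtmr2 == r2
 && e.rtmr3 == r3
 && e.vm_uid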
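Review bot: Commenting out the `f.mr_td` comparison in `filter_matches_quote` means an `ImageFilter` that still carries an `mr_td` value is silently ignored rather than enforced. The same measurement is dropped from the docker-credentials and env lookups, and replaced by `LEGACY_FIXED_MR_TD` in the legacy key hash of `try_get_secret_key_by_image`. The measurement part of the visible comparisons is now only `rtmr1`..`rtmr3`, yet the comment "Enforce exact match between stored image params and attestation" is unchanged. In TDX the RTMRs are extended by software inside the TD, starting with the firmware that MRTD measures, so without an MRTD check a quote from a TD launched with different firmware can present the same RTMR values. If the goal is to tolerate a firmware change, consider an explicit allow-list instead of removing the check, e.g. `if f.mr_td.is_some() && !ACCEPTED_MR_TD.contains(&tdx.mr_td) { return false; }` (`ACCEPTED_MR_TD` is a placeholder name, and the field type is assumed to be `[u8; 48]`); the enclosing functions start and end outside the hunks, so other bindings such as RTMR0 may exist out of view.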
