diff --git a/ledgers/ccf/README.md b/ledgers/ccf/README.md index 1bd95af5..4b5af3b8 100644 --- a/ledgers/ccf/README.md +++ b/ledgers/ccf/README.md 
@@ -216,13 +216,9 @@ cd ${PDO_SOURCE_ROOT}/build make test ``` -## CCF TP TEE attestation policy -We briefly describe the attestation verification policy implemented by CCF TP. -- CCF Governance consortium registers attestation policy after TP is deployed. -- Currently, TP supports two policies: - - No attestation verification: This policy is used while using PDO enclaves in SGX SIM mode. - - Check EPID attestation verification reports generated by IAS: This policy is used while using PDO enclaves in SGX HW mode. -- One of the two policies must necessarily have been registered by the CCF consortium before any PDO enclave can be registered. There is no default policy. -CCF TP provides a member-rpc that can be used for registering one of the above two policies. For the second policy above, the consortium -gets to specify expected MREnclave, basename and IAS public key via the member-rpc. -- The policy (including expected value of MREnclave) can be changed anytime by the CCF Governance consortium, subject to voting rules of the consortium. +## CCF TP TEE attestation verification policy +CCF TP provides two APIs to be used by the CCF Governance consortium to register attestation verification policy that must be satisfied by PDO contract enclaves. + +1. The first API `set_attestation_check_flag` is invoked as part of the TP start up scripts to specify whether PDO runs in SGX `HW` mode or SGX `SIM` mode. The flag can be set only once. There is no default value for the flag, and hence must be set explicitly before the TP can accept any `register_encalve` transactions. + +2. The second API `set_expected_sgx_measurements` is used whenever the `set_attestation_check_flag` specifies that PDO runs in SGX `HW` mode. In this case, the second API is used to the specify expected `MREnclave` value, and additionally `basename` and the `ias_public_key`. Note that PDO currently supports SGX `HW mode` with EPID attestation. 
The expected SGX measurements can be updated via the second API, subject to voting rules of the consortium.
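Review bot: the rewritten section drops the old guarantee that no enclave can be registered until the policy is fully in place, and item 2 leaves that gap open: it should state whether `register_enclave` is rejected in `HW` mode until `set_expected_sgx_measurements` has also been invoked, and what the TP does if that API is called while the flag is `SIM`. Also fix the typo `register_encalve` in item 1 and the phrase "used to the specify expected" in item 2, and make the backticks consistent (`HW` mode rather than `HW mode`).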