Updating CCF PDO/TP Documentation with details about recent API changes used to set PDO contract enclave attestation policy.

ledgers/ccf/README.md

@@ -216,13 +216,33 @@ cd ${PDO_SOURCE_ROOT}/build
 make test
 ```
 
-## CCF TP TEE attestation policy
+## CCF TP TEE attestation verification policy
 We briefly describe the attestation verification policy implemented by CCF TP.
-- CCF Governance consortium  registers attestation policy after TP is deployed.
-- Currently, TP supports two policies:
-    - No attestation verification: This policy is used while using PDO enclaves in SGX SIM mode.
-    - Check EPID attestation verification reports generated by IAS: This policy is used while using PDO enclaves in SGX HW mode.
-- One of the two policies must necessarily have been registered by the CCF consortium before any PDO enclave can be registered. There is no default policy.
-CCF TP provides a member-rpc that can be used for registering one of the above two policies. For the second policy above, the consortium
-gets to specify expected MREnclave, basename and IAS public key via the member-rpc.
-- The policy (including expected value of MREnclave) can be changed anytime by the CCF Governance consortium, subject to voting rules of the consortium.
+
+1. The TP contains a programmable flag that specifies whether the TP will check
+for PDO contract enclaves' attestation when eservices attempt registering
+PDO enclaves with TP. The CCF TP governance consortium
+(see https://microsoft.github.io/CCF/release/4.x/governance/index.html)
+gets to set the flag after the TP is started. The flag can be set only once.
+
+2. If the flag described above is set, then it is expected that the CCF TP
+governance consortium further programs the TP with expected values required to
+verify enclave attestation reports. We note that PDO currently supports EPID
+attestation verification, and while running in SGX HW mode, the eservice submits
+IAS attestation report to the TP as part of contract enclave
+registration with TP. To help the TP verify the IAS attestation report, the TP
+must be programmed with expected `MREnclave`, enclave `basename` and `ias_public_key`.
+Further, the CCF TP governance consortium is permitted to change the
+values of these parameters, subject to TP consoritum governance rules.
+
+The TP provides two APIs `set_attestation_check_flag` and `set_expected_sgx_measurements`
+to program the various values required to implement the above attestation
+verification policy.
+
+1. The first API `set_attestation_check_flag` is invoked as part of the TP start up
+scripts to specify whether PDO runs in SGX `HW` mode or SGX `SIM` mode.
+
+2. The second API `set_expected_sgx_measurements` is used whenever the
+`set_attestation_check_flag` specifies that PDO runs in SGX `HW` mode.
+In this case, as noted above the second API is used to the specify expected
+`MREnclave` value, and additionally `basename` and the `ias_public_key`.