qos_core 0.8.0

Core components and logic for QuorumOS applications
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392

//! Quorum protocol error
use borsh::{BorshDeserialize, BorshSerialize};
use qos_p256::P256Error;

use crate::{
	client::ClientError,
	io::IOError,
	protocol::{ProtocolPhase, services::boot},
};

/// A error from protocol execution.
#[derive(
	Debug,
	Clone,
	PartialEq,
	Eq,
	BorshSerialize,
	BorshDeserialize,
	serde::Serialize,
	serde::Deserialize,
)]
pub enum ProtocolError {
	/// A encrypted quorum key share sent to the enclave was invalid.
	InvalidShare,
	/// Failed to reconstruct the quorum key while provisioning.
	ReconstructionErrorEmptySecret,
	/// Reconstructed the incorrect key while provisioning.
	ReconstructionErrorIncorrectPubKey,
	/// Filesystem error
	IOError,
	/// Cryptography error
	/// Approval was not valid for a manifest.
	InvalidManifestApproval(boot::Approval),
	/// [`boot::ManifestEnvelope`] did not have approvals
	NotEnoughApprovals,
	/// Protocol Message could not be matched against an available route.
	/// Ensure the executor is in the correct phase.
	NoMatchingRoute(ProtocolPhase),
	/// Hash of the Pivot binary does not match the pivot configuration in the
	/// manifest.
	InvalidPivotHash {
		/// Expected hash as hex string.
		expected: String,
		/// Actual hash as hex string.
		actual: String,
	},
	/// Pivot environment variables are invalid.
	InvalidPivotEnv(String),
	/// The message is too large.
	OversizeMsg,
	/// Message could not be deserialized
	InvalidMsg,
	/// An error occurred with the enclave client.
	EnclaveClient,
	/// Failed attempting to decrypt something.
	DecryptionFailed,
	/// Could not create a private key.
	InvalidPrivateKey,
	/// Failed to parse from string.
	FailedToParseFromString,
	/// Got a path to a key that is used for testing. This error only occurs
	/// when the "mock" feature is disabled, which should always be the
	/// case in production.
	BadEphemeralKeyPath,
	/// Tried to modify state that must be static post pivoting.
	CannotModifyPostPivotStatic,
	/// For some reason the Ephemeral could not be read from the file
	/// system.
	FailedToGetEphemeralKey(P256Error),
	/// Failed to write the Ephemeral key to the file system.
	FailedToPutEphemeralKey,
	/// Failed to rotate the ephemeral key because the underlying file is missing.
	CannotRotateNonExistentEphemeralKey,
	/// Failed to delete the old ephemeral key (underlying failure in argument)
	CannotDeleteEphemeralKey(String),
	/// For some reason the Quorum Key could not be read from the file
	/// system.
	FailedToGetQuorumKey(P256Error),
	/// Failed to put the quorum key into the file system
	FailedToPutQuorumKey,
	/// For some reason the manifest envelope could not be read from the file
	/// system or decoded.
	FailedToGetManifestEnvelope,
	/// Failed to put the manifest envelope.
	FailedToPutManifestEnvelope,
	/// Failed to put the pivot executable.
	FailedToPutPivot,
	/// The socket client timed out while waiting to receive a response from
	/// the enclave app.
	AppClientRecvTimeout,
	/// The socket client was interrupted while trying to receive a response
	/// from the enclave app.
	AppClientRecvInterrupted,
	/// The socket client tried to call receive on a closed connection. Likely
	/// the enclave app panicked and closed the connection.
	AppClientRecvConnectionClosed,
	/// App client could not make a connection to a socket when trying to send.
	/// Likely the enclave app panic'ed and the apps server did not create the
	/// socket again.
	AppClientConnectError(String),
	/// App client encountered an error when calling the `send` system call.
	AppClientSendError(String),
	/// The socket client encountered an error when trying to execute a request
	/// to the enclave app.
	AppClientError(String),
	/// Payload is too big. See `MAX_ENCODED_MSG_LEN` for the upper bound on
	/// message size.
	OversizedPayload,
	/// A protocol message could not be deserialized.
	ProtocolMsgDeserialization,
	/// Share set approvals existed in the manifest envelope when they should
	/// not have.
	BadShareSetApprovals,
	/// Could not verify a message against an approval
	CouldNotVerifyApproval,
	/// Not a member of the [`boot::ShareSet`].
	NotShareSetMember,
	/// Not a member of the [`boot::ManifestSet`].
	NotManifestSetMember,
	/// `qos_p256` Error wrapper.
	P256Error(qos_p256::P256Error),
	/// Error with trying to read p256 DR public key.
	InvalidP256DRKey(qos_p256::P256Error),
	/// The provisioned secret is the incorrect length.
	IncorrectSecretLen,
	/// An error from the attest crate.
	QosAttestError(String),
	/// Quorum Key in the new manifest does not match the quorum key in the old
	/// manifest.
	DifferentQuorumKey {
		/// Expected value as hex string.
		expected: String,
		/// Actual value as hex string.
		actual: String,
	},
	/// The manifest sets do not match.
	DifferentManifestSet {
		/// Expected hash as hex string.
		expected: String,
		/// Actual hash as hex string.
		actual: String,
	},
	/// The manifests do not have the same namespace names.
	DifferentNamespaceName {
		/// Expected namespace name.
		expected: String,
		/// Actual namespace name.
		actual: String,
	},
	/// The manifest has a lower nonce then the current manifest.
	LowNonce {
		/// Expected minimum nonce value.
		#[serde(with = "qos_json::string_or_numeric")]
		expected: u32,
		/// Actual nonce value.
		#[serde(with = "qos_json::string_or_numeric")]
		actual: u32,
	},
	/// The manifests have different PCR3 values.
	DifferentPcr3 {
		/// Expected value as hex string.
		expected: String,
		/// Actual value as hex string.
		actual: String,
	},
	/// Attestation document is missing ephemeral key.
	MissingEphemeralKey,
	/// Ephemeral key cannot be decoded.
	InvalidEphemeralKey,
	/// Invalid signature over the encrypted quorum key.
	InvalidEncryptedQuorumKeySignature,
	/// Invalid length for encrypted quorum key secret.
	EncryptedQuorumKeyInvalidLen,
	/// The quorum secret was invalid.
	InvalidQuorumSecret,
	/// The injected quorum key was not the expected key.
	WrongQuorumKey,
	/// State machine transitioned unexpectedly
	InvalidStateTransition(ProtocolPhase, ProtocolPhase),
	/// The manifest envelope has duplicate approvals.
	DuplicateApproval,
	/// The new manifest was different from the old manifest when we expected
	/// them to be the same because they have the same nonce.
	DifferentManifest {
		/// Expected hash as hex string.
		expected: String,
		/// Actual hash as hex string.
		actual: String,
	},
	/// Error from the qos crypto library.
	QosCrypto(String),
	/// Error during expanding the `StreamPool`.
	PoolExpandError,
}

impl From<std::io::Error> for ProtocolError {
	fn from(_err: std::io::Error) -> Self {
		Self::IOError
	}
}

impl From<ClientError> for ProtocolError {
	fn from(err: ClientError) -> Self {
		match err {
			ClientError::IOError(IOError::RecvTimeout) => {
				ProtocolError::AppClientRecvTimeout
			}
			ClientError::IOError(IOError::RecvInterrupted) => {
				ProtocolError::AppClientRecvInterrupted
			}
			ClientError::IOError(IOError::RecvConnectionClosed) => {
				ProtocolError::AppClientRecvConnectionClosed
			}
			ClientError::IOError(IOError::ConnectNixError(e)) => {
				ProtocolError::AppClientConnectError(format!("{e:?}"))
			}
			ClientError::IOError(IOError::SendNixError(e)) => {
				ProtocolError::AppClientSendError(format!("{e:?}"))
			}
			e => ProtocolError::AppClientError(format!("{e:?}")),
		}
	}
}

impl From<qos_p256::P256Error> for ProtocolError {
	fn from(err: qos_p256::P256Error) -> Self {
		Self::P256Error(err)
	}
}

impl From<qos_nsm::nitro::AttestError> for ProtocolError {
	fn from(err: qos_nsm::nitro::AttestError) -> Self {
		let msg = format!("{err:?}");
		Self::QosAttestError(msg)
	}
}

impl std::fmt::Display for ProtocolError {
	#[allow(clippy::too_many_lines)]
	fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
		match self {
			Self::InvalidShare => write!(f, "invalid quorum key share"),
			Self::ReconstructionErrorEmptySecret => {
				write!(f, "failed to reconstruct quorum key: empty secret")
			}
			Self::ReconstructionErrorIncorrectPubKey => {
				write!(f, "reconstructed incorrect public key")
			}
			Self::IOError => write!(f, "filesystem error"),
			Self::InvalidManifestApproval(approval) => {
				write!(
					f,
					"invalid manifest approval from member '{}'",
					approval.member.alias
				)
			}
			Self::NotEnoughApprovals => write!(f, "not enough approvals"),
			Self::NoMatchingRoute(phase) => {
				write!(f, "no matching route for phase {phase:?}")
			}
			Self::InvalidPivotHash { expected, actual } => {
				write!(
					f,
					"invalid pivot hash: expected {expected}, got {actual}"
				)
			}
			Self::InvalidPivotEnv(e) => write!(f, "invalid pivot env: {e}"),
			Self::OversizeMsg => write!(f, "message too large"),
			Self::InvalidMsg => write!(f, "invalid message"),
			Self::EnclaveClient => write!(f, "enclave client error"),
			Self::DecryptionFailed => write!(f, "decryption failed"),
			Self::InvalidPrivateKey => write!(f, "invalid private key"),
			Self::FailedToParseFromString => {
				write!(f, "failed to parse from string")
			}
			Self::BadEphemeralKeyPath => write!(f, "bad ephemeral key path"),
			Self::CannotModifyPostPivotStatic => {
				write!(f, "cannot modify state after pivot")
			}
			Self::FailedToGetEphemeralKey(e) => {
				write!(f, "failed to get ephemeral key: {e:?}")
			}
			Self::FailedToPutEphemeralKey => {
				write!(f, "failed to put ephemeral key")
			}
			Self::CannotRotateNonExistentEphemeralKey => {
				write!(f, "cannot rotate non-existent ephemeral key")
			}
			Self::CannotDeleteEphemeralKey(e) => {
				write!(f, "cannot delete ephemeral key: {e}")
			}
			Self::FailedToGetQuorumKey(e) => {
				write!(f, "failed to get quorum key: {e:?}")
			}
			Self::FailedToPutQuorumKey => write!(f, "failed to put quorum key"),
			Self::FailedToGetManifestEnvelope => {
				write!(f, "failed to get manifest envelope")
			}
			Self::FailedToPutManifestEnvelope => {
				write!(f, "failed to put manifest envelope")
			}
			Self::FailedToPutPivot => write!(f, "failed to put pivot"),
			Self::AppClientRecvTimeout => {
				write!(f, "app client receive timeout")
			}
			Self::AppClientRecvInterrupted => {
				write!(f, "app client receive interrupted")
			}
			Self::AppClientRecvConnectionClosed => {
				write!(f, "app client connection closed")
			}
			Self::AppClientConnectError(e) => {
				write!(f, "app client connect error: {e}")
			}
			Self::AppClientSendError(e) => {
				write!(f, "app client send error: {e}")
			}
			Self::AppClientError(e) => write!(f, "app client error: {e}"),
			Self::OversizedPayload => write!(f, "oversized payload"),
			Self::ProtocolMsgDeserialization => {
				write!(f, "protocol message deserialization failed")
			}
			Self::BadShareSetApprovals => {
				write!(f, "unexpected share set approvals")
			}
			Self::CouldNotVerifyApproval => {
				write!(f, "could not verify approval")
			}
			Self::NotShareSetMember => write!(f, "not a share set member"),
			Self::NotManifestSetMember => {
				write!(f, "not a manifest set member")
			}
			Self::P256Error(e) => write!(f, "P256 error: {e:?}"),
			Self::InvalidP256DRKey(e) => {
				write!(f, "invalid P256 DR key: {e:?}")
			}
			Self::IncorrectSecretLen => write!(f, "incorrect secret length"),
			Self::QosAttestError(e) => write!(f, "attestation error: {e}"),
			Self::DifferentQuorumKey { expected, actual } => {
				write!(
					f,
					"different quorum key: expected {expected}, got {actual}"
				)
			}
			Self::DifferentManifestSet { expected, actual } => {
				write!(
					f,
					"different manifest set: expected {expected}, got {actual}"
				)
			}
			Self::DifferentNamespaceName { expected, actual } => {
				write!(
					f,
					"different namespace name: expected '{expected}', got '{actual}'"
				)
			}
			Self::LowNonce { expected, actual } => {
				write!(
					f,
					"manifest nonce too low: expected >= {expected}, got {actual}"
				)
			}
			Self::DifferentPcr3 { expected, actual } => {
				write!(f, "different PCR3: expected {expected}, got {actual}")
			}
			Self::MissingEphemeralKey => write!(f, "missing ephemeral key"),
			Self::InvalidEphemeralKey => write!(f, "invalid ephemeral key"),
			Self::InvalidEncryptedQuorumKeySignature => {
				write!(f, "invalid encrypted quorum key signature")
			}
			Self::EncryptedQuorumKeyInvalidLen => {
				write!(f, "encrypted quorum key has invalid length")
			}
			Self::InvalidQuorumSecret => write!(f, "invalid quorum secret"),
			Self::WrongQuorumKey => write!(f, "wrong quorum key"),
			Self::InvalidStateTransition(from, to) => {
				write!(f, "invalid state transition from {from:?} to {to:?}")
			}
			Self::DuplicateApproval => write!(f, "duplicate approval"),
			Self::DifferentManifest { expected, actual } => {
				write!(
					f,
					"different manifest: expected {expected}, got {actual}"
				)
			}
			Self::QosCrypto(e) => write!(f, "crypto error: {e}"),
			Self::PoolExpandError => write!(f, "pool expand error"),
		}
	}
}

impl std::error::Error for ProtocolError {}