CESSProject · jiuquxzy · Dec 12, 2023 · Dec 12, 2023
diff --git a/pallets/audit/src/lib.rs b/pallets/audit/src/lib.rs
@@ -279,6 +279,8 @@ pub mod pallet {
 		RandomErr,
 
 		UnSubmitted,
+
+		TeeNoPermission,
 	}
 
 	//Relevant time nodes for storage challenges
@@ -518,6 +520,10 @@ pub mod pallet {
 					tee_signature: _,
 				} = &challenge_info.miner_snapshot;
 
+				ensure!(
+					T::TeeWorkerHandler::can_verify(&tee_acc),
+					Error::<T>::TeeNoPermission
+				);
 				let verify_idle_info = VerifyIdleResultInfo::<T> {
 					miner: sender.clone(),
 					miner_prove: total_prove_hash.clone(),
@@ -630,6 +636,10 @@ pub mod pallet {
 					tee_signature: _,
 				} = challenge_info.miner_snapshot;
 
+				ensure!(
+					T::TeeWorkerHandler::can_verify(&tee_acc),
+					Error::<T>::TeeNoPermission
+				);
 				let verify_service_info = VerifyServiceResultInfo::<T> {
 					miner: sender.clone(),
 					tee_acc: tee_acc.clone(),

diff --git a/pallets/file-bank/src/lib.rs b/pallets/file-bank/src/lib.rs
@@ -262,6 +262,8 @@ pub mod pallet {
 		VerifyTeeSigFailed,
 
 		InsufficientReplaceable,
+
+		TeeNoPermission,
 	}
 
 	#[pallet::storage]
@@ -659,12 +661,20 @@ pub mod pallet {
 			origin: OriginFor<T>,
 			idle_sig_info: SpaceProofInfo<AccountOf<T>>,
 			tee_sig: TeeRsaSignature,
+			tee_acc: AccountOf<T>,
 		) -> DispatchResult {
 			let sender = ensure_signed(origin)?;
 
-			let original = idle_sig_info.encode();
+			ensure!(
+				T::TeeWorkerHandler::can_cert(&tee_acc),
+				Error::<T>::TeeNoPermission
+			);
+			let idle_sig_info_encode = idle_sig_info.encode();
+			let tee_acc_encode = tee_acc.encode();
+			let mut original = Vec::new();
+			original.extend_from_slice(&idle_sig_info_encode);
+			original.extend_from_slice(&tee_acc_encode);
 			let original = sp_io::hashing::sha2_256(&original);
-
 			let tee_puk = T::TeeWorkerHandler::get_tee_publickey()?;
 
 			ensure!(verify_rsa(&tee_puk, &original, &tee_sig), Error::<T>::VerifyTeeSigFailed);
@@ -741,10 +751,19 @@ pub mod pallet {
 			origin: OriginFor<T>,
 			idle_sig_info: SpaceProofInfo<AccountOf<T>>,
 			tee_sig: TeeRsaSignature,
+			tee_acc: AccountOf<T>,
 		) -> DispatchResult {
 			let sender = ensure_signed(origin)?;
 
-			let original = idle_sig_info.encode();
+			ensure!(
+				T::TeeWorkerHandler::can_cert(&tee_acc),
+				Error::<T>::TeeNoPermission
+			);
+			let idle_sig_info_encode = idle_sig_info.encode();
+			let tee_acc_encode = tee_acc.encode();
+			let mut original = Vec::new();
+			original.extend_from_slice(&idle_sig_info_encode);
+			original.extend_from_slice(&tee_acc_encode);
 			let original = sp_io::hashing::sha2_256(&original);
 
 			let tee_puk = T::TeeWorkerHandler::get_tee_publickey()?;

diff --git a/pallets/tee-worker/src/lib.rs b/pallets/tee-worker/src/lib.rs
@@ -83,7 +83,7 @@ pub mod pallet {
 		//Already registered
 		AlreadyRegistration,
 		//Not a controller account
-		NotController,
+		NotStash,
 		//The scheduled error report has been reported once
 		AlreadyReport,
 		//Boundedvec conversion error
@@ -104,14 +104,24 @@ pub mod pallet {
 		Existed,
 
 		CesealRejected,
+
 		InvalidIASSigningCert,
+
 		InvalidReport,
+
 		InvalidQuoteStatus,
+
 		BadIASReport,
+
 		OutdatedIASReport,
+
 		UnknownQuoteBodyFormat,
+
 		InvalidCesealInfoHash,
+
 		NoneAttestationDisabled,
+
+		WrongTeeType,
 	}
 
 	#[pallet::storage]
@@ -131,6 +141,10 @@ pub mod pallet {
 	#[pallet::getter(fn mr_enclave_whitelist)]
 	pub(super) type MrEnclaveWhitelist<T: Config> = StorageValue<_, BoundedVec<[u8; 64], T::MaxWhitelist>, ValueQuery>;
 
+	#[pallet::storage]
+	#[pallet::getter(fn validation_type_list)]
+	pub(super) type ValidationTypeList<T: Config> = StorageValue<_, BoundedVec<AccountOf<T>, T::SchedulerMaximum>, ValueQuery>;
+
 	#[pallet::pallet]
 	pub struct Pallet<T>(_);
 	#[pallet::call]
@@ -152,20 +166,26 @@ pub mod pallet {
 		#[pallet::weight(<T as pallet::Config>::WeightInfo::registration_scheduler())]
 		pub fn register(
 			origin: OriginFor<T>,
-			stash_account: AccountOf<T>,
+			worker_account: AccountOf<T>,
+			stash_account: Option<AccountOf<T>>,
 			peer_id: PeerId,
 			podr2_pbk: Podr2Key,
 			sgx_attestation_report: SgxAttestationReport,
 			end_point: EndPoint,
+			tee_type: TeeType,
 		) -> DispatchResult {
 			let sender = ensure_signed(origin)?;
 			//Even if the primary key is not present here, panic will not be caused
-			let acc = <pallet_cess_staking::Pallet<T>>::bonded(&stash_account)
-				.ok_or(Error::<T>::NotBond)?;
-			if sender != acc {
-				Err(Error::<T>::NotController)?;
-			}
-			ensure!(!TeeWorkerMap::<T>::contains_key(&sender), Error::<T>::AlreadyRegistration);
+			match &stash_account {
+				Some(acc) => {
+					ensure!(&sender == acc, Error::<T>::NotStash);
+					let _ = <pallet_cess_staking::Pallet<T>>::bonded(acc).ok_or(Error::<T>::NotBond)?;
+					ensure!(tee_type == TeeType::Verifier || tee_type == TeeType::Full, Error::<T>::WrongTeeType);
+				},
+				None => ensure!(tee_type == TeeType::Certifier || tee_type == TeeType::Marker, Error::<T>::WrongTeeType),
+			};
+
+			ensure!(!TeeWorkerMap::<T>::contains_key(&worker_account), Error::<T>::AlreadyRegistration);
 
 			let attestation = Attestation::SgxIas {
 				ra_report: sgx_attestation_report.report_json_raw.to_vec(),
@@ -176,12 +196,14 @@ pub mod pallet {
 			};
 
 			// Validate RA report & embedded user data
+			let worker_account_encode = worker_account.encode();
 			let mut identity = Vec::new();
 			identity.extend_from_slice(&peer_id);
 			identity.extend_from_slice(&podr2_pbk);
 			identity.extend_from_slice(&end_point);
+			identity.extend_from_slice(&worker_account_encode);
 			let now = T::UnixTime::now().as_secs();
-						
+
 			let _ = IasValidator::validate(
 				&attestation,
 				&sp_io::hashing::sha2_256(&identity),
@@ -191,19 +213,26 @@ pub mod pallet {
 			).map_err(Into::<Error<T>>::into)?;
 
 			let tee_worker_info = TeeWorkerInfo::<T> {
-				controller_account: sender.clone(),
 				peer_id: peer_id.clone(),
-				stash_account: stash_account,
+				bond_stash: stash_account,
 				end_point,
+				tee_type: tee_type.clone(),
 			};
 
+			if tee_type == TeeType::Full || tee_type == TeeType::Verifier {
+				ValidationTypeList::<T>::mutate(|tee_list| -> DispatchResult {
+					tee_list.try_push(worker_account.clone()).map_err(|_| Error::<T>::BoundedVecError)?;
+					Ok(())
+				})?;
+			}
+
 			if TeeWorkerMap::<T>::count() == 0 {
 				<TeePodr2Pk<T>>::put(podr2_pbk);
 			}
 
-			TeeWorkerMap::<T>::insert(&sender, tee_worker_info);
+			TeeWorkerMap::<T>::insert(&worker_account, tee_worker_info);
 
-			Self::deposit_event(Event::<T>::RegistrationTeeWorker { acc: sender, peer_id: peer_id });
+			Self::deposit_event(Event::<T>::RegistrationTeeWorker { acc: worker_account, peer_id: peer_id });
 
 			Ok(())
 		}
@@ -244,6 +273,13 @@ pub mod pallet {
 		pub fn exit(origin: OriginFor<T>) -> DispatchResult {
 			let sender = ensure_signed(origin)?;
 
+			let tee_info = TeeWorkerMap::<T>::try_get(&sender).map_err(|_| Error::<T>::Overflow)?;
+			if tee_info.tee_type == TeeType::Full || tee_info.tee_type == TeeType::Verifier {
+				ValidationTypeList::<T>::mutate(|tee_list| {
+					tee_list.retain(|tee_acc| *tee_acc != sender.clone());
+				});
+			}
+
 			TeeWorkerMap::<T>::remove(&sender);
 
 			if TeeWorkerMap::<T>::count() == 0 {
@@ -272,18 +308,19 @@ pub mod pallet {
 		#[pallet::weight(<T as pallet::Config>::WeightInfo::registration_scheduler())]
 		pub fn force_register(
 			origin: OriginFor<T>,
-			stash_account: AccountOf<T>,
+			stash_account: Option<AccountOf<T>>,
 			controller_account: AccountOf<T>,
 			peer_id: PeerId,
 			end_point: EndPoint,
+			tee_type: TeeType,
 		) -> DispatchResult {
 			let _ = ensure_root(origin)?;
 
 			let tee_worker_info = TeeWorkerInfo::<T> {
-				controller_account: controller_account.clone(),
 				peer_id: peer_id.clone(),
-				stash_account: stash_account,
+				bond_stash: stash_account,
 				end_point,
+				tee_type: tee_type,
 			};
 
 			TeeWorkerMap::<T>::insert(&controller_account, tee_worker_info);
@@ -309,37 +346,72 @@ pub mod pallet {
 	}
 }
 pub trait TeeWorkerHandler<AccountId> {
+	fn can_tag(acc: &AccountId) -> bool;
+	fn can_verify(acc: &AccountId) -> bool;
+	fn can_cert(acc: &AccountId) -> bool;
 	fn contains_scheduler(acc: AccountId) -> bool;
+	fn is_bonded(acc: AccountId) -> bool;
 	fn punish_scheduler(acc: AccountId) -> DispatchResult;
-	fn get_first_controller() -> Result<AccountId, DispatchError>;
 	fn get_controller_list() -> Vec<AccountId>;
 	fn get_tee_publickey() -> Result<Podr2Key, DispatchError>;
 }
 
 impl<T: Config> TeeWorkerHandler<<T as frame_system::Config>::AccountId> for Pallet<T> {
+	fn can_tag(acc: &AccountOf<T>) -> bool {
+		if let Ok(tee_info) = TeeWorkerMap::<T>::try_get(&acc) {
+			if TeeType::Marker == tee_info.tee_type || TeeType::Full == tee_info.tee_type {
+				return true;
+			}
+		}
+
+		false
+	}
+
+	fn can_verify(acc: &AccountOf<T>) -> bool {
+		if let Ok(tee_info) = TeeWorkerMap::<T>::try_get(acc) {
+			if TeeType::Verifier == tee_info.tee_type || TeeType::Full == tee_info.tee_type {
+				return true;
+			}
+		}
+
+		false
+	}
+
+	fn can_cert(acc: &AccountOf<T>) -> bool {
+		if let Ok(tee_info) = TeeWorkerMap::<T>::try_get(acc) {
+			if TeeType::Certifier == tee_info.tee_type || TeeType::Full == tee_info.tee_type {
+				return true;
+			}
+		}
+
+		false
+	}
+
 	fn contains_scheduler(acc: <T as frame_system::Config>::AccountId) -> bool {
 		TeeWorkerMap::<T>::contains_key(&acc)
 	}
 
+	fn is_bonded(acc: AccountOf<T>) -> bool {
+		if let Ok(tee_info) = TeeWorkerMap::<T>::try_get(&acc) {
+			let result = tee_info.bond_stash.is_some();
+			return result;
+		}
+
+		false
+	}
+
 	fn punish_scheduler(acc: <T as frame_system::Config>::AccountId) -> DispatchResult {
 		let tee_worker = TeeWorkerMap::<T>::try_get(&acc).map_err(|_| Error::<T>::NonTeeWorker)?;
-		pallet_cess_staking::slashing::slash_scheduler::<T>(&tee_worker.stash_account);
-		T::CreditCounter::record_punishment(&tee_worker.stash_account)?;
+		if let Some(stash_account) = tee_worker.bond_stash {
+			pallet_cess_staking::slashing::slash_scheduler::<T>(&stash_account);
+			T::CreditCounter::record_punishment(&stash_account)?;
+		}
 
 		Ok(())
 	}
 
-	fn get_first_controller() -> Result<<T as frame_system::Config>::AccountId, DispatchError> {
-		let (controller_acc, _) = TeeWorkerMap::<T>::iter().next().ok_or(Error::<T>::NonTeeWorker)?;
-		return Ok(controller_acc);
-	}
-
 	fn get_controller_list() -> Vec<AccountOf<T>> {
-		let mut acc_list: Vec<AccountOf<T>> = Default::default();
-
-		for (acc, _) in <TeeWorkerMap<T>>::iter() {
-			acc_list.push(acc);
-		}
+		let acc_list = <ValidationTypeList<T>>::get().to_vec();
 
 		acc_list
 	}

diff --git a/pallets/tee-worker/src/types.rs b/pallets/tee-worker/src/types.rs
@@ -4,15 +4,23 @@ use super::*;
 #[scale_info(skip_type_params(T))]
 #[codec(mel_bound())]
 pub struct TeeWorkerInfo<T: pallet::Config> {
-    pub controller_account: AccountOf<T>,
     pub peer_id: PeerId,
-    pub stash_account: AccountOf<T>,
+    pub bond_stash: Option<AccountOf<T>>,
     pub end_point: EndPoint,
+    pub tee_type: TeeType,
 }
 
 #[derive(PartialEq, Eq, Encode, Decode, Clone, RuntimeDebug, Default, MaxEncodedLen, TypeInfo)]
 pub struct SgxAttestationReport {
     pub report_json_raw: Report,
     pub sign: ReportSign,
     pub cert_der: Cert,
+}
+
+#[derive(PartialEq, Eq, Encode, Decode, Clone, RuntimeDebug, MaxEncodedLen, TypeInfo)]
+pub enum TeeType {
+    Full,
+    Certifier,
+    Verifier,
+    Marker,
 }