TEERegistry: simplify PCR revocation, clean up naming #35
Pull request overview
This PR refactors the TEERegistry Solidity contract and related tooling to simplify PCR revocation (lazy → eager), remove the removeTEE endpoint, and standardize naming across contracts, tests, CLI, and integration scripts.
Changes:
- Switch PCR revocation to immediate enforcement and actively disable TEEs using a revoked PCR.
- Remove permanent TEE deletion (`removeTEE`) in favor of enable/disable only.
- Rename “active/activate/deactivate” terminology to “enabled/enable/disable”, and adjust dependent tests and tooling.
Reviewed changes
Copilot reviewed 15 out of 15 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| contracts/solidity/TEERegistry.sol | Core contract refactor: eager PCR revocation + naming cleanup + removeTEE removal. |
| contracts/solidity/TEERegistry.json | Updated ABI JSON (currently inconsistent with Solidity; see comments). |
| contracts/solidity/TEEInferenceVerifier.sol | Updates registry calls to isTEEEnabled / getTEEPublicKey. |
| tests/solidity/suites/tee/test/registry.js | Updates tests for PCR revocation + renamed PCR/TEE APIs. |
| tests/solidity/suites/tee/test/lifecycle.js | Updates lifecycle tests for enable/disable semantics and eager PCR revocation behavior. |
| tests/solidity/suites/tee/test/settlementRelay.js | Updates integration-style test flow to enable/disable. |
| tests/solidity/suites/tee/contracts/TEETestHelper.sol | Updates helper wrappers to renamed APIs and new revokePCR signature. |
| tests/solidity/suites/tee/contracts/MockTEERegistry.sol | Updates mock registry to new TEEInfo field names and enable flow. |
| scripts/tee-mgmt-cli/registry/client.go | Updates Go client selectors/types for renamed endpoints (has build/runtime issues; see comments). |
| scripts/tee-mgmt-cli/cmd/tee.go | CLI commands renamed to enable/disable/active and updated output fields. |
| scripts/tee-mgmt-cli/cmd/pcr.go | CLI PCR revoke/list updated for eager revocation (return type mismatch risk; see comments). |
| scripts/tee-mgmt-cli/cmd/types.go | Removes TEE type deactivation command. |
| scripts/tee-mgmt-cli/Readme.md | Removes documentation reference to type deactivation. |
| scripts/integration/local_tee_workflow.go | Updates integration workflow to new selectors/names (multiple selector/ABI mismatches; see comments). |
| precompiles/tee/README.md | Documentation partially updated but still references removed APIs/old semantics (see comments). |
Comments suppressed due to low confidence (3)
contracts/solidity/TEERegistry.sol:324
`getApprovedPCRs()` currently returns `PCRKey[]` (pcrHash + teeType), but the updated ABI JSON and Go clients/scripts in this PR treat it as returning a plain `bytes32[]` of hashes. This API mismatch will break clients. Decide on one contract-level return type and make the ABI + clients consistent (either change Solidity to `bytes32[]`, or update ABI/clients to decode a tuple array).

```solidity
    /// @notice Get all currently approved PCRs
    /// @return PCRKey[] Array of active PCR keys (pcrHash + teeType)
    function getApprovedPCRs() external view returns (PCRKey[] memory) {
        uint256 count = 0;
        for (uint256 i = 0; i < _pcrList.length; i++) {
            if (isPCRApproved(_pcrList[i].teeType, _pcrList[i].pcrHash)) count++;
        }
```
contracts/solidity/TEERegistry.json:578
`contracts/solidity/TEERegistry.json` is inconsistent with `TEERegistry.sol` and will break any consumer that relies on this ABI:
- `getApprovedPCRs` is defined as returning `bytes32[]`, but Solidity returns `PCRKey[]` (tuple array).
- `getActiveTEEs` is listed with no inputs and returning `bytes32[]`, but Solidity defines `getActiveTEEs(uint8)` returning `TEEInfo[]`.
- The ABI appears to be missing `getEnabledTEEs(uint8)` entirely.
- `isPCRApproved` is shown as `isPCRApproved(bytes32)` but Solidity is `isPCRApproved(uint8,bytes32)`.

Please regenerate this ABI from the compiled contract (or update it manually to exactly match the Solidity signatures and return types).

```json
    "inputs": [
      {
        "internalType": "bytes32",
        "name": "teeId",
        "type": "bytes32"
      }
    ],
    "name": "disableTEE",
    "outputs": [],
    "stateMutability": "nonpayable",
    "type": "function"
  },
  {
    "inputs": [],
    "name": "getApprovedPCRs",
    "outputs": [
      {
        "internalType": "bytes32[]",
        "name": "",
        "type": "bytes32[]"
      }
    ],
    "stateMutability": "view",
    "type": "function"
  },
  {
    "inputs": [],
    "name": "getActiveTEEs",
    "outputs": [
      {
        "internalType": "bytes32[]",
        "name": "",
        "type": "bytes32[]"
      }
    ],
    "stateMutability": "view",
    "type": "function"
```
scripts/tee-mgmt-cli/registry/client.go:249
`GetApprovedPCRs()` decodes the return value as a `bytes32[]`, but the Solidity implementation of `getApprovedPCRs()` returns `PCRKey[]` (tuple array of `{pcrHash, teeType}`). This call will fail to decode or will produce incorrect results at runtime. Either change the contract/API to return only `bytes32[]`, or update the CLI to decode a tuple array and print both the hash and type.

```go
func (c *Client) GetApprovedPCRs() ([]string, error) {
	result, err := c.ethCall(selGetApprovedPCRs)
	if err != nil {
		return nil, err
	}
	return decodeBytes32Array(result)
}
```
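Added example, not part of the PR or the project's client: a minimal Go decoder for the tuple-array shape the comment above describes, assuming standard ABI encoding of `(bytes32,uint8)[]` return data. `PCRKey`, `DecodePCRKeys`, `wordAt`, `ErrMalformed` and the sample bytes are constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// PCRKey mirrors the {pcrHash, teeType} pair named in the review comment.
type PCRKey struct {
	PCRHash string
	TEEType uint8
}

var ErrMalformed = fmt.Errorf("malformed PCRKey[] return data")

// wordAt reads the 32-byte big-endian word at off; it must fit in 64 bits.
func wordAt(data []byte, off uint64) (uint64, error) {
	if off > uint64(len(data)) || uint64(len(data))-off < 32 ||
		!bytes.Equal(data[off:off+24], make([]byte, 24)) {
		return 0, ErrMalformed
	}
	return binary.BigEndian.Uint64(data[off+24 : off+32]), nil
}

// DecodePCRKeys decodes (bytes32,uint8)[] return data: offset, count, 2 words per item.
func DecodePCRKeys(data []byte) ([]PCRKey, error) {
	off, err1 := wordAt(data, 0)
	n, err2 := wordAt(data, off)
	if err1 != nil || err2 != nil || n > (uint64(len(data))-off-32)/64 {
		return nil, ErrMalformed // truncated, or count exceeds the bytes present
	}
	body := data[off+32:]
	keys := make([]PCRKey, 0, n)
	for i := uint64(0); i < n; i++ {
		t, err := wordAt(body, i*64+32)
		if err != nil || t > 0xff {
			return nil, ErrMalformed // teeType word is not a clean uint8
		}
		keys = append(keys, PCRKey{fmt.Sprintf("0x%x", body[i*64:i*64+32]), uint8(t)})
	}
	return keys, nil
}

func main() {
	data := make([]byte, 128)
	data[31], data[63], data[127] = 0x20, 1, 1 // constructed: offset, count, teeType
	copy(data[64:96], bytes.Repeat([]byte{0xaa}, 32))
	fmt.Println(DecodePCRKeys(data))
}
```

A `bytes32[]` decoder run over the same bytes would report two hashes for one PCR, which is why the ABI and client must agree on the tuple shape.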
| /// | ||
| /// 4. **Deactivation / Reactivation** — TEE owners or admins can toggle a TEE's active | ||
| /// status. `activateTEE` re-validates the TEE's PCR before reactivating. | ||
| /// 4. **Disable / Enable** — TEE owners or admins can toggle a TEE's enabled |
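Review bot: the replacement text for item 4 should keep the guarantee the removed line stated for `activateTEE`, that the TEE's PCR is re-validated before the TEE is turned back on. Only the first line of the new item is visible here, so confirm its continuation says the same for the enable path; without it the lifecycle comment no longer documents what stops a disabled TEE from being re-enabled on a PCR that is no longer approved.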
SDK should be updated to take into consideration the new naming
Does the SDK use this?
I updated the CLI already
local_tee_workflow
Outdated
We have to add it to .gitignore
| /// @param gracePeriod Seconds until revocation takes effect (0 = immediate) | ||
| function revokePCR(bytes32 pcrHash, uint8 teeType, uint256 gracePeriod) external onlyRole(DEFAULT_ADMIN_ROLE) { | ||
| /// @param teeType The TEE type this PCR belongs to | ||
| function revokePCR(bytes32 pcrHash, uint8 teeType) external onlyRole(DEFAULT_ADMIN_ROLE) { |
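Review bot: on the new `revokePCR(bytes32 pcrHash, uint8 teeType)`, the NatSpec shown loses the `gracePeriod` line without saying when revocation now takes effect; add a `@notice` or `@dev` sentence stating that revocation is immediate. Dropping the `uint256` argument also changes the function selector, so every caller that still encodes three arguments needs to be updated in the same change.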
We will not consider a grace period, right?
Yes, I think it's better to simplify the logic here
khalifaT left a comment
I have added a few comments:
- Update to SDK will be needed
- Revocation process: no need for a grace period?
Summary
Simplifies the TEERegistry contract by removing unused complexity and standardizing naming across the contract, tests, CLI, and integration scripts.
PCR revocation: lazy → eager
- `revokePCR`. Revoked PCRs now take effect immediately.
- `revokePCR` actively iterates the enabled list and disables all TEEs running the revoked image (safe backward iteration with swap-and-pop).
- `expiresAt` from `ApprovedPCR`, `PCRExpired` error, and lazy PCR enforcement from `heartbeat`.
- `isPCRApproved` simplified to a single storage read.

Removed `removeTEE` endpoint
- `removeTEE` function, `TEERemoved` event, and all associated tests, CLI commands, and client methods.

Naming cleanup
`active` (TEEInfo field) `enabled` `active` `activateTEE`/`deactivateTEE` `enableTEE`/`disableTEE` `getActivatedTEEs` `getEnabledTEEs` `getLiveTEEs`/`getHealthyTEEs` `getActiveTEEs` `isHealthy`/`_isHealthy` `isTEEActive`/`_isTEEActive` `active` `isEnabled` `isTEEEnabled` `getPublicKey` `getTEEPublicKey` `lastUpdatedAt` `lastHeartbeatAt` `TEEDeactivated`/`TEEActivated` `TEEDisabled`/`TEEEnabled` `tee healthy` `tee active`

Test fixes
- `disableTEE` test to expect a revert (not a no-op) when disabling an already-disabled TEE, matching the contract's `TEENotEnabled` guard.
- `addTEEType` test to check `typeInfo.addedAt` instead of non-existent `typeInfo.active` field (`TEETypeInfo` struct has `name` and `addedAt`, not `active`).

Other
- `onlyTEEOwnerOrAdmin` modifier (clearer boolean logic).
- `setAWSRootCertificate` above TEE type management for better section ordering.
- `heartbeat` (no longer needed with eager revocation).
- `active` → `enabled` for TEEInfo).

Files changed
- `contracts/solidity/TEERegistry.sol` — core contract changes
- `contracts/solidity/TEERegistry.json` — updated ABI
- `contracts/solidity/TEEInferenceVerifier.sol` — updated call sites
- `tests/solidity/suites/tee/` — updated test helper, lifecycle, registry, and settlement tests
- `scripts/tee-mgmt-cli/` — updated CLI commands and Go client
- `scripts/integration/local_tee_workflow.go` — updated integration script
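Added example, not code from this PR: a Go model of why the backward walk mentioned in the summary matters when entries are removed by swap-and-pop during iteration. The function names, the TEE ids and the PCR labels are hypothetical; the contract's actual storage layout is not shown on this page.

```go
package main

import "fmt"

// swapPop removes list[i] by moving the last id into slot i and shrinking the list.
func swapPop(list []string, i int) []string {
	list[i] = list[len(list)-1]
	return list[:len(list)-1]
}

// RevokeBackward walks from the end, so the id swapped into slot i was already checked.
// In Solidity the index is unsigned, so this walk is usually written with i > 0 and i-1.
func RevokeBackward(enabled []string, pcrOf map[string]string, pcr string) []string {
	for i := len(enabled) - 1; i >= 0; i-- {
		if pcrOf[enabled[i]] == pcr {
			enabled = swapPop(enabled, i)
		}
	}
	return enabled
}

// RevokeForward is the flawed variant: after a removal it steps past the swapped-in id,
// which can leave a TEE enabled on the revoked PCR.
func RevokeForward(enabled []string, pcrOf map[string]string, pcr string) []string {
	for i := 0; i < len(enabled); i++ {
		if pcrOf[enabled[i]] == pcr {
			enabled = swapPop(enabled, i)
		}
	}
	return enabled
}

// Sample returns constructed data: tee-a and tee-c run the image being revoked.
func Sample() ([]string, map[string]string) {
	return []string{"tee-a", "tee-b", "tee-c"},
		map[string]string{"tee-a": "pcr-old", "tee-b": "pcr-new", "tee-c": "pcr-old"}
}

func main() {
	ids, pcrOf := Sample()
	fmt.Println(RevokeBackward(ids, pcrOf, "pcr-old")) // [tee-b]
	ids, pcrOf = Sample()
	fmt.Println(RevokeForward(ids, pcrOf, "pcr-old")) // [tee-c tee-b]: tee-c was skipped
}
```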