patch vulnerabilities

2025-01-21 22:15:37 +02:00 · 2025-01-21 22:15:37 +02:00 · 8ced0efcba
commit 8ced0efcba
parent c093b6b088
1 changed files with 5 additions and 4 deletions
--- a/src/quote.rs
+++ b/src/quote.rs
@ -198,12 +198,13 @@ impl VerifyResult {

    pub fn is_negligible(&self) -> bool {
        match self {
+            // We are not allowing ConfigNeeded, OutOfDate, OutOfDateConfigNeeded,
+            // ConfigAndSwHardeningNeeded since they are considered vulnerable
+            // However, SwHardeningNeeded is very difficult to patch and can be
+            // avoided on some platforms by running the latest SGX drivers
+            // https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html
            VerifyResult::Ok => true,
-            VerifyResult::ConfigNeeded => true,
-            VerifyResult::OutOfDate => true,
-            VerifyResult::OutOfDateConfigNeeded => true,
            VerifyResult::SwHardeningNeeded => true,
-            VerifyResult::ConfigAndSwHardeningNeeded => true,
            _ => false,
        }
    }