From 50298bc9f64bf6e1fe59dc82fccdfe34600da380 Mon Sep 17 00:00:00 2001
From: Jernej Kos
Date: Thu, 17 Oct 2024 16:49:00 +0200
Subject: [PATCH] runtime: Do not persist updated trusted state for TDX
---
 .changelog/5909.bugfix.md | 1 +
 .../tendermint/verifier/store/state.rs | 17 ++++++++++++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 .changelog/5909.bugfix.md
diff --git a/.changelog/5909.bugfix.md b/.changelog/5909.bugfix.md
new file mode 100644
index 00000000000..d45f5c86eaa
--- /dev/null
+++ b/.changelog/5909.bugfix.md
@@ -0,0 +1 @@
+runtime: Do not persist updated trusted state for TDX
diff --git a/runtime/src/consensus/tendermint/verifier/store/state.rs b/runtime/src/consensus/tendermint/verifier/store/state.rs
index e79e37a9029..3210882006a 100644
--- a/runtime/src/consensus/tendermint/verifier/store/state.rs
+++ b/runtime/src/consensus/tendermint/verifier/store/state.rs
@@ -15,7 +15,7 @@ use crate::{
 consensus::verifier::{Error, TrustRoot},
 protocol::ProtocolUntrustedLocalStorage,
 storage::KeyValue,
- Protocol,
+ Protocol, TeeType, BUILD_INFO,
 };
 
 /// Storage key prefix under which the sealed trusted state is stored in
@@ -95,6 +95,12 @@ impl TrustedStateStore {
 /// Panics in case the light store does not have any blocks or if insertion to the underlying
 /// runtime's untrusted local store fails.
 pub fn save(&self, runtime_version: Version, store: &Box) {
+ if BUILD_INFO.tee_type == TeeType::Tdx {
+ // TODO: Currently TDX does not have sealing capabilities, so we just do not persist
+ // anything as we can't seal secrets until we have CPU-bound key derivation.
+ return;
+ }
+
 let lowest_block = store.lowest(Status::Trusted).unwrap();
 let highest_block = store.highest(Status::Trusted).unwrap();
 
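Review bot: The doc comment on `save` still describes only the persist-or-panic behaviour, while the new guard at the top of the body turns the call into a silent no-op on TDX builds; I would add `/// On TDX builds this is a no-op: nothing is sealed or written to the untrusted local store.` next to the existing panics paragraph. The same `BUILD_INFO.tee_type == TeeType::Tdx` test and TODO text are copied into `load` in the following hunk, so a small private helper (for example `fn sealing_supported() -> bool`) would keep the two paths from drifting apart once sealing becomes available. The body of `save` continues past the end of this hunk.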
@@ -129,6 +135,15 @@ impl TrustedStateStore {
 runtime_version: Version,
 trust_root: &TrustRoot,
 ) -> Result {
+ if BUILD_INFO.tee_type == TeeType::Tdx {
+ // TODO: Currently TDX does not have sealing capabilities, so we just do not persist
+ // anything as we can't seal secrets until we have CPU-bound key derivation.
+ return Ok(TrustedState {
+ trust_root: trust_root.clone(),
+ trusted_blocks: vec![],
+ });
+ }
+
 // Attempt to load the previously sealed trusted state.
 let untrusted_value = self
 .untrusted_local_store
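Review bot: On TDX the early return in `load` hands back only `trust_root.clone()` with an empty `trusted_blocks`, so any progress the verifier made is discarded at every restart and verification presumably begins again from the configured trust root. As far as I can tell the sealed state is what otherwise keeps a restarted enclave from accepting older chain state offered by the host, so the trade-off deserves a line in the comment: `// NOTE: without sealed state the verifier re-bootstraps from trust_root on every start; keep the configured trust root recent.` The doc comment on `load` should also say that this path returns `Ok` without reading `untrusted_local_store`. The function starts above this hunk and continues below it.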