From 245ddd8558d9805ac9ff3ad78955037b5e3c1cd1 Mon Sep 17 00:00:00 2001
From: Thomas Tendyck
Date: Wed, 26 Jun 2024 13:46:59 +0200
Subject: [PATCH] api: elaborate on nonce and quote

---
 api/api.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/api/api.go b/api/api.go
index d8ce5adf..505ff66e 100644
--- a/api/api.go
+++ b/api/api.go
@@ -42,6 +42,7 @@ func SetLogSink(w io.Writer) {
 // On success, it returns the Coordinator's self signed root and intermediate certificates,
 // as well as the verified SGX quote.
 // The root certificate should be used by the client for future connections to the Coordinator.
+// The SGX quote is returned to allow further verification, but this is purely optional.
 //
 // If this function is called from inside an EGo enclave, the "marblerun_ego_enclave" build tag must be set when building the binary.
 func VerifyCoordinator(ctx context.Context, endpoint string, opts VerifyOptions) (rootCert *x509.Certificate, intermediateCert *x509.Certificate, sgxQuote []byte, err error) {
@@ -112,6 +113,7 @@ func VerifyCoordinator(ctx context.Context, endpoint string, opts VerifyOptions)
 // On success, it returns the Coordinator's self signed root and intermediate certificates,
 // as well as the verified SGX quote.
 // The root certificate should be used by the client for future connections to the Coordinator.
+// The SGX quote is returned to allow further verification, but this is purely optional.
 //
 // If this function is called from inside an EGo enclave, the "marblerun_ego_enclave" build tag must be set when building the binary.
 func VerifyMarbleRunDeployment(ctx context.Context, endpoint string, opts VerifyOptions, manifest []byte) (rootCert *x509.Certificate, intermediateCert *x509.Certificate, sgxQuote []byte, err error) {
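Review bot: The sentence added to the VerifyCoordinator doc comment says further verification of the returned quote is "purely optional" without saying what the function has already checked, so a reader skimming the signature could take it to mean the quote comes back unverified and skip it for that reason; the line above already calls it "the verified SGX quote", and the new sentence should build on that rather than stand alone. I would make it `// The SGX quote has already been verified by this function; it is returned only so that callers can run additional checks of their own, which is purely optional.` The same sentence is added in the second hunk for VerifyMarbleRunDeployment and should get the same wording. Both function bodies continue outside their hunks.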
@@ -468,6 +470,7 @@ type VerifyOptions struct {
 // Nonce is an optional, user-defined nonce to be included in the Coordinator's attestation statement.
 // If set, the Coordinator will generate an SGX quote over sha256(Coordinator_root_cert, Nonce).
+ // Set a nonce if you want to enforce freshness of the quote. The API functions will automatically verify that the returned quote includes this nonce.
 Nonce []byte `json:"Nonce"`
 }
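Review bot: The added Nonce comment promises freshness but leaves out the one property the nonce needs for that promise to hold: a constant or reused value is still "included in the quote" and will pass the automatic check, yet it lets an earlier quote be replayed, so freshness is only enforced when the nonce is unpredictable and unique per verification. I would add one more line after the new one: `// Freshness only holds if the nonce is unpredictable and unique per call (for example, generated with crypto/rand); a constant or reused nonce does not prevent replay of an earlier quote.` It may also be worth stating the expected length, if the Coordinator imposes one, since the hunk does not show it. The VerifyOptions struct begins outside this hunk.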