Ignore PCR3 during key sync attestation

brave · Sep 17, 2024 · 12da224 · 12da224
1 parent 42dfbcf
commit 12da224
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/attestation.go b/attestation.go
@@ -70,10 +70,10 @@ func arePCRsIdentical(ourPCRs, theirPCRs map[uint][]byte) bool {
 	}
 
 	for pcr, ourValue := range ourPCRs {
-		// PCR4 contains a hash over the parent's instance ID.  Our enclaves run
-		// on different parent instances; PCR4 will therefore always differ:
+		// PCR3 and PCR4 are hashes of the parent's instance ID and IAM role, respectively.
+		// Our enclaves run on different parent instances; PCR3 and PCR4 will therefore always differ:
 		// https://docs.aws.amazon.com/enclaves/latest/user/set-up-attestation.html
-		if pcr == 4 {
+		if pcr == 3 || pcr == 4 {
 			continue
 		}
 		theirValue, exists := theirPCRs[pcr]