From 12da224934f60eacf0a18f40c1d2f4c82120d132 Mon Sep 17 00:00:00 2001
From: Darnell Andries
Date: Mon, 16 Sep 2024 19:51:40 -0700
Subject: [PATCH] Ignore PCR3 during key sync attestation

---
 attestation.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/attestation.go b/attestation.go
index ee632b1..317faad 100644
--- a/attestation.go
+++ b/attestation.go
@@ -70,10 +70,10 @@ func arePCRsIdentical(ourPCRs, theirPCRs map[uint][]byte) bool {
 	}
 	for pcr, ourValue := range ourPCRs {
-		// PCR4 contains a hash over the parent's instance ID. Our enclaves run
-		// on different parent instances; PCR4 will therefore always differ:
+		// PCR3 and PCR4 are hashes of the parent's instance ID and IAM role, respectively.
+		// Our enclaves run on different parent instances; PCR3 and PCR4 will therefore always differ:
 		// https://docs.aws.amazon.com/enclaves/latest/user/set-up-attestation.html
-		if pcr == 4 {
+		if pcr == 3 || pcr == 4 {
 			continue
 		}
 		theirValue, exists := theirPCRs[pcr]
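Review bot: The added comment has PCR3 and PCR4 swapped: on the AWS page it links, PCR3 is the hash of the IAM role assigned to the parent instance and PCR4 is the hash of the parent's instance ID, so the line should read `// PCR3 and PCR4 are hashes of the parent's IAM role and instance ID, respectively.`. The justification that follows does not hold for PCR3 either — running on different parent instances makes PCR4 differ, but PCR3 differs only when the parents run under different IAM roles, so the real reason for skipping it (peers are expected under differing roles, presumably) should be stated, since the new `if pcr == 3 || pcr == 4` means a peer enclave whose parent holds any IAM role now passes key-sync attestation and the binding to the trusted image rests solely on the remaining PCRs (0–2, and 8 if the image is signed). A comment such as `// PCR3 is skipped because peer parents may run under different IAM roles; image identity is still enforced via PCR0-2.` would make that trade-off explicit, ideally with a note on which PCRs ourPCRs is guaranteed to contain, because this loop only compares keys already present in ourPCRs. arePCRsIdentical begins before this hunk, so any length or membership check on theirPCRs is not visible here.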