Removes xFAM and td attributes bit masks

src/BlockBuilderPolicy.sol

@@ -47,22 +47,6 @@ contract BlockBuilderPolicy is
     bytes32 public constant VERIFY_BLOCK_BUILDER_PROOF_TYPEHASH =
         keccak256("VerifyBlockBuilderProof(uint8 version,bytes32 blockContentHash,uint256 nonce)");
 
-    // ============ TDX workload constants ============
-
-    /// @dev See section 11.5.3 in TDX Module v1.5 Base Architecture Specification https://www.intel.com/content/www/us/en/content-details/733575/intel-tdx-module-v1-5-base-architecture-specification.html
-    /// @notice Enabled FPU (always enabled)
-    bytes8 constant TD_XFAM_FPU = 0x0000000000000001;
-    /// @notice Enabled SSE (always enabled)
-    bytes8 constant TD_XFAM_SSE = 0x0000000000000002;
-
-    /// @dev See section 3.4.1 in TDX Module ABI specification https://cdrdv2.intel.com/v1/dl/getContent/733579
-    /// @notice Allows disabling of EPT violation conversion to #VE on access of PENDING pages. Needed for Linux
-    bytes8 constant TD_TDATTRS_VE_DISABLED = 0x0000000010000000;
-    /// @notice Enabled Supervisor Protection Keys (PKS)
-    bytes8 constant TD_TDATTRS_PKS = 0x0000000040000000;
-    /// @notice Enabled Key Locker (KL)
-    bytes8 constant TD_TDATTRS_KL = 0x0000000080000000;
-
     // ============ Storage Variables ============
 
     /// @notice Mapping from workloadId to its metadata (commit hash and source locators)
@@ -227,12 +211,6 @@ contract BlockBuilderPolicy is
         override
         returns (WorkloadId)
     {
-        // We expect FPU and SSE xfam bits to be set, and anything else should be handled by explicitly allowing the workloadid
-        bytes8 expectedXfamBits = TD_XFAM_FPU | TD_XFAM_SSE;
-
-        // We don't mind VE_DISABLED, PKS, and KL tdattributes bits being set either way, anything else requires explicitly allowing the workloadid
-        bytes8 ignoredTdAttributesBitmask = TD_TDATTRS_VE_DISABLED | TD_TDATTRS_PKS | TD_TDATTRS_KL;
-
         return WorkloadId.wrap(
             keccak256(
                 bytes.concat(
@@ -243,8 +221,8 @@ contract BlockBuilderPolicy is
                     registration.parsedReportBody.rtMr3,
                     // VMM configuration
                     registration.parsedReportBody.mrConfigId,
-                    registration.parsedReportBody.xFAM ^ expectedXfamBits,
-                    registration.parsedReportBody.tdAttributes & ~ignoredTdAttributesBitmask
+                    registration.parsedReportBody.xFAM,
+                    registration.parsedReportBody.tdAttributes
                 )
             )
         );

test/BlockBuilderPolicy.t.sol

@@ -361,87 +361,6 @@ contract BlockBuilderPolicyTest is Test {
         assertEq(WorkloadId.unwrap(computedWorkloadIdF200), WorkloadId.unwrap(computedWorkloadId12c1));
     }
 
-    // Add these test functions to BlockBuilderPolicyTest contract
-
-    function test_workloadId_tdAttributes_allowed_bits_ignored() public {
-        // Register a TEE to get a baseline
-        _registerTEE(mockf200);
-        (, IFlashtestationRegistry.RegisteredTEE memory baseRegistration) =
-            registry.getRegistration(mockf200.teeAddress);
-        WorkloadId baseWorkloadId = policy.workloadIdForTDRegistration(baseRegistration);
-
-        // Test that all combinations of allowed bits don't affect workloadId
-        // We test: none set, all set, and one intermediate case
-        bytes8[3] memory allowedBitCombos = [
-            bytes8(0x00000000D0000000), // All three allowed bits set (VE_DISABLED | PKS | KL)
-            bytes8(0x0000000050000000), // VE_DISABLED | PKS
-            bytes8(0x0000000000000000) // None set
-        ];
-
-        for (uint256 i = 0; i < allowedBitCombos.length; i++) {
-            IFlashtestationRegistry.RegisteredTEE memory modifiedRegAllowed = baseRegistration;
-            // Clear the allowed bits first, then set the specific combination
-            modifiedRegAllowed.parsedReportBody.tdAttributes =
-                (baseRegistration.parsedReportBody.tdAttributes & ~bytes8(0x00000000D0000000)) | allowedBitCombos[i];
-
-            WorkloadId workloadId = policy.workloadIdForTDRegistration(modifiedRegAllowed);
-            assertEq(
-                WorkloadId.unwrap(baseWorkloadId),
-                WorkloadId.unwrap(workloadId),
-                "Allowed tdAttributes bits should not affect workloadId"
-            );
-        }
-
-        // Test that a non-allowed bit DOES change workloadId
-        IFlashtestationRegistry.RegisteredTEE memory modifiedReg = baseRegistration;
-        modifiedReg.parsedReportBody.tdAttributes =
-            baseRegistration.parsedReportBody.tdAttributes | bytes8(0x0000000000000001);
-        WorkloadId differentWorkloadId = policy.workloadIdForTDRegistration(modifiedReg);
-        assertNotEq(
-            WorkloadId.unwrap(baseWorkloadId),
-            WorkloadId.unwrap(differentWorkloadId),
-            "Non-allowed tdAttributes bits should affect workloadId"
-        );
-    }
-
-    function test_workloadId_xfam_expected_bits_required() public {
-        // Register a TEE to get a baseline
-        _registerTEE(mockf200);
-        (, IFlashtestationRegistry.RegisteredTEE memory baseRegistration) =
-            registry.getRegistration(mockf200.teeAddress);
-        WorkloadId baseWorkloadId = policy.workloadIdForTDRegistration(baseRegistration);
-
-        // Test removing FPU bit changes workloadId
-        IFlashtestationRegistry.RegisteredTEE memory modifiedReg1 = baseRegistration;
-        modifiedReg1.parsedReportBody.xFAM = baseRegistration.parsedReportBody.xFAM ^ bytes8(0x0000000000000001);
-        WorkloadId workloadIdNoFPU = policy.workloadIdForTDRegistration(modifiedReg1);
-        assertNotEq(
-            WorkloadId.unwrap(baseWorkloadId),
-            WorkloadId.unwrap(workloadIdNoFPU),
-            "Missing FPU bit should change workloadId"
-        );
-
-        // Test removing SSE bit changes workloadId
-        IFlashtestationRegistry.RegisteredTEE memory modifiedReg2 = baseRegistration;
-        modifiedReg2.parsedReportBody.xFAM = baseRegistration.parsedReportBody.xFAM ^ bytes8(0x0000000000000002);
-        WorkloadId workloadIdNoSSE = policy.workloadIdForTDRegistration(modifiedReg2);
-        assertNotEq(
-            WorkloadId.unwrap(baseWorkloadId),
-            WorkloadId.unwrap(workloadIdNoSSE),
-            "Missing SSE bit should change workloadId"
-        );
-
-        // Test adding an extra bit changes workloadId
-        IFlashtestationRegistry.RegisteredTEE memory modifiedReg3 = baseRegistration;
-        modifiedReg3.parsedReportBody.xFAM = baseRegistration.parsedReportBody.xFAM | bytes8(0x0000000000000008);
-        WorkloadId workloadIdExtraBit = policy.workloadIdForTDRegistration(modifiedReg3);
-        assertNotEq(
-            WorkloadId.unwrap(baseWorkloadId),
-            WorkloadId.unwrap(workloadIdExtraBit),
-            "Additional xFAM bits should change workloadId"
-        );
-    }
-
     function test_verifyBlockBuilderProof_fails_with_unregistered_tee() public {
         // Add workload to policy but don't register TEE
         policy.addWorkloadToPolicy(mockf200.workloadId, mockf200.commitHash, mockf200.sourceLocators);