Policy V2: AcceptedTcbStatus evaluation logic only allows "ConfigurationNeeded" #695

@haitaohuang

Code Reference: policy.rs lines 774-794
The allow-list for tcbStatusAccepted is only meaningful when "ConfigurationNeeded" is specified in the list. For all other TCB status values (UpToDate, SWHardeningNeeded, OutOfDate, Revoked), the allow-list has no effect because these statuses are already handled by the hardcoded ALWAYS_ALLOW/ALWAYS_DENY rules (lines 731-751).

If "ConfigurationAndSWHardeningNeeded" or "OutOfDateConfigurationNeeded" are specified directly in the allow-list without "ConfigurationNeeded", they will be ignored and the "policy_allow" list will not be populated at line 774. These statuses are only honored when "ConfigurationNeeded" is specified. Direct specification of these variants has no effect.

Is that intended?

Additionally, why do we hard-code OutOfDate, SWHardeningNeeded as always allowed? Should we allow policy to change?
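The behaviour reported above, as an added example that is not part of the original post and is not the project's `policy.rs`: a simplified model of the evaluation as the issue describes it, next to a hypothetical variant in which each listed status is honored by name. The enum, the function names, and the placement of `UpToDate` under always-allow and `Revoked` under always-deny are assumptions drawn from the issue text.

```rust
// Added model of the behaviour reported in this issue; NOT the project's policy.rs.
#[derive(Clone, Copy, PartialEq, Debug)]
enum Tcb {
    UpToDate, SWHardeningNeeded, OutOfDate, Revoked,
    ConfigurationNeeded, ConfigurationAndSWHardeningNeeded, OutOfDateConfigurationNeeded,
}

const ALL: [Tcb; 7] = [
    Tcb::UpToDate, Tcb::SWHardeningNeeded, Tcb::OutOfDate, Tcb::Revoked,
    Tcb::ConfigurationNeeded, Tcb::ConfigurationAndSWHardeningNeeded,
    Tcb::OutOfDateConfigurationNeeded,
];

fn name(s: Tcb) -> &'static str {
    match s {
        Tcb::UpToDate => "UpToDate",
        Tcb::SWHardeningNeeded => "SWHardeningNeeded",
        Tcb::OutOfDate => "OutOfDate",
        Tcb::Revoked => "Revoked",
        Tcb::ConfigurationNeeded => "ConfigurationNeeded",
        Tcb::ConfigurationAndSWHardeningNeeded => "ConfigurationAndSWHardeningNeeded",
        Tcb::OutOfDateConfigurationNeeded => "OutOfDateConfigurationNeeded",
    }
}

/// As reported: hardcoded rules decide first; the allow-list only matters
/// through its "ConfigurationNeeded" entry, which also gates both variants.
fn accepts_as_reported(status: Tcb, allow: &[&str]) -> bool {
    match status {
        Tcb::UpToDate | Tcb::SWHardeningNeeded | Tcb::OutOfDate => true, // always allowed
        Tcb::Revoked => false, // always denied (assumed from the issue text)
        _ => allow.contains(&"ConfigurationNeeded"),
    }
}

/// Hypothetical alternative: every non-UpToDate status must be listed by name.
fn accepts_explicit(status: Tcb, allow: &[&str]) -> bool {
    status != Tcb::Revoked && (status == Tcb::UpToDate || allow.contains(&name(status)))
}

fn main() {
    let allow = ["OutOfDateConfigurationNeeded"]; // constructed sample allow-list
    for s in ALL {
        println!("{:<34} reported={:<5} explicit={}", name(s),
                 accepts_as_reported(s, &allow), accepts_explicit(s, &allow));
    }
}
```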
