[GCP]Policy deny when set snp measurement as policy

[yuxisun1217]

Describe the bug

In GCP VM if use snp measurement as policy it always hit "PolicyDeny" error when get-resource.
The attestation step can pass.

Server policy:

package policy
default allow = false
input_tcb := input["tcb-status"]
allow {
    input_tcb["snp"]["measurement"] == "WerZtCZk1U/aVPcHZwOG9hsdO9NOLajI+awGfmF6Cq5GIzBKSqmLswdWr/tLbAoF"
}

Attestation token:

eyJhbGciOiJSUzM4NCIsImp3ayI6eyJhbGciOiJSUzM4NCIsImUiOiJBUUFCIiwia3R5IjoiUlNBIiwibiI6InZsaE9YdFQ4WE8yY2xvNUl1d1Q3ai0zN21EWWdkSmFUQUw4anhPRFdwZkYzUFU0ajhqQ2J4NFRteWhvSEZ2eUNJUDlhMG9tX0xHbTdPdGQxOUJTU2dSOEdlQkczLVRkOHZJVGZnOG5oTXAzZ2toQ3FuTTJocnJzT3hLMFgwb2dpTkRTbFpqbjZ5T3RkYUJ6ejNmbU4tUE5ybzNjcGp1Q3ZYS3ZjaW5UWENwaFVxdVJoMmhkbFNINFFLemhRNjJhQlptR0pNRm5TX0xnRHZKRGFGZFNOcGdQNnBySllHdnUwMW5zQjREWjJrS2pteFFQNFZ6LUdSQTdUdzc3RHRPMFdveHpUNnlpTEtOZEdGTkhGN3ZIMVFtVVZsWm1JTHpHaGdXM2dfWDlSZ2NJN25jT1o4SmZ1Ym9QMnJhS0tRRlRXdFd2UldXOE5wNkY2UmRJQmtsdnV6dyJ9LCJ0eXAiOiJKV1QifQ.eyJjdXN0b21pemVkX2NsYWltcyI6eyJpbml0X2RhdGEiOm51bGwsInJ1bnRpbWVfZGF0YSI6eyJub25jZSI6IldUWGNTNlBQbzRsY2hId2JPSmVUeEx1MjRrcUg4MVNCTG4rL3Q4bkxRVDg9IiwidGVlLXB1YmtleSI6eyJhbGciOiJSU0ExXzUiLCJlIjoiQVFBQiIsImt0eSI6IlJTQSIsIm4iOiJwUnc4M05vZ2FUSXc0eVY0ZGVqV1M3dHhXQlBudDhsU2g2a0Rfa19TYjc2R1hmU1p1dEhOY2tQdTh6RXRlcFc0S1AyejVxa1VEcHFLZmdNMFFMTk9jTGpERzZWeG9rNjlvdkxPUEl0ZEVnNng1MlZYclQ2UEd0Qk1JUG16Y2d4YlZGaGtWcDJXb09pSTZaYmVqRnlXeFRxY1IyU3ZpdmdkdGZDVGdGVEtCUWRSSUZqam1HT2ZBd3FIR1otcjkxeW9YR1dwS09JY050dTdCZzl3Wm93aWtxb0JuZEE4ekNxUnRhT0MzcTJrM0IxdUVQaVVDSGJ2ZVBzQk9UbnVkVHNEbmd4RW15bEE3TDRzTXRkbTIxSmdoakVpM2k5UHRvbjVLMFdHUTRmN01WYlZJZlRLLWhiT3ZwSnd0cUdwOEM0bHJtV2FYZjkxOVhtRjdXMy1sRlhFdFEifX19LCJldmFsdWF0aW9uLXJlcG9ydHMiOlt7InBvbGljeS1oYXNoIjoiYzBlNzkyOTY3MWZiNjc4MDM4N2Y1NDc2MGQ4NGQ2NWQyY2U5NjA5M2RmYjMzZWZkYTIxZjVlYjA1YWZjZGE3N2JiYTQ0NGMwMmNkMTc3YjIzYTVkMzUwNzE2NzI2MTU3IiwicG9saWN5LWlkIjoiZGVmYXVsdCJ9XSwiZXhwIjoxNzQyMzY1NDYzLCJpYXQiOjE3NDIzNjUxNjMsImlzcyI6IkNvQ28tQXR0ZXN0YXRpb24tU2VydmljZSIsImp0aSI6IjhsNGw2YUJqN3IiLCJuYmYiOjE3NDIzNjUxNjMsInRjYi1zdGF0dXMiOiJ7XCJpbml0X2RhdGFcIjpcIkFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE9XCIsXCJyZXBvcnRfZGF0YVwiOlwiM24xZ0hxYzRraVBTcEVOVjVBSXpsV25BWWQ2N3BNZmloWUhTYmd4dU4yVkhhLy9jNTFLSWtuS1lhK21UUFJQaEFBQUFBQUFBQUFBQUFBQUFBQUFBQUE9PVwiLFwic25wLm1lYXN1cmVtZW50XCI6XCJXZXJadENaazFVL2FWUGNIWndPRzloc2RPOU5PTGFqSSthd0dmbUY2Q3E1R0l6QktTcW1Mc3dkV3IvdExiQW9GXCIsXCJzbnAucGxhdGZvcm1fc210X2VuYWJsZWRcIjpcIjFcIixcInNucC5wbGF0Zm9ybV90c21lX2VuYWJsZWRcIjpcIjBcIixcInNucC5wb2xpY3lfYWJpX21ham9yXCI6XCIwXCIsXCJzbnAucG9saWN5X2FiaV9taW5vclwiOlwiMFwiLFwic25wLnBvbGljeV9kZWJ1Z19hbGxvd2VkXCI6XCIwXCIsXCJzbnAucG9saWN5X21pZ3JhdGVfbWFcIjpcIjBcIixcInNucC5wb2xpY3lfc2luZ2xlX3NvY2tldFwiOlwiMFwiLFwic25wLnBvbGljeV9zbXRfYWxsb3dlZFwiOlwiMVwiLFwic25wLnJlcG9ydGVkX3RjYl9ib290bG9hZGVyXCI6XCI0XCIsXCJzbnAucmVwb3J0ZWRfdGNiX21pY3JvY29kZVwiOlwiMjE5XCIsXCJzbnAucmVwb3J0ZWRfdGNiX3NucFwiOlwiMjRcIixcInNucC5yZXBvcnRlZF90Y2JfdGVlXCI6XCIwXCJ9IiwidGVlIjoic25wIn0.NO8WodwJYN_J0m1jYYGQOrnFdqv_wiOlsy2x-8m2imb0zOv9SmaEh-jK204_V2U2C__JRd89Tw1-5NJrlvmBhTpbGHeuUIXCHXD-nTTsdQQ-4k-yEM6-5kmbCycMxA38bEx9J2-HMIjk4rFscO5OQjbuKVWMElzrRKOeRSgYdlGtqVfMUsCQpj8V8bdPV-pBiLuD440aEpWt0wCsVTHDVAKAyoLwlpkASTV2wiOVUOI6e_ZT5ApGKyV1EX1JxNwgNtHJ5H6OXWQxSYcv8mntkskPkq_id_IJp8slJI4uEVl5jvlfToAlCdsyMK_H4pNE0VhDe5MpBpUeP2er6SUOTg

Attestation token payload:

{
  "customized_claims": {
    "init_data": null,
    "runtime_data": {
      "nonce": "Pn26/CYqumELcdg0zIV989Nll5HEZ/rEF8pUGeiHAgQ=",
      "tee-pubkey": {
        "alg": "RSA1_5",
        "e": "AQAB",
        "kty": "RSA",
        "n": "pRw83NogaTIw4yV4dejWS7txWBPnt8lSh6kD_k_Sb76GXfSZutHNckPu8zEtepW4KP2z5qkUDpqKfgM0QLNOcLjDG6Vxok69ovLOPItdEg6x52VXrT6PGtBMIPmzcgxbVFhkVp2WoOiI6ZbejFyWxTqcR2SvivgdtfCTgFTKBQdRIFjjmGOfAwqHGZ-r91yoXGWpKOIcNtu7Bg9wZowikqoBndA8zCqRtaOC3q2k3B1uEPiUCHbvePsBOTnudTsDngxEmylA7L4sMtdm21JghjEi3i9Pton5K0WGQ4f7MVbVIfTK-hbOvpJwtqGp8C4lrmWaXf919XmF7W3-lFXEtQ"
      }
    }
  },
  "evaluation-reports": [
    {
      "policy-hash": "c0e7929671fb6780387f54760d84d65d2ce96093dfb33efda21f5eb05afcda77bba444c02cd177b23a5d350716726157",
      "policy-id": "default"
    }
  ],
  "exp": 1740477661,
  "iat": 1740477361,
  "iss": "CoCo-Attestation-Service",
  "jti": "NW16c3ZO3x",
  "nbf": 1740477361,
  "tcb-status": "{\"init_data\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\",\"report_data\":\"hnmityIPJY64Q0Dxk2KBLwVyIuB2lFju8QxCigbQPQVk59DUtQphGhIKeAIqW7XvAAAAAAAAAAAAAAAAAAAAAA==\",\"snp.measurement\":\"WerZtCZk1U/aVPcHZwOG9hsdO9NOLajI+awGfmF6Cq5GIzBKSqmLswdWr/tLbAoF\",\"snp.platform_smt_enabled\":\"1\",\"snp.platform_tsme_enabled\":\"0\",\"snp.policy_abi_major\":\"0\",\"snp.policy_abi_minor\":\"0\",\"snp.policy_debug_allowed\":\"0\",\"snp.policy_migrate_ma\":\"0\",\"snp.policy_single_socket\":\"0\",\"snp.policy_smt_allowed\":\"1\",\"snp.reported_tcb_bootloader\":\"4\",\"snp.reported_tcb_microcode\":\"219\",\"snp.reported_tcb_snp\":\"24\",\"snp.reported_tcb_tee\":\"0\"}",
  "tee": "snp"
}

How to reproduce

kbs-client --url https://trusteeserver:8080 --cert-file /root/host.crt get-resource --attestation-token /root/gcp_attestation_token --tee-key-file /root/trustee/kbs/test/tee_key.pem --path default/test/dummy_test

CoCo version information

kbs 0.1.0

What TEE are you seeing the problem on

Snp

Failing command and relevant log output

Server debug log:
debug.log

[fitzthum]

Hm, it would be useful to see the attestation token itself to make sure that it matches up with the policy. Can you get that via debug? (It's not the same as the attestation info that is currently being printed) You'll probably need to add a debug entry in the simple attestation token broker

[yuxisun1217]

Hi @fitzthum ,

Thanks! Could you please show more details about how to collect this attestation token you need? I'm not very clear how to collect it. Thanks!

[fitzthum]

If you don't mind changing the source, you can add a debug log around here printing out the token.

I notice your log also has [2025-02-25T09:56:01Z DEBUG actix_web::middleware::logger] Error in response: TokenVerifierError(TokenVerificationFailed { source: Cannot verify token since trusted JWK Set is empty })

it's pretty easy to get around that temporarily by setting insecure_key to true in the config. I'm not sure how that error relates to the PolicyDeny tho.