[GCP] Attestation failed with the latest version #795

yuxisun1217 opened this issue May 19, 2025 · 2 comments
Labels
bug Something isn't working


yuxisun1217 commented May 19, 2025

Describe the bug

The attestation failed with the latest version on GCP (I pulled it today).
Server: SNP
Client: SNP

How to reproduce

Compile and install the trustee server from the main branch source code in a GCP SNP VM.
Copy the kbs-client to another GCP SNP VM in the same subnet.
Generate tee_pubkey.pem and tee_key.pem. Put tee_pubkey.pem in the server VM's /opt/confidential-containers/kbs/repository/ path.
Server: /usr/local/bin/kbs --config-file /root/trustee/kbs/config/kbs-config.toml

# cat kbs-config.toml
[http_server]
insecure_http = true
sockets = ["127.0.0.1:8080", "10.128.0.88:8080"]

[attestation_token]
insecure_key = true

[attestation_service]
type = "coco_as_builtin"
work_dir = "/opt/confidential-containers/attestation-service"
policy_engine = "opa"

[attestation_service.attestation_token_broker]
type = "Ear"
duration_min = 5

[attestation_service.rvps_config]
type = "BuiltIn"

[policy_engine]
policy_path = "/opa/confidential-containers/kbs/policy.rego"

[admin]
insecure_api = true

[[plugins]]
name = "resource"
type = "LocalFs"
dir_path = "/opt/confidential-containers/kbs/repository"

CoCo version information

The latest main branch

What TEE are you seeing the problem on

Snp

Failing command and relevant log output

kbs-client --url http://trusteeserver:8080  attest --tee-key-file tee_key.pem

Client reports:

WARNING:esys:src/tss2-esys/api/Esys_NV_ReadPublic.c:309:Esys_NV_ReadPublic_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/esys_tr.c:243:Esys_TR_FromTPMPublic_Finish() Error NV_ReadPublic ErrorCode (0x0000018b) 
ERROR:esys:src/tss2-esys/esys_tr.c:402:Esys_TR_FromTPMPublic() Error TR FromTPMPublic ErrorCode (0x0000018b) 
[2025-05-19T11:00:53Z ERROR tss_esapi::context::general_esys_tr] Error when getting ESYS handle from TPM handle: the handle is not correct for the use (associated with handle number 1)
[2025-05-19T11:00:53Z INFO  tss_esapi::context] Closing context.
[2025-05-19T11:00:53Z INFO  tss_esapi::context] Context closed.
[2025-05-19T11:00:55Z WARN  kbs_protocol::client::rcar_client] RCAR handshake failed: RcarHandshake("KBS attest unauthorized, Error Info: ErrorInformation { error_type: \"https://github.com/confidential-containers/kbs/errors/AttestationError\", detail: \"Attestation error: RCAR handshake Attest failed\" }"), retry 1...
[2025-05-19T11:00:58Z WARN  kbs_protocol::client::rcar_client] RCAR handshake failed: RcarHandshake("KBS attest unauthorized, Error Info: ErrorInformation { error_type: \"https://github.com/confidential-containers/kbs/errors/AttestationError\", detail: \"Attestation error: RCAR handshake Attest failed\" }"), retry 2...
[2025-05-19T11:01:03Z WARN  kbs_protocol::client::rcar_client] RCAR handshake failed: RcarHandshake("KBS attest unauthorized, Error Info: ErrorInformation { error_type: \"https://github.com/confidential-containers/kbs/errors/AttestationError\", detail: \"Attestation error: RCAR handshake Attest failed\" }"), retry 3...
[2025-05-19T11:01:07Z WARN  kbs_protocol::client::rcar_client] RCAR handshake failed: RcarHandshake("KBS attest unauthorized, Error Info: ErrorInformation { error_type: \"https://github.com/confidential-containers/kbs/errors/AttestationError\", detail: \"Attestation error: RCAR handshake Attest failed\" }"), retry 4...
Error: RCAR handshake failed: Unable to get token. RCAR handshake retried 5 times. Final attempt failed with: RcarHandshake("KBS attest unauthorized, Error Info: ErrorInformation { error_type: \"https://github.com/confidential-containers/kbs/errors/AttestationError\", detail: \"Attestation error: RCAR handshake Attest failed\" }")

Server reports:

2025-05-19T10:32:38Z INFO  actix_web::middleware::logger] 10.128.0.88 "POST /kbs/v0/attest HTTP/1.1" 401 140 "-" "attestation-agent-kbs-client/0.1.0" 0.002192
[2025-05-19T10:32:39Z INFO  actix_web::middleware::logger] 10.128.0.88 "POST /kbs/v0/auth HTTP/1.1" 200 74 "-" "attestation-agent-kbs-client/0.1.0" 0.000047
[2025-05-19T10:32:43Z ERROR kbs::error] AttestationError(RcarAttestFailed { source: verify TEE evidence failed
    
    Caused by:
        Verifier evaluate failed: Unexpected attestation report version. Check SNP Firmware ABI specification })
yuxisun1217 added the bug label May 19, 2025
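
The server log above shows the verifier rejecting the evidence on the report's version field. As an added example (not Trustee's verifier code and not part of the issue), this Rust code reads the version from a raw SNP attestation report and fails closed when it is outside an allow-list. The type and function names, the allow-list values and the zeroed sample report are assumptions constructed for the example.

```rust
// Added example; not Trustee's verifier code. Offsets follow the
// ATTESTATION_REPORT layout in AMD's SEV-SNP Firmware ABI specification.
const REPORT_LEN: usize = 0x4A0; // report body plus signature

#[derive(Debug, PartialEq)]
pub enum ReportError {
    Truncated { got: usize },
    UnexpectedVersion { found: u32 },
}

#[derive(Debug, PartialEq)]
pub struct ReportHeader {
    pub version: u32,   // offset 0x00
    pub guest_svn: u32, // offset 0x04
    pub policy: u64,    // offset 0x08
    pub vmpl: u32,      // offset 0x30
}

// Read `n` little-endian bytes starting at `off`.
fn le(b: &[u8], off: usize, n: usize) -> u64 {
    b[off..off + n].iter().rev().fold(0u64, |acc, &x| (acc << 8) | x as u64)
}

/// `accepted` is the caller's allow-list of report versions (an assumption
/// of this example; the issue does not say which versions are accepted).
pub fn parse_header(report: &[u8], accepted: &[u32]) -> Result<ReportHeader, ReportError> {
    if report.len() < REPORT_LEN {
        return Err(ReportError::Truncated { got: report.len() });
    }
    let version = le(report, 0x00, 4) as u32;
    // Fail closed: do not interpret a layout this code was not written for.
    if !accepted.contains(&version) {
        return Err(ReportError::UnexpectedVersion { found: version });
    }
    let (guest_svn, vmpl) = (le(report, 0x04, 4) as u32, le(report, 0x30, 4) as u32);
    Ok(ReportHeader { version, guest_svn, policy: le(report, 0x08, 8), vmpl })
}

/// Constructed sample: a zeroed report with only VERSION and VMPL set.
pub fn sample_report(version: u32) -> Vec<u8> {
    let mut r = vec![0u8; REPORT_LEN];
    r[0..4].copy_from_slice(&version.to_le_bytes());
    r[0x30..0x34].copy_from_slice(&1u32.to_le_bytes());
    r
}

fn main() {
    println!("{:?}", parse_header(&sample_report(3), &[2]));
    println!("{:?}", parse_header(&sample_report(3), &[2, 3]));
}
```

Running the same version read over the raw report a platform actually returns shows which report version the verifier has to accept.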
@fitzthum
Member

We will support newer report versions in #792

@Xynnn007
Member

What Tobin means is #785
