
[GCP]Policy deny when set snp measurement as policy #719

Open
yuxisun1217 opened this issue Feb 25, 2025 · 1 comment
Labels
bug Something isn't working

Comments

yuxisun1217 commented Feb 25, 2025

Describe the bug

In a GCP VM, if I use the SNP measurement as the policy, it always hits a "PolicyDeny" error on get-resource.
The attestation step can pass.

Server policy:

package policy
default allow = false
input_tcb := input["tcb-status"]
allow {
    input_tcb["snp"]["measurement"] == "WerZtCZk1U/aVPcHZwOG9hsdO9NOLajI+awGfmF6Cq5GIzBKSqmLswdWr/tLbAoF"
}

Attestation token payload:

{
  "customized_claims": {
    "init_data": null,
    "runtime_data": {
      "nonce": "Pn26/CYqumELcdg0zIV989Nll5HEZ/rEF8pUGeiHAgQ=",
      "tee-pubkey": {
        "alg": "RSA1_5",
        "e": "AQAB",
        "kty": "RSA",
        "n": "pRw83NogaTIw4yV4dejWS7txWBPnt8lSh6kD_k_Sb76GXfSZutHNckPu8zEtepW4KP2z5qkUDpqKfgM0QLNOcLjDG6Vxok69ovLOPItdEg6x52VXrT6PGtBMIPmzcgxbVFhkVp2WoOiI6ZbejFyWxTqcR2SvivgdtfCTgFTKBQdRIFjjmGOfAwqHGZ-r91yoXGWpKOIcNtu7Bg9wZowikqoBndA8zCqRtaOC3q2k3B1uEPiUCHbvePsBOTnudTsDngxEmylA7L4sMtdm21JghjEi3i9Pton5K0WGQ4f7MVbVIfTK-hbOvpJwtqGp8C4lrmWaXf919XmF7W3-lFXEtQ"
      }
    }
  },
  "evaluation-reports": [
    {
      "policy-hash": "c0e7929671fb6780387f54760d84d65d2ce96093dfb33efda21f5eb05afcda77bba444c02cd177b23a5d350716726157",
      "policy-id": "default"
    }
  ],
  "exp": 1740477661,
  "iat": 1740477361,
  "iss": "CoCo-Attestation-Service",
  "jti": "NW16c3ZO3x",
  "nbf": 1740477361,
  "tcb-status": "{\"init_data\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\",\"report_data\":\"hnmityIPJY64Q0Dxk2KBLwVyIuB2lFju8QxCigbQPQVk59DUtQphGhIKeAIqW7XvAAAAAAAAAAAAAAAAAAAAAA==\",\"snp.measurement\":\"WerZtCZk1U/aVPcHZwOG9hsdO9NOLajI+awGfmF6Cq5GIzBKSqmLswdWr/tLbAoF\",\"snp.platform_smt_enabled\":\"1\",\"snp.platform_tsme_enabled\":\"0\",\"snp.policy_abi_major\":\"0\",\"snp.policy_abi_minor\":\"0\",\"snp.policy_debug_allowed\":\"0\",\"snp.policy_migrate_ma\":\"0\",\"snp.policy_single_socket\":\"0\",\"snp.policy_smt_allowed\":\"1\",\"snp.reported_tcb_bootloader\":\"4\",\"snp.reported_tcb_microcode\":\"219\",\"snp.reported_tcb_snp\":\"24\",\"snp.reported_tcb_tee\":\"0\"}",
  "tee": "snp"
}

How to reproduce

kbs-client --url https://trusteeserver:8080 --cert-file /root/host.crt get-resource --attestation-token /root/gcp_attestation_token --tee-key-file /root/trustee/kbs/test/tee_key.pem --path default/test/dummy_test

CoCo version information

kbs 0.1.0

What TEE are you seeing the problem on

Snp

Failing command and relevant log output

Server debug log:
debug.log
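An added diagnostic, not part of this issue or of the Trustee code: it takes the tcb-status claim copied from the token above and evaluates the two reference shapes a policy could use, the nested `input_tcb["snp"]["measurement"]` from the reported policy and the flat `"snp.measurement"` key the token actually carries. It assumes the policy input is the token claims as shown and does not model how the KBS itself prepares that input.

```python
import json

# Constructed from the report above: the tcb-status claim is a JSON *string*
# whose keys are flat, dot-separated names ("snp.measurement"), not nested
# objects. Abridged to the keys this check needs.
TCB_STATUS_CLAIM = (
    '{"init_data":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",'
    '"snp.measurement":"WerZtCZk1U/aVPcHZwOG9hsdO9NOLajI+awGfmF6Cq5GIzBKSqmLswdWr/tLbAoF",'
    '"snp.policy_debug_allowed":"0","snp.reported_tcb_snp":"24"}'
)
# Reference value taken from the Rego policy in the report.
EXPECTED_MEASUREMENT = "WerZtCZk1U/aVPcHZwOG9hsdO9NOLajI+awGfmF6Cq5GIzBKSqmLswdWr/tLbAoF"


def lookup(node, path):
    """Follow a key path the way a Rego reference does: a missing key or a
    non-object step yields undefined (None here) instead of raising."""
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def check_measurement(tcb_status, expected, parse_string=True):
    """Evaluate both candidate reference shapes against the claim.

    nested: input_tcb["snp"]["measurement"]  (shape used by the reported policy)
    flat:   input_tcb["snp.measurement"]     (key name actually in the token)
    parse_string=False models the claim reaching the policy as an unparsed string,
    in which case neither reference resolves and the policy denies.
    """
    claims = tcb_status
    if parse_string and isinstance(tcb_status, str):
        claims = json.loads(tcb_status)
    return {
        "nested": lookup(claims, ["snp", "measurement"]) == expected,
        "flat": lookup(claims, ["snp.measurement"]) == expected,
    }


if __name__ == "__main__":
    for parsed in (True, False):
        result = check_measurement(TCB_STATUS_CLAIM, EXPECTED_MEASUREMENT, parsed)
        print(f"parsed={parsed}: {result}")
```

Running it shows that only the flat key matches the measurement in the token, which is the comparison fitzthum asks for below before any change to the policy or the token broker.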

@yuxisun1217 yuxisun1217 added the bug Something isn't working label Feb 25, 2025
fitzthum (Member) commented Mar 3, 2025

Hm, it would be useful to see the attestation token itself to make sure that it matches up with the policy. Can you get that via debug? (It's not the same as the attestation info that is currently being printed.) You'll probably need to add a debug entry in the simple attestation token broker.
