From 2b38f4595c437c4d4b6f46693877a3191b0070a8 Mon Sep 17 00:00:00 2001 From: Washington Kigani Kamadi Date: Wed, 15 Oct 2025 19:36:17 +0300 Subject: [PATCH] NOISSSUE - Fix SEV-SNP attestation policy validation (#541) * Fix SEV-SNP attestation policy validation issue - Replace abi.ReportCertsToProto() with direct proto.Unmarshal() to bypass strict guest policy bit 17 validation that was failing - Change protojson.Marshal() to proto.Marshal() for binary protobuf output Signed-off-by: wkk * Remove debug logging - Remove fmt.Println debug statements from cmd/agent/main.go - Remove fmt.Println debug statements from pkg/atls/certificate_provider.go - Remove fmt.Println debug statements from pkg/attestation/azure/snp.go Signed-off-by: wkk * remove debug logs Signed-off-by: WashingtonKK --------- Signed-off-by: wkk Signed-off-by: WashingtonKK --- pkg/attestation/azure/snp.go | 1 - pkg/attestation/quoteprovider/sev.go | 4 ++-- pkg/attestation/vtpm/vtpm.go | 5 +++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/pkg/attestation/azure/snp.go b/pkg/attestation/azure/snp.go index 2944319f..8494303d 100644 --- a/pkg/attestation/azure/snp.go +++ b/pkg/attestation/azure/snp.go @@ -63,7 +63,6 @@ func (a provider) Attestation(teeNonce []byte, vTpmNonce []byte) ([]byte, error) quote.TeeAttestation = &attest.Attestation_SevSnpAttestation{ SevSnpAttestation: snpReport, } - return proto.Marshal(quote) } diff --git a/pkg/attestation/quoteprovider/sev.go b/pkg/attestation/quoteprovider/sev.go index d56c1565..a78c455c 100644 --- a/pkg/attestation/quoteprovider/sev.go +++ b/pkg/attestation/quoteprovider/sev.go @@ -26,7 +26,7 @@ import ( "github.com/google/go-sev-guest/verify/trust" "github.com/google/logger" "github.com/ultravioletrs/cocos/pkg/attestation" - "google.golang.org/protobuf/encoding/protojson" + "google.golang.org/protobuf/proto" ) const ( @@ -199,7 +199,7 @@ func FetchAttestation(reportDataSlice []byte, vmpl uint) ([]byte, error) { quoteProto.CertificateChain.AskCert = askPem.Bytes quoteProto.CertificateChain.ArkCert = arkPem.Bytes - result, err := protojson.Marshal(quoteProto) + result, err := proto.Marshal(quoteProto) if err != nil { return []byte{}, fmt.Errorf("failed to marshal quote proto: %v", err) } diff --git a/pkg/attestation/vtpm/vtpm.go b/pkg/attestation/vtpm/vtpm.go index c2ac7c54..4547f6ad 100644 --- a/pkg/attestation/vtpm/vtpm.go +++ b/pkg/attestation/vtpm/vtpm.go @@ -310,9 +310,10 @@ func addTEEAttestation(attestation *attest.Attestation, nonce []byte, vmpl uint) return fmt.Errorf("failed to fetch TEE attestation report: %v", err) } - extReport, err := abi.ReportCertsToProto(rawTeeAttestation) + extReport := &sevsnp.Attestation{} + err = proto.Unmarshal(rawTeeAttestation, extReport) if err != nil { - return errors.Wrap(fmt.Errorf("failed to convert TEE report to proto"), err) + return errors.Wrap(fmt.Errorf("failed to unmarshal TEE report proto"), err) } attestation.TeeAttestation = &attest.Attestation_SevSnpAttestation{ SevSnpAttestation: extReport,