Bug
Resolution: Unresolved
Medium
Description
I am using an SNP machine with firmware version 2.19.0 and fail to get the key. If I roll back to firmware version 2.18.1 (the default), it works well. Firmware version 2.19.0 doesn't work for CoCo on bare metal.
Steps to reproduce
1. Installed the helper scripts quay.io/openshift_sandboxed_containers/install-helpers:0.2.0
2. Installed the Trustee Operator ( cd $HOME/install-helpers/trustee ; ./install.sh )
3. Installed the CoCo artifacts ( cd $HOME/install-helpers/baremetal-coco ; ./install.sh -t snp )
4. Started a CoCo pod with the kata-cc RuntimeClass:
oc get pods
NAME         READY   STATUS    RESTARTS      AGE
ocp-cc-snp   1/1     Running   1 (18m ago)   27
5. With firmware version 2.18.1, the key can be fetched. It works well.
6. With firmware version 2.19.0, fetching the key fails.
Expected result
For firmware version 2.19.0, it works well (the key can be fetched).
Actual result
#oc exec -it ocp-cc-snp -- curl http://127.0.0.1:8006/cdh/resource/default/encryption-key/key
rpc status: Status { code: INTERNAL, message: "[CDH] [ERROR]: Get Resource failed", details: [], special_fields: SpecialFields { unknown_fields: UnknownFields { fields: None }, cached_size: CachedSize { size: 0 } } }
#oc logs trustee-deployment-75d99c9895-jstmm -n trustee-operator-system
[2025-07-04T02:24:28Z INFO kbs] Using config file /etc/kbs-config/kbs-config.toml
[2025-07-04T02:24:28Z WARN kbs::admin] insecure admin APIs are enabled
[2025-07-04T02:24:28Z INFO attestation_service::rvps] launch a built-in RVPS.
[2025-07-04T02:24:28Z INFO attestation_service::token::ear_broker] Loading default AS policy "ear_default_policy.rego"
[2025-07-04T02:24:28Z INFO attestation_service::token::ear_broker] No Token Signer key in config file, create an ephemeral key and without CA pubkey cert
[2025-07-04T02:24:28Z INFO kbs::api_server] Starting HTTP server at [0.0.0.0:8080]
[2025-07-04T02:24:28Z INFO actix_server::builder] starting 64 workers
[2025-07-04T02:24:28Z INFO actix_server::server] Actix runtime found; starting in Actix runtime
[2025-07-04T02:24:28Z INFO actix_server::server] starting service: "actix-web-service-0.0.0.0:8080", workers: 64, listening on: 0.0.0.0:8080
[2025-07-04T02:29:22Z INFO actix_web::middleware::logger] 10.128.1.90 "POST /kbs/v0/auth HTTP/1.1" 200 74 "-" "attestation-agent-kbs-client/0.1.0" 0.000451
[2025-07-04T02:29:24Z ERROR kbs::error] AttestationError(RcarAttestFailed { source: verify TEE evidence failed Caused by: Verifier evaluate failed: Unexpected attestation report version. Check SNP Firmware ABI specification })
[2025-07-04T02:29:24Z INFO actix_web::middleware::logger] 10.128.1.90 "POST /kbs/v0/attest HTTP/1.1" 401 140 "-" "attestation-agent-kbs-client/0.1.0" 1.780984
[2025-07-04T02:29:25Z INFO actix_web::middleware::logger] 10.128.1.90 "POST /kbs/v0/auth HTTP/1.1" 200 74 "-" "attestation-agent-kbs-client/0.1.0" 0.000564
[2025-07-04T02:29:26Z ERROR kbs::error] AttestationError(RcarAttestFailed { source: verify TEE evidence failed Caused by: Verifier evaluate failed: Unable to fetch VCEK from URL: 429 })
[2025-07-04T02:29:26Z INFO actix_web::middleware::logger] 10.128.1.90 "POST /kbs/v0/attest HTTP/1.1" 401 140 "-" "attestation-agent-kbs-client/0.1.0" 1.176148
[2025-07-04T02:29:27Z INFO actix_web::middleware::logger] 10.128.1.90 "POST /kbs/v0/auth HTTP/1.1" 200 74 "-" "attestation-agent-kbs-client/0.1.0" 0.000902
[2025-07-04T02:29:28Z ERROR kbs::error] AttestationError(RcarAttestFailed { source: verify TEE evidence failed Caused by: Verifier evaluate failed: Unable to fetch VCEK from URL: 429 })
[2025-07-04T02:29:28Z INFO actix_web::middleware::logger] 10.128.1.90 "POST /kbs/v0/attest HTTP/1.1" 401 140 "-" "attestation-agent-kbs-client/0.1.0" 1.174242
[2025-07-04T02:29:29Z INFO actix_web::middleware::logger] 10.128.1.90 "POST /kbs/v0/auth HTTP/1.1" 200 74 "-" "attestation-agent-kbs-client/0.1.0" 0.000486
[2025-07-04T02:29:30Z ERROR kbs::error] AttestationError(RcarAttestFailed { source: verify TEE evidence failed Caused by: Verifier evaluate failed: Unable to fetch VCEK from URL: 429 })
[2025-07-04T02:29:30Z INFO actix_web::middleware::logger] 10.128.1.90 "POST /kbs/v0/attest HTTP/1.1" 401 140 "-" "attestation-agent-kbs-client/0.1.0" 1.171135
[2025-07-04T02:29:32Z INFO actix_web::middleware::logger] 10.128.1.90 "POST /kbs/v0/auth HTTP/1.1" 200 74 "-" "attestation-agent-kbs-client/0.1.0" 0.000678
[2025-07-04T02:29:33Z ERROR kbs::error] AttestationError(RcarAttestFailed { source: verify TEE evidence failed Caused by: Verifier evaluate failed: Unable to fetch VCEK from URL: 429 })
[2025-07-04T02:29:33Z INFO actix_web::middleware::logger] 10.128.1.90 "POST /kbs/v0/attest HTTP/1.1" 401 140 "-" "attestation-agent-kbs-client/0.1.0" 1.144770
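The trustee log above carries two distinct attestation failure causes: the first attest attempt fails on the report version check, and every retry after it fails on an HTTP 429 when fetching the VCEK, so the retries hide the original error. The following triage script is an added example (not part of this report or of the Trustee project) that splits KBS log lines by cause and records the HTTP status of each /kbs/v0/attest call; the sample input is a subset of the lines quoted above.

```python
import re
from collections import Counter

# Sample input: a subset of the trustee/KBS log lines quoted in this report.
SAMPLE_LOG = """\
[2025-07-04T02:29:22Z INFO actix_web::middleware::logger] 10.128.1.90 "POST /kbs/v0/auth HTTP/1.1" 200 74 "-" "attestation-agent-kbs-client/0.1.0" 0.000451
[2025-07-04T02:29:24Z ERROR kbs::error] AttestationError(RcarAttestFailed { source: verify TEE evidence failed Caused by: Verifier evaluate failed: Unexpected attestation report version. Check SNP Firmware ABI specification })
[2025-07-04T02:29:24Z INFO actix_web::middleware::logger] 10.128.1.90 "POST /kbs/v0/attest HTTP/1.1" 401 140 "-" "attestation-agent-kbs-client/0.1.0" 1.780984
[2025-07-04T02:29:25Z INFO actix_web::middleware::logger] 10.128.1.90 "POST /kbs/v0/auth HTTP/1.1" 200 74 "-" "attestation-agent-kbs-client/0.1.0" 0.000564
[2025-07-04T02:29:26Z ERROR kbs::error] AttestationError(RcarAttestFailed { source: verify TEE evidence failed Caused by: Verifier evaluate failed: Unable to fetch VCEK from URL: 429 })
[2025-07-04T02:29:26Z INFO actix_web::middleware::logger] 10.128.1.90 "POST /kbs/v0/attest HTTP/1.1" 401 140 "-" "attestation-agent-kbs-client/0.1.0" 1.176148
"""

# "[<timestamp> <LEVEL> <rust target>] <message>" as emitted by the KBS logger.
LINE_RE = re.compile(r"^\[(?P<ts>\S+) (?P<level>\w+) (?P<target>\S+)\] (?P<msg>.*)$")
# The verifier's own reason, as wrapped inside RcarAttestFailed { ... }.
CAUSE_RE = re.compile(r"Verifier evaluate failed: (?P<cause>.*?) \}\)$")
# actix access-log fragment: "<METHOD> <path> HTTP/x.y" <status>
HTTP_RE = re.compile(r'"(?P<method>\w+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
VCEK_RE = re.compile(r"Unable to fetch VCEK from URL: (?P<code>\d{3})")


def classify_cause(cause):
    """Map a verifier failure reason to a stable triage label."""
    if "Unexpected attestation report version" in cause:
        return "report-version-mismatch"
    m = VCEK_RE.search(cause)
    if m:
        return f"vcek-fetch-http-{m['code']}"
    return "other"


def triage(log_text):
    """Return (Counter of failure causes, list of /kbs/v0/attest HTTP statuses)."""
    causes, attest_statuses = Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["level"] == "ERROR":
            c = CAUSE_RE.search(m["msg"])
            causes[classify_cause(c["cause"] if c else m["msg"])] += 1
        else:
            h = HTTP_RE.search(m["msg"])
            if h and h["path"] == "/kbs/v0/attest":
                attest_statuses.append(int(h["status"]))
    return causes, attest_statuses


def first_error_cause(log_text):
    """The cause of the earliest ERROR line, which retries would otherwise mask."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["level"] == "ERROR":
            c = CAUSE_RE.search(m["msg"])
            return classify_cause(c["cause"] if c else m["msg"])
    return None
```

On the full log above this reports one report-version-mismatch followed by five vcek-fetch-http-429 entries, with every attest call answered 401.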
Env
- oc version
Client Version: 4.15.0-0.nightly-2024-01-22-051500
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: 4.18.18
Kubernetes Version: v1.31.9
- trustee-operator.v0.3.0
- sandboxed-containers-operator.v1.9.0
Additional helpful info
I only tested the SNP machine's firmware version; I did not test a TDX machine.