attestation.snp: reflect dependency of validators on productLine in verify.Options #1082
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
burgerdev
reviewed
Dec 18, 2024
Comment on lines
65
to
67
| v.logger.Info("Validation failed", "nonce", hex.EncodeToString(nonce), "error", err) | ||
| } else { | ||
| v.logger.Info("Validation successful") | ||
| v.logger.Info("Validation successful", "nonce", hex.EncodeToString(nonce)) |
There was a problem hiding this comment.
Do we need to log the nonce? If validation fails because of it, wouldn't we see that in the corresponding error?
There was a problem hiding this comment.
Logging considerations were moved to #1095
jmxnzo
force-pushed
the
bug/snp-attestation-jla
branch
from
b0a4247 to
18c2dbd
Compare
jmxnzo
changed the title
jmxnzo
changed the title
jmxnzo
force-pushed
the
bug/snp-attestation-jla
branch
from
18c2dbd to
df5e047
Compare
jmxnzo
force-pushed
the
bug/snp-attestation-jla
branch
from
df5e047 to
1d79796
Compare
burgerdev
approved these changes
Dec 20, 2024
|
Successfully created backport PR for |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Our reference values of SNP attestation have a hard dependency on the productLine used during attestation. This includes the derivation of trustedRoots, as well as the trustedMeasurements. By design, we start a validator configured with specific verifyOpts for each reference value.
This led to the error "VCEK could not be verified by any trusted roots", because validators configured with the wrong productLine tried to fulfill the attestation verification. Therefore this PR adds the explicit setting of the productLine in verifyOpts, to reflect the dependency of our reference values on the productLine. As expected we then run into the error below prior to validation, which reveals that a validator is configured for the wrong productLine:
time=2024-12-18T10:46:20.815Z level=ERROR msg="Validation failed" mesh-authority.validator.tee-type=snp mesh-authority.validator.nonce=6881501f40cebdb1492a87316e5a11cbb1bb9dfc2939240a9df098dacdab8b6a mesh-authority.validator.error="verifying report: expected product name SEV_PRODUCT_MILAN, got SEV_PRODUCT_GENOA"Logging considerations were moved to #1095