
Error fetching report from TPM on Azure #2

Open
octaviansima opened this issue Dec 13, 2023 · 1 comment

Comments

@octaviansima

Hi,

I've been working on setting up the agent and the server as plugins using SPIRE's K8s quickstart as a starting point. I'm able to get the server deployed no problem, but I'm running into the following error with the agent:

time="2023-12-13T21:05:11Z" level=debug msg="panic: runtime error: slice bounds out of range [:1216] with capacity 0" external=true plugin_name=amd_sev_snp plugin_type=NodeAttestor subsystem_name=amd_sev_snp.snp-agent-plugin
time="2023-12-13T21:05:11Z" level=debug external=true plugin_name=amd_sev_snp plugin_type=NodeAttestor subsystem_name=amd_sev_snp.snp-agent-plugin
time="2023-12-13T21:05:11Z" level=debug msg="goroutine 26 [running]:" external=true plugin_name=amd_sev_snp plugin_type=NodeAttestor subsystem_name=amd_sev_snp.snp-agent-plugin
time="2023-12-13T21:05:11Z" level=debug msg="snp/agent/snp/snputil.GetReportTPM()" external=true plugin_name=amd_sev_snp plugin_type=NodeAttestor subsystem_name=amd_sev_snp.snp-agent-plugin

This indicates that there seems to be a panic in snputil.GetReportTPM(). Full logs are attached in case I'm missing something -- sev_agent_logs.txt. My plugin config is also as follows:

Server

      NodeAttestor "amd_sev_snp" {
        plugin_cmd = "/opt/spire/plugin/snp-server-plugin"
        plugin_data {
          amd_cert_chain = "/opt/spire/plugin/cert_chain.pem"
        }
      }

Where cert_chain.pem is obtained via

curl --proto '=https' --tlsv1.2 -sSf https://kdsintf.amd.com/vcek/v1/Milan/cert_chain -o cert_chain.pem

Agent

      NodeAttestor "amd_sev_snp" {
        plugin_cmd = "/opt/spire/plugin/snp-agent-plugin"
        plugin_data {
          ek_path = "/opt/spire/plugin/vcek.pem"
        }
      }

Where vcek.pem is obtained via (Azure documentation)

curl -H Metadata:true http://169.254.169.254/metadata/THIM/amd/certification > vcek
cat ./vcek | jq -r '.vcekCert , .certificateChain' > ./vcek.pem

This is all running in a minikube instance on an SEV-SNP enabled VM in Azure (no SEV device available). Any idea what could be wrong here? Thank you for any help.

@Anderson-Melo (Collaborator)

Hi @octaviansima, did you expose the vTPM device to the pod? The plugin communicates with this device (/dev/tpm0) to retrieve the SNP Report.
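The failure mode in this thread (an empty buffer sliced to a fixed report length, which Go turns into a runtime panic) and the maintainer's hint (the agent needs `/dev/tpm0` visible in the pod) can both be caught before any slicing happens. The following Go program is an added illustration written for this issue, not code from the SPIRE SEV-SNP plugin or its `snputil` package. It assumes the report length 1216 only because that is the bound shown in the panic message, and the `read` callback stands in for whatever the real plugin uses to pull bytes from the vTPM; both are assumptions, not the plugin's actual layout or API.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// Assumed values for this example (not taken from the plugin's source):
// the device path is the one named in the maintainer's reply, and the
// report size is the bound that appeared in the panic message.
const (
	tpmDevicePath      = "/dev/tpm0"
	expectedReportSize = 1216
)

// ErrNoTPMDevice is returned when the vTPM character device is not visible
// to the process, e.g. because it was not exposed to the pod.
var ErrNoTPMDevice = errors.New("vTPM device not available; expose /dev/tpm0 to the pod")

// ErrShortReport is returned when the bytes read are shorter than the
// report the caller wants to slice out of them.
var ErrShortReport = errors.New("report buffer shorter than expected")

// checkTPMDevice verifies that path exists and is a character device.
// Doing this up front turns a missing device into a descriptive error
// instead of an empty read further down the call chain.
func checkTPMDevice(path string) error {
	fi, err := os.Stat(path)
	if err != nil {
		return fmt.Errorf("%w: %v", ErrNoTPMDevice, err)
	}
	if fi.Mode()&os.ModeCharDevice == 0 {
		return fmt.Errorf("%w: %s is not a character device", ErrNoTPMDevice, path)
	}
	return nil
}

// extractReport is the bounds-checked counterpart of a bare buf[:size].
// With a zero-capacity buffer, buf[:1216] panics; this returns an error.
func extractReport(buf []byte, size int) ([]byte, error) {
	if size <= 0 {
		return nil, fmt.Errorf("invalid report size %d", size)
	}
	if len(buf) < size {
		return nil, fmt.Errorf("%w: got %d bytes, need %d", ErrShortReport, len(buf), size)
	}
	return buf[:size], nil
}

// getReportTPM shows the defensive ordering: device check, read, then a
// length-validated slice. The read callback is a hypothetical stand-in for
// the real vTPM access.
func getReportTPM(devicePath string, read func() ([]byte, error)) ([]byte, error) {
	if err := checkTPMDevice(devicePath); err != nil {
		return nil, err
	}
	raw, err := read()
	if err != nil {
		return nil, fmt.Errorf("reading report from vTPM: %w", err)
	}
	return extractReport(raw, expectedReportSize)
}

func main() {
	// Constructed input: an empty buffer, the condition behind the panic.
	if _, err := extractReport([]byte{}, expectedReportSize); err != nil {
		fmt.Println("empty buffer:", err)
	}
	// Constructed input: a buffer large enough to hold a report.
	rep, err := extractReport(make([]byte, expectedReportSize+100), expectedReportSize)
	fmt.Println("report bytes:", len(rep), "err:", err)
	// Real device check: on a host or pod without the vTPM this reports
	// ErrNoTPMDevice instead of failing later inside the read path.
	if err := checkTPMDevice(tpmDevicePath); err != nil {
		fmt.Println(err)
	}
}
```

Run it inside the agent pod: if the first thing printed is the `ErrNoTPMDevice` message, the pod does not have the device the plugin needs, which is the situation the reply above points at.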
