google / go-tdx-guest

go-tdx-guest offers a library to wrap the /dev/tdx-guest device in Linux, as well as a library for attestation verification of fundamental components of an attestation quote.
Apache License 2.0

Failed to verify TCB info #37

Closed pegahnikbakht closed 8 months ago

pegahnikbakht commented 9 months ago

Hi,

I extracted an attestation report from a Google TDX VM and tried to verify it with the following command:

./check -in report -inform textproto -get_collateral true -check_crl true

But I get the following error: FATAL: could not verify the TDX Quote: TDX TCB info reported by Intel PCS failed TCB status check: SVN at index 1(0) in Tcb.TdxTcbcomponents is not equal to TD Quote Body's index 1(1) TEE TCB svn value

Do I miss anything?

If I remove -get_collateral true -check_crl true from the check command it works fine.

jrjatin commented 9 months ago

It appears that TCB Info is not supported. When the get_collateral flag is set to true, it uses Intel's PCS API service to further verify quote data. You can refer to Intel's doc for more information: https://api.portal.trustedservices.intel.com/content/documentation.html#pcs-tcb-info-tdx-v4
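As an added illustration (not go-tdx-guest code), the snippet below shows the TDX TCB-level match a verifier performs against PCS TCB info, simplified to the TEE TCB SVN comparison: a level is satisfied when every compared quote SVN is at least the level's component SVN, so the values in the error above (component 0 versus quote 1 at index 1) do not by themselves make a level unsatisfied. Struct and function names are assumptions; the SGX component, PCE SVN and tdxModuleIdentities checks are omitted.

```go
package main

import "fmt"

// TcbLevel holds the TDX-relevant fields of one "tcbLevels" entry from a
// PCS TDX TCB info response (field names are assumptions for this example).
type TcbLevel struct {
	TdxTcbComponents [16]uint8 // tcb.tdxtcbcomponents[i].svn
	TcbStatus        string    // e.g. "UpToDate", "OutOfDate", "Revoked"
}

// levelMatches reports whether each compared TEE TCB SVN from the quote is
// at least the level's component SVN at the same index. Per Intel's TCB info
// documentation, indices 0 and 1 (TDX module SVNs) are skipped when the
// quote's index 1 is non-zero; the module is then matched via
// tdxModuleIdentities, which this simplified example omits.
func levelMatches(teeTcbSvn [16]uint8, lvl TcbLevel) bool {
	start := 0
	if teeTcbSvn[1] != 0 {
		start = 2
	}
	for i := start; i < 16; i++ {
		if teeTcbSvn[i] < lvl.TdxTcbComponents[i] {
			return false
		}
	}
	return true
}

// MatchTdxTcbLevel walks the levels in the order PCS returns them (newest
// first) and returns the tcbStatus of the first level the quote satisfies.
func MatchTdxTcbLevel(teeTcbSvn [16]uint8, levels []TcbLevel) (string, error) {
	for _, lvl := range levels {
		if levelMatches(teeTcbSvn, lvl) {
			return lvl.TcbStatus, nil
		}
	}
	return "", fmt.Errorf("no TCB level in TCB info matches TEE TCB SVN %v", teeTcbSvn)
}

func main() {
	// Constructed sample: the quote's TEE TCB SVN carries 1 at index 1 while
	// the newest level lists 0 there, the situation in the error above.
	quoteSvn := [16]uint8{3, 1, 2, 0}
	levels := []TcbLevel{
		{TdxTcbComponents: [16]uint8{3, 0, 2, 0}, TcbStatus: "UpToDate"},
		{TdxTcbComponents: [16]uint8{2, 0, 1, 0}, TcbStatus: "OutOfDate"},
	}
	status, err := MatchTdxTcbLevel(quoteSvn, levels)
	fmt.Println(status, err) // UpToDate <nil>
}
```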

jrjatin commented 8 months ago

https://github.com/google/go-tdx-guest/pull/38 Please verify with these changes. This should fix the issue.