Problem Summary
Hi. My environment is displaying inconsistent TCB (Trusted Computing Base) version reports across different AMD SNP interfaces. This leads to an attestation failure: "report not signed by VCK". I manually found the actual TCB version that can verify the report: the Current TCB in the report. But it is different from what various tools (snphost/snpguest) use.
I will show all the TCB versions I have found on my host. Could you let me know which ones I can change? Also, why are mine so out of sync? Did I miss a step?
Environment Details
Hardware & Firmware:
- AMD EPYC processor (Milan)
- SEV firmware version: 1.55 build 29
- SNP API: 1.55 build 29
Software:
- Kernel: 6.11.0-rc3-snp-host-85ef1ac03941
- SEV-SNP enabled (ASIDs 1-15)
- RMP table initialized at [0x0000000016000000 - 0x00000000568fffff]
Inconsistent TCB Version Reports

1. Inside CVM (Confidential VM)

Generate a report using `sudo snpguest report report.bin request -r`.

Using `snpguest display report report.bin`:

```
Current TCB:
  Microcode: 213
  SNP: 14          ← Working version for attestation
  TEE: 0
  Boot Loader: 2
  FMC: None
Reported/Committed/Launch TCB:
  Microcode: 213
  SNP: 5           ← Different from current
  TEE: 0
  Boot Loader: 2
  FMC: None
```

2. Host - Rust API

Using the AMD SEV Rust crate with `firmware.snp_platform_status()`:

```
platform_tcb_version: TcbVersion {
    microcode: 213,
    snp: 24,         ← Yet another version
    tee: 0,
    bootloader: 2,
    fmc: None
}
reported_tcb_version: TcbVersion {
    microcode: 213,
    snp: 23,         ← And another different version
    tee: 0,
    bootloader: 2,
    fmc: None
}
```

3. Host - snphost Command

Using `snphost ok`:

```
[ FAIL ] - Comparing TCB values: The TCB versions did NOT match
Platform TCB version:
  Microcode: 0     ← All zeros (incorrect)
  SNP: 0
  TEE: 0
  Boot Loader: 0
  FMC: 0
Reported TCB version:
  Microcode: 0     ← Partially populated
  SNP: 0
  TEE: 0
  Boot Loader: 2
  FMC: 213
```
Actual Impact

1. Attestation Verification Failures

When using the standard AMD SNP attestation workflow, verification fails due to TCB version mismatches:

```shell
# Fetch certificates using reported TCB versions
$ snpguest fetch ca der certs milan -e vcek
$ snpguest fetch vcek der milan ./certs report.bin

# Verification fails with standard reported TCB
$ snpguest verify attestation -p milan ./certs request.bin
Reported TCB Boot Loader from certificate matches the attestation report.
Reported TCB TEE from certificate matches the attestation report.
Reported TCB SNP from certificate matches the attestation report.
Reported TCB Microcode from certificate matches the attestation report.
ERROR: VEK did NOT sign the Attestation Report!
Error: VEK did NOT sign the Attestation Report!
```

2. Manual Workaround Required

The only way to make verification work is to manually override the SNP version to 14:

```shell
# Only works when manually specifying SNP version 14
$ snpguest verify attestation -s -p milan ./certs report.bin
VEK signed the Attestation Report!
```

3. Tool Logic Inconsistency

The `snpguest` verification tool uses the "reported" TCB version (SNP=5) for certificate fetching, but the actual working version is the "current" TCB version (SNP=14). This creates a fundamental mismatch in the verification chain.
Other System Information

```shell
# Kernel messages confirm SNP is properly initialized
$ sudo dmesg | grep -i sev
[ 17.317390] ccp 0000:22:00.1: SEV API:1.55 build:29
[ 17.317403] ccp 0000:22:00.1: SEV-SNP API:1.55 build:29
[ 17.327291] kvm_amd: SEV enabled (ASIDs 16 - 509)
[ 17.327294] kvm_amd: SEV-SNP enabled (ASIDs 1 - 15)
```

Questions

- Why are there multiple different SNP TCB versions reported?
- Which version should be used for attestation verification?
- Is the `snphost` tool bug where it reports all zeros expected?
Thank you for looking into this.
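To see which of the four TCB fields in a raw `report.bin` the tooling keys on, here is an added diagnostic (not the reporter's code and not part of snpguest/snphost) that decodes CURRENT, REPORTED, COMMITTED and LAUNCH TCB at their ABI offsets and shows the KDS VCEK URL each would map to. The offsets and URL layout are taken from the AMD SEV-SNP ABI and KDS documentation as I know them; the sample report is constructed with the values from this issue rather than read from a real file.

```python
import struct

# SEV-SNP ATTESTATION_REPORT byte offsets of the four TCB_VERSION fields
# (per the AMD SEV-SNP firmware ABI; the report is 0x4A0 bytes long).
TCB_OFFSETS = {"current": 0x38, "reported": 0x180, "committed": 0x1E0, "launch": 0x1F0}
CHIP_ID_OFFSET, CHIP_ID_LEN = 0x1A0, 64
REPORT_LEN = 0x4A0


def parse_tcb(raw: bytes) -> dict:
    """Decode an 8-byte TCB_VERSION: byte 0 boot loader, byte 1 TEE,
    bytes 2-5 reserved, byte 6 SNP firmware, byte 7 microcode."""
    if len(raw) != 8:
        raise ValueError("TCB_VERSION must be 8 bytes")
    return {"bootloader": raw[0], "tee": raw[1], "snp": raw[6], "microcode": raw[7]}


def parse_report(report: bytes) -> dict:
    """Return every TCB field of a raw SNP attestation report plus the chip id."""
    if len(report) < REPORT_LEN:
        raise ValueError(f"report too short: {len(report)} < {REPORT_LEN}")
    out = {name: parse_tcb(report[off:off + 8]) for name, off in TCB_OFFSETS.items()}
    out["chip_id"] = report[CHIP_ID_OFFSET:CHIP_ID_OFFSET + CHIP_ID_LEN].hex()
    return out


def vcek_url(product: str, chip_id_hex: str, tcb: dict) -> str:
    """KDS URL of the VCEK derived from this TCB; the report only verifies
    against the VCEK for the TCB the firmware actually signed with."""
    return (f"https://kdsintf.amd.com/vcek/v1/{product}/{chip_id_hex}"
            f"?blSPL={tcb['bootloader']}&teeSPL={tcb['tee']}"
            f"&snpSPL={tcb['snp']}&ucodeSPL={tcb['microcode']}")


def make_tcb(bootloader: int, tee: int, snp: int, microcode: int) -> bytes:
    return bytes([bootloader, tee, 0, 0, 0, 0, snp, microcode])


# Constructed sample report (NOT the reporter's report.bin): only the TCB
# fields and a dummy chip id are populated, everything else is zero.
SAMPLE = bytearray(REPORT_LEN)
SAMPLE[0x38:0x40] = make_tcb(2, 0, 14, 213)    # CURRENT_TCB  (the one that verifies)
SAMPLE[0x180:0x188] = make_tcb(2, 0, 5, 213)   # REPORTED_TCB (what tools fetch with)
SAMPLE[0x1E0:0x1E8] = make_tcb(2, 0, 5, 213)   # COMMITTED_TCB
SAMPLE[0x1F0:0x1F8] = make_tcb(2, 0, 5, 213)   # LAUNCH_TCB
SAMPLE[0x1A0:0x1E0] = bytes([0xAB]) * CHIP_ID_LEN
SAMPLE = bytes(SAMPLE)

if __name__ == "__main__":
    fields = parse_report(SAMPLE)
    for name in TCB_OFFSETS:
        print(f"{name:>9}: {fields[name]}  ->  {vcek_url('Milan', fields['chip_id'], fields[name])}")
```

Run it on a real report with `parse_report(open("report.bin", "rb").read())`; if only the `current` URL yields a VCEK that verifies the signature, that is the mismatch this issue describes.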