Hi,
I've been working on setting up the agent and the server as plugins using SPIRE's K8s quickstart as a starting point. I'm able to get the server deployed no problem, but I'm running into the following error with the agent:
```text
time="2023-12-13T21:05:11Z" level=debug msg="panic: runtime error: slice bounds out of range [:1216] with capacity 0" external=true plugin_name=amd_sev_snp plugin_type=NodeAttestor subsystem_name=amd_sev_snp.snp-agent-plugin
time="2023-12-13T21:05:11Z" level=debug external=true plugin_name=amd_sev_snp plugin_type=NodeAttestor subsystem_name=amd_sev_snp.snp-agent-plugin
time="2023-12-13T21:05:11Z" level=debug msg="goroutine 26 [running]:" external=true plugin_name=amd_sev_snp plugin_type=NodeAttestor subsystem_name=amd_sev_snp.snp-agent-plugin
time="2023-12-13T21:05:11Z" level=debug msg="snp/agent/snp/snputil.GetReportTPM()" external=true plugin_name=amd_sev_snp plugin_type=NodeAttestor subsystem_name=amd_sev_snp.snp-agent-plugin
```
Indicating that there seems to be a panic in `snputil.GetReportTPM()`. Full logs are attached in case I'm missing something -- sev_agent_logs.txt. My plugin config is also as follows:
Server

```hcl
NodeAttestor "amd_sev_snp" {
  plugin_cmd = "/opt/spire/plugin/snp-server-plugin"
  plugin_data {
    amd_cert_chain = "/opt/spire/plugin/cert_chain.pem"
  }
}
```
Where cert_chain.pem is obtained via

```sh
curl --proto '=https' --tlsv1.2 -sSf https://kdsintf.amd.com/vcek/v1/Milan/cert_chain -o cert_chain.pem
```
Agent

```hcl
NodeAttestor "amd_sev_snp" {
  plugin_cmd = "/opt/spire/plugin/snp-agent-plugin"
  plugin_data {
    ek_path = "/opt/spire/plugin/vcek.pem"
  }
}
```
Where vcek.pem is obtained via (Azure documentation)

```sh
curl -H Metadata:true http://169.254.169.254/metadata/THIM/amd/certification > vcek
cat ./vcek | jq -r '.vcekCert , .certificateChain' > ./vcek.pem
```
This is all running in a minikube instance on an SEV-SNP enabled VM in Azure (no SEV device available). Any idea what could be wrong here? Thank you for any help.
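One thing that can be checked independently of the plugins is whether the two files the configs above point at actually fit together: that vcek.pem (the THIM JSON split by jq) holds a VCEK that chains to the ARK in the cert_chain.pem downloaded from AMD's KDS. The Go program below is an added example written for this page, not code from the original post or from the SPIRE SNP plugins, and it does not touch the TPM report path where the panic is raised. It reimplements the jq extraction and then runs a standard x509 chain verification in which only the server-side bundle may supply a trust root. The JSON field names vcekCert and certificateChain are the ones from the post; the sample chain is generated in-process with ECDSA P-384 keys and Milan-style common names (ARK-Milan, SEV-Milan, SEV-VCEK) as a constructed stand-in, since real AMD certificates cannot be embedded here. Whether Go's x509 verifier accepts AMD's real RSA-PSS-signed ARK/ASK without adjustment is an assumption this example does not test.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// thimResponse holds the two fields the post's jq command extracts from the Azure THIM JSON.
type thimResponse struct {
	VcekCert         string `json:"vcekCert"`
	CertificateChain string `json:"certificateChain"`
}

// VCEKPEMFromTHIM mirrors `jq -r '.vcekCert , .certificateChain'`: the VCEK PEM
// followed by the ASK/ARK chain, i.e. the content written to vcek.pem.
func VCEKPEMFromTHIM(raw []byte) ([]byte, error) {
	var r thimResponse
	if err := json.Unmarshal(raw, &r); err != nil || r.VcekCert == "" || r.CertificateChain == "" {
		return nil, fmt.Errorf("THIM JSON: vcekCert/certificateChain missing or malformed (%v)", err)
	}
	return []byte(r.VcekCert + "\n" + r.CertificateChain), nil
}

// parsePEMCerts returns the parseable certificates of a PEM bundle, in file order.
func parsePEMCerts(data []byte) (certs []*x509.Certificate) {
	for b, rest := pem.Decode(data); b != nil; b, rest = pem.Decode(rest) {
		if c, err := x509.ParseCertificate(b.Bytes); err == nil {
			certs = append(certs, c)
		}
	}
	return certs
}

// VerifyVCEK checks that the first certificate in vcekPEM (the ek_path file) chains to a
// self-signed CA taken only from amdChainPEM (the amd_cert_chain file); returns CNs, leaf first.
func VerifyVCEK(vcekPEM, amdChainPEM []byte, now time.Time) ([]string, error) {
	agent, server := parsePEMCerts(vcekPEM), parsePEMCerts(amdChainPEM)
	if len(agent) == 0 || len(server) == 0 {
		return nil, fmt.Errorf("no certificates in ek_path (%d) or amd_cert_chain (%d) bundle", len(agent), len(server))
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for i, c := range append(server, agent[1:]...) {
		// Only a self-signed CA from the server bundle (the ARK) may be a root; anything
		// shipped next to the VCEK is at most an intermediate, never a trust anchor.
		if i < len(server) && c.IsCA && c.CheckSignatureFrom(c) == nil {
			roots.AddCert(c)
		} else {
			inters.AddCert(c)
		}
	}
	chains, err := agent[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now})
	if err != nil {
		return nil, fmt.Errorf("VCEK does not chain to a root in amd_cert_chain: %w", err)
	}
	var names []string
	for _, c := range chains[0] {
		names = append(names, c.Subject.CommonName)
	}
	return names, nil
}

// newCert is fixture code: a P-384 certificate for cn signed by parent (self-signed
// when parent is nil). Real AMD ARK/ASK certificates are RSA-signed; this is a stand-in.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err) // fixture generation failed; nothing sensible to return
	}
	return c, key
}

// SampleTHIM builds a constructed ARK -> ASK -> VCEK chain with Milan-style CNs and returns
// a THIM-shaped JSON document plus the ASK+ARK bundle standing in for AMD's cert_chain.pem.
func SampleTHIM() (thimJSON, amdChainPEM []byte) {
	toPEM := func(c *x509.Certificate) string {
		return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}))
	}
	ark, arkKey := newCert("ARK-Milan", true, nil, nil)
	ask, askKey := newCert("SEV-Milan", true, ark, arkKey)
	vcek, _ := newCert("SEV-VCEK", false, ask, askKey)
	chain := toPEM(ask) + toPEM(ark)
	thimJSON, _ = json.Marshal(thimResponse{VcekCert: toPEM(vcek), CertificateChain: chain})
	return thimJSON, []byte(chain)
}
```

To run it against the real files, read vcek.pem and cert_chain.pem with os.ReadFile and pass them to VerifyVCEK with time.Now(). A clean three-element chain rules the certificate inputs out as the source of trouble; a VCEK from a different product generation than the cert_chain you downloaded, or a bundle whose only root travels alongside the VCEK, fails verification here instead of surfacing later as an opaque attestation error.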