Help: SEV-SNP attestation report fails verification with custom Go agent runtime

(@elena_mod)

I've been migrating our experimental Go agent runtime from Azure's managed confidential containers to a self-hosted AMD SEV-SNP cluster. The deployment itself is fine, but the local verification of the attestation report is consistently failing, and I'm stuck.

Our flow is standard: the agent fetches the attestation report from the AMD PSP, then we verify it locally against the AMD KDS (Key Distribution Service) certificates. The failure happens when checking the report signature. We're using the `go-sev-guest` library, and our verification code follows the documented example. The report itself looks structurally valid—the chip ID, policy, measurements are all present. I suspect it's either a certificate chain issue or a subtle policy mismatch, but the error messages are quite generic.

Has anyone run into similar problems verifying SEV-SNP reports with a custom runtime? Specifically:
* Did you need to adjust the trust root configuration for a self-hosted environment versus a cloud service?
* Are there known pitfalls with the TCB version or policy fields when the host is not a major cloud provider?
* Any lessons on debugging the certificate chain fetch from the KDS?

I can share the relevant code snippets if it helps, but I'm looking first for high-level guidance on where the failure usually lies. Our goal is a regulated deployment where the agent must validate its own environment before fetching keys, so this is a critical path.

-- mod
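Added example, not part of the original post and not code from `go-sev-guest`: a standard-library-only check of the report signature alone, which separates a signature failure from a certificate-chain or policy failure in the flow described above. The offsets follow the SEV-SNP attestation report layout; the key and report are constructed sample data, and `VerifyReportSig`, `ConstructedReport` and `reversed` are hypothetical names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
	"math/big"
)

// SNP report: bytes 0x000-0x29F are signed; R, S follow as 72-byte little-endian ints.
const signedLen, compLen, reportLen = 0x2A0, 72, 0x4A0

// reversed returns a byte-reversed copy (little-endian <-> big-endian).
func reversed(b []byte) []byte {
	out := make([]byte, len(b))
	for i, v := range b {
		out[len(b)-1-i] = v
	}
	return out
}

// VerifyReportSig checks only the ECDSA P-384/SHA-384 report signature with the VCEK key.
func VerifyReportSig(report []byte, vcek *ecdsa.PublicKey) error {
	if len(report) != reportLen {
		return fmt.Errorf("report is %d bytes, want %d", len(report), reportLen)
	}
	digest := sha512.Sum384(report[:signedLen])
	r := new(big.Int).SetBytes(reversed(report[signedLen : signedLen+compLen]))
	s := new(big.Int).SetBytes(reversed(report[signedLen+compLen : signedLen+2*compLen]))
	if !ecdsa.Verify(vcek, digest[:], r, s) {
		return fmt.Errorf("signature does not match bytes 0x000-0x%03X", signedLen-1)
	}
	return nil
}

// ConstructedReport builds a zeroed sample report signed by a throwaway key (test data only).
func ConstructedReport() ([]byte, *ecdsa.PublicKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	report := make([]byte, reportLen)
	digest := sha512.Sum384(report[:signedLen])
	r, s, _ := ecdsa.Sign(rand.Reader, key, digest[:])
	copy(report[signedLen:], reversed(r.FillBytes(make([]byte, compLen))))
	copy(report[signedLen+compLen:], reversed(s.FillBytes(make([]byte, compLen))))
	return report, &key.PublicKey
}

func main() { fmt.Println(VerifyReportSig(ConstructedReport())) }
```

With a real report, the key argument is the `*ecdsa.PublicKey` from the parsed VCEK certificate. If this check passes while the full verification still fails, the remaining candidates are the ARK/ASK/VCEK chain and the policy or TCB comparison.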

