
fix: correct td_attributes.debug field path in baremetal TDX policy#32

Merged
butler54 merged 2 commits into validatedpatterns:main from butler54:fix/td-attributes-path-bug on Jun 1, 2026

Conversation


@butler54 butler54 commented Jun 1, 2026

Problem

The baremetal TDX attestation policy uses the wrong field path for debug attribute checking, causing the configuration trust claim to always evaluate to 36 (unavailable) instead of 2 (approved) or 3 (no known vulnerabilities).

Wrong path:

input["tdx"].quote.body.td_attributes.debug == false

Correct path:

input["tdx"].td_attributes.debug == false

Root Cause

The TDX quote.body.td_attributes field contains a hex string ("0000001000000000"), not a parsed object. The verifier parses this hex value and places the structured object at the top level: input["tdx"].td_attributes.

Impact

  • Attestation succeeds but with warning status (configuration: 36)
  • Expected behavior: configuration: 2 when debug=false AND xfam matches reference values
  • Expected fallback: configuration: 3 when debug=false AND xfam reference values not available

Solution

Align with the upstream trustee-operator reference policy (ear_default_attestation_policy_cpu.rego), which correctly uses input.tdx.td_attributes.debug.

Fixed in both:

  • Main configuration rule (line 247): checks debug + xfam
  • Fallback configuration rule (line 255): checks debug only

Testing

Verified against cluster with:

  • OCP 4.20.18 on Intel TDX hardware
  • Firmware reference values loaded in RVPS
  • Debug disabled (td_attributes shows "debug": false)
  • Before fix: configuration: 36, no xfam query logged
  • Expected after fix: configuration: 2, xfam query appears in logs

Part of Wave 2 bare metal attestation hardening work.
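The following is an added illustration of the root cause described in this PR; it is not code from the PR, from trustee-chart or from trustee itself. It models two things the description relies on: the verifier turning the raw 8-byte TD_ATTRIBUTES hex string from quote.body into a structured object at input["tdx"].td_attributes, and a Rego-style lookup where walking a path through a string (the wrong path) is simply undefined, so neither the debug-plus-xfam rule nor the debug-only fallback fires and the claim falls through to the default 36. Bit positions come from the Intel TDX module definition of TD_ATTRIBUTES (bit 0 DEBUG, bit 28 SEPT_VE_DISABLE, bit 30 PKS, bit 31 KL, bit 63 PERFMON); only the "debug" field name is confirmed by the PR, the other field names, the location of xfam under quote.body, the constructed xfam value and the exact 2/3/36 decision procedure are assumptions made for this example.

```python
"""Added example: TDX TD_ATTRIBUTES parsing and the policy-path bug from the PR.

Not project code. Field names other than "debug", the xfam location and the
claim evaluation order are assumptions modelled on the PR description.
"""

from typing import Any, Dict, Iterable, List, Optional

# TD_ATTRIBUTES bit positions (Intel TDX module spec). "debug" is the name the
# PR shows in the parsed object; the remaining names are assumed for illustration.
TD_ATTRIBUTE_BITS = {
    "debug": 0,
    "septve_disable": 28,
    "protection_keys": 30,
    "key_locker": 31,
    "perfmon": 63,
}

DEFAULT_CONFIGURATION = 36  # value the PR reports when no rule fires


def parse_td_attributes(hex_str: str) -> Dict[str, bool]:
    """Parse the 8-byte little-endian TD_ATTRIBUTES hex string into named booleans."""
    if len(hex_str) != 16:
        raise ValueError("TD_ATTRIBUTES must be 8 bytes (16 hex characters)")
    value = int.from_bytes(bytes.fromhex(hex_str), "little")
    return {name: bool((value >> bit) & 1) for name, bit in TD_ATTRIBUTE_BITS.items()}


def build_verifier_input(quote_body: Dict[str, Any]) -> Dict[str, Any]:
    """Mimic the verifier: keep the raw quote body and lift the parsed attributes
    to the top level of the tdx claims, as the PR describes."""
    return {
        "tdx": {
            "quote": {"body": dict(quote_body)},
            "td_attributes": parse_td_attributes(quote_body["td_attributes"]),
        }
    }


def lookup(obj: Any, path: Iterable[str]) -> Any:
    """Rego-style path walk: undefined (None) if any step is missing or the
    current value is not an object. Indexing into a hex string is undefined."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def configuration_claim(inp: Dict[str, Any], debug_path: List[str],
                        xfam_reference: Optional[Iterable[str]]) -> int:
    """Evaluate the configuration claim as the PR describes the two rules:
    2  when debug == false and xfam matches a reference value,
    3  when debug == false and no xfam reference values are available,
    36 otherwise (rule bodies undefined, debug enabled, or xfam mismatch).
    """
    debug = lookup(inp, debug_path)
    if debug is not False:  # undefined (wrong path) or true -> no rule fires
        return DEFAULT_CONFIGURATION
    if xfam_reference is None:
        return 3
    xfam = lookup(inp, ["tdx", "quote", "body", "xfam"])  # assumed location
    return 2 if xfam in set(xfam_reference) else DEFAULT_CONFIGURATION


WRONG_PATH = ["tdx", "quote", "body", "td_attributes", "debug"]
CORRECT_PATH = ["tdx", "td_attributes", "debug"]

# Constructed sample quote body. td_attributes is the value quoted in the PR
# (debug clear, SEPT_VE_DISABLE set); the xfam value is a placeholder.
SAMPLE_QUOTE_BODY = {
    "td_attributes": "0000001000000000",
    "xfam": "e702060000000000",
}


def demo() -> Dict[str, Any]:
    """Run the before/after comparison on the constructed sample."""
    inp = build_verifier_input(SAMPLE_QUOTE_BODY)
    reference = {SAMPLE_QUOTE_BODY["xfam"]}
    return {
        "parsed": inp["tdx"]["td_attributes"],
        "wrong_path": configuration_claim(inp, WRONG_PATH, reference),
        "correct_path": configuration_claim(inp, CORRECT_PATH, reference),
        "correct_path_no_reference": configuration_claim(inp, CORRECT_PATH, None),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the wrong path producing 36 even though the parsed object carries "debug": false, while the corrected path yields 2 with an xfam reference loaded and 3 without one. A debug-enabled TD (hex "0100000000000000") stays at 36 under the corrected path, which is the enforcement the fix restores.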

butler54 and others added 2 commits June 1, 2026 16:46
The attestation policy used the wrong path for debug attribute checking:
- Wrong: input["tdx"].quote.body.td_attributes.debug
- Correct: input["tdx"].td_attributes.debug

The quote.body.td_attributes contains a hex string ("0000001000000000"),
not a parsed object. The verifier parses this hex value and places the
structured object at the top level: input["tdx"].td_attributes.

This caused the configuration trust claim to always evaluate to 36
(default/unavailable) instead of 2 (approved) or 3 (no known
vulnerabilities), even when debug was disabled and xfam matched.

Affected rules:
- configuration := 2 (main rule with xfam check)
- configuration := 3 (fallback without xfam)

Aligned with upstream trustee-operator reference policy which uses
input.tdx.td_attributes.debug (not input.tdx.quote.body.td_attributes.debug).

Fixes attestation for bare metal TDX deployments where configuration
claim should pass when debug=false and xfam reference values available.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: Chris Butler <chris.butler@redhat.com>
@butler54 butler54 merged commit 10a447a into validatedpatterns:main Jun 1, 2026
4 checks passed
butler54 added a commit to butler54/coco-pattern that referenced this pull request Jun 1, 2026
Bump trustee chart dependency from 0.4.*/0.6.* to 0.7.* in all profiles.
Also migrate values-trusted-hub from git branch reference to chart registry.

Changes:
- values-baremetal.yaml: 0.6.* → 0.7.*
- values-baremetal-gpu.yaml: 0.6.* → 0.7.*
- values-simple.yaml: 0.4.* → 0.7.*
- values-trusted-hub.yaml: git branch → chart 0.7.*

Trustee v0.7.0 includes the td_attributes.debug path fix that was causing
the configuration trust claim to evaluate to 36 (unavailable) instead of 2
(approved). This fix enables proper debug-disabled enforcement in the
attestation policy.

Related: validatedpatterns/trustee-chart#32

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
butler54 added a commit to validatedpatterns/coco-pattern that referenced this pull request Jun 1, 2026
Bump trustee chart dependency from 0.4.*/0.6.* to 0.7.* in all profiles.
Also migrate values-trusted-hub from git branch reference to chart registry.

Changes:
- values-baremetal.yaml: 0.6.* → 0.7.*
- values-baremetal-gpu.yaml: 0.6.* → 0.7.*
- values-simple.yaml: 0.4.* → 0.7.*
- values-trusted-hub.yaml: git branch → chart 0.7.*

Trustee v0.7.0 includes the td_attributes.debug path fix that was causing
the configuration trust claim to evaluate to 36 (unavailable) instead of 2
(approved). This fix enables proper debug-disabled enforcement in the
attestation policy.

Related: validatedpatterns/trustee-chart#32

Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>