From 5d737fa4fb35dfe7e1cad18ef37f390c145a491b Mon Sep 17 00:00:00 2001 From: Chris Butler Date: Mon, 1 Jun 2026 16:46:38 +0800 Subject: [PATCH 1/2] fix: correct td_attributes.debug field path in baremetal TDX policy The attestation policy used the wrong path for debug attribute checking: - Wrong: input["tdx"].quote.body.td_attributes.debug - Correct: input["tdx"].td_attributes.debug The quote.body.td_attributes contains a hex string ("0000001000000000"), not a parsed object. The verifier parses this hex value and places the structured object at the top level: input["tdx"].td_attributes. This caused the configuration trust claim to always evaluate to 36 (default/unavailable) instead of 2 (approved) or 3 (no known vulnerabilities), even when debug was disabled and xfam matched. Affected rules: - configuration := 2 (main rule with xfam check) - configuration := 3 (fallback without xfam) Aligned with upstream trustee-operator reference policy which uses input.tdx.td_attributes.debug (not input.tdx.quote.body.td_attributes.debug). Fixes attestation for bare metal TDX deployments where configuration claim should pass when debug=false and xfam reference values available. Co-Authored-By: Claude Sonnet 4.5 --- templates/attestation-policy.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/attestation-policy.yaml b/templates/attestation-policy.yaml index acd38b2..abf47c5 100644 --- a/templates/attestation-policy.yaml +++ b/templates/attestation-policy.yaml @@ -244,7 +244,7 @@ data: input["tdx"] # Check the TD has the expected attributes (e.g., debug not enabled) and features. - input["tdx"].quote.body.td_attributes.debug == false + input["tdx"].td_attributes.debug == false input["tdx"].quote.body.xfam in query_reference_value("xfam") } 
@@ -252,7 +252,7 @@ data: else := 3 if { input["tdx"] - input["tdx"].quote.body.td_attributes.debug == false + input["tdx"].td_attributes.debug == false # CoCo pattern: init_data check (runtime configuration hash) input.init_data in query_reference_value("init_data") From e2be86c1aed1dddbeb1f66e59ee356e53c00c404 Mon Sep 17 00:00:00 2001 From: Chris Butler Date: Mon, 1 Jun 2026 17:23:21 +0800 Subject: [PATCH 2/2] chore: release Signed-off-by: Chris Butler --- Chart.yaml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Chart.yaml b/Chart.yaml index 9993e78..c5c5cb6 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -7,4 +7,4 @@ keywords: - confidential-containers name: trustee # DO NOT EDIT VERSION HERE, IT IS AUTO-GENERATED BY SEMANTIC-RELEASE -version: 0.6.0 +version: 0.7.0 diff --git a/README.md b/README.md index 14752ea..7d1698f 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # trustee -![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) +![Version: 0.7.0](https://img.shields.io/badge/Version-0.7.0-informational?style=flat-square) A Helm chart to provide an opinionated deployment of Trustee in a validated pattern
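Review bot: In the `@@ -244,7 +244,7 @@` hunk of templates/attestation-policy.yaml, the corrected `input["tdx"].td_attributes.debug == false` line still fails silently whenever `td_attributes` is absent from the verifier output: in Rego an undefined reference makes the whole rule body undefined, so `configuration := 2` is skipped and the claim drops to the default 36, which is exactly the symptom the commit message describes for the old path. The fix is correct, but it is only as good as the verifier version that emits the parsed object at the top level, so please add a regression test (an `opa test` case with a sample input containing `"td_attributes": {"debug": false}` and a second case with `debug` missing) so that a future verifier change does not reintroduce the same silent downgrade.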
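Review bot: In the `@@ -252,7 +252,7 @@` hunk, the `else := 3` rule is described in the commit message as the "fallback without xfam", but the visible body also requires `input.init_data in query_reference_value("init_data")`, so with no `init_data` reference value configured the claim will still not reach 3; the commit message or the policy comment should state that dependency so operators do not read 36 as another path bug. As a style point, the rule mixes `input["tdx"]` with `input.init_data`; the upstream policy cited in the commit message uses `input.tdx.td_attributes.debug`, and switching to dot notation here would make the alignment with upstream easy to verify by eye.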
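Review bot: In the Chart.yaml hunk, the bump from `version: 0.6.0` to `version: 0.7.0` sits directly under `# DO NOT EDIT VERSION HERE, IT IS AUTO-GENERATED BY SEMANTIC-RELEASE`, yet the only functional commit in this series is typed `fix:`, which under default semantic-release rules produces a patch release (0.6.1), not a minor one. Please confirm that this `chore: release` commit was actually produced by the release tooling rather than edited by hand; if it was manual, the next automated release will disagree with this number.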
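Review bot: In the README.md hunk, only the version badge changes; nothing documents that the attestation policy now relies on the verifier exposing a parsed `td_attributes` object at `input["tdx"].td_attributes`, which is the behavioural change users of the chart need to know about when they see the configuration claim move from 36 to 2 or 3. A one-line note in the README (or a changelog entry alongside the badge bump) describing this requirement would make the release self-explanatory.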