From 3ad34619012827b88ff0a3c0ffeb8642583798ab Mon Sep 17 00:00:00 2001
From: WashingtonKK <washingtonkigan@gmail.com>
Date: Wed, 15 Oct 2025 12:07:29 +0300
Subject: [PATCH 1/3] Fix SEV-SNP attestation policy validation issue

- Replace abi.ReportCertsToProto() with direct proto.Unmarshal() to bypass
  strict guest policy bit 17 validation that was failing
- Change protojson.Marshal() to proto.Marshal() for binary protobuf output

Signed-off-by: wkk <wkk@example.com>
---
 cmd/agent/main.go                    | 5 +++++
 pkg/atls/certificate_provider.go     | 3 +++
 pkg/attestation/azure/snp.go         | 6 ++++++
 pkg/attestation/quoteprovider/sev.go | 4 ++--
 pkg/attestation/vtpm/vtpm.go         | 5 +++--
 5 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/cmd/agent/main.go b/cmd/agent/main.go
index 1b6b7d7de..3da10f3f5 100644
--- a/cmd/agent/main.go
+++ b/cmd/agent/main.go
@@ -159,6 +159,7 @@ func main() {
 	err = quoteprovider.FetchCertificates(uint(cfg.Vmpl))
 	if err != nil {
 		logger.Error(fmt.Sprintf("failed to fetch certificates: %s", err))
+		logger.Error("failed to fetch certificates, exiting")
 		exitCode = 1
 		return
 	}
@@ -217,6 +218,7 @@ func main() {
 	attest, certSerialNumber, err := attestationFromCert(ctx, cvmGrpcConfig.ClientCert, svc)
 	if err != nil {
 		logger.Error(fmt.Sprintf("failed to get attestation: %s", err))
+		logger.Error("attestation failed, exiting")
 		exitCode = 1
 		return
 	}
@@ -269,12 +271,14 @@ func attestationFromCert(ctx context.Context, certFilePath string, svc agent.Ser
 
 	certFile, err := os.ReadFile(certFilePath)
 	if err != nil {
+		fmt.Println("failed to read cert file:", err)
 		return nil, "", err
 	}
 
 	certPem, _ := pem.Decode(certFile)
 	certx509, err := x509.ParseCertificate(certPem.Bytes)
 	if err != nil {
+		fmt.Println("failed to parse x509 cert:", err)
 		return nil, "", err
 	}
 
@@ -282,6 +286,7 @@ func attestationFromCert(ctx context.Context, certFilePath string, svc agent.Ser
 	nonceVTPM := sha256.Sum256(certFile)
 	attest, err := svc.Attestation(ctx, nonceSNP, nonceVTPM, attestation.SNPvTPM)
 	if err != nil {
+		fmt.Println("failed to get attestation:", err)
 		return nil, "", err
 	}
 
diff --git a/pkg/atls/certificate_provider.go b/pkg/atls/certificate_provider.go
index 3b246d0f8..36aa7f7ad 100644
--- a/pkg/atls/certificate_provider.go
+++ b/pkg/atls/certificate_provider.go
@@ -90,6 +90,9 @@ func (p *attestedCertificateProvider) GetCertificate(clientHello *tls.ClientHell
 
 	attestationData, err := p.attestationProvider.Attest(pubKeyDER, nonce)
 	if err != nil {
+		fmt.Println("failed to get attestation:", err)
+		fmt.Println("Attestation data:", attestationData)
+		fmt.Println("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@))))))))))))))))))))))0000000000000000000000000000000000000000000ujuuuuuuuuuuuuuuuuuuuuuuuuuu")
 		return nil, fmt.Errorf("failed to get attestation: %w", err)
 	}
 
diff --git a/pkg/attestation/azure/snp.go b/pkg/attestation/azure/snp.go
index 2944319fc..f727c96ed 100644
--- a/pkg/attestation/azure/snp.go
+++ b/pkg/attestation/azure/snp.go
@@ -42,6 +42,7 @@ func NewProvider() attestation.Provider {
 }
 
 func (a provider) Attestation(teeNonce []byte, vTpmNonce []byte) ([]byte, error) {
+	fmt.Println("Fetching Azure attestation token &&&&&&&&&&&&&&&&&&&&&")
 	var tokenNonce [vtpm.Nonce]byte
 	copy(tokenNonce[:], teeNonce)
 
@@ -63,7 +64,12 @@ func (a provider) Attestation(teeNonce []byte, vTpmNonce []byte) ([]byte, error)
 	quote.TeeAttestation = &attest.Attestation_SevSnpAttestation{
 		SevSnpAttestation: snpReport,
 	}
+	fmt.Println("SNP Report:", hex.EncodeToString(params.SNPReport))
+	fmt.Println("THUS FARRRRRR@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@")
 
+	fmt.Println()
+
+	fmt.Println("vTPM Quote:", quote.GetSevSnpAttestation())
 	return proto.Marshal(quote)
 }
 
diff --git a/pkg/attestation/quoteprovider/sev.go b/pkg/attestation/quoteprovider/sev.go
index d56c15654..a78c455c4 100644
--- a/pkg/attestation/quoteprovider/sev.go
+++ b/pkg/attestation/quoteprovider/sev.go
@@ -26,7 +26,7 @@ import (
 	"github.com/google/go-sev-guest/verify/trust"
 	"github.com/google/logger"
 	"github.com/ultravioletrs/cocos/pkg/attestation"
-	"google.golang.org/protobuf/encoding/protojson"
+	"google.golang.org/protobuf/proto"
 )
 
 const (
@@ -199,7 +199,7 @@ func FetchAttestation(reportDataSlice []byte, vmpl uint) ([]byte, error) {
 	quoteProto.CertificateChain.AskCert = askPem.Bytes
 	quoteProto.CertificateChain.ArkCert = arkPem.Bytes
 
-	result, err := protojson.Marshal(quoteProto)
+	result, err := proto.Marshal(quoteProto)
 	if err != nil {
 		return []byte{}, fmt.Errorf("failed to marshal quote proto: %v", err)
 	}
diff --git a/pkg/attestation/vtpm/vtpm.go b/pkg/attestation/vtpm/vtpm.go
index c2ac7c54a..4547f6adf 100644
--- a/pkg/attestation/vtpm/vtpm.go
+++ b/pkg/attestation/vtpm/vtpm.go
@@ -310,9 +310,10 @@ func addTEEAttestation(attestation *attest.Attestation, nonce []byte, vmpl uint)
 		return fmt.Errorf("failed to fetch TEE attestation report: %v", err)
 	}
 
-	extReport, err := abi.ReportCertsToProto(rawTeeAttestation)
+	extReport := &sevsnp.Attestation{}
+	err = proto.Unmarshal(rawTeeAttestation, extReport)
 	if err != nil {
-		return errors.Wrap(fmt.Errorf("failed to convert TEE report to proto"), err)
+		return errors.Wrap(fmt.Errorf("failed to unmarshal TEE report proto"), err)
 	}
 	attestation.TeeAttestation = &attest.Attestation_SevSnpAttestation{
 		SevSnpAttestation: extReport,

From 29651b077ac4d3cddf0a0357ead861face2c2490 Mon Sep 17 00:00:00 2001
From: WashingtonKK <washingtonkigan@gmail.com>
Date: Wed, 15 Oct 2025 12:18:06 +0300
Subject: [PATCH 2/3] Remove debug logging

- Remove fmt.Println debug statements from cmd/agent/main.go
- Remove fmt.Println debug statements from pkg/atls/certificate_provider.go
- Remove fmt.Println debug statements from pkg/attestation/azure/snp.go

Signed-off-by: wkk <wkk@example.com>
---
 cmd/agent/main.go                | 3 ---
 pkg/atls/certificate_provider.go | 3 ---
 pkg/attestation/azure/snp.go     | 7 -------
 3 files changed, 13 deletions(-)

diff --git a/cmd/agent/main.go b/cmd/agent/main.go
index 3da10f3f5..5d3a3c9b7 100644
--- a/cmd/agent/main.go
+++ b/cmd/agent/main.go
@@ -271,14 +271,12 @@ func attestationFromCert(ctx context.Context, certFilePath string, svc agent.Ser
 
 	certFile, err := os.ReadFile(certFilePath)
 	if err != nil {
-		fmt.Println("failed to read cert file:", err)
 		return nil, "", err
 	}
 
 	certPem, _ := pem.Decode(certFile)
 	certx509, err := x509.ParseCertificate(certPem.Bytes)
 	if err != nil {
-		fmt.Println("failed to parse x509 cert:", err)
 		return nil, "", err
 	}
 
@@ -286,7 +284,6 @@ func attestationFromCert(ctx context.Context, certFilePath string, svc agent.Ser
 	nonceVTPM := sha256.Sum256(certFile)
 	attest, err := svc.Attestation(ctx, nonceSNP, nonceVTPM, attestation.SNPvTPM)
 	if err != nil {
-		fmt.Println("failed to get attestation:", err)
 		return nil, "", err
 	}
 
diff --git a/pkg/atls/certificate_provider.go b/pkg/atls/certificate_provider.go
index 36aa7f7ad..3b246d0f8 100644
--- a/pkg/atls/certificate_provider.go
+++ b/pkg/atls/certificate_provider.go
@@ -90,9 +90,6 @@ func (p *attestedCertificateProvider) GetCertificate(clientHello *tls.ClientHell
 
 	attestationData, err := p.attestationProvider.Attest(pubKeyDER, nonce)
 	if err != nil {
-		fmt.Println("failed to get attestation:", err)
-		fmt.Println("Attestation data:", attestationData)
-		fmt.Println("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@))))))))))))))))))))))0000000000000000000000000000000000000000000ujuuuuuuuuuuuuuuuuuuuuuuuuuu")
 		return nil, fmt.Errorf("failed to get attestation: %w", err)
 	}
 
diff --git a/pkg/attestation/azure/snp.go b/pkg/attestation/azure/snp.go
index f727c96ed..8494303d1 100644
--- a/pkg/attestation/azure/snp.go
+++ b/pkg/attestation/azure/snp.go
@@ -42,7 +42,6 @@ func NewProvider() attestation.Provider {
 }
 
 func (a provider) Attestation(teeNonce []byte, vTpmNonce []byte) ([]byte, error) {
-	fmt.Println("Fetching Azure attestation token &&&&&&&&&&&&&&&&&&&&&")
 	var tokenNonce [vtpm.Nonce]byte
 	copy(tokenNonce[:], teeNonce)
 
@@ -64,12 +63,6 @@ func (a provider) Attestation(teeNonce []byte, vTpmNonce []byte) ([]byte, error)
 	quote.TeeAttestation = &attest.Attestation_SevSnpAttestation{
 		SevSnpAttestation: snpReport,
 	}
-	fmt.Println("SNP Report:", hex.EncodeToString(params.SNPReport))
-	fmt.Println("THUS FARRRRRR@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@")
-
-	fmt.Println()
-
-	fmt.Println("vTPM Quote:", quote.GetSevSnpAttestation())
 	return proto.Marshal(quote)
 }
 

From 7807e3811c2c504e7483647647910a0ae9ae24a0 Mon Sep 17 00:00:00 2001
From: WashingtonKK <washingtonkigan@gmail.com>
Date: Wed, 15 Oct 2025 12:23:14 +0300
Subject: [PATCH 3/3] remove debug logs

Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
---
 cmd/agent/main.go | 2 --
 1 file changed, 2 deletions(-)

diff --git a/cmd/agent/main.go b/cmd/agent/main.go
index 5d3a3c9b7..1b6b7d7de 100644
--- a/cmd/agent/main.go
+++ b/cmd/agent/main.go
@@ -159,7 +159,6 @@ func main() {
 	err = quoteprovider.FetchCertificates(uint(cfg.Vmpl))
 	if err != nil {
 		logger.Error(fmt.Sprintf("failed to fetch certificates: %s", err))
-		logger.Error("failed to fetch certificates, exiting")
 		exitCode = 1
 		return
 	}
@@ -218,7 +217,6 @@ func main() {
 	attest, certSerialNumber, err := attestationFromCert(ctx, cvmGrpcConfig.ClientCert, svc)
 	if err != nil {
 		logger.Error(fmt.Sprintf("failed to get attestation: %s", err))
-		logger.Error("attestation failed, exiting")
 		exitCode = 1
 		return
 	}