Merge pull request #334 from mkulke/mkulke/add-pcrs-to-vtpm-claim

az-snp/tdx-vtpm-verifier: add PCRs to claims map

attestation-service/docs/parsed_claims.md

@@ -72,3 +72,19 @@ The following fields always exist.
 - `sgx.body.reserved4`: Reserved.
 - `sgx.body.isv_family_id`: ISV assigned Family ID.
 - `sgx.body.report_data`: Data provided by the user.
+
+## Azure TDX Confidential VM (az-tdx-vtpm)
+
+The claim inherit the fields from the TDX claim with and additional `tpm` hierarchy in which the TEE's PCR values are stored:
+
+- `tpm.pcr{01,..,n}`: SHA256 PCR registers for the TEE's vTPM quote.
+
+Note: The TD Report and TD Quote are fetched during early boot in this TEE. Kernel, Initrd and rootfs are measured into the vTPM's registers.
+
+## Azure SEV-SNP Confidential VM (az-snp-vtpm)
+
+The claim inherit the fields from the SEV-SNP claim with and additional `tpm` hierarchy in which the TEE's PCR values are stored:
+
+- `tpm.pcr{01,..,n}`: SHA256 PCR registers for the TEE's vTPM quote.
+
+Note: The TD Report and TD Quote are fetched during early boot in this TEE. Kernel, Initrd and rootfs are measured into the vTPM's registers.

attestation-service/verifier/Cargo.toml

@@ -18,8 +18,8 @@ cca-verifier = [ "ear", "jsonwebtoken", "veraison-apiclient" ]
 anyhow.workspace = true
 asn1-rs = { version = "0.5.1", optional = true }
 async-trait.workspace = true
-az-snp-vtpm = { version = "0.5.1", default-features = false, features = ["verifier"], optional = true }
-az-tdx-vtpm = { version = "0.5.1", default-features = false, features = ["verifier"], optional = true }
+az-snp-vtpm = { version = "0.5.2", default-features = false, features = ["verifier"], optional = true }
+az-tdx-vtpm = { version = "0.5.2", default-features = false, features = ["verifier"], optional = true }
 base64 = "0.21"
 bincode = "1.3.3"
 byteorder = "1"

attestation-service/verifier/src/az_snp_vtpm/mod.rs

@@ -18,6 +18,7 @@ use az_snp_vtpm::vtpm::Quote;
 use log::{debug, warn};
 use openssl::pkey::PKey;
 use serde::{Deserialize, Serialize};
+use serde_json::Value;
 use sev::firmware::host::{CertTableEntry, CertType};
 
 const HCL_VMPL_VALUE: u32 = 0;
@@ -43,6 +44,24 @@ impl AzSnpVtpm {
     }
 }
 
+pub(crate) fn extend_claim_with_tpm_quote(
+    claim: &mut TeeEvidenceParsedClaim,
+    quote: &Quote,
+) -> Result<()> {
+    let Value::Object(ref mut map) = claim else {
+        bail!("failed to extend the claim, not an object");
+    };
+
+    let mut tpm_values = serde_json::Map::new();
+    for (i, pcr) in quote.pcrs_sha256().enumerate() {
+        tpm_values.insert(format!("pcr{:02}", i), Value::String(hex::encode(pcr)));
+    }
+    debug!("extending claim with TPM quote: {:#?}", tpm_values);
+    map.insert("tpm".to_string(), Value::Object(tpm_values));
+
+    Ok(())
+}
+
 #[async_trait]
 impl Verifier for AzSnpVtpm {
     /// The following verification steps are performed:
@@ -83,7 +102,9 @@ impl Verifier for AzSnpVtpm {
         let vcek = Vcek::from_pem(&evidence.vcek)?;
         verify_snp_report(&snp_report, &vcek, &self.vendor_certs)?;
 
-        let claim = parse_tee_evidence(&snp_report);
+        let mut claim = parse_tee_evidence(&snp_report);
+        extend_claim_with_tpm_quote(&mut claim, &evidence.quote)?;
+
         Ok(claim)
     }
 }
@@ -145,9 +166,10 @@ fn verify_snp_report(
 mod tests {
     use super::*;
     use az_snp_vtpm::vtpm::VerifyError;
+    use serde_json::json;
 
     const REPORT: &[u8; 2600] = include_bytes!("../../test_data/az-snp-vtpm/hcl-report.bin");
-    const QUOTE: &[u8; 1362] = include_bytes!("../../test_data/az-snp-vtpm/quote.bin");
+    const QUOTE: &[u8; 1170] = include_bytes!("../../test_data/az-snp-vtpm/quote.bin");
     const REPORT_DATA: &[u8] = "challenge".as_bytes();
 
     #[test]
@@ -273,4 +295,22 @@ mod tests {
             VerifyError::PcrMismatch.to_string()
         );
     }
+
+    #[test]
+    fn test_extend_claim_with_tpm_quote() {
+        let mut claim = json!({"some": "thing"});
+        let quote: Quote = bincode::deserialize(QUOTE).unwrap();
+        extend_claim_with_tpm_quote(&mut claim, &quote).unwrap();
+
+        let map = claim.as_object().unwrap();
+        assert_eq!(map.len(), 2);
+        let tpm_map = map.get("tpm").unwrap().as_object().unwrap();
+        assert_eq!(tpm_map.len(), 24);
+
+        for (i, pcr) in quote.pcrs_sha256().enumerate() {
+            let key = format!("pcr{:02}", i);
+            let value = tpm_map.get(&key).unwrap().as_str().unwrap();
+            assert_eq!(value, hex::encode(pcr));
+        }
+    }
 }

attestation-service/verifier/src/az_tdx_vtpm/mod.rs

@@ -3,6 +3,7 @@
 // SPDX-License-Identifier: Apache-2.0
 //
 
+use super::az_snp_vtpm::extend_claim_with_tpm_quote;
 use super::tdx::claims::generate_parsed_claim;
 use super::tdx::quote::{ecdsa_quote_verification, parse_tdx_quote, Quote as TdQuote};
 use super::{TeeEvidenceParsedClaim, Verifier};
@@ -62,7 +63,9 @@ impl Verifier for AzTdxVtpm {
 
         verify_hcl_var_data(&hcl_report, &td_quote)?;
 
-        let claim = generate_parsed_claim(td_quote, None)?;
+        let mut claim = generate_parsed_claim(td_quote, None)?;
+        extend_claim_with_tpm_quote(&mut claim, &evidence.tpm_quote)?;
+
         Ok(claim)
     }
 }
@@ -111,7 +114,7 @@ mod tests {
     use az_tdx_vtpm::vtpm::VerifyError;
 
     const REPORT: &[u8; 2600] = include_bytes!("../../test_data/az-tdx-vtpm/hcl-report.bin");
-    const QUOTE: &[u8; 1362] = include_bytes!("../../test_data/az-tdx-vtpm/quote.bin");
+    const QUOTE: &[u8; 1170] = include_bytes!("../../test_data/az-tdx-vtpm/quote.bin");
     const TD_QUOTE: &[u8; 5006] = include_bytes!("../../test_data/az-tdx-vtpm/td-quote.bin");
 
     #[test]

attestation-service/verifier/src/snp/mod.rs

@@ -112,7 +112,9 @@ impl Verifier for Snp {
             }
         }
 
-        Ok(parse_tee_evidence(&report))
+        let claims_map = parse_tee_evidence(&report);
+        let json = json!(claims_map);
+        Ok(json)
     }
 }
 

attestation-service/verifier/test_data/az-snp-vtpm/vcek.pem

@@ -3,29 +3,105 @@ MIIFTDCCAvugAwIBAgIBADBGBgkqhkiG9w0BAQowOaAPMA0GCWCGSAFlAwQCAgUA
 oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAgUAogMCATCjAwIBATB7MRQwEgYD
 VQQLDAtFbmdpbmVlcmluZzELMAkGA1UEBhMCVVMxFDASBgNVBAcMC1NhbnRhIENs
 YXJhMQswCQYDVQQIDAJDQTEfMB0GA1UECgwWQWR2YW5jZWQgTWljcm8gRGV2aWNl
-czESMBAGA1UEAwwJU0VWLU1pbGFuMB4XDTIzMDEwMTA1MzExOFoXDTMwMDEwMTA1
-MzExOFowejEUMBIGA1UECwwLRW5naW5lZXJpbmcxCzAJBgNVBAYTAlVTMRQwEgYD
+czESMBAGA1UEAwwJU0VWLU1pbGFuMB4XDTIzMDUwMjIxMjIxOVoXDTMwMDUwMjIx
+MjIxOVowejEUMBIGA1UECwwLRW5naW5lZXJpbmcxCzAJBgNVBAYTAlVTMRQwEgYD
 VQQHDAtTYW50YSBDbGFyYTELMAkGA1UECAwCQ0ExHzAdBgNVBAoMFkFkdmFuY2Vk
 IE1pY3JvIERldmljZXMxETAPBgNVBAMMCFNFVi1WQ0VLMHYwEAYHKoZIzj0CAQYF
-K4EEACIDYgAEP3PCTk5P1qVUrvZPD+Motv8TNuSxJs5IR21EHLVk7HKQ3bNFknCc
-mwE4ldVb27hjHGpizC9Oom6HHfa7XjX+3P+77N217Tn8/u2MUWhlv7koTxe/xwuV
-Xn07DiWV7ZSKo4IBFjCCARIwEAYJKwYBBAGceAEBBAMCAQAwFwYJKwYBBAGceAEC
+K4EEACIDYgAE53roqP63VFYieePXcG6qPLq8m9pLUrvFe4V3RUMfTwPmAMBILaXW
+3jNzcaPfj8bz9ZgtTRaIHPW5hPuro1OO1rM+dYI6N11Xtjqadw78qxcPdOUQMkjY
+y6q5pqga5xj9o4IBFjCCARIwEAYJKwYBBAGceAEBBAMCAQAwFwYJKwYBBAGceAEC
 BAoWCE1pbGFuLUIwMBEGCisGAQQBnHgBAwEEAwIBAzARBgorBgEEAZx4AQMCBAMC
 AQAwEQYKKwYBBAGceAEDBAQDAgEAMBEGCisGAQQBnHgBAwUEAwIBADARBgorBgEE
 AZx4AQMGBAMCAQAwEQYKKwYBBAGceAEDBwQDAgEAMBEGCisGAQQBnHgBAwMEAwIB
-CDARBgorBgEEAZx4AQMIBAMCAXMwTQYJKwYBBAGceAEEBEA6dUWWsrgPLlF2yq6v
-VEvZSbse/BceAuFyGwp2fd/Jn04lmNJXQQtXEr6LTctPmYOLymx50lAmx2rwnxl5
-gvA8MEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAICBQChHDAaBgkqhkiG9w0B
-AQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBA4ICAQA3s4HR1ZshYd/PeYXfiuLV
-kmTCWm+OBd9HVM0hXcNv2KWxRzmG7lBzNKfk71DLqsjOYK5uAS0Jdad9iSbJS6F9
-nQNL1O7/n8M3K6OYa1SYFubU1tXJjRL3Bzx/rcL1w6sGQIeXwDXNjxyPO433YbIW
-oQ6VuUj5AeTLlp3hChfrQ0Nkj3DbfsmDmSL4F0vsSq629YxQ6XTT+tIT897iMMVI
-IMUeJ4O7wxcMnoKoNbM+dTmKrkDm4/FdqYpsT2ziPD9FcTcMud0qZGy8YmUCa9cV
-/g7xKrDfRe8A8FDe1iFAVJ62xhS7GiOx/F2Gd/oEHto9dwE4/OVRmZlFy1njlxZt
-3Dd6W8z0TLmiyHngApx8VMJHNuf4+UeiDYkWo14ZzGlsMKHweGQhy/bRbkIpjNB/
-fUZsn404ZxV8+mbTdeMftIUAofDHryPq2/K4FZB6IucEil9S/dejUerlAlDn+uq/
-TT/FatsAv8gMnTHNB2/GRDRuiLf5bqRGXFRelV8K0edfoxxvW8JjiK2h6bsQf4aA
-JPH53P1GFWvEu9zOsGTldzOIvcPdykMFxhssRryI4YTTwAg6BPpXM83kdnGCEPgU
-pNO5zaEImuqtrxdmOZt8qGxyQ2DYgwS0QC8srEIxBtM9eBSJAodvgUiovwACF4+w
-5CU3rQt0CzyWLJop7k8GMw==
+CDARBgorBgEEAZx4AQMIBAMCAXMwTQYJKwYBBAGceAEEBEAZdSpEfbUBoyreRkKK
+RukmOb01Fdu0Xi5nu8sJNP/PHz48AEzLSpnJ+n5P+wnaazJKxYrO2vZ58kun21+D
+jGzKMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAICBQChHDAaBgkqhkiG9w0B
+AQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBA4ICAQCJk1WMW74Z9cOTBpgetdgb
+fNHAmUKPwJIsOAWVlM/8dciPWcKdWc5VB7fy8bpOqCc95/RbUKFdT3cezjZ8Ukmo
+mQh7ALdiuSvBVh2RVGVAJW9/xuIQTB09jJO2izL03vHy6ojrUBohyLUJI1Qajheu
+6YjlZ2sL4xkvzMGqvKInqXYGEqMDrqgCIEFQ63Si1HWIi/ms3DPW+kZZNQVzAFCk
+dDxMAaApAbBJNww28bCSHrkgnQdwrRzUlM38truqV/g0ItThiAzBWE7asBggRHxA
+lHu53ECo4uZ0k9v3lD6NQ6lldnl0nM31rbry1rQlJqseyvWqDq4+/+LksBqdfsud
+hDP1SdeRD7YzBziTn5Tr/XY+Vg+GxMfUNE2E0XW3FJMLGd8AnGIipRN67BmDQuY7
+oVeWF1ZJ0Gk+d3fbCuJ5lYECcBBq8zKje9u/zX1UaSwgi11RMkKB4pfBmLrGPppz
+q/s5rx4x2+HrHyHLvpLeQaxWzMe0ZaF5XBYi5ujsOci550cl4x6mjb/grUucurSc
+cjl0NTQeyL5L7cpNTp450U9p7+EVRRxx2kufc1EbcDyZ5pwlnqApcgLX5ajF51im
+LikpLkCNCWdu5QNKFXquJkNSCaocE56djP1CwqirfeRuHvj7NpVA6QRJ8TFdjWV/
+J7rtq64Z//EpcDJ1B/c7PA==
 -----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+MIIGiTCCBDigAwIBAgIDAQABMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAIC
+BQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBMHsxFDAS
+BgNVBAsMC0VuZ2luZWVyaW5nMQswCQYDVQQGEwJVUzEUMBIGA1UEBwwLU2FudGEg
+Q2xhcmExCzAJBgNVBAgMAkNBMR8wHQYDVQQKDBZBZHZhbmNlZCBNaWNybyBEZXZp
+Y2VzMRIwEAYDVQQDDAlBUkstTWlsYW4wHhcNMjAxMDIyMTgyNDIwWhcNNDUxMDIy
+MTgyNDIwWjB7MRQwEgYDVQQLDAtFbmdpbmVlcmluZzELMAkGA1UEBhMCVVMxFDAS
+BgNVBAcMC1NhbnRhIENsYXJhMQswCQYDVQQIDAJDQTEfMB0GA1UECgwWQWR2YW5j
+ZWQgTWljcm8gRGV2aWNlczESMBAGA1UEAwwJU0VWLU1pbGFuMIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEAnU2drrNTfbhNQIllf+W2y+ROCbSzId1aKZft
+2T9zjZQOzjGccl17i1mIKWl7NTcB0VYXt3JxZSzOZjsjLNVAEN2MGj9TiedL+Qew
+KZX0JmQEuYjm+WKksLtxgdLp9E7EZNwNDqV1r0qRP5tB8OWkyQbIdLeu4aCz7j/S
+l1FkBytev9sbFGzt7cwnjzi9m7noqsk+uRVBp3+In35QPdcj8YflEmnHBNvuUDJh
+LCJMW8KOjP6++Phbs3iCitJcANEtW4qTNFoKW3CHlbcSCjTM8KsNbUx3A8ek5EVL
+jZWH1pt9E3TfpR6XyfQKnY6kl5aEIPwdW3eFYaqCFPrIo9pQT6WuDSP4JCYJbZne
+KKIbZjzXkJt3NQG32EukYImBb9SCkm9+fS5LZFg9ojzubMX3+NkBoSXI7OPvnHMx
+jup9mw5se6QUV7GqpCA2TNypolmuQ+cAaxV7JqHE8dl9pWf+Y3arb+9iiFCwFt4l
+AlJw5D0CTRTC1Y5YWFDBCrA/vGnmTnqG8C+jjUAS7cjjR8q4OPhyDmJRPnaC/ZG5
+uP0K0z6GoO/3uen9wqshCuHegLTpOeHEJRKrQFr4PVIwVOB0+ebO5FgoyOw43nyF
+D5UKBDxEB4BKo/0uAiKHLRvvgLbORbU8KARIs1EoqEjmF8UtrmQWV2hUjwzqwvHF
+ei8rPxMCAwEAAaOBozCBoDAdBgNVHQ4EFgQUO8ZuGCrD/T1iZEib47dHLLT8v/gw
+HwYDVR0jBBgwFoAUhawa0UP3yKxV1MUdQUir1XhK1FMwEgYDVR0TAQH/BAgwBgEB
+/wIBADAOBgNVHQ8BAf8EBAMCAQQwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cHM6Ly9r
+ZHNpbnRmLmFtZC5jb20vdmNlay92MS9NaWxhbi9jcmwwRgYJKoZIhvcNAQEKMDmg
+DzANBglghkgBZQMEAgIFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgIFAKID
+AgEwowMCAQEDggIBAIgeUQScAf3lDYqgWU1VtlDbmIN8S2dC5kmQzsZ/HtAjQnLE
+PI1jh3gJbLxL6gf3K8jxctzOWnkYcbdfMOOr28KT35IaAR20rekKRFptTHhe+DFr
+3AFzZLDD7cWK29/GpPitPJDKCvI7A4Ug06rk7J0zBe1fz/qe4i2/F12rvfwCGYhc
+RxPy7QF3q8fR6GCJdB1UQ5SlwCjFxD4uezURztIlIAjMkt7DFvKRh+2zK+5plVGG
+FsjDJtMz2ud9y0pvOE4j3dH5IW9jGxaSGStqNrabnnpF236ETr1/a43b8FFKL5QN
+mt8Vr9xnXRpznqCRvqjr+kVrb6dlfuTlliXeQTMlBoRWFJORL8AcBJxGZ4K2mXft
+l1jU5TLeh5KXL9NW7a/qAOIUs2FiOhqrtzAhJRg9Ij8QkQ9Pk+cKGzw6El3T3kFr
+Eg6zkxmvMuabZOsdKfRkWfhH2ZKcTlDfmH1H0zq0Q2bG3uvaVdiCtFY1LlWyB38J
+S2fNsR/Py6t5brEJCFNvzaDky6KeC4ion/cVgUai7zzS3bGQWzKDKU35SqNU2WkP
+I8xCZ00WtIiKKFnXWUQxvlKmmgZBIYPe01zD0N8atFxmWiSnfJl690B9rJpNR/fI
+ajxCW3Seiws6r1Zm+tCuVbMiNtpS9ThjNX4uve5thyfE2DgoxRFvY1CsoF5M
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIGYzCCBBKgAwIBAgIDAQAAMEYGCSqGSIb3DQEBCjA5oA8wDQYJYIZIAWUDBAIC
+BQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAICBQCiAwIBMKMDAgEBMHsxFDAS
+BgNVBAsMC0VuZ2luZWVyaW5nMQswCQYDVQQGEwJVUzEUMBIGA1UEBwwLU2FudGEg
+Q2xhcmExCzAJBgNVBAgMAkNBMR8wHQYDVQQKDBZBZHZhbmNlZCBNaWNybyBEZXZp
+Y2VzMRIwEAYDVQQDDAlBUkstTWlsYW4wHhcNMjAxMDIyMTcyMzA1WhcNNDUxMDIy
+MTcyMzA1WjB7MRQwEgYDVQQLDAtFbmdpbmVlcmluZzELMAkGA1UEBhMCVVMxFDAS
+BgNVBAcMC1NhbnRhIENsYXJhMQswCQYDVQQIDAJDQTEfMB0GA1UECgwWQWR2YW5j
+ZWQgTWljcm8gRGV2aWNlczESMBAGA1UEAwwJQVJLLU1pbGFuMIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEA0Ld52RJOdeiJlqK2JdsVmD7FktuotWwX1fNg
+W41XY9Xz1HEhSUmhLz9Cu9DHRlvgJSNxbeYYsnJfvyjx1MfU0V5tkKiU1EesNFta
+1kTA0szNisdYc9isqk7mXT5+KfGRbfc4V/9zRIcE8jlHN61S1ju8X93+6dxDUrG2
+SzxqJ4BhqyYmUDruPXJSX4vUc01P7j98MpqOS95rORdGHeI52Naz5m2B+O+vjsC0
+60d37jY9LFeuOP4Meri8qgfi2S5kKqg/aF6aPtuAZQVR7u3KFYXP59XmJgtcog05
+gmI0T/OitLhuzVvpZcLph0odh/1IPXqx3+MnjD97A7fXpqGd/y8KxX7jksTEzAOg
+bKAeam3lm+3yKIcTYMlsRMXPcjNbIvmsBykD//xSniusuHBkgnlENEWx1UcbQQrs
++gVDkuVPhsnzIRNgYvM48Y+7LGiJYnrmE8xcrexekBxrva2V9TJQqnN3Q53kt5vi
+Qi3+gCfmkwC0F0tirIZbLkXPrPwzZ0M9eNxhIySb2npJfgnqz55I0u33wh4r0ZNQ
+eTGfw03MBUtyuzGesGkcw+loqMaq1qR4tjGbPYxCvpCq7+OgpCCoMNit2uLo9M18
+fHz10lOMT8nWAUvRZFzteXCm+7PHdYPlmQwUw3LvenJ/ILXoQPHfbkH0CyPfhl1j
+WhJFZasCAwEAAaN+MHwwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSFrBrRQ/fI
+rFXUxR1BSKvVeErUUzAPBgNVHRMBAf8EBTADAQH/MDoGA1UdHwQzMDEwL6AtoCuG
+KWh0dHBzOi8va2RzaW50Zi5hbWQuY29tL3ZjZWsvdjEvTWlsYW4vY3JsMEYGCSqG
+SIb3DQEBCjA5oA8wDQYJYIZIAWUDBAICBQChHDAaBgkqhkiG9w0BAQgwDQYJYIZI
+AWUDBAICBQCiAwIBMKMDAgEBA4ICAQC6m0kDp6zv4Ojfgy+zleehsx6ol0ocgVel
+ETobpx+EuCsqVFRPK1jZ1sp/lyd9+0fQ0r66n7kagRk4Ca39g66WGTJMeJdqYriw
+STjjDCKVPSesWXYPVAyDhmP5n2v+BYipZWhpvqpaiO+EGK5IBP+578QeW/sSokrK
+dHaLAxG2LhZxj9aF73fqC7OAJZ5aPonw4RE299FVarh1Tx2eT3wSgkDgutCTB1Yq
+zT5DuwvAe+co2CIVIzMDamYuSFjPN0BCgojl7V+bTou7dMsqIu/TW/rPCX9/EUcp
+KGKqPQ3P+N9r1hjEFY1plBg93t53OOo49GNI+V1zvXPLI6xIFVsh+mto2RtgEX/e
+pmMKTNN6psW88qg7c1hTWtN6MbRuQ0vm+O+/2tKBF2h8THb94OvvHHoFDpbCELlq
+HnIYhxy0YKXGyaW1NjfULxrrmxVW4wcn5E8GddmvNa6yYm8scJagEi13mhGu4Jqh
+3QU3sf8iUSUr09xQDwHtOQUVIqx4maBZPBtSMf+qUDtjXSSq8lfWcd8bLr9mdsUn
+JZJ0+tuPMKmBnSH860llKk+VpVQsgqbzDIvOLvD6W1Umq25boxCYJ+TuBoa4s+HH
+CViAvgT9kf/rBq1d+ivj6skkHxuzcxbk1xv6ZGxrteJxVH7KlX7YRdZ6eARKwLe4
+AFZEAwoKCQ==
+-----END CERTIFICATE-----
+

kbs/tools/client/Cargo.toml

@@ -18,7 +18,7 @@ base64.workspace = true
 clap = { version = "4.0.29", features = ["derive"] }
 env_logger.workspace = true
 jwt-simple = "0.11.4"
-kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", rev = "8b0dbeb", default-features = false }
+kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", rev = "21b2c536b4d6c5c1442b53916c908b54dde136e8", default-features = false }
 log.workspace = true
 reqwest = { version = "0.11.18", default-features = false, features = ["cookies", "json"] }
 serde = { version = "1.0", features = ["derive"] }