ITA Attestation Fails – Missing tee-pubkey in claims

[acicfede]

Describe the bug

Description:

I'm attempting to set up Intel Trust Authority (ITA) attestation for Confidential Containers (CoCo) on OpenShift running on an Azure Confidential VM with TDX support.

I'm following the procedure described in the Trustee Operator documentation for ITA
(https://github.com/confidential-containers/trustee-operator/blob/main/docs/ita.md).

How to reproduce

During the attestation process, KBS fails with the following error:
[2025-07-10T17:42:38Z ERROR kbs::http::error] Received illegal attestation claims: Failed to find tee-pubkey in the attestation claims

CoCo version information

Trustee Operator: v0.2.0, Trustee image: quay.io/fidencio/trustee:v0.10.1.1,

What TEE are you seeing the problem on

Tdx

Failing command and relevant log output

[2025-07-10T17:42:37Z INFO  kbs::http::attest] Attest API called.
[2025-07-10T17:42:37Z INFO  kbs::attestation::intel_trust_authority] POST attestation request ...
[2025-07-10T17:42:38Z INFO  actix_web::middleware::logger] "POST /kbs/v0/attest HTTP/1.1" 200 7300 "-" "attestation-agent-kbs-client/0.1.0"
[2025-07-10T17:42:38Z ERROR kbs::http::error] Received illegal attestation claims: Failed to find `tee-pubkey` in the attestation claims
[2025-07-10T17:42:38Z INFO  actix_web::middleware::logger] "GET /kbs/v0/resource/default/security-policy/osc HTTP/1.1" 401 195 "-" "attestation-agent-kbs-client/0.1.0"

[fitzthum]

When using ITA I think the KBS expects to find the tee-pubkey at /attester_runtime_data/tee-pubkey or /attester_user_data/tee-pubkey. If you can get a hold of the attestation token, you can check if this field is there. You may be able to do this my increasing the RUST_LOG level.

Note that you are using a somewhat old version of the Trustee operator and seemingly a custom Trustee image. You may want to try with the latest upstream stuff assuming it will work with your version of OpenShift.

[mythi]

You may want to try with the latest upstream stuff assuming it will work with your version of OpenShift.

+1. This is the first step. Trustee kbs protocol implementation is able to adapt to ITA's tee-pubkey claim path in the token.

[acicfede]

Thanks for the clarification.
I tried updating the Trustee operator to version 0.3.0 and used the KBS image ghcr.io/confidential-containers/key-broker-service:ita-as-v0.13.0, but I encountered the following error:

[2025-07-14T15:15:11Z ERROR kbs::error] AttestationError(RcarAuthFailed { source: KBS Client Protocol Version Mismatch: expect =0.2.0 while the request is 0.1.1 })

Is there a more up-to-date guide or set of steps—based on the latest upstream releases—that I can follow to test this setup in my OpenShift environment?

Thanks in advance!

[mythi]

used the KBS image ghcr.io/confidential-containers/key-broker-service:ita-as-v0.13.0, but I encountered the following error:

try ita-as-v0.11.0 image.