keylime/rust-keylime

Rust agent API bump breaks ongoing attestation

ansasaki opened this issue · 3 comments

If the user updates an agent that was deployed using an older version of the agent (< v0.2.2), it will fail attestation after the update to a newer version (v0.2.2+).

This happens because the verifier will try to reach the agent using the API version it was registered with (2.0), but the new agent will reject the request because the minimum version is now 2.1.

To reproduce:

  • Add an old agent (<v0.2.2) to a verifier
  • Without deleting it with the tenant, update the agent to a newer version (v0.2.2+)

The agent will fail attestation. The log will show something like:

> GET returning 400 response. API version not supported: v2.0

Suggested solution: the agent should accept requests that use older supported versions.

Or maybe the verifier could start using the API version newly supported by the agent.

THS-on commented

@kkaarreell I would try to auto-upgrade the API version in the verifier.

Currently the contract is rather simple: the agent uses one API version and the server side (verifier/tenant/registrar) accepts a range of versions. Adding multiple API versions on the agent again could make that more complicated.

Fixed through keylime/keylime#1459 on the Python keylime side.
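
The verifier-side auto-upgrade discussed in this thread, as an added sketch that is not part of the issue and is not the code from keylime/keylime#1459. All names are hypothetical; it assumes the verifier already knows the version the agent currently serves (`agent_reported`), that the server side accepts 2.0 through 2.1, and it adds a refuse-downgrade policy of its own.

```python
# Added illustration; not keylime's code. All names here are hypothetical.
VERIFIER_SUPPORTED = ("2.0", "2.1")  # assumed range accepted by the server side


def parse(version):
    """'v2.1' or '2.1' -> (2, 1) so versions compare numerically."""
    major, minor = version.lstrip("v").split(".")
    return int(major), int(minor)


class SimulatedAgent:
    """Stand-in for an agent that serves exactly one API version."""

    def __init__(self, api_version):
        self.api_version = api_version

    def get(self, requested):
        if parse(requested) != parse(self.api_version):
            return 400, f"API version not supported: v{requested}"
        return 200, "quote"


def choose_version(registered, agent_reported, supported=VERIFIER_SUPPORTED):
    """Return the version the verifier should store and use from now on."""
    if parse(agent_reported) not in {parse(v) for v in supported}:
        raise ValueError(f"agent version {agent_reported} outside supported range")
    if parse(agent_reported) < parse(registered):
        # Policy of this sketch: never follow the agent to an older API
        # than the one it was registered with.
        raise ValueError("refusing API version downgrade")
    return agent_reported


def attest(agent, registered, agent_reported):
    """Try the stored version first; on a 400, upgrade once and retry."""
    status, _ = agent.get(registered)
    if status == 200:
        return registered, status
    upgraded = choose_version(registered, agent_reported)
    status, _ = agent.get(upgraded)
    return upgraded, status
```
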