# Renew Attestation Policy After Measurement Mismatch

### Identifying the Problem

A failed attestation event looks like this:

```json
{
  "Success": false,
  "Message": "verify: gcp-sev-snp-raw: measurement did not match, found: 12068361...6a3a5, expected: 7a5ed176...2434e",
  "Instance": "1f96b38e-331b-49dc-bcf8-342480abcafe",
  "resourceModel": "Virtual-machine"
}
```

The key fields:

* **`Success: false`** — attestation verification failed.
* **`Message`** — contains both the `found` (actual) measurement and the `expected` measurement currently stored in Vault.
* **`Provider`** — the attestation provider; in the event above it appears as the `gcp-sev-snp-raw` prefix of `Message` (other values include `azure-sev-snp-vtpm` and `aws-sev-snp-raw`).

### Understanding `createPolicy.js`

The script `scripts/common/vault/createPolicy.js` is used to **create or update** the trusted attestation appraisal policy in Vault. It defines the "golden" measurements that Vault uses to verify a VM when it requests attestation.

Running this script with the new measurement effectively **renews the attestation baseline** that all future VMs of that configuration will be verified against.

#### What the Script Does

1. **Validates** the provided cloud provider (`-cp`) and measurement (`-mt`) arguments.
2. **Connects** to Vault and the database.
3. **Gathers** current policy names from the database and Vault.
4. **Parses** the `-name` argument to derive the firmware identity name.
5. **Prompts** for confirmation before making changes.
6. **Updates Vault**:
   * Creates (or overwrites) a **firmware identity** containing the new measurement.
   * Creates (or overwrites) the **appraisal policy** linking to the firmware identity and the correct hardware trust path based on the cloud provider.

#### Trust Path Mapping

| Cloud Provider | Hardware Trust Path      |
| -------------- | ------------------------ |
| Azure          | `AMD_SEV_SNP_MILAN_VCEK` |
| GCP            | `AMD_SEV_SNP_MILAN_VCEK` |
| AWS            | `AMD_SEV_SNP_MILAN_VLEK` |

### Usage

#### Parameters

| Flag    | Description                                         | Example                     |
| ------- | --------------------------------------------------- | --------------------------- |
| `-cp`   | Cloud provider name                                 | `AZURE`, `AWS`, `GCP`       |
| `-mt`   | The new firmware measurement hash                   | `12068361369cf917...`       |
| `-name` | Full policy identifier: `[provider]_[size]_[image]` | `gcp_n2d-standard-2_ubuntu` |

#### Example: Renewing a GCP Policy

Given this failed attestation:

```
found:    12068361369cf9179bb6ac08572b7e15ed0bc8abb698cb04d4f584f7ff512a4c2081c1f5b105351dbd45c035a7d6a3a5
expected: 7a5ed176bad8a9ff02cebb94b24b076a0b1905042a85d9fca7670d3a3ff466db3b1c2b76f8eca888f8d806d2ec92434e
```

Run the following to update Vault with the new measurement:

```bash
node scripts/common/vault/createPolicy.js \
  -cp=GCP \
  -mt=12068361369cf9179bb6ac08572b7e15ed0bc8abb698cb04d4f584f7ff512a4c2081c1f5b105351dbd45c035a7d6a3a5 \
  -name=gcp_n2d-standard-2_ubuntu
```

The script will prompt you to type `y` to confirm.

#### Example: Renewing an Azure Policy

```bash
node scripts/common/vault/createPolicy.js \
  -cp=AZURE \
  -mt=<new-measurement-hash> \
  -name=azure_standard-dc4as-v5_ubuntu
```

#### Example: Renewing an AWS Policy

```bash
node scripts/common/vault/createPolicy.js \
  -cp=AWS \
  -mt=<new-measurement-hash> \
  -name=aws_m6a-large_ubuntu
```

### After Renewal

Once the policy is updated in Vault, the VM's next attestation cycle will use the new expected measurement. No VM restart is required — the attestation will succeed on the next scheduled check.

### Important Notes

* The `-name` must match the existing policy name exactly. Use the format `[provider]_[size]_[image]`.
* This script updates the **policy for all VMs** of that provider/size/image combination, not just a single VM instance.
* Always verify the new measurement is legitimate (e.g., from a known firmware update) before accepting it into Vault.
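As an added example (not part of the enclaive documentation or of `createPolicy.js` itself), the following Node.js helper turns a failed attestation event into a reviewed `createPolicy.js` invocation: it parses the provider and both measurements out of `Message`, rejects the truncated form shown in event logs and anything that is not a full 96-hex SHA-384 digest, refuses measurements not on a known-good firmware list, and maps the provider to its trust path from the table above. The size/image values and the known-good list are constructed placeholders.

```javascript
// Added example: not part of the enclaive docs or of createPolicy.js itself.
// Assumptions: -name is [provider]_[size]_[image] as documented; the size,
// image and known-good list passed in by the caller are placeholders.
const TRUST_PATH = { // from the Trust Path Mapping table
  AZURE: 'AMD_SEV_SNP_MILAN_VCEK',
  GCP: 'AMD_SEV_SNP_MILAN_VCEK',
  AWS: 'AMD_SEV_SNP_MILAN_VLEK',
};
// A SEV-SNP launch measurement is a SHA-384 digest: 48 bytes = 96 hex chars.
const MEASUREMENT_RE = /^[0-9a-f]{96}$/i;

// Extract provider, found and expected measurement from the event Message.
function parseFailure(event) {
  if (!event || event.Success !== false) return null;
  const m = /^verify: ([a-z0-9-]+): measurement did not match, found: ([^,\s]+), expected: (\S+)$/
    .exec(event.Message || '');
  if (!m) return null;
  // "gcp-sev-snp-raw" -> "GCP", the value createPolicy.js expects for -cp
  return { provider: m[1].split('-')[0].toUpperCase(), found: m[2], expected: m[3] };
}

// Decide whether the found measurement may become the new baseline.
// knownGood stands in for "a measurement published with a firmware update".
function planRenewal(event, knownGood, size, image) {
  const f = parseFailure(event);
  if (!f) return { ok: false, reason: 'not a measurement-mismatch event' };
  if (!TRUST_PATH[f.provider]) return { ok: false, reason: `unknown provider ${f.provider}` };
  if (f.found.includes('...'))
    return { ok: false, reason: 'Message is truncated; take the full measurement from the verifier output' };
  if (!MEASUREMENT_RE.test(f.found))
    return { ok: false, reason: 'found measurement is not a 96-hex SHA-384 digest' };
  if (!knownGood.some((k) => k.toLowerCase() === f.found.toLowerCase()))
    return { ok: false, reason: 'measurement not on the known-good list; investigate before renewing' };
  const name = `${f.provider.toLowerCase()}_${size}_${image}`;
  return {
    ok: true,
    trustPath: TRUST_PATH[f.provider],
    command: `node scripts/common/vault/createPolicy.js -cp=${f.provider} -mt=${f.found} -name=${name}`,
  };
}

// Constructed sample event using the page's measurements written out in full.
const FOUND = '12068361369cf9179bb6ac08572b7e15ed0bc8abb698cb04d4f584f7ff512a4c2081c1f5b105351dbd45c035a7d6a3a5';
const EXPECTED = '7a5ed176bad8a9ff02cebb94b24b076a0b1905042a85d9fca7670d3a3ff466db3b1c2b76f8eca888f8d806d2ec92434e';
const SAMPLE_EVENT = {
  Success: false,
  Message: `verify: gcp-sev-snp-raw: measurement did not match, found: ${FOUND}, expected: ${EXPECTED}`,
  Instance: '1f96b38e-331b-49dc-bcf8-342480abcafe',
  resourceModel: 'Virtual-machine',
};
```

Calling `planRenewal(SAMPLE_EVENT, [FOUND], 'n2d-standard-2', 'ubuntu')` yields the exact command line from the GCP example above; with an empty known-good list it returns a refusal instead.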

