Fix agent handling of 403 registration responses

The agent was incorrectly interpreting 403 Forbidden responses from
the registrar as API version incompatibility errors. This caused two
problems:

1. The agent would try all enabled API versions, even though 403
   indicates a permanent security rejection (e.g., TPM identity
   mismatch during re-registration)

2. The agent would continue running after registration failure,
   making it appear operational when it was not properly registered

This issue became apparent with the Python keylime registrar security
fix for CVE-2025-13609 (duplicate UUID vulnerability), which returns
403 Forbidden when an agent attempts to re-register with a different
TPM identity. The Rust agent would misinterpret this as:
  "IncompatibleAPI: agent enabled versions = '[2.1, 2.2]',
   registrar supported versions = '[1.0, 2.0, 2.1, 2.2, 2.3, 2.4, 3.0]'"

The agent will now correctly fail fast when the registrar rejects
registration for security reasons, allowing proper error detection
in tests and production deployments.

Related: keylime/keylime#1820 (Python registrar UUID spoofing fix)
Signed-off-by: Sergio Arroutbi <[email protected]>

Author: sarroutbi

keylime-agent/src/main.rs

@@ -623,11 +623,11 @@ async fn main() -> Result<()> {
         ak_handle,
         retry_config: None,
     };
-    match keylime::agent_registration::register_agent(aa, &mut ctx).await {
-        Ok(()) => (),
-        Err(e) => {
-            error!("Failed to register agent: {e:?}");
-        }
+    if let Err(e) =
+        keylime::agent_registration::register_agent(aa, &mut ctx).await
+    {
+        error!("Failed to register agent: {e:?}");
+        std::process::exit(1);
     }
 
     let (mut payload_tx, mut payload_rx) =

keylime/src/registrar_client.rs

@@ -245,6 +245,10 @@ pub enum RegistrarClientError {
     #[error("Failed to register agent: received {code} from {addr}")]
     Registration { addr: String, code: u16 },
 
+    /// Registration forbidden - TPM identity mismatch or security rejection
+    #[error("Registration forbidden: {message}. This may indicate a TPM identity change or UUID spoofing attempt. The existing agent record must be deleted before re-registering with a different TPM.")]
+    RegistrationForbidden { message: String },
+
     /// Reqwest error
     #[error("Reqwest error: {0}")]
     Reqwest(#[from] reqwest::Error),
@@ -387,6 +391,16 @@ impl RegistrarClient {
         };
 
         if !resp.status().is_success() {
+            // Check if this is a 403 Forbidden - indicates security rejection
+            if resp.status() == StatusCode::FORBIDDEN {
+                let error_message = resp
+                    .text()
+                    .await
+                    .unwrap_or_else(|_| "Unknown error".to_string());
+                return Err(RegistrarClientError::RegistrationForbidden {
+                    message: error_message,
+                });
+            }
             return Err(RegistrarClientError::Registration {
                 addr,
                 code: resp.status().as_u16(),
@@ -438,6 +452,15 @@ impl RegistrarClient {
                 info!("Trying to register agent using API version {api_version}");
                 let r = self.try_register_agent(ai, api_version).await;
 
+                // Check if this is a security rejection (403 Forbidden)
+                // If so, return immediately - don't try other API versions
+                if let Err(RegistrarClientError::RegistrationForbidden {
+                    ..
+                }) = r
+                {
+                    return r;
+                }
+
                 // If successful, cache the API version for future requests
                 if r.is_ok() {
                     self.api_version = api_version.to_string();
@@ -458,6 +481,17 @@ impl RegistrarClient {
                         let r =
                             self.try_register_agent(ai, api_version).await;
 
+                        // Check if this is a security rejection (403 Forbidden)
+                        // If so, return immediately - don't try other API versions
+                        if let Err(
+                            RegistrarClientError::RegistrationForbidden {
+                                ..
+                            },
+                        ) = r
+                        {
+                            return r;
+                        }
+
                         // If successful, cache the API version for future requests
                         if r.is_ok() {
                             self.api_version = api_version.to_string();