AMD SEV-SNP Attestation: Establishing Trust in Guests
Conference: Linux Security Summit Europe 2022
2022-09-15
Authors: Jeremy Powell
Summary
The presentation discusses attestation in a confidential computing environment and the threats around misconfiguring the platform and guest on its launch. It covers platform measurements, guest measurements, authenticity of attestation reports, and connecting the dots between different components.
- Attestation is necessary to delegate security decisions to a remote relying party
- The trusted computing base for a guest running an SP starts at the hardware root of trust
- The TCB version is reported in the attestation report for the identity of the mutable firmware
- Guest measurements include image, metadata, and runtime environment
- Authenticity of attestation reports can be determined by comparing the report ID of the migration agent
- Connecting the dots between different components involves chaining trust from a small kernel bootloader to the rest of the system
Abstract
In a confidential compute environment, the untrusted hypervisor controls the configuration of the platform and the launch of the secure guest. Guests VMs that run in the confidential compute environment constructed by AMD SEV Secure Nested Paging (AMD SEV-SNP) can retrieve a signed document, called an attestation report, that contains measurements and configuration information of both the platform and the guest. Relying parties can use the attestation report to establish trust with the guest before granting access to secrets and sensitive resources to a guest. This talk will explain how attestation works in SEV-SNP, how attestation reports can be securely verified, and how attestation can fit into the Linux guest boot flow.
Materials: