logo

AMD SEV-SNP Attestation: Establishing Trust in Guests

2022-09-15

Authors:   Jeremy Powell


Summary

The presentation discusses attestation in a confidential computing environment and the threats around misconfiguring the platform and guest on its launch. It covers platform measurements, guest measurements, authenticity of attestation reports, and connecting the dots between different components.
  • Attestation is necessary to delegate security decisions to a remote relying party
  • The trusted computing base for a guest running an SP starts at the hardware root of trust
  • The TCB version is reported in the attestation report for the identity of the mutable firmware
  • Guest measurements include image, metadata, and runtime environment
  • Authenticity of attestation reports can be determined by comparing the report ID of the migration agent
  • Connecting the dots between different components involves chaining trust from a small kernel bootloader to the rest of the system
The presentation uses a diagram to illustrate how the security processor collects information about the platform and produces an attestation report, which is sent to the guest owner for a security decision. The guest owner then provides access to secrets or a master secret to unlock a desk in SP. The presentation emphasizes the importance of attestation in a confidential computing environment and the need to ensure the authenticity of attestation reports.

Abstract

In a confidential compute environment, the untrusted hypervisor controls the configuration of the platform and the launch of the secure guest. Guests VMs that run in the confidential compute environment constructed by AMD SEV Secure Nested Paging (AMD SEV-SNP) can retrieve a signed document, called an attestation report, that contains measurements and configuration information of both the platform and the guest. Relying parties can use the attestation report to establish trust with the guest before granting access to secrets and sensitive resources to a guest. This talk will explain how attestation works in SEV-SNP, how attestation reports can be securely verified, and how attestation can fit into the Linux guest boot flow.

Materials: