In this example, a Guest Owner will request a new guest instance from a remote cloud provider. The Guest Owner wishes to confirm the identity of the guest instance before sending any sensitive information to the guest. The guest instance will be protected by SEV-SNP, and the Guest Owner will confirm the identity of the guest using the SNP guest report. Once the identity of the guest is confirmed, the Guest Owner will exchange public keys with the guest instance to setup a secure channel for communication via ssh.
The following diagram shows the high-level component relationships:
Cloud Provider CLI/VMM
- This component includes the user interface to the Cloud Provider's infrastructure as well as the backend virtual machine manager that is responsible for launching guest images.
- This example assumes a CLI/VMM implementation that is capable of starting SEV-SNP guests.
cloud-init
- cloud-init is a tool common to multiple cloud vendors and is used to configure aspects of cloud instances such as networking, user creation, package installation, SSH key exchange, etc. The final instance configuration is comprised of metadata from the cloud provider, optional user data, and optional vendor data.
- This example provides a user data file that uses the
runcmd
module to initiate the attestation flow with a server controlled by the Guest Owner.
Confidential Compute Utility
- This utility communicates with the Confidential Compute Driver to retrieve the SNP guest report.
- This example provides the
sev-guest
utility in this repository to communicate with the proposedsevguest.ko
Linux kernel module.
Confidential Compute Driver
- This guest kernel driver is responsible for sending the
SNP_GUEST_REQUEST
message to the ASP firmware and presenting the reply back to user space. - This example will use the proposed
sevguest.ko
Linux kernel module.
Kernel Virtual Machine (KVM)
- KVM is the kernel-mode component of the KVM-Qemu hypervisor on Linux and makes use of the virtualization instructions of modern x86 processors.
- This example makes use of the proposed SEV-SNP support in the
kvm_amd.ko
andccp.ko
Linux kernel modules. Theccp.ko
module can optionally store the VCEK certificate for the platform along with the certificate chain necessary to validate the VCEK certificate. These certificates can be stored by the cloud provider using thesev-host
utility in this repository.
AMD Secure Processor (ASP)
- The ASP is an embedded security subsystem in every AMD CPU and performs key management for SEV-SNP guests.
- This example will send the
MSG_REPORT_REQ
message to the ASP firmware to request a guest attestation report signed by the Versioned Chip Endorsement Key (VCEK). - The Guest Owner can retrieve the certificate chain necessary to validate the attestation report signature directly from AMD.
- Similarly, the Guest Owner can retrieve the VCEK certificate of the hosting platform directly from AMD using information contained in the attestation report.
Web Server
- The web server is controlled by the Guest Owner and listens for connections from new SEV-SNP guest instances. Any
POST
commands will be relayed to the CGI backend for processing. - This example will have the SEV-SNP guest send a
POST
command containing the attestation report to an nginx web server in the Guest Owner's infrastructure.
CGI Backend
- A scripting facility to process incoming requests to the web server.
- This example will use a simple
bash
script to receive the attestation report and verify the signature.
World-Readable Directory
- A directory on the web server that contains cached attestation results in the form of SSH
known_hosts
file entries. This directory is readable by any user on the system, and users can subscribe to any directory updates usinginotify
. - While the CGI Backend could conceivably update the SSH
known_hosts
file for a user directly, doing so would require the CGI Backend to have elevated privileges on the web server and pose a potential security risk. Allowing users to subscribe to filesystem updates allows the CGI Backend to run with minimal privileges. - This example uses
/var/www/attestation
to contain the SSHknown_hosts
entries for SEV-SNP guests that successfully attest. The files in this directory are named after the hostname of the guest.
User inotify Handler
- The
inotify
handler allows any user to subscribe to updates to the World-Readable Directory and run arbitrary commands whenever a new guest successfully attests to the Web Server. - This example will use inoticoming to monitor
/var/www/attestation
and copy any new guestknown_hosts
entries to the user's SSHknown_hosts
file.
A complete SEV-SNP guest launch with attestation includes the following steps (as depicted in the design diagram):
- The Guest Owner launches a new SEV-SNP guest instance and specifies their SSH public key in the
cloud-init
user data along with a list of shell commands necessary to perform the attestation. (See step XXX below.) - The cloud provider launches the guest and passes the instance configuration and user data to
cloud-init
. cloud-init
creates any new users and copies the Guest Owner's SSH public key to the new users' SSHauthorized_keys
file.cloud-init
generates SSH host keypairs to identify the guest and invokes the list of shell commands in the instance user data. These commands begin by passing the public portion of the host SSH key to thesev-guest
utility along with the Guest Owner's public key for inclusion in the attestation report.- The
sev-guest
utility issues theSNP_GET_REPORT
(orSNP_GET_EXT_REPORT
) IOCTL to thesevguest.ko
kernel driver to retrieve the attestation report from the ASP firmware. - The
sevguest.ko
kernel driver encrypts and integrity-protects theMSG_REPORT_REQ
guest message with a key that was placed into guest memory by the ASP during launch, then exits to the hypervisor. The key is known only to the guest and the ASP firmware, so the hypervisor cannot view or modify the guest message in transit. - The hypervisor sends the
SNP_GUEST_REQUEST
command (with theMSG_REPORT_REQ
payload) to the ASP firmware. - The hypervisor relays the response back through the
sevguest.ko
driver, and thesev-guest
utility returns the attestation report tocloud-init
. cloud-init
continues executing the shell commands from the instance user data, which thenPOST
the attestation report to the Guest Owner's Web Server.- The Web Server passes the attestation report to the CGI Backend for validation.
- The CGI Backend validates the attestation report and, if successful, crafts an SSH
known_hosts
entry for the guest and writes it to a file in/var/www/attestation/
. - Users who are monitoring
/var/www/attestation/
receive aninotify
event that a new guest has successfully attested to the Web Server. - The user's
inotify
handler runs a script to copy the SSHknown_hosts
entry of the guest to the user's localknown_hosts
file.
At this point, the SSH key exchange is complete, and the Guest Owner can ssh to the guest with increased assurance that the guest is authentic and not an imposter. (For a discussion of the level of assurance provided to the Guest Owner, see Security Considerations below.)
SEV-SNP features a stronger threat model than past SEV features.
Trusted components:
- AMD hardware and signed firmware,
- OS software inside the target VM.
Untrusted components:
- Everything else (including other VMs),
- External devices.
Untrusted components are assumed to be malicious and may be conspiring with each other.
Since our threat model considers all cloud-provider infrastructure to be untrusted, it must be noted that the user-data provided to cloud-init has no integrity protection. Thus, it is possible for a malicious actor to alter the guest configuration, run arbitrary commands, or prevent key commands from running. One way to address this is to perform the attestation flow in this example earlier in the boot process, such as in the initrd, and make use of a measured boot scheme to protect the initrd. Future examples in this repository will demonstrate this approach. See Future Work.
In this example, the Guest Owner verifies the SNP attestation report with the following series of checks:
- The signature of the report verifies correctly using the public portion of the VCEK.
- The signature of the VCEK verifies correctly using the public portion of the AMD Signing Key (ASK).
- The signature of the ASK verifies correctly using the public portion of the AMD Root Key (ARK).
- The ARK is self-signed.
- The hash of the public keys included in the attestation report matches the expected value.
In the SEV-SNP architecture, the identity of the guest instance is established by the ID Block, which contains the public portion of a key pair that identifies the Guest Owner. This key is called the ID key. The ID block also contains the expected launch measurement of the guest instance. This ID block is copied into guest memory by the SEV-SNP firmware during the launch sequence and binds the Guest Owner's identity to that guest instance. If the ID block is present for a guest instance, then the attestation report generated by the SEV-SNP firmware will contain the hash of the ID key as well as the expected launch measurement. In this way, the attestation report attests to both the identity of the guest instance as well as the launch integrity.
This example does not yet configure the ID block when launching the guest, so the ID key and the launch measurement are currently set to 0 in the attestation report. As such, they are not checked by the Guest Owner. To realize the full security promise of SEV-SNP, production environments must configure these fields during launch. Similarly, Guest Owners should validate these fields in the attestation report in addition to the checks listed above. Future updates to this repository will demonstrate how to do this. See Future Work.
While SEV-SNP provides strong confidentiality and integrity guarantees for data in use, these protections do not extend to data at rest. Specifically, the virtual disk that contains the guest's root filesystem is typically implemented as a file under the control of the hypervisor. Since the hypervisor is untrusted in this example, a complete solution would include an encrypted disk image to protect the confidentiality of the filesystem. Future examples in this repository will demonstrate how to use the attestation flow to setup a secure communication channel early in the guest boot sequence and receive the key to unlock an encrypted disk. See Future Work.