snp.go
/*
Copyright (c) Edgeless Systems GmbH
SPDX-License-Identifier: AGPL-3.0-only
*/
/*
# SNP
Attestation based on TPM and SEV-SNP attestation.
The TPM is used to generate runtime measurements, which are signed by an attestation key that can be verified using the SEV-SNP attestation report.
# Issuer
Generates a TPM attestation using an attestation key saved in the TPM.
Additionally loads the SEV-SNP attestation report and AMD VCEK certificate chain, and adds them to the attestation document.
# Validator
Verifies the attestation key by first verifying the VCEK certificate chain and then the SNP attestation report.
# Glossary
This section explains the abbreviations used in the SNP implementation.
- Attestation Key (AK)
- AMD Root Key (ARK)
- AMD Signing Key (ASK)
- Versioned Chip Endorsement Key (VCEK)
For more information see [SNP WhitePaper]
- Host (Hardware?) Compatibility Layer (HCL)
No public information. Azure compute API has a field `isHostCompatibilityLayerVm`, with only a [single sentence of documentation].
[SNP WhitePaper]: https://www.amd.com/system/files/TechDocs/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more.pdf
[single sentence of documentation]: https://learn.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows
*/
package snp
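Added example, not code from the snp package itself: a Go sketch of the validator order the package doc describes, where the VCEK chain is checked first, then the report signature, and only then the link to the TPM attestation key. It assumes a simplified report layout (REPORT_DATA holds SHA-512 of the DER-encoded AK public key, and the signature is ASN.1 ECDSA over SHA-384 of REPORT_DATA); newCert, Validate and the ARK/ASK/VCEK certificates it builds are constructed here for illustration only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// newCert issues a P-384 certificate signed by parent; a nil parent yields a self-signed root.
// It only builds the constructed ARK -> ASK -> VCEK chain for this example; real VCEKs come from AMD.
func newCert(cn string, ca bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: ca,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Validate keeps the order described in the package doc: the VCEK certificate chain (VCEK -> ASK -> ARK)
// is verified first, then the report signature made by the VCEK, and only then the link between the
// report and the TPM attestation key (AK). Assumed layout for this example: the 64-byte REPORT_DATA
// field carries SHA-512 of the DER-encoded AK public key, and sig is an ASN.1 ECDSA signature over
// SHA-384 of REPORT_DATA.
func Validate(ark, ask, vcek *x509.Certificate, reportData [64]byte, sig []byte, ak *ecdsa.PublicKey) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(ark)
	inters.AddCert(ask)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := vcek.Verify(opts); err != nil {
		return err // chain does not lead to the trusted ARK, so nothing the VCEK signed can be trusted
	}
	digest := sha512.Sum384(reportData[:])
	if pub, ok := vcek.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("report signature does not verify under the VCEK")
	}
	if akDER, _ := x509.MarshalPKIXPublicKey(ak); sha512.Sum512(akDER) != reportData {
		return errors.New("report does not bind the TPM attestation key")
	}
	return nil // the AK is now trusted to sign TPM quotes for this VM
}
```

To exercise it, build a throwaway chain with newCert("ARK", true, nil, nil), newCert("ASK", true, ark, arkKey) and newCert("VCEK", false, ask, askKey), sign SHA-384 of the REPORT_DATA with the VCEK key via ecdsa.SignASN1, and hand everything to Validate.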