SNPGuard: Remote Attestation of SEV-SNP VMs Using Open Source Tools

Luca Wilke, Gianluca Scopelliti

TL;DR

The paper tackles data privacy in cloud environments by enabling full remote attestation of AMD SEV-SNP VM-based TEEs (CVMs) through an open-source toolchain. It introduces two boot workflows—integrity-only and integrity-plus-confidentiality—each with a two-stage boot design that extends SEV-SNP measurements from firmware to the root filesystem and secret provisioning. The authors present practical implementation details (OVMF/kernel patches, initramfs, dm-verity, and dm-crypt workflows) and discuss limitations, cloud deployment challenges, and future work (vTPM, TDX support). The work aims to lower barriers to adopting CVMs by providing building blocks, templates, and open-source components that simplify attestation, secret provisioning, and potential integration into cloud workflows, with broader applicability to other VM-based TEEs.

Abstract

Cloud computing is a ubiquitous solution to handle today's complex computing demands. However, it comes with data privacy concerns, as the cloud service provider has complete access to code and data running on their infrastructure. VM-based Trusted Execution Environments (TEEs) are a promising solution to this issue. They provide strong isolation guarantees to lock out the cloud service provider, as well as an attestation mechanism to enable the end user to verify their trustworthiness. Attesting the whole boot chain of a VM is a challenging task that requires modifications to several software components. While there are open source solutions for the individual components, the tooling and documentation for properly integrating them remain scarce. In this paper, we try to fill this gap by elaborating on two common boot workflows and providing open source tooling to perform them with low manual effort. The first workflow assumes that the VM image requires only integrity, not confidentiality, allowing for an uninterrupted boot process. The second workflow covers booting a VM with an encrypted root filesystem, requiring secure provisioning of the decryption key during early boot. While our tooling targets AMD Secure Encrypted Virtualization (SEV) VMs, the concepts also apply to other VM-based TEEs such as Intel Trusted Domain Extensions (TDX).

Paper Structure

This paper contains 8 sections and 2 figures.

Figures (2)

  • Figure 1: Trust chain of the software stack running inside the VM that shows how to use the SEV measurement as a trust anchor for software-based measurements. The control flow is bottom to top.
  • Figure 2: Protocol that uses the Guest Data field in the attestation report to securely send a disk encryption key to the VM. DH stands for Diffie-Hellman and PDHK refers to the public part of the DH key.
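As an added illustration of the Figure 2 protocol (example code written for this page, not the SNPGuard tooling itself): the guest binds its DH public key (PDHK) into the 64-byte Guest Data field of the attestation report, and the owner checks both the launch measurement and that binding before wrapping the disk key for the guest. The attestation report is a constructed dict standing in for a real SNP report (its AMD signature check is assumed done elsewhere), and X25519 plus the HKDF-style key wrapping are this example's choices, not necessarily the paper's.

```python
import os, hashlib, hmac
# Pure-Python X25519 (RFC 7748 Montgomery ladder) so this runs on the standard library alone.
P, A24 = 2**255 - 19, 121665
BASEPOINT = (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    k = bytearray(k); k[0] &= 248; k[31] &= 127; k[31] |= 64      # clamp the scalar
    k, x1 = int.from_bytes(k, "little"), int.from_bytes(u, "little") & (2**255 - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1; swap ^= kt
        if swap: x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P; aa, bb = a*a % P, b*b % P; e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P; da, cb = d*a % P, c*b % P
        x3, z3 = (da + cb)**2 % P, x1 * (da - cb)**2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap: x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def kdf(shared: bytes, transcript: bytes) -> tuple:
    """Derive independent wrap and MAC keys from the DH secret and both public keys (HKDF-style)."""
    prk = hmac.new(b"snpguard-example-salt", shared, hashlib.sha256).digest()
    return tuple(hmac.new(prk, transcript + bytes([i]), hashlib.sha256).digest() for i in (1, 2))

def guest_make_report(measurement: bytes):
    """Guest side (early boot): ephemeral DH key, PDHK bound into the 64-byte Guest Data field."""
    priv = os.urandom(32); pdhk = x25519(priv, BASEPOINT)
    # Constructed stand-in for an SNP attestation report; a real one is signed by the AMD-SP.
    report = {"measurement": measurement, "report_data": hashlib.sha512(pdhk).digest()}
    return priv, pdhk, report

def owner_wrap_key(report, pdhk: bytes, expected_measurement: bytes, disk_key: bytes):
    """Owner side: release the disk key only if the report shows the expected image and binds this PDHK."""
    # Signature verification against AMD's VCEK/ASK/ARK chain is assumed to have happened already.
    if report["measurement"] != expected_measurement:
        raise ValueError("launch measurement mismatch: not the image we expect")
    if not hmac.compare_digest(report["report_data"], hashlib.sha512(pdhk).digest()):
        raise ValueError("PDHK is not the one bound into the attestation report")
    if len(disk_key) != 32: raise ValueError("wrap key is 32 bytes; disk key must match")
    opriv = os.urandom(32); opub = x25519(opriv, BASEPOINT)
    wrap, mac = kdf(x25519(opriv, pdhk), pdhk + opub)
    ct = bytes(a ^ b for a, b in zip(disk_key, wrap))          # fresh one-time key, used once
    return opub, ct, hmac.new(mac, opub + ct, hashlib.sha256).digest()

def guest_unwrap_key(priv: bytes, pdhk: bytes, opub: bytes, ct: bytes, tag: bytes) -> bytes:
    wrap, mac = kdf(x25519(priv, opub), pdhk + opub)           # recover the disk key, reject bad MACs
    if not hmac.compare_digest(tag, hmac.new(mac, opub + ct, hashlib.sha256).digest()):
        raise ValueError("key blob failed authentication")
    return bytes(a ^ b for a, b in zip(ct, wrap))
```

The binding check is the security-relevant step: without comparing PDHK against Guest Data, an attested report from the genuine VM could be paired with a key belonging to whoever sits on the network path.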