AMD SEV-SNP

How to use the AMD SEV-SNP platform

CCF must run on an AMD CPU which supports SEV-SNP, such as Azure confidential containers or Azure Kubernetes Service with Confidential Containers.

To use SNP, in the operations/configuration:``enclave`` configuration section, the enclave platform should be set to SNP.

Attestation

SNP attestation provide several fields needed to establish trust. Several deployment scenarios are possible.

Confidential Azure Container Instance (ACI)

Note

See here and here for more information on the deployment of confidential containers in Azure.

Azure Confidential ACI provides a security context directory containing the following files.

• security-policy-base64: The security policy [1] describing the state and transitions allowed for the container (Base64 encoded). The SHA256 hash of the decoded value should match the attestation report host_data. This value is stored in the nodes.snp.host_data table.

• reference-info-base64: The COSE Sign1 document containing the measurement [2] of the utility VM (UVM) used to launch the container (Base64 encoded). The measurement contained in the document payload should match the report measurement. If set, the value is stored in the nodes.snp.uvm_endorsements table and new nodes must present measurement endorsements from the same issuer (did:x509) to be trusted.

The location of the security context directory is passed to the container’s startup command as the UVM_SECURITY_CONTEXT_DIR environment variable. CCF can be configured to fetch the security policy and UVM endorsements from the security context directory by setting the snp_security_policy_file and snp_uvm_endorsements_file configuration options, respectively.

AMD endorsements must be fetched, preferably from the THIM service, but configuring the Azure cache or the AMD server is also possible.

Tip

See samples/config/start_config_aci_sev_snp.json for a sample node configuration for ACI deployments.

Confidential Azure Kubernetes Service (AKS)

Note

See here for more information on the deployment of confidential containers in Azure.

Confidential AKS provides a security context directory containing the following file.

• reference-info-base64: The COSE Sign1 document containing the measurement [2] of the utility VM (UVM) used to launch the container (Base64 encoded). The measurement contained in the document payload should match the report measurement. If set, the value is stored in the nodes.snp.uvm_endorsements table and new nodes must present measurement endorsements from the same issuer (did:x509) to be trusted.

The security policy must be provided by the operator, and will be picked up by CCF on startup if is named security-policy-base64 and located in the security context directory. The SHA256 hash of the decoded value should match the attestation report host_data. This value is stored in the nodes.snp.host_data table.

AMD endorsements must be fetched, preferably from the THIM service, but configuring the Azure cache or the AMD server is also possible.

Tip

See samples/config/start_config_aks_sev_snp.json for a sample node configuration for Confidential AKS deployments.

Non-Azure Deployment

For non-Azure deployments, the certificate chain for VCEK will need to be retrieved from an endorsement server, as specified in the operations/configuration:``snp_endorsements_servers`` configuration section. For example, for the well-known AMD endorsement server, the value should be set to:

"attestation": {
    "snp_endorsements_servers": [
        {
            "type": "AMD",
            "url": "kdsintf.amd.com"
        }
    ],
    "snp_security_policy_file": "/path/to/security-policy-base64",
    "snp_uvm_endorsements_file": "/path/to/reference-info-base64"
}

Tip

See samples/config/start_config_amd_sev_snp.json for a sample node configuration for non-Azure deployments.

Note

The CCF node will fetch the endorsements from the server on startup, which may cause substantial deployment delays (up to tens of seconds) depending on network latency and endpoint throttling.

Governance Proposals

The following governance proposals can be issued to add/remove these trusted values, e.g. when upgrading the service (see Code Upgrade):

• add_snp_host_data/remove_snp_host_data: To add/remove a trusted security policy, e.g. when adding a new trusted container image as part of the code upgrade procedure.

• add_snp_uvm_endorsement/add_snp_uvm_endorsement: To add remove a trusted UVM endorsement (Azure deployment only).

• add_snp_measurement/remove_snp_measurement: To add/remove a trusted measurement.

Footnotes

[1]

A REGO policy checked by the utility VM (UVM) against the container.

[2] (1,2)

Digest of the initial memory pages for the SEV-SNP VM.