|
| 1 | +# AMD Secure Encrypted Virtualization (AMD-SEV) |
| 2 | + |
| 3 | +# Concepts |
| 4 | +- AMD-SEV is targeted at securing virtual machines by encrypting the memory of each virtual machine with a unique key. |
| 5 | +- SEV can protect your machine from a potentially malicious hypervisor. |
| 6 | +- SEV can calculate a signature of virtual machine's memory content which can be sent to the VM's owner as an attestation that the memory on the target host, was encrypted correctly by firmware. |
| 7 | +- AMD-SEV SNP is an extension to SEV which adds new hardware-based security protections |
| 8 | + |
| 9 | +## Keys used in SEV |
| 10 | +The AMD SEV firmware provides a mechanism to verify that it is executing on AMD hardware that supports SEV. The following key hierarchy, rooted in an AMD-owned key, is used in this process: |
| 11 | + |
| 12 | +- $PDH$ (Platform Diffie Hellman) key - This key is used to negotiate a master secret which is then used with a key derivation function to establish a trusted channel |
| 13 | +- $PEK$ (Platform Endorsement Key) - This key signs the $PDH$ to anchor the $PDH$ to the AMD root of trust and the platform owner's root of trust |
| 14 | +- $CEK$ (Chip endorsement key) - This key signs the $PEK$ to anchor the $PEK$ to the AMD root of trust. Each chip has a unique $CEK$ which is derived from secrets stored in the chip's one-time programmable (OTP) memory |
| 15 | +- $ASK$ (AMD Signing Key) - The $ASK$ private key signs the $CEK$ public key to demonstrate that the $CEK$ is an authentic AMD key |
| 16 | +- $ARK$ (AMD Root Key) - The $ARK$ private key signs the $ASK$ public key to demonstrate that the $ASK$ is an authentic AMD key. This key is the root of trust of AMD and its signatures signify AMD authencity |
| 17 | + |
| 18 | +Therefore the following certificate chain is produced: |
| 19 | + |
| 20 | + |
| 21 | +$ARK \rightarrow ASK \rightarrow CEK \rightarrow PEK \rightarrow PDH$ |
| 22 | + |
| 23 | + |
| 24 | +Therefore if the secure channel can be established using the $PDH$ key, then it is ensured that, the attesting workload is executed on, is an authentic AMD system which has the SEV feature. |
| 25 | + |
| 26 | +## AMD-SEV SNP Attestation report measurements |
| 27 | + |
| 28 | +### Platform measurements |
| 29 | +- CHIP_ID - The unique chip identifier |
| 30 | +- PLATFORM_INFO - Indicates properties of the platform configuration, for example whether whole system memory encryption (TSME) or simultaneous multithreading (SMT) is enabled |
| 31 | +- CURRENT_TCB - Security Version Numbers (SVNs) of the current executing platform firmware and microcode |
| 32 | +- COMMITTED_TCB - SVNs of the anti-rollback minimum of the platform firmware and microcode |
| 33 | +- REPORTED_TCB - SVN of the hypervisor. The hypervisor has the option to report a lower version |
| 34 | +- LAUNCH_TCB - SVNs of the platform firmware and microcode at the time the guest was launched or imported |
| 35 | + |
| 36 | +### Guest measurements |
| 37 | +- FAMILY_ID - The family ID of the guest that is provided at launch |
| 38 | +- IMAGE_ID - The image ID of the guest that is provided at launch |
| 39 | +- GUEST_SVN - The guest SVN |
| 40 | +- MEASUREMENT - Measurement of the guest address space |
| 41 | +- ID_KEY_DIGEST - SHA-384 digest of the ID public key that signed the [ID block](https://www.amd.com/system/files/TechDocs/56860.pdf#page=91) provided in `SNP_LAUNCH_FINISH` |
| 42 | +- AUTHOR_KEY_DIGEST - SHA-384 digest of the Author public key that certified the ID key, if provided in `SNP_LAUNCH_FINISH` |
| 43 | +- POLICY - The [guest policy](https://www.amd.com/system/files/TechDocs/56860.pdf#page=26) |
| 44 | +- REPORT_ID - Report ID of this guest |
| 45 | +- REPORT_ID_MA - Report ID of this guest's migration agent, if the guest is associated with a migration agent |
| 46 | + |
| 47 | +More details on other elements of the produced attestation report are outlined [here](https://www.amd.com/system/files/TechDocs/56860.pdf#page=44). |
0 commit comments