Attest an Amazon EC2 instance with AMD SEV-SNP
Attestation is a process that allows your instance to prove its state and identity. When you enable AMD SEV-SNP for your instance, you can request an AMD SEV-SNP attestation report from the underlying processor. The AMD SEV-SNP attestation report contains a cryptographic hash, called the launch measurement, of the initial guest memory contents and initial vCPU state. The attestation report is signed with a VLEK signature that chains back to an AMD root of trust. You can use the launch measurement included in the attestation report to validate that the instance is running in a genuine AMD environment and to validate the initial boot code that was used to launch the instance.
To perform attestation with AMD SEV-SNP, complete the following steps.
Step 1: Enable AMD SEV-SNP during instance launch
To launch an instance with AMD SEV-SNP enabled, you must use the AWS CLI. Use the run-instances command and include the --cpu-options AmdSevSnp=enabled option. For --image-id, specify an AMI with the uefi or uefi-preferred boot mode and an operating system that supports AMD SEV-SNP. For --instance-type, specify a supported instance type.
$ aws ec2 run-instances \
    --image-id supported_ami_id \
    --instance-type supported_instance_type \
    --key-name key_pair_name \
    --subnet-id subnet_id \
    --cpu-options AmdSevSnp=enabled
Step 2: Get the attestation report
In this step, you install and build the snpguest utility, and then use it to request the AMD SEV-SNP attestation report and certificates.
- Run the following commands to build the snpguest utility from the snpguest repository.
  $ git clone https://github.com/virtee/snpguest.git
  $ cd snpguest
  $ cargo build -r
  $ cd target/release
- Generate a request for the attestation report. The utility requests the attestation report from the host, and writes it to a binary file using the provided request data. The following example creates a random request string and uses it as the request file (request-file.txt). When the command returns the attestation report, it's stored in the file path that you specify (report.bin). In this case, the utility stores the report in the current directory.
  $ ./snpguest report report.bin request-file.txt --random
- Request the certificates from host memory, and store them as PEM files. The following example stores the files in the same directory as the snpguest utility. If certificates already exist in the specified directory, those certificates are overwritten.
  $ ./snpguest certificates PEM ./
Step 3: Validate the attestation report signature
The attestation report is signed with a certificate, called the Versioned Loaded Endorsement Key (VLEK), which is issued by AMD for AWS. In this step, you can validate that the VLEK certificate is issued by AMD, and that the attestation report is signed by that VLEK certificate.
- Download the VLEK root of trust certificates from the official AMD website to the current directory.
  $ sudo curl --proto '=https' --tlsv1.2 -sSf https://kdsintf.amd.com/vlek/v1/Milan/cert_chain -o ./cert_chain.pem
- Use openssl to validate that the VLEK certificate is signed by the AMD root of trust certificates.
  $ sudo openssl verify --CAfile ./cert_chain.pem vlek.pem
  Expected output:
  vlek.pem: OK
- Use the snpguest utility to validate that the attestation report is signed by the VLEK certificate.
  $ ./snpguest verify attestation ./ report.bin
  Expected output:
  Reported TCB Boot Loader from certificate matches the attestation report.
  Reported TCB TEE from certificate matches the attestation report.
  Reported TCB SNP from certificate matches the attestation report.
  Reported TCB Microcode from certificate matches the attestation report.
  VEK signed the Attestation Report!
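A valid VLEK signature proves the report came from genuine AMD firmware, but it does not by itself prove the report answers your request or that the instance booted the code you expect. The following added Python example (not from this page, AWS, or the snpguest project) parses the fixed-offset fields of report.bin per the AMD SEV-SNP ABI and checks that report_data equals the 64-byte nonce snpguest wrote to request-file.txt with --random, that the launch measurement equals a known-good value you recorded for the AMI, and that the report was requested at VMPL 0; the known-good measurement and the sample report are constructed placeholders.

```python
import struct
from dataclasses import dataclass

REPORT_LEN = 0x4A0  # 1184 bytes: 0x2A0-byte signed body followed by a 0x200-byte signature

@dataclass(frozen=True)
class SnpReport:
    version: int
    guest_svn: int
    policy: int
    vmpl: int
    report_data: bytes   # 64 bytes: the request data (nonce) echoed back by the firmware
    measurement: bytes   # 48 bytes: the launch measurement
    reported_tcb: int
    signature: bytes     # 512 bytes: ECDSA P-384 R and S, little-endian, each padded to 72 bytes

def parse_report(blob: bytes) -> SnpReport:
    """Decode the fixed-offset fields of an ATTESTATION_REPORT structure (little-endian)."""
    if len(blob) != REPORT_LEN:
        raise ValueError(f"expected {REPORT_LEN}-byte report, got {len(blob)}")
    version, guest_svn, policy = struct.unpack_from("<IIQ", blob, 0x000)
    (vmpl,) = struct.unpack_from("<I", blob, 0x030)
    (reported_tcb,) = struct.unpack_from("<Q", blob, 0x180)
    return SnpReport(version, guest_svn, policy, vmpl,
                     blob[0x050:0x090], blob[0x090:0x0C0], reported_tcb, blob[0x2A0:0x4A0])

def check_report(blob: bytes, nonce: bytes, expected_measurement: bytes) -> dict:
    """Checks the signature alone does not cover: the nonce binds the report to our
    request (freshness), the measurement pins the boot code, VMPL 0 rules out a
    lower-privilege guest component having requested it."""
    rpt = parse_report(blob)
    return {
        "fresh": rpt.report_data == nonce.ljust(64, b"\0"),
        "measurement_ok": rpt.measurement == expected_measurement,
        "vmpl0": rpt.vmpl == 0,
    }

def build_sample_report(nonce: bytes, measurement: bytes, vmpl: int = 0) -> bytes:
    """Constructed stand-in for report.bin so the checks run offline; it is not AMD-signed."""
    buf = bytearray(REPORT_LEN)
    struct.pack_into("<IIQ", buf, 0x000, 2, 0, 0x30000)  # version 2, SVN 0, policy (constructed)
    struct.pack_into("<I", buf, 0x030, vmpl)
    buf[0x050:0x090] = nonce.ljust(64, b"\0")
    buf[0x090:0x0C0] = measurement
    struct.pack_into("<Q", buf, 0x180, 0x0E00000000000002)  # reported TCB (constructed)
    return bytes(buf)

if __name__ == "__main__":
    # With real files from Step 2: open("report.bin", "rb").read() and open("request-file.txt", "rb").read()
    nonce = bytes(range(64))
    known_good = b"\xab" * 48  # placeholder for the measurement recorded when the AMI was qualified
    print(check_report(build_sample_report(nonce, known_good), nonce, known_good))
```

Run the signature check with snpguest first; a report that fails it is untrusted regardless of what these field checks say.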