15 unstable releases (6 breaking)

0.7.1 Nov 18, 2024
0.6.0 Jul 8, 2024
0.5.2 Feb 23, 2024
0.4.1 Dec 19, 2023
0.1.1 Mar 29, 2023

az-snp-vtpm

This library enables guest attestation flows for SEV-SNP CVMs on Azure. Please refer to the documentation in this repository for details on the attestation procedure.

Create a CVM

The default image is the Ubuntu 22.04 CVM image.

export IMAGE_ID=/subscriptions/.../resourceGroups/.../providers/Microsoft.Compute/galleries/.../images/.../versions/1.0.0
make deploy

Build & Install

cargo b --release -p az-snp-vtpm
scp ../target/release/snp-vtpm azureuser@$CONFIDENTIAL_VM:

Run Binary

Retrieve the SEV-SNP report, validate it and print it:

sudo ./snp-vtpm -p

Example Project

There is a project in the ./example folder depicting how the crate can be leveraged in a Remote Attestation flow. Note: the code is merely illustrative and doesn't feature exhaustive validation, which would be required in a production scenario.

cargo b -p snp-example

SEV-SNP Report & vTPM

The vTPM is linked to the SEV-SNP report via the vTPM Attestation Key (AK). The public AK is part of a Runtime Data struct, which is hashed with SHA-256 and submitted as Report Data when the SNP report is generated, so the hardware-signed report vouches for the AK. To provide freshness guarantees in an attestation exchange, a vTPM quote can be requested with a nonce; the resulting quote message (the PCR values plus the nonce) is signed by the AK, which chains the quote back to the SNP report.

                              ┌────────────────────────┐
                              │ HCL Data               │
                              │                        │
                              │ ┌──────────────────────┴─┐  ─┐
                              │ │ Runtime Data           │   │
                              │ │                        │   │
    ┌──────────────────────┐  │ │ ┌────────────────────┐ │   ├─┐
  ┌─┤ vTPM AK              ├──┼─┼─┤ vTPM Public AK     │ │   │ │
  │ └──────────────────────┘  │ │ └────────────────────┘ │   │ │
  │         ┌──────────────┐  │ └──────────────────────┬─┘  ─┘ │
  │         │ vTPM Quote   │  │ ┌────────────────────┐ │       │
  │         │              │  │ │ HCL Report         │ │       │
signs ┌─  ┌─┴────────────┐ │  │ │                    │ │     sha256
  │   │   │ Message      │ │  │ │ ┌────────────────┐ │ │       │
  │   │   │              │ │  │ │ │ SEV-SNP Report │ │ │       │
  │   │   │ ┌──────────┐ │ │  │ │ │                │ │ │       │
  │   │   │ │ PCR0     │ │ │  │ │ │ ┌──────────────┴─┴─┴─┐     │
  │   │   │ └──────────┘ │ │  │ │ │ │ Report Data        │ ◄───┘
  │   │   │   ...        │ │  │ │ │ └──────────────┬─┬─┬─┘
  │   │   │ ┌──────────┐ │ │  │ │ └────────────────┘ │ │
  └─► │   │ │ PCRn     │ │ │  │ └────────────────────┘ │
      │   │ └──────────┘ │ │  └────────────────────────┘
      │   │ ┌──────────┐ │ │ 
      │   │ │ Nonce    │ │ │
      │   │ └──────────┘ │ │
      └─  └─┬────────────┘ │
            └──────────────┘

Integration Tests

The integration test suite can run on an SNP CVM. It must be executed as root, and the tests must run sequentially (hence the single test thread below), since they share the vTPM device.

sudo -E env "PATH=$PATH" cargo t --features integration_test -- --test-threads 1
