#sev-snp #azure #tpm #virtualization

bin+lib az-snp-vtpm

vTPM based SEV-SNP attestation for Azure Confidential VMs

15 unstable releases (6 breaking)

0.7.1 Nov 18, 2024
0.6.0 Jul 8, 2024
0.5.2 Feb 23, 2024
0.4.1 Dec 19, 2023
0.1.1 Mar 29, 2023

#374 in Cryptography

Download history 737/week @ 2024-08-22 503/week @ 2024-08-29 1224/week @ 2024-09-05 599/week @ 2024-09-12 278/week @ 2024-09-19 680/week @ 2024-09-26 546/week @ 2024-10-03 476/week @ 2024-10-10 413/week @ 2024-10-17 567/week @ 2024-10-24 607/week @ 2024-10-31 591/week @ 2024-11-07 948/week @ 2024-11-14 684/week @ 2024-11-21 608/week @ 2024-11-28 627/week @ 2024-12-05

2,970 downloads per month

MIT license

55KB
1K SLoC

Rust 1K SLoC // 0.1% comments Bicep 155 SLoC

Rust Crate Docs

az-snp-vtpm

This library enables guest attestation flows for SEV-SNP CVMs on Azure. Please refer to the documentation in this repository for details on the attestation procedure.

Create a CVM

Default image is Ubuntu 22.04 cvm

export IMAGE_ID=/subscriptions/.../resourceGroups/.../providers/Microsoft.Compute/galleries/.../images/.../versions/1.0.0
make deploy

Build & Install

cargo b --release -p az-snp-vtpm
scp ../target/release/snp-vtpm azureuser@$CONFIDENTIAL_VM:

Run Binary

Retrieve SEV-SNP report, validate and print it:

sudo ./snp-vtpm -p

Example Project

There is a project in the ./example folder depicting how the crate can be leveraged in a Remote Attestation flow. Note: the code is merely illustrative and doesn't feature exhaustive validation, which would be required in a production scenario.

cargo b -p snp-example

SEV-SNP Report & vTPM

The vTPM is linked to the SEV-SNP report via the vTPM Attestation Key (AK). The public AK is part of a Runtime Data struct, which is hashed and submitted as Report Data when generating the SNP report. To provide freshness guarantees in an attestation exchange we can request a vTPM quote with a nonce. The resulting message is signed by the AK.

                              ┌────────────────────────┐
                              │ HCL Data               │
                              │                        │
                              │ ┌──────────────────────┴─┐  ─┐
                              │ │ Runtime Data           │   │
                              │ │                        │   │
    ┌──────────────────────┐  │ │ ┌────────────────────┐ │   ├─┐
  ┌─┤ vTPM AK              ├──┼─┼─┤ vTPM Public AK     │ │   │ │
  │ └──────────────────────┘  │ │ └────────────────────┘ │   │ │
  │         ┌──────────────┐  │ └──────────────────────┬─┘  ─┘ │
  │         │ vTPM Quote   │  │ ┌────────────────────┐ │       │
  │         │              │  │ │ HCL Report         │ │       │
signs ┌─  ┌─┴────────────┐ │  │ │                    │ │     sha256
  │   │   │ Message      │ │  │ │ ┌────────────────┐ │ │       │
  │   │   │              │ │  │ │ │ SEV-SNP Report │ │ │       │
  │   │   │ ┌──────────┐ │ │  │ │ │                │ │ │       │
  │   │   │ │ PCR0     │ │ │  │ │ │ ┌──────────────┴─┴─┴─┐     │
  │   │   │ └──────────┘ │ │  │ │ │ │ Report Data        │ ◄───┘
  │   │   │   ...        │ │  │ │ │ └──────────────┬─┬─┬─┘
  │   │   │ ┌──────────┐ │ │  │ │ └────────────────┘ │ │
  └─► │   │ │ PCRn     │ │ │  │ └────────────────────┘ │
      │   │ └──────────┘ │ │  └────────────────────────┘
      │   │ ┌──────────┐ │ │ 
      │   │ │ Nonce    │ │ │
      │   │ └──────────┘ │ │
      └─  └─┬────────────┘ │
            └──────────────┘

Integration Tests

The integration test suite can run on an SNP CVM. It needs to be executed as root and the tests have to run sequentially.

sudo -E env "PATH=$PATH" cargo t --features integration_test -- --test-threads 1

Dependencies

~7–20MB
~244K SLoC