Lib.rs

Cryptographyaz-cvm-vtpm
#sev-snp #azure #tpm #virtualization

bin+lib az-snp-vtpm

vTPM based SEV-SNP attestation for Azure Confidential VMs

by Magnus Kulke, Suraj Deshmukh, Jeremi Piotrowski and 3 contributors

15 unstable releases (6 breaking)

0.7.1 Nov 18, 2024
0.6.0 Jul 8, 2024
0.5.2 Feb 23, 2024
0.4.1 Dec 19, 2023
0.1.1 Mar 29, 2023

#419 in Cryptography

Download history 645/week @ 2024-11-22 578/week @ 2024-11-29 783/week @ 2024-12-06 993/week @ 2024-12-13 478/week @ 2024-12-20 177/week @ 2024-12-27 541/week @ 2025-01-03 436/week @ 2025-01-10 671/week @ 2025-01-17 303/week @ 2025-01-24 978/week @ 2025-01-31 688/week @ 2025-02-07 735/week @ 2025-02-14 1103/week @ 2025-02-21 604/week @ 2025-02-28 699/week @ 2025-03-07

3,253 downloads per month

MIT license

55KB
1K SLoC

Rust 1K SLoC // 0.1% comments Bicep 155 SLoC

Rust Crate Docs

az-snp-vtpm

This library enables guest attestation flows for SEV-SNP CVMs on Azure. Please refer to the documentation in this repository for details on the attestation procedure.

Create a CVM

Default image is Ubuntu 22.04 cvm

export IMAGE_ID=/subscriptions/.../resourceGroups/.../providers/Microsoft.Compute/galleries/.../images/.../versions/1.0.0
make deploy

Build & Install

cargo b --release -p az-snp-vtpm
scp ../target/release/snp-vtpm azureuser@$CONFIDENTIAL_VM:

Run Binary

Retrieve SEV-SNP report, validate and print it:

sudo ./snp-vtpm -p

Example Project

There is a project in the ./example folder depicting how the crate can be leveraged in a Remote Attestation flow. Note: the code is merely illustrative and doesn't feature exhaustive validation, which would be required in a production scenario.

cargo b -p snp-example

SEV-SNP Report & vTPM

The vTPM is linked to the SEV-SNP report via the vTPM Attestation Key (AK). The public AK is part of a Runtime Data struct, which is hashed and submitted as Report Data when generating the SNP report. To provide freshness guarantees in an attestation exchange we can request a vTPM quote with a nonce. The resulting message is signed by the AK.

                              ┌────────────────────────┐
                              │ HCL Data               │
                              │                        │
                              │ ┌──────────────────────┴─┐  ─┐
                              │ │ Runtime Data           │   │
                              │ │                        │   │
    ┌──────────────────────┐  │ │ ┌────────────────────┐ │   ├─┐
  ┌─┤ vTPM AK              ├──┼─┼─┤ vTPM Public AK     │ │   │ │
  │ └──────────────────────┘  │ │ └────────────────────┘ │   │ │
  │         ┌──────────────┐  │ └──────────────────────┬─┘  ─┘ │
  │         │ vTPM Quote   │  │ ┌────────────────────┐ │       │
  │         │              │  │ │ HCL Report         │ │       │
signs ┌─  ┌─┴────────────┐ │  │ │                    │ │     sha256
  │   │   │ Message      │ │  │ │ ┌────────────────┐ │ │       │
  │   │   │              │ │  │ │ │ SEV-SNP Report │ │ │       │
  │   │   │ ┌──────────┐ │ │  │ │ │                │ │ │       │
  │   │   │ │ PCR0     │ │ │  │ │ │ ┌──────────────┴─┴─┴─┐     │
  │   │   │ └──────────┘ │ │  │ │ │ │ Report Data        │ ◄───┘
  │   │   │   ...        │ │  │ │ │ └──────────────┬─┬─┬─┘
  │   │   │ ┌──────────┐ │ │  │ │ └────────────────┘ │ │
  └─► │   │ │ PCRn     │ │ │  │ └────────────────────┘ │
      │   │ └──────────┘ │ │  └────────────────────────┘
      │   │ ┌──────────┐ │ │ 
      │   │ │ Nonce    │ │ │
      │   │ └──────────┘ │ │
      └─  └─┬────────────┘ │
            └──────────────┘

Integration Tests

The integration test suite can run on an SNP CVM. It needs to be executed as root and the tests have to run sequentially.

sudo -E env "PATH=$PATH" cargo t --features integration_test -- --test-threads 1

Dependencies

~7–21MB
~254K SLoC