AMD SEV-SNP measurement

0

Hi, I am currently working with AMD SEV-SNP guest VMs on AWS. However, I have been unable to locate any information regarding the generation of the launch digest to be included in the VM's measurement. Is there any information available on how the launch digest is generated (which information is loaded into memory to generate it) for inclusion in the measurement of AMD SEV-SNP VMs on AWS?

  • Yeah, this is the only thing I'm also missing. Currently it is only possible to (remotely) attest that your VM is running as an authentic AMD SEV-SNP Guest VM. It is, however, not documented anywhere how we can measure the firmware, kernel, initrd, and cmdline (part of the "launch digest") which is running in the authentic AMD SEV-SNP Guest VM. And really the whole point of AMD SEV-SNP Confidential VMs is that we don't have to trust you guys - we just need to trust AMD.

    Your Confidential VM solution would be outstanding if you just add this missing documentation.

2 Answers
1

Hello Davi. Thanks for your patience and for reaching out. Your question on how the launch digest is generated, which is not included in the EC2 documentation, has been sent to the Service PM. I will follow up with you when I get a response.

However, when launching an instance, the boot mode of the instance is determined by the configuration of the AMI, the operating system contained in it, and the instance type. Please see details as related to EC2 boot modes: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-boot.html

AWS
answered 10 months ago
0

Hi,

I understand you have been unable to locate any information regarding the generation of the launch digest to be included in the VM's measurement for AMD SEV-SNP.

The official documentation/user guide related to AMD SEV-SNP can be found here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html

**If the answer is helpful, please click "Accept Answer" and upvote it.**

Kind regards, Ahmed.

AWS
answered 10 months ago
  • Hi Ahmed, thank you for your response! I have already read this documentation, but it doesn't explain how the Launch Digest is generated. For instance, in the QEMU documentation about AMD SEV, it describes the process of generating the launch digest and identifies the information loaded in memory for this purpose. This information enables me to reproduce the Launch Digest and validate the initial boot code that was used to launch the instance. However, the EC2 documentation does not provide details on how this digest is generated. Consequently, I am unsure how to determine if the initial content of the VM is in a trustworthy state.
