sev-attestation
AMD SEV-SNP remote attestation for cryptographic VM identity verification.
Description
Perform AMD SEV-SNP (Secure Encrypted Virtualization - Secure Nested Paging) remote attestation to cryptographically verify VM identity and integrity. Use this skill when:
- Proving a VM is running in a genuine AMD SEV-SNP confidential computing environment
- Verifying the integrity of a confidential VM before trusting it with secrets
- Checking if SEV-SNP is available and properly configured
- Generating attestation reports for remote verification
- Validating AMD certificate chains (ARK → ASK → VCEK)
- Debugging attestation failures or certificate issues
Keywords: SEV-SNP, attestation, confidential computing, AMD, VCEK, certificate chain, remote attestation, VM identity, TCB, measurement
Workflow
┌─────────────────────────────────────────────────────────────────┐
│ SEV-SNP Attestation Flow │
└─────────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────┐
│ 1. Detection │
│ Is SEV-SNP │
│ available? │
└────────┬────────┘
│
┌──────────────┴──────────────┐
│ │
▼ ▼
┌─────────┐ ┌─────────┐
│ YES │ │ NO │
└────┬────┘ └────┬────┘
│ │
▼ ▼
┌─────────────────┐ ┌─────────────────┐
│ 2. Generate │ │ Exit with │
│ Report │ │ helpful error │
└────────┬────────┘ └─────────────────┘
│
▼
┌─────────────────┐
│ 3. Display │
│ Report Info │
└────────┬────────┘
│
▼
┌─────────────────┐
│ 4. Fetch AMD │
│ Certificates │
│ (ARK, ASK, VCEK)│
└────────┬────────┘
│
▼
┌─────────────────┐
│ 5. Verify │
│ Cert Chain │
└────────┬────────┘
│
▼
┌─────────────────┐
│ 6. Verify │
│ Report Sig │
└────────┬────────┘
│
▼
┌─────────────────┐
│ PASSED or │
│ FAILED │
└─────────────────┘
Quick Start
Check if SEV-SNP is Available
./scripts/detect-sev-snp.sh
Run Full Attestation
./scripts/full-attestation.sh [output_dir]
This runs the complete 6-step attestation workflow and outputs PASSED or FAILED.
Individual Steps
Each step can be run independently for debugging or custom workflows:
| Script | Purpose |
|---|---|
scripts/detect-sev-snp.sh | Check SEV-SNP availability |
scripts/generate-report.sh <output_dir> | Generate attestation report with nonce |
scripts/fetch-certificates.sh <report_file> <output_dir> | Fetch AMD certificates from KDS |
scripts/verify-chain.sh <certs_dir> | Verify certificate chain |
scripts/verify-report.sh <report_file> <certs_dir> | Verify report signature |
Prerequisites
- snpguest: Rust CLI from virtee/snpguest
- openssl: For certificate operations
- curl: For fetching certificates from AMD KDS
- Root access: Required to access
/dev/sev-guest
Install snpguest:
cargo install snpguest
Reference Documentation
- Report Fields - Attestation report field reference
- Error Codes - Common errors and troubleshooting
- Manual Verification - OpenSSL-based verification without snpguest
Technical Details
- AMD KDS URL:
https://kdsintf.amd.com - Certificate Chain: ARK (self-signed) → ASK → VCEK
- Report Signature: ECDSA P-384
- Device:
/dev/sev-guest(requires root or sev group membership)