Secure communication with guests using AMD SEV-SNP

menon.samir · September 21, 2023, 7:05pm

(This is slightly more focused on the SEV-SNP side of things than the GPU, but it’s sill relevant to the NVIDIA confidential computing offering, I think)

The Confidential Computing Deployment Guide has us set up and run an SEV-SNP VM with a custom OVMF file and a qcow2 disk. When you produce attestations from the guest (using github.com/virtee/sev) they correctly chain up to the AMD root of trust, and can take up to 64-bytes of user supplied data (typically a public key).

However, these attestations include a measurement of only the kernel, firmware, initrd, and kernel arguments; they don’t include a measurement of the contents of disk, or any of the code running in the VM itself. So, an external user cannot safely encrypt data to the guest, since none of the application code has been attested.

What’s the standard practice for binding an attestation to the actual code running in the VM with AMD SEV-SNP?

Here are the options we’ve considered:

We could use the Kata + Confidential Containers approach mentioned in the guide. The Kata runtime is loaded into initrd, so it becomes part of the measurement in the attestation. However, when a user later loads a container, we don’t see a straightforward way to get a secure tunnel to the container, since the attestation will still not contain a measurement of the container (only the Kata runtime). We could put a secret into the container, encrypt the image, and then deploy it, but this doesn’t work for our multi-user scenario.
- Additionally, the latest Confidential Containers release does not fully support AMD SEV-SNP so we’re nervous to invest in it.
We could modify initrd to check the contents of the disk before mounting it. Exactly how to do this seems unclear; we could use something like dm-verity, but we were hoping there is an example of this out there already. One issue is that you’d also need to ensure no additional disks are loaded, and that you can operate from a completely read-only filesystem.
Our final vague idea would be to just not use disks at all, and try to boot and run the application directly from initrd.

Would love to hear what other folks are doing! Thanks for any advice.

Topic		Replies	Views
CPU attestation failure in AMD SEV SNP CVM + H100 Confidential Computing	5	705	January 23, 2024
Use non-CC GPU with CVM Confidential Computing	2	762	September 19, 2023
Confidential Computing on NVIDIA H100 GPUs for Secure and Trustworthy AI Technical Blog	1	626	July 3, 2024
Missing steps on Confidential Computing Deployment Guide - (AMD SEV-SNP & KVM) document Confidential Computing	0	52	November 18, 2024
What do "Driver" measurements from NVIDIA RIM Service actually measure? Confidential Computing	3	97	February 13, 2025
If H100 use SPDM mutual authentication? Confidential Computing	5	806	January 17, 2024
GTX 1080 & KVM PCI passthrough to guest CUDA Setup and Installation	12	17484	February 23, 2017
Explainer: What Is Confidential Computing? Technical Blog	0	252	March 8, 2023
Explainer: What Is Confidential Computing? Technical Blog	0	248	July 11, 2023
Installing the NVIDIA Driver and CUDA Toolkit failed Confidential Computing	2	4028	January 3, 2024

Secure communication with guests using AMD SEV-SNP

Related topics