Secure communication with guests using AMD SEV-SNP

(This is slightly more focused on the SEV-SNP side of things than the GPU, but it’s sill relevant to the NVIDIA confidential computing offering, I think)

The Confidential Computing Deployment Guide has us set up and run an SEV-SNP VM with a custom OVMF file and a qcow2 disk. When you produce attestations from the guest (using they correctly chain up to the AMD root of trust, and can take up to 64-bytes of user supplied data (typically a public key).

However, these attestations include a measurement of only the kernel, firmware, initrd, and kernel arguments; they don’t include a measurement of the contents of disk, or any of the code running in the VM itself. So, an external user cannot safely encrypt data to the guest, since none of the application code has been attested.

What’s the standard practice for binding an attestation to the actual code running in the VM with AMD SEV-SNP?

Here are the options we’ve considered:

  1. We could use the Kata + Confidential Containers approach mentioned in the guide. The Kata runtime is loaded into initrd, so it becomes part of the measurement in the attestation. However, when a user later loads a container, we don’t see a straightforward way to get a secure tunnel to the container, since the attestation will still not contain a measurement of the container (only the Kata runtime). We could put a secret into the container, encrypt the image, and then deploy it, but this doesn’t work for our multi-user scenario.
  2. We could modify initrd to check the contents of the disk before mounting it. Exactly how to do this seems unclear; we could use something like dm-verity, but we were hoping there is an example of this out there already. One issue is that you’d also need to ensure no additional disks are loaded, and that you can operate from a completely read-only filesystem.
  3. Our final vague idea would be to just not use disks at all, and try to boot and run the application directly from initrd.

Would love to hear what other folks are doing! Thanks for any advice.