# Attestation Azure, GCP and AWS really implement
{% hint style="info" %}
The following article addresses AMD SEV-SNP remote attestation.
Source: [SEV SNP Firmware ABI Specification](https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/56860.pdf) (Revision: 1.57, January 2025)
{% endhint %}
## AMD's attestation report
Following the AMD ABI spec, below table summarizes the remote attestation properties.
| Property | Description |
| ------------------- | --------------------------------------------------------------------------------------------------------------------------------------- |
| VERSION | The version number of the attestation report. It is used to identify major changes in the report structure. |
| GUEST\_SVN | The guest Secure Version Number (SVN) which indicates the version of the guest being deployed. |
| POLICY | Policy which needs to be fulfilled by the platform. |
| FAMILY\_ID | The family ID provided at launch. |
| IMAGE\_ID | The image ID provided at launch. |
| VMPL | Indicates from which privilege level the guest called the attestation report or if the host requested the report. |
| SIGNATURE\_ALGO | Signature algorithm used to sign the report. |
| CURRENT\_TCB | Contains the data for the current running TCB. |
| PLATFORM\_INFO | Information regarding the current configuration of the platform. |
| SIGNING\_KEY | Indicates which kind of key was used to sign this report. |
| MASK\_CHIP\_KEY | Indicates that the VCEK is not used in attestation and guest key derivation. |
| AUTHOR\_KEY\_EN | Indicates that an Author Key was used to sign the ID key and that the digest of the Author Key is included, |
| REPORT\_DATA | Can be filled with random data by the requesting guest in order to ensure freshness or communicate other properties. |
| MEASUREMENT | Measurement calculated over the initial guest state (firmware, bootloader, memory pages). |
| HOST\_DATA | Data supplied by the hypervisor which is mixed into the report. |
| ID\_KEY\_DIGEST | SHA-384 digest of the public key which signed the ID block (policy, family/image id, ...). |
| AUTHOR\_KEY\_DIGEST | SHA-384 digest of the author key which certified the ID key. |
| REPORT\_ID | An ID generated for each guest which is persistent through its lifetime and associated with every report generated during the lifetime. |
| REPORT\_ID\_MA | An ID for the migration agent of a guest. This ID persists through the entire lifetime of the guest. |
| REPORTED\_TCB | The TCB version which was used to derive the VCEK which signed the report. |
| CPUID\_FAM\_ID | The general family of the underlying CPU. |
| CPUID\_MOD\_ID | The specific model of the CPU. |
| CPUID\_STEP | The stepping ID of the CPU. |
| CHIP\_ID | Unique chip identifier which can be hidden. |
| COMMITTED\_TCB | Minimum TCB which can not be rollbacked to a previous due to hardware one time fuses. |
| CURRENT\_BUILD | Build number of CurrentVersion of the firmware. |
| CURRENT\_MINOR | Minor version of CurrentVersion of the firmware. |
| CURRENT\_MAJOR | Major version of CurrentVersion of the firmware. |
| COMMITTED\_BUILD | Build number of CommittedVersion of the firmware. |
| COMMITTED\_MINOR | Minor version of CommittedVersion of the firmware. |
| COMMITTED\_MAJOR | Major version of CommittedVersion of the firmware. |
| LAUNCH\_TCB | TCB value at guest launch or import. |
| SIGNATURE | Signature of the report. |
### Explanation
The SEV-SNP attestation report starts with the Version field which indicates the specification the report is following. This is important as some following fields may interpret the same bytes differently depending on the report version. An example for this would be a report with version 2 and a report with version 3. Between these two report versions the structure of the PLATFORM\_INFO section changed. One byte which was marked reserved for version 2 has been populated for report version 3 and indicates if the processor contains a mitigation for CVE-2024-21944.
{% hint style="warning" %}
As of 2025-05-20 GCP is the only provider to use the non public report version 4 and firmware version 1.55.31 on Milan CPUs.
{% endhint %}
The guest **Security Version Number** afterwards is indicating which version of the guest image is running. This field can be supplied by the user or hypervisor as part of the **ID Block** during the launch of the VM.
The **Guest Policy** field is also supplied through the user/hypervisor as part of the ID Block and contains information about features/versions that should be enabled/installed. The hardware is checking these values against the actual platform and will abort the boot process if a mismatch occurs.
Also as a part of the ID Block the hypervisor/user can provision a Family ID/Image ID in order to uniquely identify a VM or identify classes of VM's. This feature is currently only in use by Azure.
Overall the ID Block is following this structure:
| Name | Desciption | |
|---|
| LD | The expected launch digest/measurement of the guest. Will be checked by the firmware upon launch. | |
| FAMILY_ID | Family ID provided by the guest owner. | |
| IMAGE_ID | Image ID provided by the guest owner. | |
| VERSION | Version of ID block format. | |
| GUEST_SVN | Security Version Number of the guest. | |
| POLICY | Guest launch policy. | |
The **VMPL** field always indicates from which Virtual Machine Privilege Level the attestation report was requested and if this was a guest or host request. Due to their vTPM Azure the report must be requested from VMPL 0. Other providers can use VMPL 1.
Through the signature field the algorithm, of which currently only one exists (ECDSA P-384 with SHA-384), for the signature of the report can be selected.
The **CURRENT\_TCB** structure includes version information about the microcode, SNP firmware and other critical components and reports these at the time the of report creation. This may differ for each provider depending on their patch level and installed software. For example Azure and GCP reported the microcode version 219 while AWS reported 220 as they had a newer microcode version installed.
The **Platform Info** reports relevant enabled/disabled platform configurations. It is worth to note that AWS as the only cloud provider is using Transparent Secure Memory Encryption (TSME) which encrypts the complete memory irrespective from what an Operating System or hypervisor may indicate for a specific page with the C-bit. This requires no support in the hypervisor or Operating System for AMD SME.
The **SIGNING\_KEY** field provides data about the key which is used to sign the attestation report. Most importantly it indicates if VLEK (AWS) or VCEK (Azure, GCP) signing was used. VCEK signing uses a unique secret embedded in the hardware chip while VLEK signing uses a seed for each certificate maintained by AMD.
**MASK\_CHIP\_KEY** indicates, when set, that the VCEK is not used in the attestation procedure and guest key derivation.
**AUTHOR\_KEY\_ENABLED** indicates that the digest of an author key is present this remains unused by all CSPs.
**Report Data** allows for providing random data to the SNP firmware during the creation of a report in order to guarantee its freshness. While AWS and GCP allow the user to pass its own random data on Azure the data is generated by the host through the vTPM which only uses half of the available space for randomness.
{% tabs %}
{% tab title="Azure" %}
Report Data:
AE 92 75 D8 3A 13 D5 8F 25 06 77 33 92 05 93 8D
12 04 80 0B 88 3E F3 B2 4D F2 D5 59 40 AF D9 97
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
{% endtab %}
{% tab title="AWS/GCP" %}
```
Report Data:
BD 9D 07 CC 02 AC 21 1E 94 18 FE 7C FC 0B 8F 0C
FE 35 66 DD A0 ED 12 7F 64 94 3A B3 68 9C 97 0A
04 BE 9B 85 48 97 92 D1 5D 23 11 3C F1 C0 C7 BF
DA 84 EE 4F FD 67 03 98 5E 7F 0B 4B E9 5A 7E 31
```
{% endtab %}
{% endtabs %}
The **measurement** itself contains the hash calculated at launch of the VM and is the basis for trust as it needs to match the expected value by the user.
**Host Data** remains unused by the Cloud providers but would allow the hypervisor to supply additional data at the launch.
As Azure is using the Family ID and Image ID and in turn provides an ID Block it also used the **ID Key Digest** field which contains the hash of the public key that was used to sign the ID Block. As AWS and GCP do not utilize the ID Block this field remains empty for reports generated on their infrastructure.
As the ID Key can be certified the **Author Key Digest** can contain the hash of the public key of the certifier. However this remains unused by all providers.
Through the **Report ID** and **Report ID MA** fields the hardware can assign a unique ID for the lifetime of a guest. This unique ID will be linked to all reports generated by this guest or this guests Migration Agent. As the no CSP is using the Migration Agent it is currently filled with 0xFF completely by the firmware.
The **Reported TCB** holds the information which was used to derive the VCEK and should match with the Current TCB.
Through the three fields **CPUID\_FAM\_ID,** **CPUID\_MOD\_ID** and **CPUID\_STEP** it is possible to identify the underlying CPU. The **CPUID\_FAM\_ID** is in the case of our three CSPs 25 which indicates that the CPU belongs to the Zen 3 or Zen 4 microarchitecture. Through **CPUID\_MOD\_ID** this can be further broken down to the CPU generation called Milan. The **CPUID\_STEP** finally allows to differentiate between different iterations such as Engineering Samples within one generation of CPUs. In our case the **CPUID\_STEP** is always 1 which indicates the production release of Milan CPUs.
An interesting field is the Chip ID as this field allows to uniquely identify a given AMD CPU. Azure and GCP both provide these values while AWS choose to enable a platform configuration setting which masks the ID by setting it to all zeroes.
The **COMMITED\_TCB** field contains the information of the TCB which has been burned physically into the hardware using One Time Programmable fuses. This prevents the hypervisor or anyone else to rollback the TCB to values lower than those committed.
The **CURRENT\_BUILD, CURRENT\_MINOR** and **CURRENT\_MAJOR** field indicate the version of the SEV firmware which is not to be confused with the SVN of the firmware. These values also exists in a committed variant which prevents the rollback to previous versions.
Finally the signature field contains the necessary information about the signature over the attestation report. Together with the VCEK or VLEK, that can be requested from AMD's Key Distribution Center together with a certificate chain, the authenticity of the attestation report can be verified for all three cloud providers.
{% tabs %}
{% tab title="Azure" %}
Attestation Report:
Version: 3
Guest SVN: 8
Guest Policy (0x3001f):
ABI Major: 0
ABI Minor: 31
SMT Allowed: true
Migrate MA: false
Debug Allowed: false
Single Socket: false
Family ID:
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Image ID:
02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
VMPL: 0
Signature Algorithm: 1
Current TCB:
TCB Version:
Microcode: 219
SNP: 24
TEE: 0
Boot Loader: 4
FMC: None
Platform Info (37):
SMT Enabled: true
TSME Enabled: false
ECC Enabled: true
RAPL Disabled: false
Ciphertext Hiding Enabled: false
Alias Check Complete: true
Key Information:
author key enabled: false
mask chip key: false
signing key: vcek
Report Data:
AE 92 75 D8 3A 13 D5 8F 25 06 77 33 92 05 93 8D
12 04 80 0B 88 3E F3 B2 4D F2 D5 59 40 AF D9 97
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Measurement:
0B 06 BC A8 12 62 98 FD 9F AD E4 D3 AE BA 6F 01
95 5B 11 01 32 02 13 D8 E1 F6 46 81 29 FD CF 8A
AD B7 40 80 1A 67 12 F8 EB 73 F7 AA 90 67 DD A4
Host Data:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ID Key Digest:
03 56 21 58 82 A8 25 27 9A 85 B3 00 B0 B7 42 93
1D 11 3B F7 E3 2D DE 2E 50 FF DE 7E C7 43 CA 49
1E CD D7 F3 36 DC 28 A6 E0 B2 BB 57 AF 7A 44 A3
Author Key Digest:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Report ID:
4A EF 3D 6D 2A D7 F9 A1 41 7A 0D 44 D0 EA CF E4
9A DE D6 22 50 EF 77 6E E8 79 CE 14 11 C2 2B 95
Report ID Migration Agent:
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
Reported TCB:
TCB Version:
Microcode: 219
SNP: 24
TEE: 0
Boot Loader: 4
FMC: None
CPUID Family ID: 25
CPUID Model ID: 1
CPUID Stepping: 1
Chip ID:
88 B4 F6 6D 02 2C 88 1F 6F 37 F6 16 35 75 10 6F
1C 28 66 D3 01 6E 44 7D A3 18 70 41 87 61 BF 31
EA D2 92 8C 32 E6 1F C6 EF 8C BA BC 9B B2 44 28
F5 09 DD 99 D7 D7 B5 C5 A9 74 82 62 C1 2E 6E A7
Committed TCB:
TCB Version:
Microcode: 219
SNP: 24
TEE: 0
Boot Loader: 4
FMC: None
Current Version: 1.55.29
Committed Version: 1.55.29
Launch TCB:
TCB Version:
Microcode: 219
SNP: 24
TEE: 0
Boot Loader: 4
FMC: None
Signature:
R:
37 D8 BF 74 01 C4 D5 4D 67 87 2D 99 97 4E 7E 49
28 E9 7E 14 A2 A8 CC 69 8E CD C0 76 43 77 04 A1
5F E4 F8 3B 53 4A 74 B1 C4 5C DB 18 03 80 B2 0E
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
S:
0D E7 02 5D 68 16 06 1F 19 9C 39 8C 48 AE 9E 88
DE DD 0A 9E 9F B1 31 0E 2C CF 03 A1 58 BF 15 0E
3D 04 03 6C 9A 40 08 8C DF 8C 97 B2 50 2A 16 F3
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
{% endtab %}
{% tab title="AWS" %}
```
Attestation Report:
Version: 3
Guest SVN: 0
Guest Policy (0x30000):
ABI Major: 0
ABI Minor: 0
SMT Allowed: true
Migrate MA: false
Debug Allowed: false
Single Socket: false
Family ID:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Image ID:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
VMPL: 1
Signature Algorithm: 1
Current TCB:
TCB Version:
Microcode: 220
SNP: 24
TEE: 0
Boot Loader: 4
FMC: None
Platform Info (39):
SMT Enabled: true
TSME Enabled: true
ECC Enabled: true
RAPL Disabled: false
Ciphertext Hiding Enabled: false
Alias Check Complete: true
Key Information:
author key enabled: false
mask chip key: false
signing key: vlek
Report Data:
BD 9D 07 CC 02 AC 21 1E 94 18 FE 7C FC 0B 8F 0C
FE 35 66 DD A0 ED 12 7F 64 94 3A B3 68 9C 97 0A
04 BE 9B 85 48 97 92 D1 5D 23 11 3C F1 C0 C7 BF
DA 84 EE 4F FD 67 03 98 5E 7F 0B 4B E9 5A 7E 31
Measurement:
89 22 EB BD D0 0E C2 C5 41 F3 6A 6E 7A 82 A8 77
3A 7A CC B4 51 ED 67 BC 94 E7 40 DB E9 2C 93 C4
E8 C9 AF 85 7F 5C EE B5 A4 93 DF 2A 57 0D 7B F0
Host Data:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ID Key Digest:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Author Key Digest:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Report ID:
88 23 5C CF 0A 06 E0 40 A8 86 EA 43 47 DD 0C CD
9C 38 67 64 DD 14 80 B0 08 8A CD 06 35 D2 23 65
Report ID Migration Agent:
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
Reported TCB:
TCB Version:
Microcode: 217
SNP: 24
TEE: 0
Boot Loader: 4
FMC: None
CPUID Family ID: 25
CPUID Model ID: 1
CPUID Stepping: 1
Chip ID:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Committed TCB:
TCB Version:
Microcode: 219
SNP: 24
TEE: 0
Boot Loader: 4
FMC: None
Current Version: 1.55.29
Committed Version: 1.55.29
Launch TCB:
TCB Version:
Microcode: 219
SNP: 24
TEE: 0
Boot Loader: 4
FMC: None
Signature:
R:
92 9B AF 53 DB ED 02 14 EC C6 33 BE E9 27 C8 6A
23 0C 05 2F DE 92 00 CD 32 1D 80 FD 67 2A F7 58
E4 BF B7 CD CF 3C 1C D7 C2 BF B0 E3 AD 2E D3 C6
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
S:
DC 12 70 4B 3C 46 E7 64 EC 63 A1 4E B1 8A 2E 48
0C 67 55 DF 45 93 C0 F6 89 55 51 DF CB C7 A1 5F
E8 9D 0C 9B 0A 81 FD 97 ED D4 74 1A 5D B7 5D DC
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
```
{% endtab %}
{% tab title="GCP" %}
```
Attestation Report:
Version: 4
Guest SVN: 0
Guest Policy (0x30000):
ABI Major: 0
ABI Minor: 0
SMT Allowed: true
Migrate MA: false
Debug Allowed: false
Single Socket: false
Family ID:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Image ID:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
VMPL: 1
Signature Algorithm: 1
Current TCB:
TCB Version:
Microcode: 219
SNP: 25
TEE: 0
Boot Loader: 4
FMC: None
Platform Info (37):
SMT Enabled: true
TSME Enabled: false
ECC Enabled: true
RAPL Disabled: false
Ciphertext Hiding Enabled: false
Alias Check Complete: true
Key Information:
author key enabled: false
mask chip key: false
signing key: vcek
Report Data:
7A F5 3C 1C AD BA 68 DC 65 AD D0 A9 28 51 C7 D1
CF 97 2B 86 55 06 50 D5 F6 9E C2 38 8E 18 82 08
E5 A3 3C 2A FA 64 7F 7F A6 7C CE 4A 45 BE 31 C7
36 E4 F9 7A F7 7F 02 D3 2A 1E 96 2E F5 6E 52 AE
Measurement:
30 9F 1B 1E 06 8F E6 39 02 34 72 2A 72 5C 7A 64
F9 D4 53 CE A1 32 75 A0 D5 74 F3 BF C1 F8 86 44
50 E8 C8 F2 8A 24 5F A1 ED 6E A6 81 7A C8 5B 2B
Host Data:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ID Key Digest:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Author Key Digest:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Report ID:
BB 5D 7C 49 BE 01 E0 12 07 3D 07 0C B2 05 A4 B8
00 82 D7 C2 BE C5 7C 71 90 AC CC 2D 0F 7D F6 91
Report ID Migration Agent:
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
Reported TCB:
TCB Version:
Microcode: 219
SNP: 25
TEE: 0
Boot Loader: 4
FMC: None
CPUID Family ID: 25
CPUID Model ID: 1
CPUID Stepping: 1
Chip ID:
77 D6 49 51 AE AD 0B 39 DB BB BF 10 97 05 A8 48
1D C6 38 51 96 A2 C8 B7 EB E3 71 81 DE 9A 65 33
B4 85 FA A9 7A B9 4E B0 99 91 F2 24 38 BE 51 9D
38 0F 3C 1B F7 44 10 CC B3 C6 64 76 B1 15 5E 65
Committed TCB:
TCB Version:
Microcode: 219
SNP: 25
TEE: 0
Boot Loader: 4
FMC: None
Current Version: 1.55.31
Committed Version: 1.55.31
Launch TCB:
TCB Version:
Microcode: 219
SNP: 25
TEE: 0
Boot Loader: 4
FMC: None
Signature:
R:
C4 65 00 68 C2 64 3A 27 4D B4 19 9F 25 BB 0C 62
3C B0 5A 0F E1 C6 F4 91 4D 3B B2 A9 49 2A 8A A6
11 24 EA 95 BA 32 65 37 FF E5 97 29 BA 5F 80 DE
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
S:
F7 81 71 7F B7 D8 75 1D 3C 5C 45 DC CF 2E D2 1F
2D 08 87 76 84 0C EB 78 DA 83 EC DD 8A 2C 43 B8
22 F6 F7 EE D4 D0 4A 4F D5 36 F0 77 5A BA CA 3B
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
```
{% endtab %}
{% endtabs %}