AWS

Pricing

An additional hourly usage cost is applicable upon launching an Amazon EC2 instance with AMD SEV-SNP activation. This cost is 10 percent of the On-Demand hourly rate associated with the chosen instance category.

This distinct AMD SEV-SNP usage fee is separate from the charges incurred for your Amazon EC2 instance usage. It's important to note that this fee remains unaffected by factors such as Reserved Instances, Savings Plans, and the utilization of different operating systems.

Requirements

To utilize AMD SEV-SNP, the following steps are necessary:

  1. Choose from the list of supported instance types, which includes:

    • M6a: m6a.large | m6a.xlarge | m6a.2xlarge | m6a.4xlarge | m6a.8xlarge

    • C6a: c6a.large | c6a.xlarge | c6a.2xlarge | c6a.4xlarge | c6a.8xlarge | c6a.12xlarge | c6a.16xlarge

    • R6a: r6a.large | r6a.xlarge | r6a.2xlarge | r6a.4xlarge

  2. Initiate the launch of your instance within a supported AWS Region. Only US East (Ohio) and Europe (Ireland) Regions are compatible with this feature.

  3. Employ an Amazon Machine Image (AMI) configured with either the uefi or uefi-preferred boot mode. Additionally, make sure your chosen operating system is compatible with AMD SEV-SNP. Consult your operating system's documentation for specific information on its AMD SEV-SNP support. Amazon Linux 2023 and Ubuntu 23.04 are among the AWS-supported operating systems offering AMD SEV-SNP compatibility.

Considerations

Activation Scope

AMD SEV-SNP activation is exclusively possible during instance launch. Once enabled at launch, it persists throughout the entire lifecycle of the instance.

Instance Type Adjustment

Modifying the instance type of an active instance with AMD SEV-SNP is permissible only if transitioning to another instance type that also supports AMD SEV-SNP.

Limitations on Features

Note that functionalities like hibernation and Nitro Enclaves are incompatible with the enabled state of AMD SEV-SNP.

Exclusion of Dedicated Hosts

The use of Dedicated Hosts is not compatible with AMD SEV-SNP.

Host Maintenance

In the event that the underlying host of your instance is scheduled for maintenance, a notification of the scheduled event will be issued 14 days in advance. To relocate the instance to a new host, you will need to manually halt or restart it.

EC2

Launch the Instance

  1. Go to EC2 Management Console to launch an instance.

  2. Fill in the necessary information.

  3. Select the Ubuntu 23.04 - Lunar Amazon Machine Image.

Select the image
  1. Choose c6a.large instance type.

  2. Click on Advanced details and set AMD SEV-SNP as Enabled.

Configuration of instance

Attestation

Attestation is a procedure that empowers your instance to authenticate its condition and identity. By activating AMD SEV-SNP for your instance, you can initiate a request for an AMD SEV-SNP attestation report directly from the underlying processor. Contained within the AMD SEV-SNP attestation report is a cryptographic hash named the "launch measurement." This hash encompasses the initial content of guest memory and the initial virtual Central Processing Unit (vCPU) state. This attestation report is endorsed with a VLEK (Versioned Loaded Endorsement Key) signature that traces back to an AMD root of trust. The launch measurement featured in the attestation report serves two key purposes: confirming the instance's operation within a genuine AMD environment and validating the initial boot code utilized for instance launch.

Attestation Result

To undertake attestation using AMD SEV-SNP, adhere to the subsequent steps:

Pre Step: Install Dependencies

$ sudo apt update
$ sudo apt install -y build-essential git libssl-dev uuid-dev autoconf

Step 1: Obtain the Attestation Report

In this phase, you'll install the necessary tools and request the AMD SEV-SNP attestation report from the processor and the VLEK signing key.

To request the attestation report from the CPU, utilize the sev-guest utility. To acquire the utility from the "sev-guest" repository, execute the following commands:

$ git clone https://github.com/AMDESE/sev-guest.git
$ cd sev-guest
$ make sev-guest-get-report
$ make sev-guest-parse-report

Employ the sev-guest utility to solicit the attestation report as well as the VLEK certificate responsible for signing the report:

$ sudo ./sev-guest-get-report guest_report.bin -x
Generating report using the following hash: 
    0000000000000000000000000000000000000000000000000000000000000000
    0000000000000000000000000000000000000000000000000000000000000000

wrote a8074bc2-a25a-483e-aae6-39c045a0b8a1
wrote guest_report.bin

This command generates two files:

  • guest_report.bin – The attestation report with a valid signature.

  • a8074bc2-a25a-483e-aae6-39c045a0b8a1 – The VLEK certificate in DER format serves as the attestation report's signatory.

Step 2: Verify the Attestation Report's Signature The attestation report gains its signature from a certificate known as the Versioned Loaded Endorsement Key (VLEK), issued by AMD for AWS. This step involves confirming the authenticity of the VLEK certificate and validating that this VLEK certificate indeed signs the attestation report.

To verify the attestation report's connection with the VLEK certificate, deploy the "sev-tool" utility. This utility necessitates that both the attestation report and the VLEK certificate reside within a folder named /certs. Initiate the creation of the /certs directory:

$ sudo mkdir certs

Convert the DER-encoded VLEK certificate into PEM format, a requisite for the "sev-guest" utility:

$ sudo openssl x509 -inform der -in a8074bc2-a25a-483e-aae6-39c045a0b8a1 -out certs/vcek.pem

This action results in the VLEK certificate being stored as vcek.pem in the /certs directory.

Download the VLEK root of trust certificates from the official AMD website to the /certs directory:

$ sudo curl --proto '=https' --tlsv1.2 -sSf https://kdsintf.amd.com/vlek/v1/Milan/cert_chain -o certs/cert_chain.pem

Use the "openssl" tool to validate the connection between the VLEK certificate and the AMD root of trust certificates:

$ sudo openssl verify --CAfile certs/cert_chain.pem certs/vcek.pem

Expected output:

certs/vcek.pem: OK

Copy the attestation report to the /certs directory:

$ sudo cp guest_report.bin certs/

Proceed to validate the attestation report's signature by making use of the "sev-tool" utility. Install the utility using these commands:

$ cd ..
$ git clone https://github.com/AMDESE/sev-tool.git
$ cd sev-tool
$ autoreconf -vif && ./configure && make

Utilize the "sev-tool" utility to validate the attestation report's connection with the VLEK certificate:

$ sudo ./src/sevtool --ofolder ../sev-guest/certs --validate_guest_report

Expected output:

Guest report validated successfully!

Command Successful

EKS

You can first create the EC2 instances according to the tutorials above, then deploy the Kubernetes cluster manually and connect them to the EKS cluster to have AMD SEV-SNP enhanced Kubernetes.

Lambda

Currently, AWS Lambda doesn't support AMD SEV-SNP.

Last updated