# TCB Versioning Within the SEV-SNP architecture, several firmware components are considered upgradeable and trusted in the threat model. These components, such as the AMD-SP API and CPU microcode patch, collectively form the Trusted Computing Base (TCB) of the architecture. To maintain security and integrity, new versions of these firmware components may be released periodically to address bugs, introduce improvements, or implement new features. In the event of discovering a security bug in one of these components, the guest owner needs assurance that their virtual machine (VM) is running on a patched firmware version and not a vulnerable one. Previous SEV and SEV-ES features relied on a self-reported AMD-SP version number to manage TCB versioning. In SEV-SNP, this check has been significantly enhanced to provide cryptographic strength. The version numbers of all TCB components are now combined with a fused secret called the Chip Endorsement Key (CEK) to generate a Versioned Chip Endorsement Key (VCEK). The VCEK is a private ECDSA key unique to each AMD chip, running a specific TCB version. The construction of the VCEK leverages cryptographic hash functions to prevent any attempt to impersonate a newer TCB version. This ensures that a given TCB version cannot be misrepresented as a more recent one. The VCEK plays a crucial role in various aspects, including signing attestation reports, contributing to the overall security and integrity of the SEV-SNP ecosystem. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.enclaive.cloud/confidential-cloud/technology-in-depth/amd-sev/technology/fundamentals/features/tcb-versioning.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.