In this article we discuss the public key infrastracture related to AMD SEV technology.
Public-key Infrastructure
In the following we describe the key hierarchie underlying the AMD SEV public key infrastructure. As with most PKIs there is the AMD Certificate Authority (CA) acting as the root of trust. The AMD CA certifies so called signing keys for each EPYC3 platform, which allow to certify a security processor, more precisely the processor along its Trusted Computing Base (TCB) comprising the firmware, firmware version and other identifying information. Included in this certificate is also an attestation key linked to the platform (Versioned Chip Endorsement Key) or linked to the cloud service provider (Versioned Loaded Endorsement Key).
Root Keys
AMD Root Key (ARK)
AMD is the root of trust of the public key infrastracture. The AMD Root Key is the master key behind the AMD certificate authority. Accordingly the key pair is self-signed and the secret key is kept private.
AMD Signing Key (ASK)
ASK signs another key called the Versioned Chip Endorsement Key (VCEK), unique to each AMD processor. Effectively the key is used to issue AMD processor certificates. This creates a chain of trust where the VCEK's authenticity can be verified by referencing the publicly known ASK. The ASK key pair is signed with the AMD Root Key (ARK).
Attestation Keys
Versioned Chip Endorsement Key (VCEK)
The Versioned Chip Endorsement Key is an attestation signing key derived from chip unique secrets and a TCB_VERSION. The VCEK can be computed for any TCB_VERSION less than or equal to the CurrentTcb, allowing for migrations of secrets from previous version to the current version.
Versioned Loaded Endorsement Key (VLEK)
A Versioned Loaded Endorsement Key is a versioned Elliptic Curve Digital Signature Algorithm (ECDSA) P-384 signing key certified by AMD and used by SNP firmware to sign attestation reports as an alternative to the VCEK. While the VCEK is derived from a chip-unique seed, the VLEK is derived from a seed maintained by the AMD Key Derivation Service (KDS). Each Cloud Service Provider (CSP) that enrolls with AMD has dedicated VLEK seeds.
Auxilliary Keys
Derived Keys
Some use cases require a platform-specific key, sometimes referred to as binding and sealing key. AMD SEV supports the binding/sealing related to VLEK and VCEK. The latter binds the key to the platform, while the first allows for moving the workload within the CSP realm.
Virtual Machine Root Key (VMRK)
Migration is supported in the SNP architecture through Migration Agents (MAs). A Migration Agent is itself an SNP VM that is bound to the primary VM during the launch process. A VM may be associated with only a single MA, but a single MA may manage multiple primary VMs. The MA is responsible for supplying the VMRK during the launch process and for enforcing the guest migration policy. During launch, the migration agent of the guest sends the VMRK to use for the guest. It must be encrypted with the migration agent’s encryption key.
Chain of Trust
Note that like with every PKI the AMD root CA/KDS issues revocation lists to revoke VCEKs and VLEKs in case of compromise.
The root of trust is AMD and vouches for the trust of the compute platform and/or the cloud service provider. For both cases the AMD KDS API provides registration and lookup endpoints.
