Hello "attestation" world
Learn to make your first "local" attestation from within the enclaved workload.
Prerequisites
Log in to the VM as the root user.
Install the vHSM CLI.
Log in to the vHSM instance with the root token or any other authentication credential.
Local Attestation
A local attestation retrieves the report from the platform security processor from inside the enclave. This contrasts with remote attestation, where the user asks Nitride to perform the attestation on their behalf.
Creating an attestation report
Run the following command within the enclave:
vhsm nitride attestation -provider=<provider> generate dump
where the attestation provider (<provider>) determines the structure of the attestation report. For details, see attestation concept.
Example output:
{
  "Version": 1,
  "Provider": "aws-sev-snp-raw",
  "Attestation": {
    "Version": 1,
    "Product": "Milan",
    "Report": "BAAAAAAAAAAAAAMAAA...",
    "Vlek": "MIIFIzCCAtegAwIBAgIB...",
    "Data": "eyJOb25jZSI6ImR1bXAiLCJEYXRhIjpudWxsfQ=="
  }
}
The report indicates attestation with the Versioned Loaded Endorsement Key (VLEK), a method where AWS loads the attestation key into the Platform Security Processor.
Explanation of Each Field
This is an AWS attestation document for an AMD SEV-SNP (Secure Encrypted Virtualization with Secure Nested Paging) instance. The key components of this JSON output are broken down below.
The entire JSON represents the attestation response from AWS.
- Version: 1 - Indicates the version of the attestation format.
- Provider: aws-sev-snp-raw - Specifies that this attestation is from AWS for SEV-SNP, and that it is in raw format, meaning it includes the full AMD SEV-SNP attestation report and the VLEK certificate.
- Attestation: This object contains the core attestation details.
  - Version: 1 - Version of the attestation report itself.
  - Product: Milan - The specific AMD EPYC processor generation, in this case "Milan" (3rd Gen EPYC).
  - Report: A base64-encoded AMD SEV-SNP Attestation Report. This report is generated by the SEV-SNP hardware on the AMD CPU and contains crucial information about the guest VM's state, including:
    - MEASUREMENT: A hash of the initial code and data loaded into the VM, ensuring its integrity.
    - HOST_DATA: Data provided by the hypervisor (AWS Nitro Enclaves in this case) that can be used to bind the attestation to a specific host.
    - REPORT_DATA: Data provided by the guest VM itself (e.g., a nonce or public key), allowing the attestation to be tied to a specific request or instance of the VM. In the Data field of the output above you see {"Nonce":"dump","Data":null}, which corresponds to the REPORT_DATA.
    - VM_ID: A unique identifier for the VM.
    - POLICY: The security policies enforced on the VM (e.g., whether debugging is allowed, whether SMT is enabled for the guest).
    - SIGNATURE: The report is cryptographically signed by the AMD Secure Processor (ASP) using a key chained back to an AMD-provided VCEK (Versioned Chip Endorsement Key).
  - Vlek: A base64-encoded certificate, specifically the Versioned Loaded Endorsement Key (VLEK). This certificate is issued by AWS to endorse the AMD SEV-SNP environment within their infrastructure.
    - Purpose: The VLEK acts as an intermediary certificate. Instead of validating the AMD SEV-SNP Attestation Report directly against AMD's root of trust, you validate it against the VLEK. The VLEK itself is signed by an AWS-controlled certificate authority. This allows AWS to attest that the environment where your SEV-SNP VM is running is legitimate and configured correctly by AWS.
    - Contents (decoded details from the VLEK provided):
      - Subject: CN=SEV-VLEK, O=Advanced Micro Devices, Inc., L=Santa Clara, ST=CA, C=US, OU=Engineering - This shows the subject details.
      - Issuer: CN=SEV-VLEK-Milan, O=Advanced Micro Devices, Inc., L=Santa Clara, ST=CA, C=US, OU=Engineering - This might seem counter-intuitive, but it indicates that this VLEK is specifically for Milan processors, and it is signed by a root that also identifies as SEV-VLEK-Milan.
      - Validity: Not Before: Jun 10 02:30:15 2025 GMT, Not After: Jun 10 02:30:15 2026 GMT - The validity period of this specific VLEK.
      - Public Key: An elliptic curve public key (prime256v1). This key is used to verify the signature of the AMD SEV-SNP Attestation Report.
      - Extensions:
        - 1.3.6.1.4.1.33136.2.2.1: This OID (Object Identifier) is likely specific to AMD SEV-SNP and indicates the product as "Milan".
        - 1.3.6.1.4.1.33136.2.2.2: This OID likely carries the AWS region or endpoint information, as indicated by CN=cc-eu-west-1.amazonaws.com. This confirms the attestation originates from the AWS eu-west-1 region.
        - Other extensions likely contain additional attestation-related metadata.
  - Data: A base64-encoded JSON string, {"Nonce":"dump","Data":null}. As mentioned earlier, this corresponds to the REPORT_DATA field within the AMD SEV-SNP Attestation Report.
    - Nonce: "dump" - A user-provided nonce. A nonce (number used once) is a random value included in the attestation request by the relying party (or the guest VM itself) to prevent replay attacks. The relying party generates a unique nonce for each attestation request and verifies that the returned attestation report contains that specific nonce.
    - Data: null - This field can be used to pass additional arbitrary data from the guest VM to the relying party. In this case, it is null.
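As an added example (not part of the vHSM or Nitride code), the following Python decodes a document of the shape shown above, checks the Nonce against the value the caller supplied, and slices REPORT_DATA, MEASUREMENT and the POLICY flag bits out of the raw report at the offsets defined in the AMD SEV-SNP ABI. It assumes REPORT_DATA carries the SHA-512 of the Data bytes (how Nitride actually binds Data into the report must be confirmed from its documentation), and the sample report it builds is constructed, not hardware output.

```python
import base64
import hashlib
import json
import struct

# Field offsets from the AMD SEV-SNP ABI attestation report layout (0x4A0 bytes total).
REPORT_LEN = 0x4A0
FIELDS = {"REPORT_DATA": (0x050, 64), "MEASUREMENT": (0x090, 48),
          "HOST_DATA": (0x0C0, 32), "SIGNATURE": (0x2A0, 512)}  # name: (offset, length)
POLICY_BITS = {"SMT": 16, "MIGRATE_MA": 17, "DEBUG": 19, "SINGLE_SOCKET": 20}


def parse_report(raw: bytes) -> dict:
    """Slice the named fields out of a raw report and decode the POLICY flag bits."""
    if len(raw) != REPORT_LEN:
        raise ValueError(f"unexpected report length {len(raw)}")
    out = {name: raw[off:off + ln] for name, (off, ln) in FIELDS.items()}
    out["VERSION"] = struct.unpack_from("<I", raw, 0x000)[0]
    policy = struct.unpack_from("<Q", raw, 0x008)[0]
    out["POLICY"] = {flag: bool(policy >> bit & 1) for flag, bit in POLICY_BITS.items()}
    return out


def check_attestation(doc: dict, expected_nonce: str) -> dict:
    """Decode a vhsm attestation document and apply the nonce freshness check.
    Assumption (not stated on the page): REPORT_DATA carries SHA-512 of the Data JSON bytes."""
    att = doc["Attestation"]
    data_raw = base64.b64decode(att["Data"])
    data = json.loads(data_raw)
    if data.get("Nonce") != expected_nonce:
        raise ValueError("nonce mismatch: report is stale or replayed")
    rep = parse_report(base64.b64decode(att["Report"]))
    return {"provider": doc["Provider"], "report_version": rep["VERSION"],
            "policy": rep["POLICY"], "measurement": rep["MEASUREMENT"].hex(),
            "data_bound": rep["REPORT_DATA"] == hashlib.sha512(data_raw).digest()}


def make_sample(nonce: str) -> dict:
    """Constructed document with the page's shape; the Report bytes are synthetic, not hardware output."""
    data_b64 = base64.b64encode(json.dumps({"Nonce": nonce, "Data": None}, separators=(",", ":")).encode()).decode()
    raw = bytearray(REPORT_LEN)
    struct.pack_into("<I", raw, 0x000, 2)                       # report VERSION
    struct.pack_into("<Q", raw, 0x008, (1 << 16) | (1 << 17))   # POLICY: SMT + MIGRATE_MA, DEBUG off
    raw[0x050:0x090] = hashlib.sha512(base64.b64decode(data_b64)).digest()
    raw[0x090:0x0C0] = bytes(range(48))                         # placeholder MEASUREMENT
    return {"Version": 1, "Provider": "aws-sev-snp-raw", "Attestation": {
        "Version": 1, "Product": "Milan", "Report": base64.b64encode(bytes(raw)).decode(),
        "Vlek": "<constructed placeholder>", "Data": data_b64}}
```

The Vlek value is base64 DER, so `base64 -d | openssl x509 -inform DER -noout -text` prints the subject, issuer, validity and extensions described above.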