Hello "attestation" world

Learn to make your first "local" attestation from within the enclaved workload.

Local attestation is when a workload inside an enclave retrieves its own security report directly from the hardware. Conversely, remote attestation occurs when you direct Nitride to manage the entire attestation and verification process.

Prerequisites

  • Log in as root user to the VM.

  • Install vHSM CLI.

  • Log in to the vHSM instance with the root token or any other authentication credential.

Step-by-step Guide

Creating an attestation report

Run the following command in the enclave VM:

vhsm nitride attestation -provider=<provider> generate dump

where <provider> is the attestation provider, which denotes the structure of the attestation report. For details, see attestation concept.

Example output:

{"Version":1,
 "Provider":"aws-sev-snp-raw",
 "Attestation":
 {"Version":1,
  "Product":"Milan",
  "Report":"BAAAAAAAAAAAAAMAAA...",
  "Vlek":"MIIFIzCCAtegAwIBAgIB...",
  "Data":"eyJOb25jZSI6ImR1bXAiLCJEYXRhIjpudWxsfQ=="
}}

The report is signed using a Versioned Loaded Endorsement Key (VLEK), an attestation key that AWS loads directly into the Platform Security Processor.

Understanding the AWS SEV-SNP Attestation Document

This section explains the structure of an attestation report from an AWS instance using AMD SEV-SNP (Secure Encrypted Virtualization - Secure Nested Paging). The JSON response confirms the integrity and identity of the confidential virtual machine.

Key Components

The JSON response is organized into several key-value pairs at the top level.

  • Version: 1

    • Indicates the version of the overall attestation format.

  • Provider: aws-sev-snp-raw

    • Identifies the provider as AWS and the technology as SEV-SNP. The raw suffix means the response includes the complete, unmodified AMD hardware report and the VLEK certificate.

  • Data (Base64 Encoded)

    • This is user-provided data that gets embedded directly into the hardware attestation report to prevent replay attacks.

    • Decoded: {"Nonce":"dump", "Data":null}

      • Nonce: A "number used once" provided by the client during the attestation request. Verifying that this nonce is present in the final report confirms the report is fresh and not a replay of a previous one.

      • Data: An optional field for passing additional user data.

  • Attestation

    • This contains the core evidence generated by the AMD processor. For more information, see Attestation object.

  • Vlek (Base64 Encoded)

    • A certificate from AWS that endorses the virtual machine's launch environment. For more information, see Vlek certificate.

Attestation object

This object contains the evidence generated and signed by the AMD CPU's Secure Processor.

  • Version: 1

    • The version of the hardware report format itself.

  • Product: Milan

    • Specifies the AMD EPYC processor generation (3rd Gen "Milan").

  • Report (Base64 Encoded)

    • The cryptographic report from the SEV-SNP hardware. It is signed by the processor and contains crucial integrity measurements:

      • MEASUREMENT: A cryptographic hash of the initial memory contents of the VM, proving the code has not been tampered with.

      • REPORT_DATA: Contains the user-provided Nonce and Data from the top-level field. This binds the hardware report to a specific attestation request.

      • POLICY: Defines the security policies enforced for the VM (e.g., whether debugging is disabled).

      • SIGNATURE: The cryptographic signature over the report, created by a key that chains back to AMD's hardware root of trust.
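
The following Python code is an added example, not part of the Nitride documentation or tooling. It decodes the envelope produced by generate dump, checks the nonce, and reads POLICY, REPORT_DATA and MEASUREMENT from the raw report. Assumptions: the field offsets and the debug policy bit are taken from AMD's SEV-SNP ABI specification, inspect_dump and constructed_dump are hypothetical names, the sample report is constructed, and the signature is not verified.

```python
import base64, json, struct

# Offsets in the raw report, per AMD's SEV-SNP ABI specification (assumption).
POLICY_OFF, REPORT_DATA_OFF, MEASUREMENT_OFF = 0x08, 0x50, 0x90
REPORT_LEN = 0x4A0        # 1184 bytes, signature block included
POLICY_DEBUG = 1 << 19    # guest policy bit 19: debugging allowed

def inspect_dump(dump_json, expected_nonce):
    """Decode a `generate dump` envelope and return the fields a verifier checks."""
    doc = json.loads(dump_json)
    if doc.get("Provider") != "aws-sev-snp-raw":
        raise ValueError("unexpected provider")
    att = doc["Attestation"]
    # The sample output nests Data under Attestation; fall back to top level.
    data_b64 = att.get("Data", doc.get("Data"))
    user = json.loads(base64.b64decode(data_b64, validate=True))
    if user.get("Nonce") != expected_nonce:
        raise ValueError("nonce mismatch: report may be a replay")
    report = base64.b64decode(att["Report"], validate=True)
    if len(report) < REPORT_LEN:
        raise ValueError("report too short: %d bytes" % len(report))
    (policy,) = struct.unpack_from("<Q", report, POLICY_OFF)
    return {
        "nonce": user["Nonce"],
        "user_data": user.get("Data"),
        "debug_allowed": bool(policy & POLICY_DEBUG),
        "report_data": report[REPORT_DATA_OFF:REPORT_DATA_OFF + 64],
        "measurement": report[MEASUREMENT_OFF:MEASUREMENT_OFF + 48],
    }

def constructed_dump(nonce="dump", policy=0x30000):
    """Build a CONSTRUCTED envelope (dummy report bytes, no real signature)."""
    report = bytearray(REPORT_LEN)
    struct.pack_into("<Q", report, POLICY_OFF, policy)
    report[REPORT_DATA_OFF:REPORT_DATA_OFF + 64] = bytes([0xAA]) * 64
    report[MEASUREMENT_OFF:MEASUREMENT_OFF + 48] = bytes([0xBB]) * 48
    data = json.dumps({"Nonce": nonce, "Data": None}).encode()
    return json.dumps({"Version": 1, "Provider": "aws-sev-snp-raw", "Attestation": {
        "Version": 1, "Product": "Milan",
        "Report": base64.b64encode(bytes(report)).decode(),
        "Data": base64.b64encode(data).decode()}})

if __name__ == "__main__":
    fields = inspect_dump(constructed_dump(), expected_nonce="dump")
    print("debug allowed:", fields["debug_allowed"])
    print("measurement:", fields["measurement"].hex())
```

This page does not state how Nitride derives REPORT_DATA from the Data field, so the function returns the raw 64 bytes for comparison. The nonce and policy checks only carry weight once the report signature has been verified against the VLEK.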

VLEK (Versioned Loaded Endorsement Key) certificate

The VLEK is a certificate from AWS that adds a layer of trust. Instead of validating the report directly against AMD's public keys, you validate it against this AWS-provided certificate.

  • Purpose: The VLEK serves as AWS's guarantee that the SEV-SNP environment is legitimate and configured correctly within their infrastructure. It links the hardware-level trust from AMD to the infrastructure-level trust from AWS. The public key in this certificate is used to verify the Signature on the Attestation Report.

  • Certificate Details (Decoded):

    • Subject: CN=SEV-VLEK, O=Advanced Micro Devices, Inc., ...

      • Identifies the certificate as a VLEK for an AMD SEV platform.

    • Issuer: CN=SEV-VLEK-Milan, O=Advanced Micro Devices, Inc., ...

      • Identifies the certificate authority that signed this VLEK, specific to the Milan processor generation.

    • Validity: Jun 10 02:30:15 2025 GMT to Jun 10 02:30:15 2026 GMT

      • The time window during which this VLEK is considered valid.

    • Extensions: These custom fields contain critical metadata.

      • 1.3.6.1.4.1.33136.2.2.1: Product name (Milan).

      • 1.3.6.1.4.1.33136.2.2.2: AWS endpoint (cc-eu-west-1.amazonaws.com), confirming the report originated from the eu-west-1 region.
