Get Firmware Measurement

Learn how to get the firmware measurement of a VM.

Install sev-snp-measure

sev-snp-measure is a command-line tool that calculates and reports measurement values for AMD SEV-SNP (Secure Encrypted Virtualization – Secure Nested Paging) environments, helping verify the integrity of firmware and virtual machine configurations before launch.

You need sev-snp-measure because it pre-calculates the expected firmware and virtual machine launch measurements used in AMD SEV-SNP attestation. These values are the known-good baseline for verifying that a confidential VM is running trusted and untampered firmware and configuration before it starts. With secure remote attestation, cloud users and providers can ensure that VMs have not been altered by malicious actors. Without this tool, it would be difficult to reliably compare a VM's runtime measurement against that baseline, which weakens trust in confidential computing environments.

You can install the sev-snp-measure tool using either of the following methods:

Install using pip package manager

# Update and install pip if necessary
sudo apt update
sudo apt install -y python3-pip

# Install the tool
pip3 install sev-snp-measure

Verify that the tool is installed:

sev-snp-measure --help

Output

usage: sev-snp-measure [-h] [--version] [-v] --mode
                       {sev,seves,snp,snp:ovmf-hash,snp:svsm} [--vcpus N]
                       [--vcpu-type CPUTYPE] [--vcpu-sig VALUE]
                       [--vcpu-family FAMILY] [--vcpu-model MODEL]
                       [--vcpu-stepping STEPPING] [--vmm-type VMMTYPE] --ovmf
                       PATH [--kernel PATH] [--initrd PATH] [--append CMDLINE]
                       [--guest-features VALUE] [--output-format {hex,base64}]
                       [--snp-ovmf-hash HASH] [--dump-vmsa] [--svsm PATH]
                       [--vars-size SIZE | --vars-file PATH]

Calculate AMD SEV/SEV-ES/SEV-SNP guest launch measurement

optional arguments:
  -h, --help            show this help message and exit
  --version             show program's version number and exit
  -v, --verbose
  --mode {sev,seves,snp,snp:ovmf-hash,snp:svsm}
                        Guest mode
  --vcpus N             Number of guest vcpus
  --vcpu-type CPUTYPE   Type of guest vcpu (EPYC, EPYC-v1, EPYC-v2, EPYC-IBPB,
                        EPYC-v3, EPYC-v4, EPYC-Rome, EPYC-Rome-v1, EPYC-
                        Rome-v2, EPYC-Rome-v3, EPYC-Milan, EPYC-Milan-v1,
                        EPYC-Milan-v2, EPYC-Genoa, EPYC-Genoa-v1)
  --vcpu-sig VALUE      Guest vcpu signature value
  --vcpu-family FAMILY  Guest vcpu family
  --vcpu-model MODEL    Guest vcpu model
  --vcpu-stepping STEPPING
                        Guest vcpu stepping
  --vmm-type VMMTYPE    Type of guest vmm (QEMU, ec2)
  --ovmf PATH           OVMF file to calculate hash from
  --kernel PATH         Kernel file to calculate hash from
  --initrd PATH         Initrd file to calculate hash from (use with --kernel)
  --append CMDLINE      Kernel command line to calculate hash from (use with
                        --kernel)
  --guest-features VALUE
                        Hex representation of the guest kernel features
                        expected to be included (defaults to 0x1); see
                        README.md for possible values
  --output-format {hex,base64}
                        Measurement output format
  --snp-ovmf-hash HASH  Precalculated hash of the OVMF binary (hex string)
  --dump-vmsa           Write measured VMSAs to vmsa<N>.bin (seves, snp, and
                        snp:svsm modes only)

snp:svsm Mode:
  AMD SEV-SNP with Coconut-SVSM. This mode additionally requires --svsm and
  either --vars-file or --vars-size to be set.

  --svsm PATH           SVSM binary
  --vars-size SIZE      Size of the OVMF_VARS file in bytes (conflicts with
                        --vars-file)
  --vars-file PATH      OVMF_VARS file (conflicts with --vars-size)

Install from the GitHub repository

This runs the script directly from your local copy.

Output

Locate or download OVMF firmware

  • If installed using package:

  • If not available: Download a reference firmware from the GitHub repo:

Calculate the SEV-SNP firmware measurement

After you have the sev-snp-measure tool and an OVMF.fd file, run the tool with the following options:

  • --mode snp : Specifies the measurement mode.

    • snp means Secure Nested Paging mode, which measures firmware for AMD SEV-SNP (Secure Encrypted Virtualization – Secure Nested Paging) environments.

  • --vcpus 4 : Sets the number of virtual CPUs to use in the measurement process. In this example, it is configured to simulate 4 vCPUs.

  • --vcpu-type EPYC-v4 : Defines the virtual CPU model for the measurement.

    • EPYC-v4 corresponds to a 4th generation AMD EPYC CPU, which determines the instruction set and capabilities available during measurement.

  • --ovmf OVMF.fd : Specifies the path to the OVMF firmware file used for the virtual machine.

    • OVMF.fd is the UEFI firmware image required for initializing the virtual environment in which the measurement is performed.
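The comparison that the pre-calculated value exists for, as an added example that is not from the original page or the sev-snp-measure project. The command line uses the options listed above; the function names, the `report.bin` path, and the assumption that the report is the raw 1184-byte ATTESTATION_REPORT with MEASUREMENT at offset 0x90 are this example's own.

```shell
#!/bin/sh
# Added example: check a reported SNP launch measurement against the value
# sev-snp-measure pre-calculates. Function and file names are illustrative.

# Expected launch digest for the configuration described on this page.
# The tool prints the digest as hex unless --output-format says otherwise.
expected_measurement() {
    sev-snp-measure --mode snp --vcpus 4 --vcpu-type EPYC-v4 --ovmf "$1"
}

# Lower-case a digest and require exactly 96 hex characters (48 bytes).
normalize_digest() {
    d=$(printf '%s' "$1" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    [ "${#d}" -eq 96 ] || return 1
    case $d in
        *[!0-9a-f]*) return 1 ;;
    esac
    printf '%s' "$d"
}

# Print the MEASUREMENT field of a raw ATTESTATION_REPORT as hex.
# Assumption: the file is the 1184-byte binary report, where MEASUREMENT is
# the 48 bytes at offset 0x90 (144), and its signature was verified already.
report_measurement() {
    _size=$(wc -c < "$1" | tr -d ' ') || return 1
    [ "$_size" = 1184 ] || return 1
    od -An -v -tx1 -j144 -N48 "$1" | tr -d ' \n'
}

# Exit 0 on match, 1 on mismatch, 2 when either value is malformed.
measurement_matches() {
    _want=$(normalize_digest "$1") || return 2
    _got=$(normalize_digest "$2") || return 2
    [ "$_want" = "$_got" ]
}

# Typical use (OVMF.fd and report.bin are placeholder paths):
#   measurement_matches "$(expected_measurement OVMF.fd)" \
#       "$(report_measurement report.bin)" && echo "measurement matches"
```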

Output

