# Get Firmware Measurement ### Install `sev-snp-measure` **`sev-snp-measure`** is a command-line tool that calculates and reports measurement values for AMD SEV-SNP (Secure Encrypted Virtualization – Secure Nested Paging) environments, helping verify the integrity of firmware and virtual machine configurations before launch.\ \ You need **`sev-snp-measure`** because it pre-calculates the expected firmware and virtual machine launch measurements used in AMD SEV-SNP attestation. This is crucial for verifying that a confidential VM is running trusted and untampered firmware and configuration before it starts. By enabling secure [remote attestation,](/nitride/documentation/getting-started/remote-attestation.md) it helps cloud users and providers ensure that VMs have not been altered by malicious actors. Without this tool, it would be difficult to reliably compare a VM’s runtime measurement against a known-good baseline, thereby weakening trust in confidential computing environments. In short, **`sev-snp-measure`** is essential for establishing and proving VM integrity and security in SEV-SNP protected environments. You can install `sev-snp-measure` tool using: * [PIP package manager](#install-using-pip-package-manager) * [GitHub repository](#install-from-the-github-repository) #### Install using `pip` package manager ```bash # Update and install pip if necessary sudo apt update sudo apt install -y python3-pip # Install the tool pip3 install sev-snp-measure ``` Verify that the tool is installed: ```bash sev-snp-measure --help ``` **Output** ``` usage: sev-snp-measure [-h] [--version] [-v] --mode {sev,seves,snp,snp:ovmf-hash,snp:svsm} [--vcpus N] [--vcpu-type CPUTYPE] [--vcpu-sig VALUE] [--vcpu-family FAMILY] [--vcpu-model MODEL] [--vcpu-stepping STEPPING] [--vmm-type VMMTYPE] --ovmf PATH [--kernel PATH] [--initrd PATH] [--append CMDLINE] [--guest-features VALUE] [--output-format {hex,base64}] [--snp-ovmf-hash HASH] [--dump-vmsa] [--svsm PATH] [--vars-size SIZE | --vars-file PATH] Calculate AMD SEV/SEV-ES/SEV-SNP guest launch measurement optional arguments: -h, --help show this help message and exit --version show program's version number and exit -v, --verbose --mode {sev,seves,snp,snp:ovmf-hash,snp:svsm} Guest mode --vcpus N Number of guest vcpus --vcpu-type CPUTYPE Type of guest vcpu (EPYC, EPYC-v1, EPYC-v2, EPYC-IBPB, EPYC-v3, EPYC-v4, EPYC-Rome, EPYC-Rome-v1, EPYC- Rome-v2, EPYC-Rome-v3, EPYC-Milan, EPYC-Milan-v1, EPYC-Milan-v2, EPYC-Genoa, EPYC-Genoa-v1) --vcpu-sig VALUE Guest vcpu signature value --vcpu-family FAMILY Guest vcpu family --vcpu-model MODEL Guest vcpu model --vcpu-stepping STEPPING Guest vcpu stepping --vmm-type VMMTYPE Type of guest vmm (QEMU, ec2) --ovmf PATH OVMF file to calculate hash from --kernel PATH Kernel file to calculate hash from --initrd PATH Initrd file to calculate hash from (use with --kernel) --append CMDLINE Kernel command line to calculate hash from (use with --kernel) --guest-features VALUE Hex representation of the guest kernel features expected to be included (defaults to 0x1); see README.md for possible values --output-format {hex,base64} Measurement output format --snp-ovmf-hash HASH Precalculated hash of the OVMF binary (hex string) --dump-vmsa Write measured VMSAs to vmsa.bin (seves, snp, and snp:svsm modes only) snp:svsm Mode: AMD SEV-SNP with Coconut-SVSM. This mode additionally requires --svsm and either --vars-file or --vars-size to be set. --svsm PATH SVSM binary --vars-size SIZE Size of the OVMF_VARS file in bytes (conflicts with --vars-file) --vars-file PATH OVMF_VARS file (conflicts with --vars-size) ``` #### Install from the **GitHub repository** ```bash git clone https://github.com/virtee/sev-snp-measure.git cd sev-snp-measure ./sev-snp-measure.py --help ``` This runs the script directly from your local copy. **Output** ``` Cloning into 'sev-snp-measure'... remote: Enumerating objects: 584, done. remote: Counting objects: 100% (235/235), done. remote: Compressing objects: 100% (103/103), done. remote: Total 584 (delta 147), reused 184 (delta 128), pack-reused 349 (from 1) Receiving objects: 100% (584/584), 1.75 MiB | 2.62 MiB/s, done. Resolving deltas: 100% (346/346), done. usage: sev-snp-measure [-h] [--version] [-v] --mode {sev,seves,snp,snp:ovmf-hash,snp:svsm} [--vcpus N] [--vcpu-type CPUTYPE] [--vcpu-sig VALUE] [--vcpu-family FAMILY] [--vcpu-model MODEL] [--vcpu-stepping STEPPING] [--vmm-type VMMTYPE] --ovmf PATH [--kernel PATH] [--initrd PATH] [--append CMDLINE] [--guest-features VALUE] [--output-format {hex,base64}] [--snp-ovmf-hash HASH] [--dump-vmsa] [--svsm PATH] [--vars-size SIZE | --vars-file PATH] Calculate AMD SEV/SEV-ES/SEV-SNP guest launch measurement options: -h, --help show this help message and exit --version show program's version number and exit -v, --verbose --mode {sev,seves,snp,snp:ovmf-hash,snp:svsm} Guest mode --vcpus N Number of guest vcpus --vcpu-type CPUTYPE Type of guest vcpu (EPYC, EPYC-v1, EPYC-v2, EPYC-IBPB, EPYC-v3, EPYC-v4, EPYC-Rome, EPYC-Rome-v1, EPYC- Rome-v2, EPYC-Rome-v3, EPYC-Milan, EPYC-Milan-v1, EPYC-Milan-v2, EPYC-Genoa, EPYC-Genoa-v1) --vcpu-sig VALUE Guest vcpu signature value --vcpu-family FAMILY Guest vcpu family --vcpu-model MODEL Guest vcpu model --vcpu-stepping STEPPING Guest vcpu stepping --vmm-type VMMTYPE Type of guest vmm (QEMU, ec2) --ovmf PATH OVMF file to calculate hash from --kernel PATH Kernel file to calculate hash from --initrd PATH Initrd file to calculate hash from (use with --kernel) --append CMDLINE Kernel command line to calculate hash from (use with --kernel) --guest-features VALUE Hex representation of the guest kernel features expected to be included (defaults to 0x1); see README.md for possible values --output-format {hex,base64} Measurement output format --snp-ovmf-hash HASH Precalculated hash of the OVMF binary (hex string) --dump-vmsa Write measured VMSAs to vmsa.bin (seves, snp, and snp:svsm modes only) snp:svsm Mode: AMD SEV-SNP with Coconut-SVSM. This mode additionally requires --svsm and either --vars-file or --vars-size to be set. --svsm PATH SVSM binary --vars-size SIZE Size of the OVMF_VARS file in bytes (conflicts with --vars-file) --vars-file PATH OVMF_VARS file (conflicts with --vars-size) ``` ### Locate or download `OVMF` firmware * **If installed using package**: ```bash sudo apt install ovmf ls /usr/share/OVMF/OVMF_CODE.fd ``` * **If not available**:\ Download a reference firmware from the GitHub repo: ```bash curl -L -o OVMF.fd https://github.com/virtee/sev-snp-measure/raw/main/data/OVMF.fd ``` ### Calculate the SEV-SNP firmware measurement After you have the `sev-snp-measure` tool and an `OVMF.fd` file, run:\ \ **Example** ```bash sev-snp-measure \ --mode snp \ --vcpus 4 \ --vcpu-type EPYC-v4 \ --ovmf OVMF.fd ``` * **`--mode snp`** : Specifies the measurement mode. * `snp` means Secure Nested Paging mode, which measures firmware for AMD SEV-SNP (Secure Encrypted Virtualization – Secure Nested Paging) environments. * **`--vcpus 4`** : Sets the number of virtual CPUs to use in the measurement process. In this example, it is configured to simulate 4 vCPUs. * **`--vcpu-type EPYC-v4`** : Defines the virtual CPU model for the measurement. * `EPYC-v4` corresponds to a 4th generation AMD EPYC CPU, which determines the instruction set and capabilities available during measurement. * **`--ovmf OVMF.fd`** : Specifies the path to the OVMF firmware file used for the virtual machine. * `OVMF.fd` is the UEFI firmware image required for initializing the virtual environment in which the measurement is performed. **Output** ``` 75ec6c4d1dbfec59760a1d352fc70df2b061b3991c31599234334c743e2651d8f495079099bd87e168fae59585444d43 ``` *** --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.enclaive.cloud/nitride/tutorials/get-firmware-measurement.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.