You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Adds more fields from the SNP evidence to the parsed claims, and use a
nested structure for SNP claims. Updated the documents and default
policy.
Importantly, adds a `snp.generation` claim to tell the generation of the
SNP platform.
Assisted-by: Cursor
Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
-`snp.platform_smt_enabled`: Whether Simultaneous Multithreading is enabled on the system
230
-
-`snp.platform_tsme_enabled`: Whether Transparent SME is enabled on the system
231
-
-`snp.policy_abi_major`: Minimum ABI major version allowed for guest
232
-
-`snp.policy_abi_minor`: Minimum ABI minor version allowed for guest
233
-
-`snp.policy_debug_allowed`: Whether SNP debug features are allowed for guest
234
-
-`snp.policy_migrate_ma`: Whether migration agent can be connected to guest
235
-
-`snp.policy_single_socket`: Whether guest can be activated only on one socket
236
-
-`snp.policy_smt_allowed`: Whether guest can run on a system with SMT enabled
237
-
-`snp.reported_tcb_bootloader`: Reported SVN of ASP bootloader
238
-
-`snp.reported_tcb_microcode`: Reported microcode version
239
-
-`snp.reported_tcb_snp`: Reported SVN of SNP Firmware
240
-
-`snp.reported_tcb_tee`: Reported SVN of ASP OS
241
-
242
-
The claims map only includes the reported TCB version.
243
-
An SEV-SNP Attestation Report contains four sets of TCB version information.
244
-
Often all four values are the same, but sometimes the reported TCB might lag
245
-
behind the true firmware version. This is done to minimize churn of policies
246
-
and certificates while the provider updates to provisional firmware.
247
-
The actual firmware must always be newer than or equal to the reported TCB.
248
-
Generally, policies should be evaluated against the reported TCB.
228
+
229
+
-`snp.generation`: string. Processor generation derived from the attestation report. One of `milan` (3rd Gen EPYC), `genoa` (4th Gen EPYC), or `turin` (5th Gen EPYC).
230
+
231
+
### Guest policy (`snp.evidence.policy`)
232
+
233
+
The guest policy is set by the guest owner at launch and cannot be changed for the lifetime of the guest.
234
+
235
+
-`snp.evidence.policy.abi_major`: u64. Minimum SNP firmware ABI major version required for this guest.
236
+
-`snp.evidence.policy.abi_minor`: u64. Minimum SNP firmware ABI minor version required for this guest.
237
+
-`snp.evidence.policy.smt_allowed`: Boolean. Whether the guest may run on a host with SMT enabled.
238
+
-`snp.evidence.policy.migrate_ma_allowed`: Boolean. Whether the guest may be associated with a migration agent.
239
+
-`snp.evidence.policy.debug_allowed`: Boolean. Whether SNP debug features are allowed for the guest.
240
+
-`snp.evidence.policy.single_socket_required`: Boolean. Whether the guest may be activated on multiple sockets.
241
+
-`snp.evidence.policy.cxl_allowed`: Boolean. Whether CXL may be populated with devices or memory.
242
+
-`snp.evidence.policy.mem_aes_256_xts`: Boolean. Memory encryption mode requirement. `false`: AES-128-XEX or AES-256-XTS is allowed; `true`: AES-256-XTS is required.
243
+
-`snp.evidence.policy.rapl_dis`: Boolean. Running Average Power Limit (RAPL) requirement.
-`snp.evidence.policy.page_swap_disabled`: Boolean. Guest access to page-move/swap commands. `false`: SNP page-move/swap commands are allowed; `true`: guest access to `SNP_PAGE_MOVE`, `SNP_SWAP_OUT`, and `SNP_SWAP_IN` is disabled.
246
+
247
+
### Platform info (`snp.evidence.plat_info`)
248
+
249
+
-`snp.evidence.plat_info.smt_enabled`: Boolean. Whether Simultaneous Multithreading is enabled on the host.
250
+
-`snp.evidence.plat_info.tsme_enabled`: Boolean. Whether Transparent SME is enabled on the host.
251
+
-`snp.evidence.plat_info.ecc_enabled`: Boolean. Whether the platform is currently using ECC memory.
252
+
-`snp.evidence.plat_info.rapl_disabled`: Boolean. Whether the RAPL feature is disabled on the platform.
253
+
-`snp.evidence.plat_info.ciphertext_hiding_enabled`: Boolean. Whether ciphertext hiding is enabled on the platform.
254
+
-`snp.evidence.plat_info.alias_check_complete`: Boolean. Whether alias detection has completed since the last system reset with no aliasing addresses found.
255
+
-`snp.evidence.plat_info.tio_enabled`: Boolean. Whether SEV-TIO is enabled on the platform.
256
+
257
+
### Key info (`snp.evidence.key_info`)
258
+
259
+
-`snp.evidence.key_info.author_key_en`: Boolean. Whether the author key digest is present in `author_key_digest`. `true`: digest is present; `false`: digest is zero.
260
+
-`snp.evidence.key_info.mask_chip_key`: Boolean. Whether the report signature is masked. `false`: firmware signs with VCEK or VLEK; `true`: the signature field is zeroed instead of signing.
261
+
-`snp.evidence.key_info.signing_key`: u32. Key used to sign this report. `0`: VCEK; `1`: VLEK; `7`: none (unsigned report).
262
+
263
+
### TCB versions
264
+
265
+
Four TCB sets are exposed. Each is an object with the subfields below. The same subfields and types exist on `current_tcb`, `reported_tcb`, `committed_tcb`, and `launch_tcb`.
266
+
267
+
-`snp.evidence.current_tcb`: object. Current platform TCB at report generation time.
268
+
-`snp.evidence.reported_tcb`: object. TCB version used to derive the VCEK/VLEK that signed this report. **Policies should generally evaluate against this set.**
-`snp.evidence.launch_tcb`: object. Platform TCB at guest launch or import time.
271
+
272
+
Each TCB object contains the following fields (SVN / patch level):
273
+
274
+
-`fmc`: u8 | null. FMC firmware SVN. Present on Turin (`generation` = `turin`); `null` on Milan and Genoa.
275
+
-`bootloader`: u8. PSP bootloader SVN.
276
+
-`tee`: u8. PSP operating-system SVN.
277
+
-`snp`: u8. SNP firmware SVN.
278
+
-`microcode`: u8. Lowest current microcode patch level across all cores.
279
+
280
+
Often all four TCB values are the same, but the reported TCB may lag behind the true firmware version to minimize churn of policies and certificates while the provider updates to provisional firmware. The actual firmware must always be newer than or equal to the reported TCB.
281
+
282
+
Firmware version objects:
283
+
284
+
-`snp.evidence.current`: object. Current SNP firmware version.
285
+
-`snp.evidence.current.major`: u8. Major version component.
286
+
-`snp.evidence.current.minor`: u8. Minor version component.
287
+
-`snp.evidence.current.build`: u8. Build version component.
288
+
-`snp.evidence.committed`: object. Committed SNP firmware version.
289
+
-`snp.evidence.committed.major`: u8. Major version component.
290
+
-`snp.evidence.committed.minor`: u8. Minor version component.
291
+
-`snp.evidence.committed.build`: u8. Build version component.
292
+
293
+
### Measurements and identifiers
294
+
295
+
-`snp.evidence.version`: u32. Attestation report format version. Supported values are 3 through 5.
296
+
-`snp.evidence.guest_svn`: u32. Guest security version number provided at launch.
297
+
-`snp.evidence.family_id`: string (hex). Family ID provided at launch.
298
+
-`snp.evidence.image_id`: string (hex). Image ID provided at launch.
299
+
-`snp.evidence.vmpl`: u32. Requested VMPL for the attestation report. Guest attestation expects `0`.
300
+
-`snp.evidence.sig_algo`: u32. Signature algorithm identifier. `1`: ECDSA P-384 with SHA-384.
-`snp.evidence.report_data`: string (hex). Guest-provided report data from the attestation report (64 bytes). Also available at the policy root as `report_data`.
303
+
-`snp.evidence.host_data`: string (hex). Hypervisor-provided host data from launch (32 bytes). Also available at the policy root as `init_data`.
304
+
-`snp.evidence.id_key_digest`: string (hex). SHA-384 digest of the ID public key that signed the ID block.
305
+
-`snp.evidence.author_key_digest`: string (hex). SHA-384 digest of the author public key that certified the ID key. Zero when `key_info.author_key_en` is `false`.
306
+
-`snp.evidence.report_id`: string (hex). Report ID of this guest.
307
+
-`snp.evidence.report_id_ma`: string (hex). Report ID of this guest's migration agent, if applicable.
308
+
-`snp.evidence.chip_id`: string (hex). Unique chip identifier (64 bytes). Zero when `key_info.mask_chip_key` is `true`.
309
+
-`snp.evidence.cpu_id_fam_id`: u8 | null. CPUID family ID (combined extended family and family). Present in report version 3+; `null` on older reports.
310
+
-`snp.evidence.cpu_id_mod_id`: u8 | null. CPUID model ID (combined extended model and model). Present in report version 3+; `null` on older reports.
311
+
-`snp.evidence.cpu_id_step`: u8 | null. CPUID stepping. Present in report version 3+; `null` on older reports.
312
+
-`snp.evidence.launch_mit_vector`: u64 | null. Verified mitigation vector at guest launch. Present in report version 5+; `null` on older reports.
313
+
-`snp.evidence.current_mit_vector`: u64 | null. Current verified mitigation vector. Present in report version 5+; `null` on older reports.
0 commit comments