This document's goal is to provide a short discussion on what security properties access to /dev/sev-guest has, specifically in a Cloud setting.
For claims in this document, we assume that the VM firmware is vendored and signed by the vendor, or not signed at all. This will be the common use case.
If a virtual machine monitor gives you access to provide your own launch image and signed IDBlock, then you have full control and responsibility over what that image does, and how careful it is to give workloads access to the SEV device. Since this library is for wrapping the Linux driver /dev/sev-guest which will be booted from a UEFI firmware, further discussion of other uses of SEV-SNP are out of scope.
Your Cloud service provider (CSP) may launch SEV-SNP VMs with their own build of UEFI firmware. This build and its signature in IDBlock are probably widely deployed across the CSP's fleet. Because the firmware and IDBlock are the same everywhere, the measurement in the attestation report will be the same everywhere. The IDBlock, if provided, may also be the same everywhere.
The security of an attestation measurement or a derived key are proportional to the specificity of the initially measured image. If the initial image and its IDBlock is available to everyone and can run any workload, then keys bound to their measurement are known to everyone. An IDBlock signed by a different key will lead to different keys, but the IDBlock and ID Auth are also not secret in the SEV-SNP threat model. The measured image's behavior in granting authorization is what is important.
At the moment, the basis for most VM firmware, Open Virtual Machine Firmware (OVMF), does not have the behavior to lock in such a specific measurement and authorization semantics in a way that is reflected in the SEV-SNP attestation report. Measured boot integrity is dynamic post-launch via the TPM 2.0 specification, which for VMs is virtualized in software and not secret within the SEV-SNP threat model.
Supposing we did have a boot stack that accounted for workload and its configuration in the SEV-SNP attestation report, software updates change the measurement and thus change the derived keys. In a self-updating VM, you'd need custom software to manage the implications of changing derived keys.
Keys are derived from the launch information discussed above and the specific
machine's SEV-SNP key called the Versioned Chip Endorsement Key (VCEK). When you
do not have full control over the machine that derives the key, and your launch
image isn't fully linked to the workload you trust to have access to the key,
you should not set UseVCEK
to true.
With UseVCEK
set to false, you must be using an image that supports a migration
agent (MA). The MA will register a root key that migrates with the image, called
the VMRK. The security of this VMRK is entirely up to the MA's logic. If the
key is meant to persist across full shutdown and restart, then you have to solve
a hard problem: sealing that key to persist in a way that only the authorized
workload should later have access to. That is the same problem that exists for
VCEK.
If you're okay with keys that migrate but aren't otherwise recoverable, then VMRK key-based derivation should meet your needs. To many, that possibility of unrecoverable data loss is too risky to choose this option either.
Because of the danger in both root key selections, we do not recommend using this command unless you have full ownership of and secure physical access to the machine that will run it, and trust all parties that run software on that machine.