Calculate expected measurement of an AMD SEV/SEV-ES/SEV-SNP guest VM for confidential computing

Project description

sev-snp-measure

Scope

Command-line tool and Python library to calculate expected measurement of an AMD SEV/SEV-ES/SEV-SNP guest VM for confidential computing.

Installation

From pip

Install from pip:

pip install sev-snp-measure

This installs the sevsnpmeasure package and the sev-snp-measure command-line script.

From Github

Clone the Github repo and run the script directly from the local directory:

git clone https://github.com/virtee/sev-snp-measure.git
cd sev-snp-measure
./sev-snp-measure.py --help

Command-line usage

sev-snp-measure

$ sev-snp-measure --help
usage: sev-snp-measure [-h] [--version] [-v] --mode {sev,seves,snp,snp:ovmf-hash,snp:svsm}
                       [--vcpus N] [--vcpu-type CPUTYPE] [--vcpu-sig VALUE] [--vcpu-family FAMILY]
                       [--vcpu-model MODEL] [--vcpu-stepping STEPPING] [--vmm-type VMMTYPE] --ovmf
                       PATH [--kernel PATH] [--initrd PATH] [--append CMDLINE]
                       [--output-format {hex,base64}] [--snp-ovmf-hash HASH] [--dump-vmsa]
                       [--vars-size VARS_SIZE] [--svsm SVSM]

Calculate AMD SEV/SEV-ES/SEV-SNP guest launch measurement

options:
  -h, --help            show this help message and exit
  --version             show program's version number and exit
  -v, --verbose
  --mode {sev,seves,snp,snp:ovmf-hash,snp:svsm}
                        Guest mode
  --vcpus N             Number of guest vcpus
  --vcpu-type CPUTYPE   Type of guest vcpu (EPYC, EPYC-v1, EPYC-v2, EPYC-IBPB, EPYC-v3, EPYC-v4,
                        EPYC-Rome, EPYC-Rome-v1, EPYC-Rome-v2, EPYC-Rome-v3, EPYC-Milan, EPYC-
                        Milan-v1, EPYC-Milan-v2, EPYC-Genoa, EPYC-Genoa-v1)
  --vcpu-sig VALUE      Guest vcpu signature value
  --vcpu-family FAMILY  Guest vcpu family
  --vcpu-model MODEL    Guest vcpu model
  --vcpu-stepping STEPPING
                        Guest vcpu stepping
  --vmm-type VMMTYPE    Type of guest vmm (QEMU, ec2)
  --ovmf PATH           OVMF file to calculate hash from
  --kernel PATH         Kernel file to calculate hash from
  --initrd PATH         Initrd file to calculate hash from (use with --kernel)
  --append CMDLINE      Kernel command line to calculate hash from (use with --kernel)
  --output-format {hex,base64}
                        Measurement output format
  --snp-ovmf-hash HASH  Precalculated hash of the OVMF binary (hex string)
  --dump-vmsa           Write measured VMSAs to vmsa<N>.bin (seves, snp, and snp:svsm modes only)
  --vars-size VARS_SIZE
                        OVMF_VARS size in bytes (snp:svsm mode only)
  --svsm SVSM           SVSM binary (snp:svsm mode only)

For example:

$ sev-snp-measure --mode snp --vcpus=1 --vcpu-type=EPYC-v4 --ovmf=OVMF.fd --kernel=vmlinuz --initrd=initrd.img --append="console=ttyS0 loglevel=7"
1c8bf2f320add50cb22ca824c17f3fa51a7a4296a4a3113698c2e31b50c2dcfa7e36dea3ebc3a9411061c30acffc6d5a

snp-create-id-block

$ snp-create-id-block --help
usage: snp-create-id-block [-h] [--measurement VALUE] [--idkey PATH] [--authorkey PATH]

Calculate AMD SEV-SNP guest id block

optional arguments:
  -h, --help           show this help message and exit
  --measurement VALUE  Guest launch measurement in Base64 encoding
  --idkey PATH         id private key file
  --authorkey PATH     author private key file

Programmatic usage

After installing the sev-snp-measure package with pip, you can call it from another Python application:

from sevsnpmeasure import guest, id_block
from sevsnpmeasure import vcpu_types
from sevsnpmeasure.sev_mode import SevMode

# Guest configuration to measure; adjust these to your own VM
vcpus_num = 1
ovmf_path = "OVMF.fd"
kernel_path = "vmlinuz"            # or None when booting OVMF alone
initrd_path = "initrd.img"         # or None
cmdline_str = "console=ttyS0 loglevel=7"

ld = guest.calc_launch_digest(SevMode.SEV_SNP, vcpus_num, vcpu_types.CPU_SIGS["EPYC-v4"],
                              ovmf_path, kernel_path, initrd_path, cmdline_str)
print("Calculated measurement:", ld.hex())

# Wrap the measurement in an SNP ID block signed with the id and author private keys
block = id_block.snp_calc_id_block(ld, "id_key_file", "author_key_file")
print("Calculated id block in base64:", block)

Choosing guest CPU type

For SEV-ES and SEV-SNP, the initial CPU state (VMSA) includes the guest CPU signature in the edx register when you use the QEMU vmm. Starting the VM with a different type of guest CPU therefore changes the content of the VMSA, and with it the calculated measurement.

You can choose the guest CPU type using --vcpu-type, or --vcpu-sig, or a combination of --vcpu-family, --vcpu-model, and --vcpu-stepping. For example, the following 3 invocations are equivalent:

  1. sev-snp-measure --vcpu-type=EPYC-v4 ...
  2. sev-snp-measure --vcpu-sig=0x800f12 ...
  3. sev-snp-measure --vcpu-family=23 --vcpu-model=1 --vcpu-stepping=2 ...
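The three forms agree because --vcpu-sig is just the CPUID family/model/stepping triple packed into one 32-bit signature. The following added example (not part of sev-snp-measure) packs and unpacks that signature using the AMD CPUID leaf 1 EAX layout, so a --vcpu-sig value can be checked against its split --vcpu-family/--vcpu-model/--vcpu-stepping form before it is used to compute a measurement:

```python
# Added example, not the project's own code: encode and decode the x86 CPUID
# signature (leaf 1, EAX) that sev-snp-measure accepts via --vcpu-sig.
# AMD layout: for base family 0xF the extended family field holds family-0xF
# and the extended model field holds the upper 4 bits of the model.
from typing import Tuple


def cpu_sig(family: int, model: int, stepping: int) -> int:
    """Return the CPUID signature for a family/model/stepping triple."""
    if not 0 <= stepping <= 0xF:
        raise ValueError("stepping must fit in 4 bits")
    if not 0 <= family <= 0xF + 0xFF or not 0 <= model <= 0xFF:
        raise ValueError("family or model out of range")
    if family >= 0xF:
        base_family, ext_family = 0xF, family - 0xF
        base_model, ext_model = model & 0xF, model >> 4
    else:
        if model > 0xF:
            raise ValueError("extended model is only valid for family >= 0xF")
        base_family, ext_family, base_model, ext_model = family, 0, model, 0
    return ((ext_family << 20) | (ext_model << 16) | (base_family << 8)
            | (base_model << 4) | stepping)


def decode_sig(sig: int) -> Tuple[int, int, int]:
    """Inverse of cpu_sig(): split a signature into (family, model, stepping)."""
    stepping = sig & 0xF
    base_model = (sig >> 4) & 0xF
    base_family = (sig >> 8) & 0xF
    ext_model = (sig >> 16) & 0xF
    ext_family = (sig >> 20) & 0xFF
    if base_family == 0xF:
        return base_family + ext_family, (ext_model << 4) | base_model, stepping
    # Extended fields are not used for smaller base families
    return base_family, base_model, stepping


def sig_matches(sig: int, family: int, model: int, stepping: int) -> bool:
    """True when a --vcpu-sig value agrees with the split family/model/stepping form."""
    return cpu_sig(family, model, stepping) == sig


if __name__ == "__main__":
    # The page's EPYC-v4 example: family 23, model 1, stepping 2 -> 0x800f12
    print(hex(cpu_sig(23, 1, 2)))
    print(decode_sig(0x800f12))
```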

Precalculated OVMF hashes

The SEV-SNP digest is generated in multiple steps, each of which produces an intermediate digest. You can therefore stop after any of these steps, keep that digest, and continue the generation of the full digest later. These are the steps:

  1. OVMF
  2. (optional) -kernel, -initrd, -append arguments
  3. Initial state of all vCPUs

In situations where only minor OVMF changes happen, you may not want to copy the full OVMF binary to the validation system. Instead, you can stop the digest calculation after the OVMF step and pass its hash to the validation system in place of the full binary.

To generate a hash, use the --mode snp:ovmf-hash parameter:

$ sev-snp-measure --mode snp:ovmf-hash --ovmf OVMF.fd
cab7e085874b3acfdbe2d96dcaa3125111f00c35c6fc9708464c2ae74bfdb048a198cb9a9ccae0b3e5e1a33f5f249819

On a different machine that only has access to an older but compatible OVMF binary, you can then ingest the hash again to generate a full measurement:

$ sev-snp-measure --mode snp --vcpus=1 --vcpu-type=EPYC-v4 --ovmf=OVMF.fd.old --snp-ovmf-hash cab7e[...]
d52697c3e056fb8d698d19cc29adfbed5a8ec9170cb9eb63c2ac957d22b4eb647e25780162036d063a0cf418b8830acc

Related projects

Development

Run all unit tests:

pip install -r requirements.txt
make test

Check unit tests coverage:

pip install coverage
make coverage
# See HTML coverage report in htmlcov/

Check Python type hints:

pip install mypy
make typecheck

Check Python coding style:

pip install flake8
make lint

Notes

If you have any questions or issues, you can create a new issue here.

Pull requests are welcome!

License

Apache 2.0 license.

Download files

Source Distribution: sev-snp-measure-0.0.8.tar.gz (21.2 kB)

Built Distribution: sev_snp_measure-0.0.8-py3-none-any.whl (22.0 kB)
