docs: add info on parsed claims for SEV-SNP

Includes brief description of reported TCB

Signed-off-by: Tobin Feldman-Fitzthum <[email protected]>

attestation-service/docs/parsed_claims.md

@@ -92,3 +92,27 @@ The claim inherit the fields from the SEV-SNP claim with and additional `tpm` hi
 - `tpm.pcr{01,..,n}`: SHA256 PCR registers for the TEE's vTPM quote.
 
 Note: The TD Report and TD Quote are fetched during early boot in this TEE. Kernel, Initrd and rootfs are measured into the vTPM's registers.
+
+## AMD SEV-SNP
+
+- `snp.measurement` Launch Digest covering initial guest memory
+- `snp.platform_smt_enabled`:  Whether Simultaneous Multithreading is enabled on the system
+- `snp.platform_tsme_enabled`: Whether Transparent SME is enabled on the system
+- `snp.policy_abi_major`: Minimum ABI major version allowed for guest
+- `snp.policy_abi_minor`: Minimum ABI minor version allowed for guest
+- `snp.policy_debug_allowed`: Whether SNP debug features are allowed for guest
+- `snp.policy_migrate_ma`: Whether migration agent can be connected to guest
+- `snp.policy_single_socket`: Whether guest can be activated only on one socket
+- `snp.policy_smt_allowed`: Whether guest can run on a system with SMT enabled
+- `snp.reported_tcb_bootloader`: Reported SVN of ASP bootloader
+- `snp.reported_tcb_microcode`: Reported microcode version
+- `snp.reported_tcb_snp`: Reported SVN of SNP Firmware
+- `snp.reported_tcb_tee`: Reported SVN of ASP OS
+
+The claims map only includes the reported TCB version.
+An SEV-SNP Attestation Report contains four sets of TCB version information.
+Often all four values are the same, but sometimes the reported TCB might lag
+behind the true firmware version. This is done to minimize churn of policies
+and certificates while the provider updates to provisional firmware.
+The actual firmware must always be newer than or equal to the reported TCB.
+Generally, policies should be evaluated against the reported TCB.