From e7193ed033afa9eac3bd845c4ea64dae399901e2 Mon Sep 17 00:00:00 2001
From: Tobin Feldman-Fitzthum
Date: Wed, 6 Dec 2023 15:39:26 -0600
Subject: [PATCH] docs: add info on parsed claims for SEV-SNP

Includes brief description of reported TCB

Signed-off-by: Tobin Feldman-Fitzthum
---
 attestation-service/docs/parsed_claims.md | 24 +++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/attestation-service/docs/parsed_claims.md b/attestation-service/docs/parsed_claims.md
index 4b2411cc8..6249cb578 100644
--- a/attestation-service/docs/parsed_claims.md
+++ b/attestation-service/docs/parsed_claims.md
@@ -92,3 +92,27 @@ The claim inherit the fields from the SEV-SNP claim with and additional `tpm` hi - `tpm.pcr{01,..,n}`: SHA256 PCR registers for the TEE's vTPM quote. Note: The TD Report and TD Quote are fetched during early boot in this TEE. Kernel, Initrd and rootfs are measured into the vTPM's registers. + +## AMD SEV-SNP + +- `snp.measurement` Launch Digest covering initial guest memory +- `snp.platform_smt_enabled`: Whether Simultaneous Multithreading is enabled on the system +- `snp.platform_tsme_enabled`: Whether Transparent SME is enabled on the system +- `snp.policy_abi_major`: Minimum ABI major version allowed for guest +- `snp.policy_abi_minor`: Minimum ABI minor version allowed for guest +- `snp.policy_debug_allowed`: Whether SNP debug features are allowed for guest +- `snp.policy_migrate_ma`: Whether migration agent can be connected to guest +- `snp.policy_single_socket`: Whether guest can be activated only on one socket +- `snp.policy_smt_allowed`: Whether guest can run on a system with SMT enabled +- `snp.reported_tcb_bootloader`: Reported SVN of ASP bootloader +- `snp.reported_tcb_microcode`: Reported microcode version +- `snp.reported_tcb_snp`: Reported SVN of SNP Firmware +- `snp.reported_tcb_tee`: Reported SVN of ASP OS + +The claims map only includes the reported TCB version. +An SEV-SNP Attestation Report contains four sets of TCB version information. +Often all four values are the same, but sometimes the reported TCB might lag +behind the true firmware version. This is done to minimize churn of policies +and certificates while the provider updates to provisional firmware. +The actual firmware must always be newer than or equal to the reported TCB. +Generally, policies should be evaluated against the reported TCB.
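Review bot: the TCB paragraph at the end of the hunk tells readers that "policies should be evaluated against the reported TCB" and that the reported value "might lag behind the true firmware version", but it does not spell out the consequence for policy authors: a policy over `snp.reported_tcb_bootloader`, `snp.reported_tcb_tee`, `snp.reported_tcb_snp` and `snp.reported_tcb_microcode` should express a minimum acceptable SVN for each component (greater than or equal to a reference), not an exact match, otherwise every platform whose reported TCB is set to an older-but-still-acceptable version will fail verification. One sentence to that effect after "Generally, policies should be evaluated against the reported TCB." would close the gap. It would also help to name the four TCB sets the sentence "An SEV-SNP Attestation Report contains four sets of TCB version information." refers to (the SEV-SNP ABI specification calls them CURRENT_TCB, COMMITTED_TCB, LAUNCH_TCB and REPORTED_TCB) so readers can see which one the claims map surfaces and which ones it drops. Two smaller points: the first bullet, `- `snp.measurement` Launch Digest covering initial guest memory`, is missing the colon after the key that every other bullet in the list uses; and the unchanged context line at the top of the hunk reads "The claim inherit the fields from the SEV-SNP claim with and additional `tpm` hi", which should be "The claim inherits the fields ... with an additional" if you want to fix it while here.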