It is really wired that the error occurs randomly, re-calculating id-block and id-auth may solve the problem.

I tried to locally validate the signatures in id-auth and it seems valid, so I'm not sure if it is because of my environment or the SNP firmware. If anyone have similar problem plz let me know.

in build_save_area()

1. the py code use cr0=0x10, but based-on https://www.amd.com/system/files/TechDocs/24593.pdf (page 103, 526), it said cr0=6000_0010h , why ?
2. g_pat=0x7040600070406, i can not find where the value comes from
3. cs=VmcbSeg(0xf000, 0x9b, 0xffff, eip & 0xffff0000), why eip & 0xffff0000?
4. how the attribute was calc-ed? (e.g. 0x93, 0x9b in VmcbSeg) ?

thanks

Currently, regardless of the family specified, the tool always creates a SHA-256 digest. It would be beneficial to adjust this behavior to create SHA-384 digests for anything Rome or newer.

One of the main features of SNP is starting vm based on id block, which requires id-block and id-auth for guest owner, id-key-digest and author-key-digest for verifier.

The main program should add two addtional inputs: idkey and authorkey to take id private key and author private key files, and a new option output-format=idblock

After a short conversations with the teams in IBM, AMD, and @tylerfanelli , we decided it is a good idea to transfer this repo from the IBM github org to the virtee github org.

Expected effects for end-users:

1. When installing with pip install sev-snp-measure: no change.
2. When cloning the repo: github should redirect all accesses (https and git/ssh) over to the new repo.

Here's the list of tasks; please comment if you see any issue.

• @tylerfanelli : Allow @dubek to create new repos in @virtee org.
  • According to the docs, this is needed in order to transfer the repo.
• @dubek : Transfer the repo to virtee. Accesses to the old repo will be redirected by github.
• @dubek : Create a PR modifying README.md, CONTRIBUTING.md, setup.cfg - fixing the repo links to the new URL.
• @dubek : Cut a new version 0.0.7 with this change and publish to PyPI. This will cause the PyPI project page to be updated with the new URLs.

FYI @fitzthum @dbuono @larrydewey

When passing command line parameters for sev-snp-measure, if OVMF is missing functionality for the fields specified, it would be nice to provide a warning about them not being included in the produced measurement. For example, if a user requests the cmdline to be included, but OVMF doesn't have support to include that in the measurement.

I'm a freshman about AMD sev-snp, I want to know why measurement not need include rootfs hash?
If there are some security hole when not include rootfs hash?

Can someone can help to explain it, thank U!

I learned this morning there is a thread happening in the upstream Linux community regarding DEBUG_SWAP where they are planning to disable the value by default in the future. We will need to mitigate this by changing the default value of 0x21 back to 0x1. The ability to use DEBUG_SWAP will still be present, but it will not be enabled by default.

https://lore.kernel.org/kvm/[email protected]/T/

I will open a PR to address this.

Hi there,

The tool looks very promising. I learnt a lot details about qemu and sev. Thank you very much! Currently I only have SEV-ES platform, and hope I could use this tool to measure SEV-ES vm. Occassionally I ran into this thread and I guess that this tool is the closest tool for SEV-ES measurement. How do you think? Thanks!

Hi,

Apologies for the noob question. I'm experimenting with SEV-SNP using the official scripts and tools from the AMDESE/AMDSEV repo (snp-latest branch). I'm at the point that I can correctly launch a SNP-enabled guest VM, and now I want to attest my VM and verify the launch digest.

However, the launch digest in the attestation report does not match my reference value computed using sev-snp-measure. I am not even sure which exact parameters are needed to compute the correct measurement.

The command I used to compute the launch digest is the following:

sev-snp-measure --mode snp --vcpus=4 --vcpu-type=EPYC-v4 --ovmf=AMDSEV/snp-release-2023-10-13/usr/local/share/qemu/OVMF_CODE.fd

Instead, this is the full QEMU command that is used to boot the guest VM (from launch-qemu.sh):

/home/ecaiogs/sev/AMDSEV/snp-release-2023-10-13/usr/local/bin/qemu-system-x86_64 -enable-kvm -cpu EPYC-v4 -machine q35 -smp 4,maxcpus=255 -m 2048M,slots=5,maxmem=10240M -no-reboot -drive if=pflash,format=raw,unit=0,file=/home/ecaiogs/sev/AMDSEV/snp-release-2023-10-13/usr/local/share/qemu/OVMF_CODE.fd,readonly -drive if=pflash,format=raw,unit=1,file=/home/ecaiogs/sev/AMDSEV/snp-release-2023-10-13/sevsnp.fd -drive file=/home/ecaiogs/sev/sevsnp.qcow2,if=none,id=disk0,format=qcow2 -device virtio-scsi-pci,id=scsi0,disable-legacy=on,iommu_platform=true -device scsi-hd,drive=disk0 -machine memory-encryption=sev0,vmport=off -object memory-backend-memfd-private,id=ram1,size=2048M,share=true -object sev-snp-guest,id=sev0,cbitpos=51,reduced-phys-bits=1,discard=none -machine memory-backend=ram1,kvm-type=protected -nographic -monitor pty -monitor unix:monitor,server,nowait

Now, here I assumed that the kernel, initrd and append parameters do not play a role in the launch digest since when I pass the kernel to sev-snp-measure it complains that OVMF does not include SNP_KERNEL_HASHES (I checked #26 and I will to verify the kernel and initrd as well).

Does anybody know what I am missing here?

Thanks!

I am trying to run the sev-snp-measure tool in SNP mode using the example in the readme:
sev-snp-measure --mode snp --vcpus=1 --vcpu-type=EPYC-v4 --ovmf=OVMF.fd --kernel=vmlinuz --initrd=initrd.img --append="console=ttyS0 loglevel=7"

but i get the following error:
Error: Can't find SEV_ES_RESET_BLOCK_GUID entry in OVMF table

the type of the OVMF.fd file is the following:
file OVMF.fd
OVMF.fd: Matlab v4 mat-file (little endian) \226v\213L\251\205'G\007[OP, numeric, rows 0, columns 0

i tried with different images but the problem always seems to be the OVMF.fd file.
what could be the cause of the error? is there a specific format that i have to use ?

It would be nice to be able to calculate measurement values
when running the Coconut SVSM in an Qemu SNP VM.

This requires measuring the additional svsm binary.
The configuration of the other pages (CPUID, Secrets, ZeroPage, VMSA) seems to be different too.

I am putting this here as a "would be nice to have" feature request, and I am intending to spend time on this myself.

Please share if you have any hints on how to implement this.

Hi,

I had quite some issues with verifying the ID Block since I was always getting the Bad signature error when launching QEMU and could not understand why.

I then found out that the problem is that snp-create-id-block computes the author and id public keys using always the P-384 curve, regardless of what is passed as input, as shown in the line below:

This of course creates some problems when the keys passed as input to snp-create-id-block use a different curve. So, my suggestion would be to simply use the public_key() method of EllipticCurvePrivateKey to derive the correct public keys, instead of using marshal_ec_public_key().

https://github.com/IBM/sev-snp-measure/blob/90f6e59831d20e44d03d5ee19388f624fca87291/sevsnpmeasure/gctx.py#L40

in the code, VMSA_GPA = 0xFFFFFFFFF000, but 0xFFFFFFFFF000 is 48-bits, not 52-bits

when launch sev-snp vm, we use cbitpos=51,reduced-phys-bits=1, so i think it use 51-bit (0-50) physical address space, with cbit=1, so should VMSA_GPA = 0xFFFFFFFFFF000 ?

Hi,

I tried to run sev-snp-measure both from source code and from pip but in both I get this error "ModuleNotFoundError: No module named 'sevsnpmeasure.cli'", what is missing?

Thanks in advance.
Pegah

Because of the way the SEV API specification is written, users of this tool might be confused to learn this tool does not generate the expected launch measurement, but calculates an expected launch digest

Launch Measurement:

# Legacy SEV (non-SNP)
HMAC(0x04 || API_MAJOR || API_MINOR || BUILD || GCTX.POLICY || GCTX.LD || MNONCE; GCTX.TIK)

Launch Digest:

# Naples - UEFI Possibly additional measurements.
SHA256SUM(OVFM||Linux Kernel||initrd||Command Line Parameters)

# >= Rome - UEFI, Kernel, Initrd, CLI-params, VMSA, Pages (Milan+)
SHA384SUM(OVFM||Linux Kernel||initrd||Command Line Parameters||VMSA)

Perhaps some re-naming would be beneficial?

Hi,

Is there anyone know why this occurs?

Error: Kernel specified but OVMF metadata doesn't include SNP_KERNEL_HASHES section

To generate an OVMF.fd with SEV-SNP enabled, I followed the instruction of this AMDSEV repo.
However, the above problem occurs when I use the following command.

$ sev-snp-measure --mode snp --vcpus=1 --vcpu-type=EPYC-v4 --ovmf=OVMF.fd --kernel=vmlinuz --initrd=initrd.img --append="console=ttyS0 loglevel=7"

Am I missing some parts?

Jingyao

I am encountering an issue while attempting to recalculate the measurement from the attestation report within the guest machine. Below are the details of the problem:

I have installed the guest machine, a virtual machine, using the AMDSEV project from the GitHub user AMDESE. After successfully installing the guest machine, I executed it using the command:

sudo ./launch-qemu.sh -hda sev-guest.qcow2 -sev-snp

Following the execution of the guest machine, I utilized the 'snpguest' tool to generate the attestation report. The report contains the measurement, represented by the hash:

d7b9f49e254f5d3eeda91e2966ad68504c2b54710ff6a21d05bc1279bfd77aba8de2e582a00eaebb37c004be12c37830.

Subsequently, I attempted to recalculate this hash (measurement) from the host machine using the 'sev-snp-measurement' tool with the following command:

./sev-snp-measure.py --mode snp --vcpus=1 --vcpu-type=EPYC-v4 --vmm-type=QEMU --ovmf=/home/user/AMDSEV/usr/local/share/qemu/OVMF_CODE.fd --kernel=/home/user/AMDSEV/sev-guest.fd --initrd=/home/user/AMDSEV/sev-guest.qcow2 --append="console=ttyS0 loglevel=7" --snp-ovmf-hash=711dd640bc679fcdefa729f47ff56700c95b1c590a779391ab178d511d6237677bea447327923972c4eee313fc2f915d

However, I encountered the following error:

"Error: Kernel specified but OVMF metadata doesn't include SNP_KERNEL_HASHES section."

This has led me to question the correctness of the kernel path, initrd value, and other parameters.

1. Where can I find the correct values to use for the parameters( kernel path, initrd path, append,..) mentioned above please ?

Additionally, when using the 'sev-snp-measure.py' tool with the command:

./sev-snp-measure.py --mode snp --vcpus=1 --vcpu-type=EPYC-v4 --vmm-type=QEMU --ovmf=/home/user/AMDSEV/usr/local/share/qemu/OVMF_CODE.fd --snp-ovmf-hash=711dd640bc679fcdefa729f47ff56700c95b1c590a779391ab178d511d6237677bea447327923972c4eee313fc2f915d

I get a value that does not match the measurement in the attestation report within the guest machine.

2. How can I accurately recalculate the value of this measurement?

Any guidance or assistance on resolving this issue and accurately recalculating the measurement would be highly appreciated.

Hey everyone,
thanks for writing this tool, it has been very helpful in precalculating launch measurements!

I am currently working on a component that should precalculate launch measurements depending on the number of vCPUs.
The component only supports a specific VMM and CPU type.
The component does not have access to the OVMF binary, but can fetch arbitrary metadata from an API.

Right now, the API serves the data that is parsed from the OVMF binary as json. But I am wondering if that data could be hardcoded into the component.
So my question is: when and how can the metadata of an OVMF image change? On what does it depend?

I compared the metadata from the two releases of aws/uefi and they stayed the same. But thats a very small sample size..
It seems to me like the addresses that are parsed relate to the GCTX's layout. And I would imagine that there is not much room for change here within one processor generation. But I am not very familiar with UEFI, OVMF, etc.

Thanks!
Otto

The OVMF binary that's built using the AMDSEV repository now contains a SVSM Calling Area Address (CAA) section type.
Defined here as:

%define OVMF_SECTION_TYPE_SVSM_CAA        0x4

This causes the measurement to fail with

ValueError: 4 is not a valid SectionType

Could you give me some guidance on how I could fix the measurement calculation?