How to provision assets into the Attestation Report of a SNP-CVM instance?
Here is the FAQ on how to provision client assets into JWT tokens in Azure CVM.
Some Background:
Apart from SKR (Secure Key Release), I want to provide some user data directly in the final attestation report. When conducting a CVM attestation, the AMD hardware generates an AMD attestation report whose 512-bit <Report_Data> field can be used to achieve that. Azure provides the AttestationClient for users to do CVM attestation. However, the AttestationClient currently has no option for users to make such a provision. Besides, the official AMD attestation tools sevctl/stool cannot be used in an SNP-CVM due to compatibility issues.
Regarding the question, Azure will include the content of the AMD Hardware-generated report and return a JWT as the final attestation report.
Below is the default Azure SNP-CVM JWT I acquired using AttestationClient.
{
  "alg": "RS256",
  "jku": "https://sharedeus2.eus2.attest.azure.net/certs",
  "kid": "J0pAPdfXXHqWWimgrH853wMIdh5/fLe1z6uSXYPXCa0=",
  "typ": "JWT"
}.{
  "exp": 1728429904,
  "iat": 1728401104,
  "iss": "https://sharedeus2.eus2.attest.azure.net",
  "jti": "6c66a583d30ac24813e061dbb3254980d5a44b957d25266983dd916eee59ac98",
  "nbf": 1728401104,
  "secureboot": true,
  "x-ms-attestation-type": "azurevm",
  "x-ms-azurevm-attestation-protocol-ver": "2.0",
  "x-ms-azurevm-attested-pcrs": [0, 1, 2, 3, 4, 5, 6, 7],
  "x-ms-azurevm-bootdebug-enabled": false,
  "x-ms-azurevm-dbvalidated": true,
  "x-ms-azurevm-dbxvalidated": true,
  "x-ms-azurevm-debuggersdisabled": true,
  "x-ms-azurevm-default-securebootkeysvalidated": true,
  "x-ms-azurevm-elam-enabled": false,
  "x-ms-azurevm-flightsigning-enabled": false,
  "x-ms-azurevm-hvci-policy": 0,
  "x-ms-azurevm-hypervisordebug-enabled": false,
  "x-ms-azurevm-is-windows": false,
  "x-ms-azurevm-kerneldebug-enabled": false,
  "x-ms-azurevm-osbuild": "NotApplication",
  "x-ms-azurevm-osdistro": "Ubuntu",
  "x-ms-azurevm-ostype": "Linux",
  "x-ms-azurevm-osversion-major": 20,
  "x-ms-azurevm-osversion-minor": 4,
  "x-ms-azurevm-signingdisabled": true,
  "x-ms-azurevm-testsigning-enabled": false,
  "x-ms-azurevm-vmid": "4D40782A-122A-42B6-BB3C-45F76ACE525E",
  "x-ms-isolation-tee": {
    "x-ms-attestation-type": "sevsnpvm",
    "x-ms-compliance-status": "azure-compliant-cvm",
    "x-ms-runtime": {
      "keys": [
        {
          "e": "AQAB",
          "key_ops": ["sign"],
          "kid": "HCLAkPub",
          "kty": "RSA",
          "n": "x09xjAAA5dntieiK5WLWPSC_CMnPBltXtHkSQK7TuJFtrWTlqAdZc1gkh71l-e_mWaqA7cNqkOeHo0sKYzDrGlTT3POEfrpMXLM3Ti58sQeoSioUMsajieKFlkqJFo0bLlt7_xgmt0YlJTQfVH1gEM5S1w0d97cxri8Zg_HU1FIMssU2eoI8w39kIMiE6xqNuQP5fu0CrP_b0YOibH1krvA6wyeW3ui7iOYkz3xnlw-lUp-_iHvGJmAKamaJSmNs5fsMXPvEcFgqw9lai1LpwbnM-bIkCeQOFmJh7clijFjBaJagD0chm8Lwy6PiletYWyg7oTSfB7UGT0j0-ltEWQ"
        },
        {
          "e": "AQAB",
          "key_ops": ["encrypt"],
          "kid": "HCLEkPub",
          "kty": "RSA",
          "n": "lNn8lAAA3yFx08h7aX01sosbxH6MLn0wJXqK8J4Omv3LrgVQ_NK0JORZriwjKzg34SnOR4fnd_U9J_8e9uFS51tYZTRUmaDHrNBYTKtLAIirTbBl-xjUR6fqOW_ofymrR1meBoh_kaZJ4IL5QymlWMriRBGZfFputkMVs0VAng4WXF2cCGEsSNIpUtgBdUuCyLI95jZcouLOGq_eXILtuv7XxvfQ2Fa0n_4dHeFTMCgp898n1oWVuuKTT0zcoR6fML9EbfbdI9kKCZfZqxcl4LB-r65Hn7UZhw-ObPkOzcO30U_wJfTToycoiW35bOgB1nMh8-ImpPxnULXShuAQ6Q"
        }
      ],
      "user-data": "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
      "vm-configuration": {
        "console-enabled": true,
        "secure-boot": true,
        "tpm-enabled": true,
        "vmUniqueId": "4D40782A-122A-42B6-BB3C-45F76ACE525E"
      }
    },
    "x-ms-sevsnpvm-authorkeydigest": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
    "x-ms-sevsnpvm-bootloader-svn": 4,
    "x-ms-sevsnpvm-familyId": "01000000000000000000000000000000",
    "x-ms-sevsnpvm-guestsvn": 7,
    "x-ms-sevsnpvm-hostdata": "0000000000000000000000000000000000000000000000000000000000000000",
    "x-ms-sevsnpvm-idkeydigest": "0356215882a825279a85b300b0b742931d113bf7e32dde2e50ffde7ec743ca491ecdd7f336dc28a6e0b2bb57af7a44a3",
    "x-ms-sevsnpvm-imageId": "02000000000000000000000000000000",
    "x-ms-sevsnpvm-is-debuggable": false,
    "x-ms-sevsnpvm-launchmeasurement": "122d0d6fcd1b714a7c34f32d0dc9262ab08976cc8e22132b40ef2569f1dcc47b71ba617debed11563389d7a3f8481d99",
    "x-ms-sevsnpvm-microcode-svn": 211,
    "x-ms-sevsnpvm-migration-allowed": false,
    "x-ms-sevsnpvm-reportdata": "2d6c62edf2686bf4f793e32c150732e9cba314f84828437f298d896e7b09b4690000000000000000000000000000000000000000000000000000000000000000",
    "x-ms-sevsnpvm-reportid": "c85a42eb003829ba7cfd0368958959f8de5aed503ca239793f42f32be84fe87d",
    "x-ms-sevsnpvm-smt-allowed": true,
    "x-ms-sevsnpvm-snpfw-svn": 21,
    "x-ms-sevsnpvm-tee-svn": 0,
    "x-ms-sevsnpvm-vmpl": 0
  },
  "x-ms-policy-hash": "wm9mHlvTU82e8UqoOy1Yj1FBRSNkfe99-69IYDq9eWs",
  "x-ms-runtime": {
    "client-payload": {
      "nonce": ""
    },
    "keys": [
      {
        "e": "AQAB",
        "key_ops": ["encrypt"],
        "kid": "TpmEphemeralEncryptionKey",
        "kty": "RSA",
        "n": "riuyEwAA3im6ciMIpVgvHD187Fi-588V5RRRlFyQ5zEG5S148qVIc7VaZCTT6Q3h8ghs0Wt6bksRm56V5bsSgyMiZTQiotb2XvP0EJ0GsDrE56paaqcM-GqC1Ip0KdCmpXW1UTd_FPnxNLYj6kdUGvGsEIMxjXlq5KUMCyq7MFCanxoHdiRhaaN5XVhSSr4YzOUe7OP7aPy7SmadYO-W7rGEl2_Wd-5opTWMtIFAvZNbzTlbg374gxy2MzyKsH4jMVuBFqTE1GCfzKW2zouHMirU6Ygx_yvXExPB3zi-zB0fjlBCN-b9D3EwFMLTp3aLQULDDQ9QEX1B4i9oP65keQ"
      }
    ]
  },
  "x-ms-ver": "1.0"
}.[Signature]
Related questions about the JWT claims:
- From the references azure/attestation/claim-sets and the AMD SNP ABI Spec., 'x-ms-sevsnpvm-idkeydigest' is the SHA384 hash of the identification signing key. What is this signing key used by Azure by default? Is it the hash of the 'HCLEkPub' key?
- From Virtual TPMs in Azure CVMs and the AMD SNP ABI Spec., 'x-ms-sevsnpvm-launchmeasurement' contains the hash of (UEFI+vTPM). The AMD hardware will check this measurement at pre-attestation when an IDBlock is provided. It can be inferred that Azure provides the IDBlock when launching the SNP-CVM in the backend. Can I manually calculate the 'x-ms-sevsnpvm-launchmeasurement' by myself?
- As introduced above, I want to set data leveraging the REPORT_DATA field of the AMD SNP hardware-generated report. Does the 'x-ms-sevsnpvm-reportdata' in the above JWT correspond to it? If so, we can see that this field is actually used by the Azure Attestation Service. My question is, what data is passed here by HCL to include with the report by default, as mentioned in Azure/attestation/claim-sets? Is it the 'HCLEkPub' key? Or other data?
- Besides, we can see that a field named 'user-data' has not been used in the posted JWT. Where can I find the definition and usage guide for this field?
These questions are quite detailed and still puzzle me after reading a lot of documentation. Any suggestions and guidance will be greatly appreciated.
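For a relying party that receives a token with the claim layout shown above, the checks worth automating are the ones the question touches on: decode the claims, confirm that the 64-byte 'x-ms-sevsnpvm-reportdata' carries a 32-byte hash followed by 32 zero bytes (the posted value has exactly that shape), compare that hash with the SHA-256 of the runtime data you expect HCL to have bound, and pin the TEE claims that must hold before the report is trusted. This is an added example and not code from the post or from Azure; it assumes the HCL convention that REPORT_DATA = SHA-256(runtime data) || zeros, uses a constructed, unsigned stand-in token, and leaves signature verification against the 'jku' keys as a separate step.

```python
import base64
import hashlib
import json

# Constructed stand-in for the HCL runtime data; the real bytes come from the guest.
RUNTIME_DATA = b'{"user-data": "00"}'
# Assumed layout: SHA-256 of the runtime data in bytes 0..31, zeros in 32..63.
REPORT_DATA_HEX = hashlib.sha256(RUNTIME_DATA).hexdigest() + "00" * 32


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(report_data_hex: str, debuggable: bool = False) -> str:
    """Build an unsigned JWT mirroring the claim layout of the posted token (constructed)."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {
        "x-ms-attestation-type": "azurevm",
        "x-ms-isolation-tee": {
            "x-ms-attestation-type": "sevsnpvm",
            "x-ms-compliance-status": "azure-compliant-cvm",
            "x-ms-sevsnpvm-is-debuggable": debuggable,
            "x-ms-sevsnpvm-vmpl": 0,
            "x-ms-sevsnpvm-reportdata": report_data_hex,
        },
    }
    return ".".join(_b64url(json.dumps(p).encode()) for p in (header, payload)) + "."


def decode_claims(token: str) -> dict:
    """Decode the payload segment only; verify the RS256 signature with the 'jku' keys before trusting it."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def report_data_matches(claims: dict, runtime_data: bytes) -> bool:
    """True if REPORT_DATA is 64 bytes, ends in 32 zero bytes and starts with SHA-256(runtime_data)."""
    rd = bytes.fromhex(claims["x-ms-isolation-tee"]["x-ms-sevsnpvm-reportdata"])
    if len(rd) != 64 or rd[32:] != bytes(32):
        return False
    return rd[:32] == hashlib.sha256(runtime_data).digest()


def tee_policy_failures(claims: dict) -> list:
    """Names of the minimum TEE claims that do not hold; empty list means the report passes."""
    tee = claims.get("x-ms-isolation-tee", {})
    checks = {
        "attestation-type": tee.get("x-ms-attestation-type") == "sevsnpvm",
        "compliance": tee.get("x-ms-compliance-status") == "azure-compliant-cvm",
        "not-debuggable": tee.get("x-ms-sevsnpvm-is-debuggable") is False,
        "vmpl0": tee.get("x-ms-sevsnpvm-vmpl") == 0,
    }
    return [name for name, ok in checks.items() if not ok]
```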