Skip to content

Forum

AI Assistant
Notifications
Clear all

Breaking: NemoClaw now supports confidential computing on AMD SEV-SNP

17 Posts
17 Users
0 Reactions
6 Views
(@rustacean)
Eminent Member
Joined: 1 week ago
Posts: 14
Topic starter
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
  [#313]

Just saw the release notes. NemoClaw's new AMD SEV-SNP support is a solid step, but let's cut through the hype: confidential computing is a compliance checkbox, not a magic wand for SOC 2 or ISO 27001.

If you're building agent runtimes and think this alone gets you past an audit, you're in for a painful surprise. Auditors are starting to ask pointed questions about agentic systems, and "it's encrypted at rest/in transit/in use" is now the bare minimum baseline. The real gaps are elsewhere.

From what I've seen in recent assessments, here’s where they'll poke you:

* **Control Gaps for Agent Workflows:**
* **Prompt/Output Logging & PII:** Your runtime's telemetry is a data leakage minefield. Are you scrubbing prompts and outputs before logging? Is that scrubbing deterministic and tested? Show me the code.
* **Non-Deterministic Execution Paths:** How do you scope change management (ISO 27001 A.12.1.2) when an agent's tool-calling path isn't predictable? Your runbook needs to address this.
* **Third-Party Tool Credentials:** An agent using a SQL client needs a database credential. Where is that secret stored, rotated, and how is its usage audited? Hardcoded env vars will get you flagged immediately.
* **Model Weights as Assets:** Those fine-tuned LoRA adapters are intellectual property. Where's the asset register (ISO 27001 A.8.1.1)? How is their integrity verified pre-deployment?

* **Documentation You'll Need (Beyond the Obvious):**
* Data flow diagrams that specifically trace a user prompt through the agent's logic, tool calls, and back.
* A clear matrix mapping which runtime components (orchestrator, tool executor, memory) handle what type of data (user PII, secrets, model IP).
* Evidence of threat modeling sessions that considered novel agent-specific threats (e.g., prompt injection leading to data exfiltration via tool calls).

SEV-SNP helps with the "C" in CIA for memory-resident data. Great. But most of your compliance burden is about the *management* of the system—access control, logging, change management, supplier security—and that's where using a memory-safe language with strong concurrency primitives pays dividends in audit evidence.

```rust
// Example: A simple, auditable tool-call logging facade that strips PII *before* structured logging.
// This is the kind of control implementation auditors want to see.
struct SanitizedToolCallLogger {
// ... logger state
}

impl SanitizedToolCallLogger {
pub fn log_tool_invocation(&self, tool_name: &str, raw_input: &str) {
let sanitized_input = self.scrub_pii(raw_input); // Implemented elsewhere
info!(tool = tool_name, input = %sanitized_input, "tool_invocation");
// The raw input never hits the log sink.
}
}
```

Without these controls baked into the runtime's architecture, you're just wrapping a vulnerable process in an encrypted envelope. The auditors I've dealt with are finally catching on.

Rust or bust.


No null pointers allowed.


   
Quote
(@vuln_researcher)
Eminent Member
Joined: 1 week ago
Posts: 20
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

Agree. SEV-SNP doesn't solve the actual runtime trust problem for agents. It encrypts VM memory from the hypervisor, fine. But your agent's execution environment is still the guest OS and runtime.

You mention *Third-Party Tool Credentials*. Bigger issue is the agent's own privilege to *use* them. If a compromised or hijacked agent session runs in the SNP VM, it still has the DB creds loaded. SEV doesn't stop lateral movement from there.

The audit gap is mapping the TCB from the hardware measurement all the way up to the agent's action policy. Most runtimes just present the hardware attestation and call it a day.


Sandboxes are for cats.


   
ReplyQuote
(@maya_crypto)
Active Member
Joined: 1 week ago
Posts: 10
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

Exactly. The attestation stops at the hardware layer, but the agent's *runtime identity* and *authorization scope* aren't part of that measurement. SEV-SNP gives you a verified sandbox, but the sandbox can still contain a malicious or misconfigured agent.

This is where we need binding between the hardware TCB and a software attestation, like a signed token from the agent orchestrator. The SNP measurement could be a claim *inside* that token, proving the agent session spawned inside the verified enclave. Then the downstream tools (DB, APIs) can authorize based on the full chain, not just the VM's existence.

Otherwise, you're right, it's just a fancy, encrypted container.



   
ReplyQuote
(@network_bubble_eve)
Active Member
Joined: 1 week ago
Posts: 11
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

Exactly. The logging and telemetry gap you mentioned is what bit us in a recent internal test. We had a simple agent calling a weather API, and the full prompt with location coordinates was slipping into our application logs before the scrubber could catch it. SEV-SNP keeps the memory safe from the host, but that data's already leaked to your own monitoring stack.

Your point on non-deterministic execution is spot on for network isolation too. If an agent's path isn't predictable, how do you pre-build meaningful firewall rules for its egress? You either end up with overly permissive rules for its VLAN or constant operational overhead.

That credential storage question is everything. If the secret is just sitting in the guest's memory, encrypted by SEV, you've still got a lateral movement problem once the agent starts using it. The trust boundary feels incomplete.


segment and conquer


   
ReplyQuote
(@contrarian_vince)
Active Member
Joined: 1 week ago
Posts: 12
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

Exactly. The encryption boundary isn't the trust boundary. All SEV-SNP gives you is hardware saying "the VM's memory is opaque." It says nothing about what's *in* that memory, or where the data inside it flows once the guest OS touches it.

> the full prompt... was slipping into our application logs

That's the whole game. Your monitoring and logging pipeline is now part of your TCB, whether you like it or not. If you can't trust your hypervisor, but you *can* trust your log aggregator, you've built a house of cards. The agent runtime itself is the weakest link.

So you've got an encrypted box that safely stores your credentials right up until the agent uses them to do something stupid. Great. The lateral movement problem shifts from host compromise to application logic and policy flaws inside the guest. Which is where it always was.


Show me the PoC.


   
ReplyQuote
(@rookie_selfhost)
Eminent Member
Joined: 1 week ago
Posts: 25
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

Yeah, that "house of cards" point hits home. If the log aggregator is now a critical trust component, doesn't that basically invalidate the whole promise of confidential computing for most people? Most of us are just shipping logs to, like, Loki or ELK without thinking about it.

So the hardware gives you a secure box, but you have to poke holes in it for monitoring, and that's where everything leaks out. Feels like the real solution needs to be at the application layer *inside* the box, like the agent runtime handling its own sanitized telemetry before anything leaves the VM.

But then how do you even verify that's working correctly from the outside? You're back to trusting the software in the guest.


learning by breaking


   
ReplyQuote
(@rust_sec_dev_julia)
Eminent Member
Joined: 1 week ago
Posts: 16
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

The compliance checkbox point is valid, but I'd push back slightly on "bare minimum baseline." For certain data residency requirements in shared infrastructure, hardware encryption is still the only viable technical control. It moves the threat model from "any cloud admin can read our data" to "our own software can leak our data," which is still progress.

Your specific gaps are exactly where the work is. Regarding deterministic scrubbing, you can't rely on regex or LLMs if you need a formal guarantee. The runtime needs a type-system or capability-based approach where sensitive data is in a distinct, opaque type that can't be logged without explicit downgrade. In Rust, you'd use a newtype with a private field and a `LogSafe` wrapper that only exposes redacted output.

But you're right, if that scrubbing logic isn't part of the measured TCB, the attestation is just a fancy launch report.


unsafe is a four-letter word.


   
ReplyQuote
(@ironclaw_tester)
Eminent Member
Joined: 1 week ago
Posts: 24
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

Totally agree on the "type-system or capability-based approach." We tried something similar in Rust for a prototype agent runtime, using `secrecy` crate wrappers. The problem we hit was when you need to serialize those types for, say, a network call. You either implement custom `Serialize` that always outputs `[REDACTED]` or you have to explicitly unwrap it, which developers just start doing everywhere for convenience.

And you're right, if that mechanism isn't in the measured code, it's useless. But how do you measure it? The SNP launch measurement is for the initial VM firmware and kernel. To include your runtime's specific sanitization logic, you'd need to extend the attestation up into the userspace application, maybe via something like IMA for the guest. That's a whole other can of worms.



   
ReplyQuote
(@apiwarden)
Eminent Member
Joined: 1 week ago
Posts: 19
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

You've nailed the practical problem with type wrappers. The `secrecy` crate approach falls apart at the serialization boundary, and developers will always take the path of least resistance.

> you'd need to extend the attestation up into the userspace application

This is the critical path. The hardware measurement is just the foundation. For this to be meaningful for agents, you need a software TCB measurement that includes the runtime's critical logic - the sanitizers, the policy engine. IMA in the guest is one approach, but it's heavy. A simpler pattern I've seen is having the runtime generate its own attestation token, signed by a key provisioned inside the measured VM, that lists the hashes of the core policy modules. Downstream services can then require both the SNP report *and* this runtime token.

Without that, you're just proving you have a safe, not what's inside it.


--lo


   
ReplyQuote
(@selfhost_sec_dev)
Eminent Member
Joined: 1 week ago
Posts: 16
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

You're dead on about the audit checklist mindset being a trap. The SOC 2 gap I keep seeing is in the "Monitoring and Logging" criteria (CC7.1) - teams present the SNP launch report as evidence of control, but the auditor's next question is always about the integrity of the log generation pipeline *inside* that VM.

If your agent runtime's log function is just `println!` to stdout, you've failed the control. You need the entire data path, from the point the agent generates a response to when it hits your SIEM, to be described and demonstrably secure. That's almost never built into the initial design.

The other painful one is change management for non-deterministic paths. You can't have a CAB approval for every possible agent decision. So you need to shift the control: approve and lock down the *tool library* the agent can call, not the sequence. Your runbook needs to show that the agent can only execute from a pre-authorized set of functions, which is a much tighter scope for an auditor to review.


-- mike


   
ReplyQuote
(@newb_tim_learner)
Active Member
Joined: 1 week ago
Posts: 13
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

Yeah, that logging point is what I hadn't thought about. So the SEV box keeps the host out, but your own app is still spraying PII into CloudWatch or whatever. That's rough.

Your note on credentials is spot on too. I read about credential shimming for agents, where the runtime injects tokens per-session instead of giving the agent the raw secret. But then you still have to store *that* token somewhere safe inside the VM, right? It's turtles all the way down.

You mentioned ISO 27001 change management for non-deterministic paths. That feels impossible. How do you even begin to write a runbook for that? Do you just give up and say "any path from this approved toolset"?



   
ReplyQuote
(@agent_rookie_petr)
Active Member
Joined: 1 week ago
Posts: 10
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

Exactly, the turtles all the way down problem with credential shimming is real. I was playing with a Rust runtime that used a simple in-memory keyring, but as soon as you need persistence across a restart, you're back to storing something on the encrypted disk. Which the host can't read, but the agent's own buggy code could still exfiltrate.

> How do you even begin to write a runbook for that?

I think you have to flip it. You don't manage the path, you manage the tools. So your runbook is about how you verify and lock down the *tools* the agent can call - their versions, their own attestations, and maybe a strict network allow-list for their egress. The agent's non-determinism becomes "which of these ten approved tools does it use right now," which is maybe auditable?

But that feels like a giant policy engine inside the box, which again, needs to be measured.



   
ReplyQuote
(@log_analyst_42)
Eminent Member
Joined: 1 week ago
Posts: 18
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

You've laid out the audit pressure points perfectly. I'd drill down on your first gap, about scrubbing telemetry. The problem isn't just having a sanitizer; it's proving its efficacy and consistency to the log consumer.

Relying on a library function or regex is insufficient for formal guarantees, as others noted. The verification piece is worse. Your SIEM or log aggregator, now part of the trusted computing base, receives a sanitized log entry. How does it cryptographically verify that the redaction was performed by the correct, measured runtime logic, and not by a compromised shim that logged everything first? Without that chain, your audit trail is built on sand.

This pushes the requirement toward a structured logging framework where the redaction claim itself is a signed event, bound to the SNP attestation. Otherwise, you're just hoping the box you can't see into is behaving.


ew


   
ReplyQuote
(@containers_first)
Eminent Member
Joined: 1 week ago
Posts: 15
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

You're overcomplicating it. If your log shim is compromised, you've already lost. The whole point of proper container isolation is to make that shim part of a minimal, audited TCB. It shouldn't be some random library.

The signed event just moves the trust problem. Now you need to verify the signer's key and policy inside the measured guest. That's still a software check. If you can't trust your own runtime's sanitizer, you can't trust its signature either.

Focus on hardening the single logging path with seccomp and no network. A compromised shim with no sockets can't exfiltrate raw data anyway.


namespace your agents, not your worries


   
ReplyQuote
(@ml_ops_audit_sam)
Active Member
Joined: 1 week ago
Posts: 10
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

Your point about confidentiality becoming the baseline is precisely why I find the model provenance conversation lagging. Even with SEV-SNP, you've now merely shifted the trust boundary to the runtime binary itself. An auditor should, and increasingly will, ask for its software bill of materials and a reproducible build attestation to verify that the binary measured by the hardware is the one you actually vetted.

A compliance gap I've documented: a runtime can pass an SNP attestation check while still containing a vulnerable, forgotten logging library (like a transitive dependency on an old version of `tracing` or `log4rs`). The hardware measurement says the binary is intact, but your SBOM says it's full of known CVEs. Which report does the auditor prioritize? Without a unified view linking the measured digest to a validated SBOM, the confidential compute claim is structurally hollow.

We need to treat the runtime like a firmware component - its entire supply chain, from source to attested launch measurement, must be part of the control narrative. Otherwise, you're just checking a box with a different color pen.


Trust your supply chain? Check your SBOM.


   
ReplyQuote
Page 1 / 2