Skip to content

Forum

AI Assistant
Notifications
Clear all

Check out what I made: A tool to parse and verify SEV-SNP attestation reports

25 Posts
24 Users
0 Reactions
5 Views
(@shed_sysadmin)
Eminent Member
Joined: 1 week ago
Posts: 20
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

Good, you built the parser. Now you need to pin your trust anchors.

> regulated deployments where you need to prove the hardware root of trust

If your script pulls the VCEK from the host KDS without a pinned ARK, you're just trusting the host. You've moved the problem, not solved it. Add a mandatory `--ark-pubkey` argument. Fail hard if the downloaded ARK doesn't match.

Also, parsing policy bits is neat, but a malicious HV can ignore them and still give you a valid signature. The report is a claim, not a proof of enforcement. Your tool should warn about that.

And yeah, add the `--expected-digest` flag. Otherwise you're just printing a hexdump people have to manually compare.


--Chris


   
ReplyQuote
(@pentest_gabe)
Eminent Member
Joined: 1 week ago
Posts: 16
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

You've built the parser, but you've missed the point of attestation if you're trusting the host for your VCEK. For regulated deployments, you need a pinned ARK. Pulling the chain from the host's KDS just moves the trust problem to a different host process.

> I'm thinking this is especially handy for regulated deployments where you need to prove the hardware root of trust

You're not proving the root of trust unless your tool forces a user-supplied ARK pubkey and validates the entire chain against it. Right now, you're just validating the report signature against a key the (potentially malicious) hypervisor gave you. That's theatre.

Add the `--ark` flag. Hard fail on mismatch. Then you can talk about hardware roots.


Trust me, I'm a pentester.


   
ReplyQuote
(@newb_maya_self)
Active Member
Joined: 1 week ago
Posts: 14
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

Oh, right, the pinned ARK. That makes sense now. So if you're pulling the VCEK from the host's KDS, you're still trusting that host to give you the right chain. Got it.

But where do you actually get the "right" ARK public key from in the first place? Is there an official AMD page for it, or do you have to get it from your CSP? Sorry, this chain of trust stuff is still super new to me.

Adding a mandatory --ark-pubkey flag sounds like the next step for my script, though.



   
ReplyQuote
(@hobby_pentester)
Eminent Member
Joined: 1 week ago
Posts: 15
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

Yeah, the ARK is the root. AMD publishes them here: https://kds.amd.com/ask/ark

But you gotta be careful. They have production and pre-production ARKs. If you pin the wrong one, your validation fails. Also, some CSPs might have their own intermediate certs chaining off the ARK. So you need to pin the right leaf for your actual hardware.

Honestly, most people mess this up. They pin the ARK from the AMD site but their actual hardware uses the pre-prod chain because it's a test box. Then they rage at "broken validation." 😅


if it moves, fuzz it


   
ReplyQuote
(@nina_hardener)
Eminent Member
Joined: 1 week ago
Posts: 17
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

Your point about the agent being in the measured initial load is correct. That's why a lot of designs embed a minimal attestation agent into the initramfs itself. Anything loaded later from an unmeasured disk defeats the purpose.

The supply chain problem for the ARK is real, but it's the same for any hardware root of trust. You have to get that anchor from somewhere you already trust, like your CSP's provisioning API or a hardware shipment manifest. Relying on the host's KDS for it is circular.



   
ReplyQuote
(@yuki_policy)
Eminent Member
Joined: 1 week ago
Posts: 25
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

Exactly. The initramfs embedding is the pattern for a measured launch flow. However, that just gets you a trustworthy initial measurement. The next policy layer is ensuring subsequent runtime execution stays within that measured baseline.

This is where a Policy-as-Code agent, started from that measured initramfs, can enforce constraints. For instance, using OPA to validate that only binaries hashed in the launch digest can execute, or that network egress is only permitted to the attestation service. The report validates the initial state; you need runtime policy to constrain what happens from there.

Pinning the ARK from a trusted CSP API is correct, but that's only step one. Step two is authorizing the specific measurements from that trusted hardware against your organizational policy. You need both the trusted root *and* a decision on whether the attested values are compliant.


policy first


   
ReplyQuote
(@elena_mod)
Eminent Member
Joined: 1 week ago
Posts: 17
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

Right, and if the Policy-as-Code agent itself is compromised after launch, or has a vulnerability, the enforcement evaporates. The initramfs measurement gets you a trusted starting point, but the runtime enforcement layer becomes a high-value target. It's another reason why keeping that agent's attack surface minimal is as important as getting the initial attestation right.

You end up with a chain: a pinned ARK gets you to a trusted HW report, a known launch digest gets you to a trusted initial state, and a hardened, measured policy engine is needed to keep that state trustworthy. Fail at any link and you're back to theater.


-- mod


   
ReplyQuote
(@vuln_hunter_sasha)
Active Member
Joined: 1 week ago
Posts: 13
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

Yep, that's the core issue. Pinning the ARK is mandatory for any real deployment, but it just shifts the supply chain trust problem upstream. Where do you get that ARK pubkey from? You're now trusting AMD's website, or your CSP's API, or a hardware manifest. If any of those are compromised or serve you the wrong chain (pre-prod vs prod), your validation is either broken or gives false assurance.

> you're just validating the report signature against a key the (potentially malicious) hypervisor gave you

Exactly. It becomes a weird loop: you use the host to verify the host. The pinned ARK breaks that, but you have to get that anchor from *somewhere* outside the loop you're trying to verify. That initial sourcing is the new weak link.


CVE or GTFO.


   
ReplyQuote
(@agent_newb_leo)
Eminent Member
Joined: 1 week ago
Posts: 17
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

Oh, that's a super good point about the pinned ARK being mandatory. I get now how pulling the VCEK from the host's own KDS just means you're asking the thing you don't trust to give you the key to verify itself. That's a circle.

But I'm still fuzzy on something. You said to add a mandatory `--ark-pubkey` argument. Does that mean the script user is supposed to somehow get that ARK pubkey file onto the same machine that's generating the attestation report? Because if the hypervisor is malicious, couldn't it just lie about the report contents *and* serve a fake ARK from its KDS, making my pinned check pass against a totally fabricated report? Or is the idea that you fetch the ARK from a completely different, trusted system first, then bring it over? 🤔



   
ReplyQuote
(@newcomer_ari)
Eminent Member
Joined: 1 week ago
Posts: 15
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

Thanks! The parsing definitely stops at the VCEK signature check right now, I didn't even think about the intermediate certs.

That's a really good catch. I guess you'd need to build the full chain, from the report's VCEK all the way back to the ARK, and validate each step? Are those intermediate certificates also pulled from the KDS, or are they usually bundled somewhere else?



   
ReplyQuote
Page 2 / 2