Hi joeyjoy,
Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.
To verify that you're running within a real SNP guest, you can use the sevctl
command to check the SNP guest status.
Run the sevctl status
and sevctl guest-status
commands to check the SEV-SNP status. Verify that the output shows SEV-SNP: ENABLED
and SEV-SNP Guest: RUNNING
This command should display the SNP features supported by the guest. If the output shows that SNP features are enabled, it's a good indication that you're running within a real SNP guest.
Attestation is a critical component of Secure Encrypted Virtualization (SEV). It's a process that verifies the identity and integrity of a system or a virtual machine. In the context of SEV, attestation is used to ensure that the guest is running on a trusted platform with the correct firmware and microcode.
Azure confidential VMs boot only after successful attestation of the platform's critical components and security settings. The attestation report includes:
- A signed attestation report
- Platform boot settings
- Platform firmware measurements
- OS measurements
You can initialize an attestation request inside of a confidential VM to verify that your confidential VMs are running a hardware instance with either AMD SEV-SNP, or Intel TDX enabled processors. For more information, see Azure confidential VM guest attestation.
Your Trusted Launch VM needs Secure Boot and virtual Trusted Platform Module (vTPM) to be enabled so that the attestation extensions can be installed. Microsoft Defender for Cloud offers reports based on Guest Attestation verifying status and that the boot integrity of your VM is set up correctly. To learn more about Microsoft Defender for Cloud integration, see Trusted Launch integration with Microsoft Defender for Cloud.
To know more about Confidential OS disk encryption and verify these guarantees, please go through the document: https://video2.skills-academy.com/en-us/azure/confidential-computing/confidential-vm-overview
Yes, you can launch Confidential Virtual Machines (CVMs) with Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) on a higher kernel version. However, it’s important to ensure compatibility and stability.
https://video2.skills-academy.com/en-us/azure/confidential-computing/confidential-vm-faq#can-i-convert-a-dcasv5-ecasv5-cvm-into-a-dcesv5-ecesv5-cvm-or-a-dcesv5-ecesv5-cvm-into-a-dcasv5-ecasv5-cvm-
When you create an Ubuntu Server 20.04 LTS (Confidential VM - SEV-SNP Only), you will obtain a Confidential Virtual Machine (CVM) guest that leverages SEV-SNP (Secure Encrypted Virtualization - Secure Nested Paging). This technology, provided by AMD, offers hardware-based isolation between virtual machines, the hypervisor, and host management code. It ensures that the VM's memory is encrypted and protected from unauthorized access. https://azuremarketplace.microsoft.com/en-us/marketplace/apps/canonical.0001-com-ubuntu-confidential-vm-focal?tab=Overview
When you create an Ubuntu Pro 22.04 LTS (Confidential VM), you will obtain a Confidential Virtual Machine (CVM) guest that includes several advanced security features. These features are designed to provide strong security and confidentiality guarantees. https://azuremarketplace.microsoft.com/en-us/marketplace/apps/canonical.0001-com-ubuntu-pro-confidential-vm-jammy?tab=Overview
Secure virtualisation with AMD SEV-SNP and Intel TDX
For the x86 architecture, both AMD and Intel processors provide hardware features (named AMD SEV SNP and Intel TDX respectively) to support running virtual machines with memory encryption and integrity protection. They ensure that the data contained within the virtual machine is inaccessible to the hypervisor and hence the infrastructure operator. Support for using these features as a guest virtual machine was introduced in the upstream Linux kernel version 5.19.
https://ubuntu.com/blog/whats-new-in-security-for-ubuntu-24-04-lts
If you have any further queries, do let us know.
If the answer is helpful, please click "Accept Answer" and "Upvote it."