SEV-SNP Host Setup
In order to launch SNP memory-encrypted guests, the host must be prepared with a compatible kernel, 6.8.0-rc5-next-20240221-snp-host-cc2568386. AMD's custom changes and the required components and repositories will eventually be taken upstream.
Sev-utils is an easy way to install the required host kernel, but it also builds AMD-compatible guest kernel, OVMF, and QEMU components that are not needed here. Those additional components can be used with the script utility to test-launch and attest a base QEMU SNP guest. For the CoCo use case, however, make sure to use the coco-tagged version, because the guest components are already packaged and delivered with Kata.
Alternatively, refer to the AMDESE guide to manually build the host kernel and the other components.
Create the Certificate-Chain
A certificate chain (cert-chain) is what allows the attestation reports produced by SNP guests on this host to be verified, so that every component involved can be checked to be genuine and trustworthy. Use the following commands to create a cert-chain for SNP.
git clone -b snphost-0.5.0 https://github.com/virtee/snphost.git && cd snphost/
cargo build
mkdir /tmp/certs
./target/debug/snphost fetch vcek der /tmp/certs
./target/debug/snphost import /tmp/certs /opt/snp/cert_chain.cert
Optional: Edit the SNP Config File
The previous section installs the cert-chain in the default path. If you would like to install the cert-chain in a custom directory instead, that directory must be specified in the SNP config file. You will need to install the operator before you can edit the SNP config file; follow these instructions to set up the operator. To use the cert-chain that was made for SNP, edit the Kata SNP configuration file, which can be found under /opt/kata/share/defaults/kata-containers/configuration-qemu-snp.toml.
The location of the certificate chain needs to be specified under snp_certs_path.
snp_certs_path = "{PATH TO cert_chain.cert}"