
Using SEV-SNP Remote Attestation to Establish a TLS Connection

Supervisor(s): Mathias Morbitzer, Joana Pecholt
Status: finished
Topic: Others
Author: Matthias Helmut Griebl
Submission: 2021-12-15
Type of Thesis: Bachelor thesis
Thesis topic in co-operation with the Fraunhofer Institute for Applied and Integrated Security AISEC, Garching

With the increasing use of cloud computing platforms, protecting applications and their data from the platform provider has gained importance. Hardware-based trusted execution environments offer application components and entire virtual machines protection from the platform owner, providing the application with confidentiality and integrity to different extents. One of these solutions is AMD's Secure Encrypted Virtualization (SEV). Its newest iteration, SEV Secure Nested Paging (SEV-SNP), ensures the confidentiality and data integrity of a virtual machine by encrypting and integrity-validating virtual memory and CPU state.

SEV-SNP also introduced a new attestation scheme, which is used to prove that the virtual machine is authentic and executing in a protected environment. This remote attestation alone, however, does not provide a secure means of communication.

In this paper, we design a protocol integrating the attestation capabilities of SEV-SNP with the Transport Layer Security (TLS) 1.3 connection establishment. The SEV-SNP attestation report is included directly in the TLS handshake using X.509 certificate extensions, meaning that no extra authentication messages are required to establish trust in the virtual machine. The TLS protocol itself remains unchanged, which preserves its security guarantees. Finally, we provide a proof-of-concept implementation demonstrating the protocol.