The x-ms-sevsnpvm-reportdata field in Azure SNP VM attestation refers to the report data carried in the SEV-SNP attestation report: a field for custom, user-provided data that verifiers check alongside the report's integrity and authenticity. This field is distinct from the nonce the TPM uses for freshness checks.
The nonce is a random value you provide to the TPM as part of the attestation request. It ensures that the attestation is fresh and cannot be replayed by verifying that the nonce matches the one you supplied.
The nonce is primarily used in the TPM's internal attestation mechanisms and is not directly included in the SEV-SNP report data.
The x-ms-sevsnpvm-reportdata field corresponds to the report data in the SEV-SNP attestation report, which is a 64-byte field. You can include arbitrary data (e.g., a hash of your application state or configuration) in this field when generating the SEV-SNP attestation report.
This data is included as-is in the SEV-SNP attestation report, and it does not interact with the TPM's nonce.
Why the nonce doesn't affect the report data
The SEV-SNP attestation report generation process is independent of the TPM nonce. The report data field is user-defined and static for the duration of the attestation request.
The TPM nonce ensures that the attestation is fresh, but it does not alter the SEV-SNP report data itself. This separation is by design to allow the report data to serve as a custom verification field.
If you want the SEV-SNP attestation report to include dynamic data influenced by the nonce:
- Include a hash or signature of the nonce and other relevant data in the x-ms-sevsnpvm-reportdata field when generating the report.
- Use this hash/signature to tie the report data to the TPM nonce indirectly.
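The binding described in the two steps above, as an added example (not Azure or Microsoft Azure Attestation code): the guest derives the 64-byte report data from the verifier's nonce and an application-state hash, and the verifier recomputes it and compares it with the x-ms-sevsnpvm-reportdata claim. The domain-separation label and the assumption that the claim is presented as a hex string are the example's own choices.

```python
import hmac
import hashlib

REPORT_DATA_LEN = 64  # SEV-SNP report data is a fixed 64-byte field

# Hypothetical domain-separation label chosen for this example, so the digest
# cannot be confused with other SHA-512 uses of the same inputs.
_LABEL = b"snp-reportdata-binding-v1"


def build_report_data(nonce: bytes, app_state_hash: bytes) -> bytes:
    """Guest side: derive the 64-byte report data that ties the verifier's
    nonce to the application state hash.

    SHA-512 produces exactly 64 bytes, so the whole field is used. Each input
    is length-prefixed so (nonce, app_state_hash) pairs stay unambiguous.
    """
    h = hashlib.sha512()
    h.update(_LABEL)
    h.update(len(nonce).to_bytes(2, "big") + nonce)
    h.update(len(app_state_hash).to_bytes(2, "big") + app_state_hash)
    digest = h.digest()
    assert len(digest) == REPORT_DATA_LEN
    return digest


def verify_report_data(claim_hex: str, nonce: bytes, expected_app_state_hash: bytes) -> bool:
    """Verifier side: recompute the expected binding from the nonce it issued
    and the application state it expects, then compare it with the
    x-ms-sevsnpvm-reportdata claim (assumed here to be a hex string).

    A report produced for a different nonce (replay) or a different
    application state fails the comparison; malformed claims are rejected.
    """
    try:
        claim = bytes.fromhex(claim_hex)
    except ValueError:
        return False
    if len(claim) != REPORT_DATA_LEN:
        return False
    expected = build_report_data(nonce, expected_app_state_hash)
    return hmac.compare_digest(claim, expected)


if __name__ == "__main__":
    # Constructed sample values: a verifier-issued nonce and an app-state hash.
    nonce = bytes.fromhex("00112233445566778899aabbccddeeff")
    app_state = hashlib.sha256(b"constructed application state").digest()
    report_data = build_report_data(nonce, app_state)  # what the guest puts in the report
    print("fresh report verifies:", verify_report_data(report_data.hex(), nonce, app_state))
    print("replayed report verifies:", verify_report_data(report_data.hex(), b"newer-nonce", app_state))
```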