[mjg59]

AMD's SEV supports providing an attestation to the launch state of the VM, including information about whether the hypervisor has any visibility into the contents of the VM. If this works as described it does genuinely let you decouple trust from the CSP, instead placing it purely in the CPU vendor.

But I agree with the general thrust of the post - simply providing your own keys isn't sufficient to remove the CSP from the set of people you need to trust. There are reasons to do this (eg, you want the ability to extract your encrypted data and make use of it, or you want to have a chain of trust back to keys that you control), but the moment you upload a private key anywhere it's obviously no longer private in the same sense it was before you did that.

[raesene9]

So with AMDs SEV (and I'm guessing similar systems) what's the interface by which a customer will get that information?

What I'm interested in is, is there not a CSP controlled API between the literal hardware and the CSP customer, that might be subject to attack?

[mjg59]

The OS running inside the VM hits an external API (one you control, not the CSP), that returns a challenge, the CPU signs a response that includes that challenge and its state, you verify that the signature chains back to AMD. The CSP isn't directly involved in the exchange.

[raesene9]

So the CSP has physical access to the CPU (and the rest of the hardware), is it possible to attest that it hasn't been tampered with after it leaves the CPU manufacturer's control?

(I'm not saying that's it's in anyway easy to modify, but if our threat model here is a malicious company with the resources of AWS/Azure/GCP then it seems sensible to consider even difficult attacks)

[m1ghtym0]

The thing you're looking for is called remote attestation. That means there is a direct channel from the hardware to the user that attests the confidentiality and integrity of the VM. Such attestation statement is signed by a key burned into the CPU at production time. The remaining attack vector is leaking that key from the hardware itself. There is academic research on this topic. In essence, while technically possible, it is considered not practical, especially not at scale.

[candiddevmike]

Do you know of anyone offering this at the moment? I wonder if you could use that for Vault authentication somehow.

[derpsteb]

Constellation (a Kubernetes distro) [1] on Azure would give you this attestation feature. You could then run sth like HashiCorp's Vault in that cluster. You will know that all nodes of that cluster are in the state that you expect them to be through the attestation statement.

[1] https://github.com/edgelesssys/constellation

Disclaimer: I work for Edgeless Systems.