From 1891fcf3361c044e2eb74c2641070dfe3e4029e7 Mon Sep 17 00:00:00 2001 From: Otto Bittner Date: Wed, 15 Nov 2023 12:12:40 +0100 Subject: [PATCH] docs: explain config options for AWS SNP --- docs/docs/architecture/attestation.md | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/docs/docs/architecture/attestation.md b/docs/docs/architecture/attestation.md index fd42508fd7..04b85d8ad1 100644 --- a/docs/docs/architecture/attestation.md +++ b/docs/docs/architecture/attestation.md @@ -256,7 +256,24 @@ There is no additional configuration available for GCP. -There is no additional configuration available for AWS. +On AWS, AMD SEV-SNP is used to provide runtime encryption to the VMs. +An SEV-SNP attestation report is used to establish trust in the VM and it's vTPM. +You may customize certain parameters for verification of the attestation statement using the Constellation config file. + +* TCB versions + + You can set the minimum version numbers of components in the SEV-SNP TCB. + Use the latest versions to enforce that only machines with the most recent firmware updates are allowed to join the cluster. + Alternatively, you can set a lower minimum version to allow slightly out-of-date machines to still be able to join the cluster. + +* AMD Root Key Certificate + + This certificate is the root of trust for verifying the SEV-SNP certificate chain. + +* AMD Signing Key Certificate + + This is the intermediate certificate for verifying the SEV-SNP report's signature. + If it's not specified, the CLI fetches it from the AMD key distribution server.
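Review bot: typo in the second added line of the hunk: "to establish trust in the VM and it's vTPM" should read "its vTPM" (possessive, not the contraction). Two smaller documentation points in the same hunk: the "AMD Signing Key Certificate" bullet states the default behaviour ("If it's not specified, the CLI fetches it from the AMD key distribution server"), but the "AMD Root Key Certificate" bullet says nothing about what happens when it is omitted; since that certificate is described as the root of trust for the whole chain, please state explicitly whether it has a built-in default or must always be supplied, so readers do not assume it is fetched from the same server it is meant to validate. Likewise, the "TCB versions" bullet describes setting "minimum version numbers of components in the SEV-SNP TCB" without naming the components or the config keys involved; listing them (or linking to the config reference) would make the paragraph actionable.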