
Re: cloud.debian.org: Debian-12 GCP image has the SEV_SNP_CAPABLE tag but no sev-guest driver



Zach (cc'd) just informed me that their team is responsible for these
images and not y'all. Sorry for the noise!

On Thu, May 9, 2024 at 2:48 PM Dionna Amalie Glaze
<dionnaglaze@google.com> wrote:
>
> Package: cloud.debian.org
> Severity: important
>
> Dear Maintainer,
>
> I'm a Google Cloud engineer in the confidential computing organization.
> We found that --image_project=debian-cloud --image_family=debian-12 fails
> basic SEV-SNP attestation tests.
>
> Please remove the guest_os_feature SEV_SNP_CAPABLE from your images until
> you resolve this issue.
>
> This means that /dev/sev-guest is not available, and neither is
> /sys/kernel/config/tsm/report, and modprobe sev-guest fails to install the
> required module for either of those attestation entry points to become visible.
>
> We believe that the SEV-SNP technology's main advantage beyond its nested
> page table integrity protections is its ability to provide signed attestations
> that contain a digest of the VM state at launch time. The SEV_SNP_CAPABLE
> feature ought to imply attestation support. I will clarify the public
> documentation on this.
>
> The sev-guest driver ought to be easily accessible to Cloud users of the
> Debian-12 image. If I missed which package contains this kernel module,
> please let me know which it is so I may update our testing facilities.
>
> Thanks!
> --
> -Dionna Glaze, PhD, CISSP (she/her)



-- 
-Dionna Glaze, PhD, CISSP (she/her)
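
The quoted report names two attestation entry points and the kernel module that provides them. The following is an added example, not part of the original message and not Debian or Google tooling, that checks a guest for them. The function names, the `--live` switch, and the module file name `sev-guest.ko` under `/lib/modules/<release>` are assumptions of this example.

```shell
#!/bin/sh
# Added example: check a guest for the SEV-SNP attestation entry points
# named in the report. ROOT (and KREL, the kernel release) are parameters
# so the checks can run against a constructed tree or the live system.

# Print the state of each entry point; return 0 if at least one exists.
snp_entry_points() {
    root=${1%/}
    found=1
    for p in /dev/sev-guest /sys/kernel/config/tsm/report; do
        if [ -e "$root$p" ]; then
            echo "present: $p"; found=0
        else
            echo "missing: $p"
        fi
    done
    return "$found"
}

# Return 0 if a loadable sev-guest module file is installed for KREL.
# Assumption: the file is named sev-guest.ko (optionally compressed) under
# /lib/modules/KREL. A driver built into the kernel has no such file.
snp_module_installed() {
    dir="${1%/}/lib/modules/$2"
    [ -d "$dir" ] || return 1
    [ -n "$(find "$dir" -name 'sev-guest.ko*' 2>/dev/null | head -n 1)" ]
}

# One verdict: 0 = entry point visible, 2 = module on disk but no entry
# point (modprobe sev-guest is the next step), 1 = neither.
snp_attest_check() {
    if snp_entry_points "$1" >/dev/null; then
        echo "attestation-entry-point-present"; return 0
    elif snp_module_installed "$1" "$2"; then
        echo "module-installed-no-entry-point"; return 2
    fi
    echo "no-attestation-support"; return 1
}

# Run against the live system only when asked to.
if [ "${1:-}" = "--live" ]; then
    snp_entry_points /
    snp_attest_check / "$(uname -r)"
fi
```

A verdict of `no-attestation-support` on an image tagged SEV_SNP_CAPABLE corresponds to the condition described in the report.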

