cloud.debian.org: Debian-12 GCP image has the SEV_SNP_CAPABLE tag but no sev-guest driver
Package: cloud.debian.org
Severity: important
Dear Maintainer,
I'm a Google Cloud engineer in the confidential computing organization.
We found that --image_project=debian-cloud --image_family=debian-12 fails
basic SEV-SNP attestation tests.
Please remove the guest_os_feature SEV_SNP_CAPABLE from your images until
you resolve this issue.
This means that /dev/sev-guest is not available, and neither is
/sys/kernel/config/tsm/report, and modprobe sev-guest fails to install the
required module for either of those attestation entry points to become visible.
We believe that the SEV-SNP technology's main advantage beyond its nested
page table integrity protections is its ability to provide signed attestations
that contain a digest of the VM state at launch time. The SEV_SNP_CAPABLE
feature ought to imply attestation support. I will clarify the public
documentation on this.
The sev-guest driver ought to be easily accessible to Cloud users of the
Debian-12 image. If I missed which package contains this kernel module, please
let me know which it is so I may update our testing facilities.
Thanks!
--
-Dionna Glaze, PhD, CISSP (she/her)
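
A check for the two attestation entry points named in the report, as an added example that is not part of the original message or of Google's test suite. The function name, the ROOT and KVER parameters, and the assumption that the driver object is called sev-guest.ko under /lib/modules are this example's own.

```shell
#!/bin/sh
# Added example: report which SEV-SNP attestation entry points a guest exposes.
# ROOT (default /) and KVER (default: running kernel) are parameters of this
# sketch so it can be pointed at a mounted image or a constructed test tree.

check_snp_attestation() {
    root="${1:-/}"
    kver="${2:-$(uname -r)}"
    root="${root%/}"
    moddir="$root/lib/modules/$kver"
    found=0

    # Entry point 1: character device created by the sev-guest driver.
    if [ -e "$root/dev/sev-guest" ]; then
        echo "present: /dev/sev-guest"
        found=1
    else
        echo "missing: /dev/sev-guest"
    fi

    # Entry point 2: configfs TSM report interface.
    if [ -d "$root/sys/kernel/config/tsm/report" ]; then
        echo "present: /sys/kernel/config/tsm/report"
        found=1
    else
        echo "missing: /sys/kernel/config/tsm/report"
    fi

    # Is the driver shipped for this kernel at all (loadable or built in)?
    # Assumption: the object is named sev-guest.ko, possibly compressed.
    if grep -qs '/sev-guest\.ko' "$moddir/modules.builtin"; then
        echo "driver: built in"
    elif grep -qs '/sev-guest\.ko' "$moddir/modules.dep"; then
        echo "driver: loadable module available (try: modprobe sev-guest)"
    else
        echo "driver: not packaged for kernel $kver"
    fi

    # Success only if at least one attestation entry point is visible.
    [ "$found" -eq 1 ]
}
```

Run `check_snp_attestation` with no arguments inside the guest; a non-zero exit together with "driver: not packaged" corresponds to the condition reported above.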