Chapter 7. Configuring RHEL on Public Cloud Platforms with AMD SEV SNP

1. Initialization and measurement: A SEV-SNP enabled hypervisor sets the initial state of a VM. This hypervisor loads firmware binary into the VM memory and sets the initial register state. AMD Secure Processor (SP) measures the initial state of the VM and provides details to verify the initial state of the VM.
2. Firmware: The VM initiates the UEFI firmware. The firmware might include either stateful or stateless Virtual Trusted Platform Module (vTPM) implementation. Stateful vTPM maintains persistent cryptographic state across VM reboots and migrations, whereas stateless vTPM generates fresh cryptographic state for each VM session without persistence. Virtual Machine Privilege Levels (VMPL) technology isolates vTPM from the guest. VMPL offers hardware-enforced privilege isolation between different VM components and the hypervisor.

3. vTPM: Depending on your cloud service provider, for stateful vTPM implementation, the UEFI firmware might perform a remote attestation to decrypt the persistent state of vTPM.

   1. The vTPM also measures facts about the boot process such as Secure Boot state, certificates used for signing boot artifacts, UEFI binary hashes, and so on.

4. Shim: When the UEFI firmware finishes the initialization process, it searches for the extended firmware interface (EFI) system partition. Then, the UEFI firmware verifies and executes the first stage boot loader from there. For RHEL, this is shim. The shim program allows non-Microsoft operating systems to load the second stage boot loader from the EFI system partition.

   1. shim uses a Red Hat certificate to verify the second stage boot loader (grub) or Red Hat Unified Kernel Image (UKI).
   2. grub or UKI unpacks, verifies, and executes Linux kernel and initial RAM filesystem (initramfs), and the kernel command line. This process ensures that the Linux kernel is loaded in a trusted and secured environment.

5. Initramfs: In initramfs, vTPM information automatically unlocks the encrypted root partition in case of full disk encryption technology.

   1. When the root volume becomes available, initramfs transfers the execution flow to the root volume.
6. Attestation: The VM tenant gets access to the system and can perform a remote attestation to ensure that the accessed VM is an untampered Confidential Virtual Machine (CVM). Attestation is performed based on information from AMD SP and vTPM. This process confirms the authenticity and reliability of the initial CPU and memory state of the RHEL instance and AMD processor.
7. TEE: This process creates a Trusted Execution Environment (TEE) to ensure that booting of the VM is in a trusted and secured environment.

Procedure

1. Log in to Google Cloud by using the google-cloud-cli utility:

   $ gcloud auth login

2. Create a new Google Cloud project with specific settings:

   $ gcloud projects create <example_sev_snp_project> --name="RHEL SEV SNP Project"

3. Configure the Google Cloud project:

   $ gcloud config set project <example_sev_snp_project>

4. Create a RHEL compute instance:

   $ gcloud compute instances create <example-rhel-9-sev-snp-instance> \
   --confidential-compute-type=SEVSNP \
   --machine-type=n2d-standard-2 \
   --min-cpu-platform="AMD Milan" \
   --maintenance-policy="TERMINATE" \
   --image=<rhel-guest-image-9-6-20251016-0-x86-64> \
   --image-project="rhel-cloud" \
   --subnet=<example_subnet>

5. Connect to the RHEL instance by using public and private RSA key pair:

   1. Connect to the RHEL instance for the first time, generate a public and private RSA key pair:

      $ gcloud compute ssh <cloud_user>@<example-rhel-9-sev-snp-instance>

   2. Connect to the RHEL instance by using an existing key pair:

      $ ssh -i <example_private_key> <cloud_user>@<instance_ip>