Hello folks, I’m exploring the capabilities of the AMD SEV-SNP platform for a TEE implementation that will handle and store secret data.
This data should be tied to a single guest, that is no other guest that boots with the same kernel/initrd/cmdline - in the form of a UKI - should be able to decrypt it. I have a prototype that encrypts the boot disk with a key derived from the VCEK, but a different guest is able to derive the same key provided it boots either the same UKI. The key has been derived with the snpguest tool developed by the virtee project. Does anybody have experience with encryption at rest with the AMD SEV SNP platform? I understand that it’s possible to inject secrets into a SEV VM at creation time, but documentation is scarce on that front. Thank you
