Cryptographic Keys
Wherever this section says that a key is signed, it means the public part of the key pair.
Platform Ownership

During the initialization process, the firmware running on the AMD SP generates an ECDSA key, the Platform Endorsement Key (PEK), and a Platform Diffie-Hellman Key (PDH). To provide good randomness for cryptographic purposes, a secure entropy source is used during key generation. The PEK is used to sign the PDH. To associate an AMD SEV CPU with a specific cloud provider, the SEV firmware provides an API to issue a Certificate Signing Request (CSR) for the PEK. The cloud organization CA (OCA) must create a certificate for the PEK from this CSR. Once created, the certificate is imported back into the SEV firmware.
Platform Authenticity

Each AMD SEV Ready CPU has one-time programmable (OTP) fuses in which AMD stores unique, CPU-specific secrets. The Chip Endorsement Key (CEK) is an ECDSA key derived from the OTP fuses and the current TCB versions, so that it reflects security updates. To prove the authenticity of an AMD SEV CPU, AMD provides a certificate chain of trust: each CEK is signed by AMD's SEV Signing Key (ASK), which in turn is signed by AMD's Root Signing Key (ARK). Note that the trust anchor is the ARK (see Figure 1). Since the CEK is unique among all CPUs, a unique identifier (Platform ID) can be obtained through the SEV API. The Platform ID can be used to retrieve the certificates from AMD.
Trust Model

The PEK is an important part of the trust model. Its role is to connect the two certificate trust chains, the cloud provider trust chain and the AMD trust chain. AMD issues a certificate for the CEK, which proves that the CEK was generated on an AMD SEV CPU. The additional certificate from the cloud provider (OCA) is required to provide proof of ownership. By signing the PDH with the PEK, we attach the PDH to both trust chains. Based on the certificates, another party can verify that the PDH belongs to a cloud provider and that the PDH was created on an AMD SEV CPU.
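As an added example (not code from this page, from AMD, or from the SEV firmware), the following Go program models both trust chains as toy certificates: each certificate is an ECDSA P-384 public key plus the signatures its issuers placed over it, and VerifyPDH accepts a PDH only when the AMD chain (ARK, ASK, CEK, PEK) and the owner chain (OCA, PEK) both reach it from their pinned anchors. It assumes, as in the SEV API, that the PEK carries a signature from the CEK as well as from the OCA (the text only says the PEK connects the two chains), and it simplifies all keys to one ECDSA curve and all certificates to a key plus signatures; real SEV certificates carry more fields and the AMD root keys may use a different key type.

```go
package main

import "crypto/ecdsa"
import "crypto/elliptic"
import "crypto/rand"
import "crypto/sha512"

// Cert is a toy stand-in for an SEV certificate: a public key plus issuer signatures.
type Cert struct {
	Pub  *ecdsa.PublicKey
	Sigs map[*Cert][]byte  // issuer cert -> ECDSA signature over this key
	key  *ecdsa.PrivateKey // held only so one program can act as every party
}
func newCert() *Cert {
	k, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Cert{Pub: &k.PublicKey, Sigs: map[*Cert][]byte{}, key: k}
}
// digest is the message an issuer signs: a hash of the subject's public point.
func digest(c *Cert) []byte {
	h := sha512.Sum384(append(c.Pub.X.Bytes(), c.Pub.Y.Bytes()...))
	return h[:]
}
// sign records issuer's signature over subject's public key in subject's cert.
func sign(issuer, subject *Cert) {
	sig, err := ecdsa.SignASN1(rand.Reader, issuer.key, digest(subject))
	if err != nil {
		panic(err)
	}
	subject.Sigs[issuer] = sig
}
// link reports whether subject carries a valid signature made by issuer's key.
func link(issuer, subject *Cert) bool {
	sig, ok := subject.Sigs[issuer]
	return ok && ecdsa.VerifyASN1(issuer.Pub, digest(subject), sig)
}
// VerifyPDH accepts the PDH only if both chains reach it from the pinned anchors:
// AMD ARK -> ASK -> CEK -> PEK -> PDH, and owner OCA -> PEK -> PDH.
func VerifyPDH(ark, ask, cek, oca, pek, pdh *Cert) bool {
	return link(ark, ask) && link(ask, cek) && link(cek, pek) && link(oca, pek) && link(pek, pdh)
}
// BuildPlatform generates every key and issues the signatures the text describes.
func BuildPlatform() (ark, ask, cek, oca, pek, pdh *Cert) {
	ark, ask, cek, oca, pek, pdh = newCert(), newCert(), newCert(), newCert(), newCert(), newCert()
	for _, e := range [][2]*Cert{{ark, ask}, {ask, cek}, {cek, pek}, {oca, pek}, {pek, pdh}} {
		sign(e[0], e[1]) // PEK is signed by both chains; PDH inherits both through the PEK
	}
	return
}
```

Removing the OCA signature from the PEK, or presenting a PDH that the PEK never signed, makes VerifyPDH reject the PDH even though the AMD chain is intact, which is exactly the ownership check the PEK adds.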