Dov Murik

Results 93 comments of Dov Murik

... and here is a simple guest userspace program to call the new SNP_SVSM_ATTEST_SERVICES ioctl (defined in the kernel RFC patches mentioned above) and save the responses in local files:...

Another more general question is whether we want to directly terminate, or propagate errors up (let's say all the way up to `svsm_request_loop()`) and there call the relevant `vc_terminate_xxxx` if...

A quick build shows that the use of `xargo` can be replaced with `cargo` (but it still uses unstable features defined in `.cargo/config.toml`): ```diff diff --git a/Makefile b/Makefile index 5f4a012..af0bbf8...

hmmm, cargo should have read its settings from `.cargo/config.toml`, which states `target = "svsm-target.json"` which is the equivalent of `cargo build --target svsm-target.json`. Can you try that? (but I'm...

I think there might be a step 1a: Verify that the cert-chain starts with an allowed cert (AMD's root cert). It might be that some of the details here might...

Another option: we may want the _guest_ (KBC) to fetch the VCEK / cert chain from AMD's KDS and add it to the request together with the attestation report. I'm...

The `SEV_ES_RESET_BLOCK_GUID` has existed in OVMF builds for more than 3 years, if I recall correctly. Unless something changed recently that removed it... Are you able to boot the SNP VM...

Interesting. Maybe you can post your `OVMF.fd` somewhere that I can download and experiment with.

Thanks @LucaStabo for providing the file. It is very weird: First, the `image.fd` file is only 540672 bytes long. Usually OVMF builds are 3-4 MB. Second, the file is full...

@larrydewey Any idea why the instructions in AMDSEV will generate an OVMF build that is only ~500KB and contains mostly 0xff bytes? And how could that successfully launch an SNP...