Tracker: Confidential Virtualization Host with AMD SEV-SNP #1777

Open
marmijo opened this issue Aug 16, 2024 · 3 comments

marmijo commented Aug 16, 2024

Upstream Fedora Change: https://fedoraproject.org/wiki/Changes/ConfidentialVirtHostAMDSEVSNP

Fedora is introducing support for AMD SEV-SNP, which enables Fedora virtualization hosts to launch confidential virtual machines.

This is to track adding support for this change in FCOS and ensuring that the OS can function as a guest operating system in environments utilizing AMD SEV-SNP.

This was discussed during the community meeting on 2024-07-24 (meeting log).

Guest owners will be able to prove that their OS is running in a Fedora host confidential virtual machine protected by AMD SEV-SNP, by performing a guest attestation.

  • We'll investigate what changes are needed to perform this "guest attestation" in order to support AMD SEV-SNP.
  • If this doesn't work "out-of-the-box" and changes are needed, we'll add a test for it.
  • Will these changes extend to RHCOS as well?
@HuijingHei

cosa issue coreos/coreos-assembler#3556

HuijingHei commented Sep 4, 2024

Confirm that we already support AMD SEV-SNP type confidential instances on GCP (See coreos/coreos-assembler#3547), so what we should do is to add tests.

For Azure, need to confirm.
Edit: see #1777 (comment)

travier commented Nov 20, 2024

Note that this is about running FCOS as a SEV-SNP host and so far, most of our testing in clouds has been about running FCOS as a SEV-SNP Guest. It's not clear to me if we can nest SEV-SNP or if we can get access to hardware to test that in clouds.
