It looks like AMD-SEV is completely broken: https://arxiv.org/pdf/2108.04575.pdf, also posted here: Long term R&D: TEE enhanced IC (proposal) - #10 by lastmjs
Hello, sorry for the late reply. We have been focusing on bringing SEV-SNP enabled nodes on the BTC subnet. Here is the current plan and status:
- Complete SEV-SNP design - ongoing
- Move ahead with qualifying more Gen-2 hardware - ongoing
- Bring Gen-2 hardware to the IC (and BTC subnet in particular)
- Enable SEV-SNP for BTC subnet nodes.
We will keep the forum updated with the progress.
Will this be the first subnet that has SEV-SNP enabled nodes? Will other subnets soon enable this feature? Exciting stuff!
What is the latest update for SEV-SNP?
We are currently actively working on this!
We are working on (1) rolling out SEV-SNP hardware and (2) developing software to support a SEV-SNP GuestOS.
SEV-SNP is a hardware-based security feature, which means we must test and onboard SEV-SNP enabled nodes. We have just begun onboarding new node providers with SEV-SNP enabled nodes (what we’re calling “gen2 node machines”). However, these machines are not yet running GuestOS VMs in SEV-SNP mode, as there is much work that must be done first.
Enabling GuestOS to run with SEV-SNP support is not trivial, as:
- This is still a new technology and is being actively developed.
- The gen2 SEV machines must interoperate with the gen1 non-SEV machines.
- When a node enters a subnet and begins communicating with peers, we must perform mutual attestation between each node in the subnet to the joining node to establish trust.
- The GuestOS upgrade process becomes more complicated. Now, in order to upgrade the GuestOS, an additional SEV-SNP enabled VM must be spun up and go through an attestation process before data can be transferred from the old VM to the new VM.
We are likely still a few months away from the first SEV-SNP enabled GuestOS running in production, but we will give more updates as we get closer!
Thanks for the update! Good luck with all of this work