
by xinyuwang

sev-attestation – OpenClaw Skill

sev-attestation is an OpenClaw Skills integration for coding workflows. Perform AMD SEV-SNP remote attestation to cryptographically verify VM identity and integrity. Use when proving a VM is running in a genuine AMD SEV-SNP confidential computing environment, verifying VM integrity before trusting it with secrets, checking SEV-SNP availability, generating attestation reports, validating AMD certificate chains (ARK/ASK/VCEK), or debugging attestation failures.

6.6k stars | 9.4k forks | Security L1
Updated Feb 7, 2026 | Created Feb 7, 2026 | coding

Skill Snapshot

name: sev-attestation
description: Perform AMD SEV-SNP remote attestation to cryptographically verify VM identity and integrity. Use when proving a VM is running in a genuine AMD SEV-SNP confidential computing environment, verifying VM integrity before trusting it with secrets, checking SEV-SNP availability, generating attestation reports, validating AMD certificate chains (ARK/ASK/VCEK), or debugging attestation failures. OpenClaw Skills integration.
owner: xinyuwang
repository: xinyuwang/sev-attestation
language: Markdown
license: MIT
topics:
security: L1
install: openclaw add @xinyuwang/sev-attestation
last updated: Feb 7, 2026

Maintainer

xinyuwang

Maintains sev-attestation in the OpenClaw Skills directory.

File Explorer (14 files)

references/
  error-codes.md (6.2 KB)
  manual-verification.md (7.3 KB)
  report-fields.md (5.1 KB)
scripts/
  detect-sev-snp.sh (1.9 KB)
  fetch-certificates.sh (5.1 KB)
  full-attestation.sh (9.3 KB)
  generate-report.sh (3.1 KB)
  verify-chain.sh (3.8 KB)
  verify-report.sh (5.8 KB)
_meta.json (285 B)
README.md (844 B)
SKILL.md (5.7 KB)

SKILL.md

name: sev-attestation
description: Perform AMD SEV-SNP remote attestation to cryptographically verify VM identity and integrity. Use when proving a VM is running in a genuine AMD SEV-SNP confidential computing environment, verifying VM integrity before trusting it with secrets, checking SEV-SNP availability, generating attestation reports, validating AMD certificate chains (ARK/ASK/VCEK), or debugging attestation failures.

sev-attestation

AMD SEV-SNP remote attestation for cryptographic VM identity verification.

Description

Perform AMD SEV-SNP (Secure Encrypted Virtualization - Secure Nested Paging) remote attestation to cryptographically verify VM identity and integrity. Use this skill when:

  • Proving a VM is running in a genuine AMD SEV-SNP confidential computing environment
  • Verifying the integrity of a confidential VM before trusting it with secrets
  • Checking if SEV-SNP is available and properly configured
  • Generating attestation reports for remote verification
  • Validating AMD certificate chains (ARK → ASK → VCEK)
  • Debugging attestation failures or certificate issues

Keywords: SEV-SNP, attestation, confidential computing, AMD, VCEK, certificate chain, remote attestation, VM identity, TCB, measurement

Workflow

┌─────────────────────────────────────────────────────────────────┐
│                    SEV-SNP Attestation Flow                      │
└─────────────────────────────────────────────────────────────────┘
                              │
                              ▼
                    ┌─────────────────┐
                    │  1. Detection    │
                    │  Is SEV-SNP      │
                    │  available?      │
                    └────────┬────────┘
                             │
              ┌──────────────┴──────────────┐
              │                             │
              ▼                             ▼
        ┌─────────┐                   ┌─────────┐
        │   YES   │                   │   NO    │
        └────┬────┘                   └────┬────┘
             │                              │
             ▼                              ▼
    ┌─────────────────┐             ┌─────────────────┐
    │ 2. Generate     │             │ Exit with       │
    │    Report       │             │ helpful error   │
    └────────┬────────┘             └─────────────────┘
             │
             ▼
    ┌─────────────────┐
    │ 3. Display      │
    │    Report Info  │
    └────────┬────────┘
             │
             ▼
    ┌─────────────────┐
    │ 4. Fetch AMD    │
    │    Certificates │
    │ (ARK, ASK, VCEK)│
    └────────┬────────┘
             │
             ▼
    ┌─────────────────┐
    │ 5. Verify       │
    │    Cert Chain   │
    └────────┬────────┘
             │
             ▼
    ┌─────────────────┐
    │ 6. Verify       │
    │    Report Sig   │
    └────────┬────────┘
             │
             ▼
    ┌─────────────────┐
    │   PASSED or     │
    │   FAILED        │
    └─────────────────┘

Quick Start

Check if SEV-SNP is Available

./scripts/detect-sev-snp.sh

Run Full Attestation

./scripts/full-attestation.sh [output_dir]

This runs the complete 6-step attestation workflow and outputs PASSED or FAILED.

Individual Steps

Each step can be run independently for debugging or custom workflows:

| Script | Purpose |
| --- | --- |
| scripts/detect-sev-snp.sh | Check SEV-SNP availability |
| scripts/generate-report.sh <output_dir> | Generate attestation report with nonce |
| scripts/fetch-certificates.sh <report_file> <output_dir> | Fetch AMD certificates from KDS |
| scripts/verify-chain.sh <certs_dir> | Verify certificate chain |
| scripts/verify-report.sh <report_file> <certs_dir> | Verify report signature |

Prerequisites

  • snpguest: Rust CLI from virtee/snpguest
  • openssl: For certificate operations
  • curl: For fetching certificates from AMD KDS
  • Root access: Required to access /dev/sev-guest

Install snpguest:

cargo install snpguest

Reference Documentation

Technical Details

  • AMD KDS URL: https://kdsintf.amd.com
  • Certificate Chain: ARK (self-signed) → ASK → VCEK
  • Report Signature: ECDSA P-384
  • Device: /dev/sev-guest (requires root or sev group membership)
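
The following is an added example, not code from the skill's scripts: it shows how a VCEK request to AMD KDS is tied to the chip ID and reported TCB inside the report, and how a relying party confirms that the report carries the nonce it issued. It assumes a raw 1184-byte report, the field offsets and Milan/Genoa TCB byte order from AMD's SEV-SNP ABI specification, and `Milan` as the default product name; all function names are hypothetical.

```bash
#!/bin/sh
# Added example (not the skill's code): derive the KDS VCEK URL from a raw
# SEV-SNP report and check that the report echoes the verifier's nonce.
# Offsets: AMD SEV-SNP ABI report layout, Milan/Genoa TCB encoding (assumed).
# Usage: . ./this-file.sh; kds_vcek_url report.bin Milan
KDS_BASE="https://kdsintf.amd.com"

# report_hex FILE OFFSET LEN -> lowercase hex of LEN bytes at OFFSET
report_hex() { od -An -v -tx1 -j "$2" -N "$3" "$1" | tr -d ' \n'; }

# report_byte FILE OFFSET -> decimal value of the byte at OFFSET
report_byte() { od -An -v -tu1 -j "$2" -N 1 "$1" | tr -d ' \n'; }

# kds_vcek_url FILE [PRODUCT] -> VCEK URL for this chip at the reported TCB
kds_vcek_url() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -eq 1184 ] || { echo "unexpected report size: $size" >&2; return 1; }
    chip_id=$(report_hex "$1" 416 64)   # CHIP_ID, offset 0x1A0
    bl=$(report_byte "$1" 384)          # REPORTED_TCB (0x180) byte 0: bootloader
    tee=$(report_byte "$1" 385)         # byte 1: TEE
    snp=$(report_byte "$1" 390)         # byte 6: SNP firmware
    ucode=$(report_byte "$1" 391)       # byte 7: microcode
    printf '%s/vcek/v1/%s/%s?blSPL=%02d&teeSPL=%02d&snpSPL=%02d&ucodeSPL=%02d\n' \
        "$KDS_BASE" "${2:-Milan}" "$chip_id" "$bl" "$tee" "$snp" "$ucode"
}

# nonce_matches FILE NONCE_HEX -> 0 only if REPORT_DATA (0x50, 64 bytes) == nonce
nonce_matches() {
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "${#want}" -eq 128 ] && [ "$(report_hex "$1" 80 64)" = "$want" ]
}

# fill COUNT OCTAL -> COUNT copies of one byte (helper for the sample below)
fill() { head -c "$1" /dev/zero | LC_ALL=C tr '\000' "\\$2"; }

# make_sample_report FILE -> constructed 1184-byte report, NOT real hardware output
make_sample_report() {
    head -c 1184 /dev/zero > "$1"
    fill 64 252 | dd of="$1" bs=1 seek=80 conv=notrunc 2>/dev/null   # nonce aa..
    printf '\003\000\000\000\000\000\010\163' |
        dd of="$1" bs=1 seek=384 conv=notrunc 2>/dev/null            # TCB 3/0/8/115
    fill 64 305 | dd of="$1" bs=1 seek=416 conv=notrunc 2>/dev/null  # chip id c5..
}
```

A matching nonce and a valid signature establish freshness and genuine hardware only; the relying party still has to compare the report's measurement against the value it expects for the VM image.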
README.md

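SEV-SNP Remote Attestation Tool

AMD SEV-SNP remote attestation for verifying virtual machine identity and integrity.

Quick Start

# Check whether SEV-SNP is available
./scripts/detect-sev-snp.sh

# Run the full attestation workflow
./scripts/full-attestation.sh ./output

Scripts

| Script | Function |
| --- | --- |
| detect-sev-snp.sh | Check SEV-SNP availability |
| generate-report.sh | Generate the attestation report |
| fetch-certificates.sh | Fetch certificates from AMD |
| verify-chain.sh | Verify the certificate chain |
| verify-report.sh | Verify the report signature |
| full-attestation.sh | Full attestation workflow |

Dependencies

  • snpguest (cargo install snpguest)
  • openssl
  • curl
  • root privileges

Reference Documentation

  • references/report-fields.md - Report field descriptions
  • references/error-codes.md - Error troubleshooting
  • references/manual-verification.md - Manual verification methods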

Permissions & Security

Security level L1: Low-risk skills with minimal permissions. Review inputs and outputs before running in production.

Requirements

  • snpguest: Rust CLI from virtee/snpguest (https://github.com/virtee/snpguest)
  • openssl: For certificate operations
  • curl: For fetching certificates from AMD KDS
  • Root access: Required to access /dev/sev-guest

Install snpguest:

cargo install snpguest

FAQ

How do I install sev-attestation?

Run openclaw add @xinyuwang/sev-attestation in your terminal. This installs sev-attestation into your OpenClaw Skills catalog.

Does this skill run locally or in the cloud?

OpenClaw Skills execute locally by default. Review the SKILL.md and permissions before running any skill.

Where can I verify the source code?

The source repository is available at https://github.com/openclaw/skills/tree/main/skills/xinyuwang/sev-attestation. Review commits and README documentation before installing.