Remote OpenClaw
Menu

OpenClaw · Skill

AMD

AMD SEV-SNP remote attestation for cryptographic VM identity verification.

Coding Agents & IDEs
v1.0.2
VirusTotal: Benign

Install

Start with the primary install command. Alternate entrypoints are included below for ClawHub and OpenClaw CLI users.

Primary command

clawhub install xinyuwang/sev-attestation

ClawHub installer

npx clawhub@latest install xinyuwang/sev-attestation

OpenClaw CLI

openclaw skills install xinyuwang/sev-attestation

Direct OpenClaw install

openclaw install xinyuwang/sev-attestation
View source

What this skill does

AMD SEV-SNP remote attestation for cryptographic VM identity verification.

Why it matters

Automates the full 6-step AMD SEV-SNP attestation workflow with individually runnable scripts, removing the need to manually chain openssl commands and AMD KDS API calls.

Typical use cases

  • Verifying a confidential VM before sharing secrets with it
  • Proving a VM runs in a genuine AMD SEV-SNP environment for compliance audits
  • Debugging attestation failures in confidential computing deployments
  • Automating pre-deployment integrity checks on SEV-SNP VMs
  • Validating AMD certificate chains before trusting remote workloads

Source instructions

sev-attestation

AMD SEV-SNP remote attestation for cryptographic VM identity verification.

Description

Perform AMD SEV-SNP (Secure Encrypted Virtualization - Secure Nested Paging) remote attestation to cryptographically verify VM identity and integrity. Use this skill when:

  • Proving a VM is running in a genuine AMD SEV-SNP confidential computing environment
  • Verifying the integrity of a confidential VM before trusting it with secrets
  • Checking if SEV-SNP is available and properly configured
  • Generating attestation reports for remote verification
  • Validating AMD certificate chains (ARK → ASK → VCEK)
  • Debugging attestation failures or certificate issues

Keywords: SEV-SNP, attestation, confidential computing, AMD, VCEK, certificate chain, remote attestation, VM identity, TCB, measurement

Workflow

┌─────────────────────────────────────────────────────────────────┐
│                    SEV-SNP Attestation Flow                      │
└─────────────────────────────────────────────────────────────────┘
                              │
                              ▼
                    ┌─────────────────┐
                    │  1. Detection    │
                    │  Is SEV-SNP      │
                    │  available?      │
                    └────────┬────────┘
                             │
              ┌──────────────┴──────────────┐
              │                             │
              ▼                             ▼
        ┌─────────┐                   ┌─────────┐
        │   YES   │                   │   NO    │
        └────┬────┘                   └────┬────┘
             │                              │
             ▼                              ▼
    ┌─────────────────┐             ┌─────────────────┐
    │ 2. Generate     │             │ Exit with       │
    │    Report       │             │ helpful error   │
    └────────┬────────┘             └─────────────────┘
             │
             ▼
    ┌─────────────────┐
    │ 3. Display      │
    │    Report Info  │
    └────────┬────────┘
             │
             ▼
    ┌─────────────────┐
    │ 4. Fetch AMD    │
    │    Certificates │
    │ (ARK, ASK, VCEK)│
    └────────┬────────┘
             │
             ▼
    ┌─────────────────┐
    │ 5. Verify       │
    │    Cert Chain   │
    └────────┬────────┘
             │
             ▼
    ┌─────────────────┐
    │ 6. Verify       │
    │    Report Sig   │
    └────────┬────────┘
             │
             ▼
    ┌─────────────────┐
    │   PASSED or     │
    │   FAILED        │
    └─────────────────┘

Quick Start

Check if SEV-SNP is Available

./scripts/detect-sev-snp.sh

Run Full Attestation

./scripts/full-attestation.sh [output_dir]

This runs the complete 6-step attestation workflow and outputs PASSED or FAILED.

Individual Steps

Each step can be run independently for debugging or custom workflows:

ScriptPurpose
scripts/detect-sev-snp.shCheck SEV-SNP availability
scripts/generate-report.sh <output_dir>Generate attestation report with nonce
scripts/fetch-certificates.sh <report_file> <output_dir>Fetch AMD certificates from KDS
scripts/verify-chain.sh <certs_dir>Verify certificate chain
scripts/verify-report.sh <report_file> <certs_dir>Verify report signature

Prerequisites

  • snpguest: Rust CLI from virtee/snpguest
  • openssl: For certificate operations
  • curl: For fetching certificates from AMD KDS
  • Root access: Required to access /dev/sev-guest

Install snpguest:

cargo install snpguest

Reference Documentation

Technical Details

  • AMD KDS URL: https://kdsintf.amd.com
  • Certificate Chain: ARK (self-signed) → ASK → VCEK
  • Report Signature: ECDSA P-384
  • Device: /dev/sev-guest (requires root or sev group membership)

Related OpenClaw skills

Browse all →

OpenClaw Skill

GnamiBlast

2K1

OpenClaw Skill

BidClub

1.9K2

OpenClaw Skill

Clawder

1.8K

OpenClaw Skill

Strykr PRISM

1.8K1
Featured slot

Your product here

Reserve this slot to reach operators and coding-agent buyers.

Shown where builders are actively comparing tools and deployment options.

Advertise