I noticed that recently (November 2022, rev 1.54) the SEV-SNP Firmware ABI Spec doc was updated to include references to VLEK, which seems to be a replacement for the VCEK that has a parent key which resides with AMD. In fact, they even added a VCEK_DIS/VcekDis flag to completely disable VCEK.
See section 3.6 of the updated ABI Spec doc.
I'm wondering whether (depending on implementation) this is a sufficient mitigation against the arbitrary remote attestation, as long as the verifier knows to use the VLEK cert instead of the VCEK cert.
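As an added illustration (not part of the original post, and not code from AMD or any upstream attestation tool), here is a Go sketch of the verifier-side decision the question turns on: read the report's own SIGNING_KEY field to pick the VCEK or VLEK trust anchor, enforce a "VCEK disabled" policy, and only then verify the signature. Offsets follow the rev 1.54 report layout (SIGNING_KEY in bits 2:4 of the 32-bit word at 0x48, ECDSA P-384/SHA-384 signature at 0x2A0 with R and S as 72-byte little-endian values, signed region 0x0..0x29F). Assumptions: X.509 chain validation (ARK -> ASK -> VCEK, ARK -> ASVK -> VLEK) happens elsewhere and only the validated leaf public keys are passed in as `Endpoints`; `Policy.RequireVLEK` is a hypothetical verifier setting standing in for a platform provisioned with VCEK_DIS; the report is a constructed fixture signed with freshly generated keys, not real firmware output.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"encoding/binary"
	"fmt"
	"math/big"
)

// Report layout per the SEV-SNP ABI spec rev 1.54 (attestation report and ECDSA signature tables).
const (
	reportLen     = 0x4A0 // full report, signature included
	offSigAlgo    = 0x34  // SIGNATURE_ALGO: 1 = ECDSA P-384 with SHA-384
	offKeyInfo    = 0x48  // bit 0 AUTHOR_KEY_EN, bit 1 MASK_CHIP_KEY, bits 2:4 SIGNING_KEY
	offReportData = 0x50  // 64 bytes of guest-supplied data (the verifier's nonce)
	offSignature  = 0x2A0 // 512-byte SIGNATURE; bytes [0, 0x2A0) are what is signed
	sigAlgoP384   = 1
	sigCompLen    = 72 // R and S are each 72 bytes, little-endian, zero-padded
)

type SigningKey uint32 // SIGNING_KEY field: 0 = VCEK, 1 = VLEK, 7 = none

const (
	SigningKeyVCEK SigningKey = 0
	SigningKeyVLEK SigningKey = 1
)

// Endpoints stands in for the already-validated leaf of each chain (ARK -> ASK -> VCEK,
// ARK -> ASVK -> VLEK); X.509 validation is assumed done elsewhere. nil = no trusted cert.
type Endpoints struct{ VCEK, VLEK *ecdsa.PublicKey }
// Policy is a hypothetical verifier-side counterpart of VCEK_DIS: reject VCEK-signed reports.
type Policy struct{ RequireVLEK bool }

// SigningKeyOf decodes bits 2:4 of the key-info word at offset 0x48.
func SigningKeyOf(report []byte) (SigningKey, error) {
	if len(report) != reportLen {
		return 0, fmt.Errorf("report is %d bytes, want %d", len(report), reportLen)
	}
	return SigningKey((binary.LittleEndian.Uint32(report[offKeyInfo:]) >> 2) & 0x7), nil
}

// VerifyReport selects the trust anchor from the report's own SIGNING_KEY field, applies
// the policy, then checks the ECDSA P-384/SHA-384 signature over the signed region.
func VerifyReport(report []byte, ep Endpoints, pol Policy) error {
	sk, err := SigningKeyOf(report)
	if err != nil {
		return err
	}
	if sk == SigningKeyVCEK && pol.RequireVLEK {
		return fmt.Errorf("report signed with VCEK but policy requires VLEK")
	}
	pub := map[SigningKey]*ecdsa.PublicKey{SigningKeyVCEK: ep.VCEK, SigningKeyVLEK: ep.VLEK}[sk]
	if pub == nil {
		return fmt.Errorf("no trusted certificate for SIGNING_KEY value %d", sk)
	}
	if binary.LittleEndian.Uint32(report[offSigAlgo:]) != sigAlgoP384 {
		return fmt.Errorf("unexpected SIGNATURE_ALGO")
	}
	sig, digest := report[offSignature:], sha512.Sum384(report[:offSignature])
	if !ecdsa.Verify(pub, digest[:], leToBig(sig[:sigCompLen]), leToBig(sig[sigCompLen:2*sigCompLen])) {
		return fmt.Errorf("signature does not verify under the selected key")
	}
	return nil
}

// BuildSignedReport is a constructed fixture, not firmware output: it fills SIGNATURE_ALGO,
// the SIGNING_KEY bits and REPORT_DATA (first 64 bytes of nonce), then signs with priv.
func BuildSignedReport(priv *ecdsa.PrivateKey, sk SigningKey, nonce []byte) ([]byte, error) {
	rep := make([]byte, reportLen)
	binary.LittleEndian.PutUint32(rep[offSigAlgo:], sigAlgoP384)
	binary.LittleEndian.PutUint32(rep[offKeyInfo:], uint32(sk)<<2)
	copy(rep[offReportData:offReportData+64], nonce)
	digest := sha512.Sum384(rep[:offSignature])
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	copy(rep[offSignature:], bigToLE(r))
	copy(rep[offSignature+sigCompLen:], bigToLE(s))
	return rep, nil
}

// bigToLE and leToBig convert between big.Int and the 72-byte little-endian wire form.
func bigToLE(x *big.Int) []byte { return reverse(x.FillBytes(make([]byte, sigCompLen))) }
func leToBig(le []byte) *big.Int { return new(big.Int).SetBytes(reverse(append([]byte(nil), le...))) }
func reverse(b []byte) []byte {
	for i, j := 0, len(b)-1; i < j; i, j = i+1, j-1 {
		b[i], b[j] = b[j], b[i]
	}
	return b
}

func main() {
	vlek, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader) // constructed stand-in for a VLEK
	rep, _ := BuildSignedReport(vlek, SigningKeyVLEK, []byte("verifier nonce"))
	fmt.Println("VLEK-signed report, VCEK disabled:", VerifyReport(rep, Endpoints{VLEK: &vlek.PublicKey}, Policy{RequireVLEK: true}))
}
```

Two points the sketch is meant to make concrete. First, the SIGNING_KEY field is only a routing hint until the signature verifies under the key it names: a report that claims VLEK but was signed by a VCEK fails verification rather than being silently checked against the VCEK chain. Second, VCEK_DIS on the platform is only useful if the verifier also refuses VCEK-signed reports (`RequireVLEK` here); otherwise a report from some other, VCEK-enabled machine with a valid ARK -> ASK -> VCEK chain would still pass.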