AMD SEV

AMD Secure Encrypted Virtualization (SEV) is a hardware-based confidential computing technology developed by AMD Corporation that encrypts virtual machines in memory

AMD Secure Encrypted Virtualization technology provides confidentriality of Virtual Machine during runtime, and - EPYC3 or newer - integrity of the running workload against the hypervisor.

Prerequisites

Before enabling SEV, ensure he following requirements are met.

CPU Support

Feature

Minimum EPYC Generation

SEV

EPYC 7001 (Naples)

SEV-ES

EPYC 7002 (Rome)

SEV-SNP

EPYC 7003 (Milan)

SEV-SNP + TIO

EPYC 7004 (Genua)

Check your CPU

lscpu

BIOS Version

Update to the latest BIOS firmware
Update PSP firmware
Reset BIOS to defaults after update (recommended)

SEV-SNP especially requires modern firmware.

Step-by-Step: Enable SEV in BIOS

BIOS menus differ slightly by vendor

Step 1 — Enter BIOS

Reboot the server
Press one of the following during boot
- DEL
- F2
- F10
- ESC

(depending on vendor)

Step 2 — Enable SVM Mode

Navigate to

Advanced
  → CPU Configuration
      → SVM Mode

Set

SVM Mode → Enabled

SVM (Secure Virtual Machine) must be enabled before SEV can be used.

Step 3 — Enable SEV

Navigate to

Advanced
  → CPU Configuration
      → SEV

Set

SEV → Enabled

Step 4 — Enable SEV-ES (EPYC2)

SEV-ES encrypts CPU register state.

If available

SEV-ES → Enabled

Step 5 — Enable SEV-SNP (EPYC3+)

SEV-SNP protects a virtual machine not only by encrypting its memory, but also by ensuring memory integrity and ownership validation.

If supported

SEV-SNP → Enabled

Sometimes called

Secure Nested Paging
SNP
SEV Secure Nested Paging
Memory Encryption → SNP

Additional Required BIOS Settings

Some systems require the following to be enabled

IOMMU → Enabled
Memory Encryption → Enabled
Above 4G Decoding → Enabled
Secure Boot → Enabled (recommended for SNP)

Verify SEV in Linux

After booting into Linux, check

dmesg | grep -i sev

Expected output

SEV supported
SEV-ES supported
SEV-SNP supported

Also verify

ls /dev/sev

And

cat /sys/module/kvm_amd/parameters/sev

If output is

SEV is enabled in KVM.

Troubleshooting

Problem

Possible Cause

Solution

SEV not visible

Old BIOS

Update BIOS

SEV-ES missing

CPU too old

Check EPYC generation

SEV-SNP missing

PSP firmware outdated

Update firmware

VM fails to start

IOMMU disabled

Enable IOMMU

PreviousBIOS enablement NextIntel TDX

Last updated 4 days ago

Was this helpful?

hashtagPrerequisites

hashtagCPU Support

hashtagBIOS Version

hashtagStep-by-Step: Enable SEV in BIOS

hashtagStep 1 — Enter BIOS

hashtagStep 2 — Enable SVM Mode

hashtagStep 3 — Enable SEV

hashtagStep 4 — Enable SEV-ES (EPYC2)

hashtagStep 5 — Enable SEV-SNP (EPYC3+)

hashtagAdditional Required BIOS Settings

hashtagVerify SEV in Linux

hashtagTroubleshooting

Prerequisites

CPU Support

BIOS Version

Step-by-Step: Enable SEV in BIOS

Step 1 — Enter BIOS

Step 2 — Enable SVM Mode

Step 3 — Enable SEV

Step 4 — Enable SEV-ES (EPYC2)

Step 5 — Enable SEV-SNP (EPYC3+)

Additional Required BIOS Settings

Verify SEV in Linux

Troubleshooting