AMD Secure Encrypted Virtualization (SEV) is a security feature introduced by AMD for their server processors. SEV aims to enhance the security and isolation of virtual machines (VMs) running on AMD-based platforms by encrypting the memory of each VM. It provides hardware-level memory encryption and protection, ensuring that the data within a VM remains confidential even if the host or hypervisor is compromised.
SEV availability for AMD CPU:
Technology
Minimum supported CPU
AMD SEV
EPYC1 (Neaples)
AMD SEV-ES
EPYC2 (Rome)
AMD SEV-SNP
EPYC3 (Milan)
Key features and concepts of AMD SEV-SNP include:
Encrypted Memory
SEV-SNP encrypts the memory contents of each virtual machine, isolating it from the hypervisor and other VMs running on the same physical server. This encryption is done using a unique encryption key per VM, generated by the AMD Secure Processor (ASP).
Secure Processor (ASP)
AMD's processors equipped with SEV-SNP include an additional on-chip component called the Secure Processor. It handles the encryption and decryption of memory contents, as well as the management of encryption keys. The Secure Processor operates independently of the hypervisor, providing an extra layer of security.
Launch Control
SEV-SNP incorporates a feature called Launch Control, which ensures the integrity of the hypervisor at VM startup. It verifies the hypervisor's digital signature, preventing the execution of tampered or malicious hypervisors.
Protected Memory Encryption (PME)
SEV-SNP includes an additional feature called Protected Memory Encryption. PME extends the memory encryption capability to the hypervisor itself, protecting its sensitive data from unauthorized access. It allows the hypervisor to create secure regions of memory that can only be accessed by the hypervisor itself and not by guest VMs.
Platform Level Encryption (PLE)
SEV-SNP also supports Platform Level Encryption, which enables encryption of the entire platform's memory. This feature adds an additional layer of security to protect against attacks targeting memory bus snooping.
By incorporating AMD SEV-SNP into their virtualized environments, organizations can achieve improved security and isolation for their virtual machines. SEV-SNP helps protect sensitive data and prevent unauthorized access, even if the underlying host infrastructure or hypervisor is compromised. It provides an added level of confidence for cloud service providers and organizations running virtualized workloads, particularly in scenarios where multiple VMs share the same physical server.