# Architecture

<img src="/files/6n0EdfC2jvIdpDUe69Xg" alt="SEV Architecture" class="gitbook-drawing">

SEV, an extension to the AMD-V architecture, supports the execution of multiple virtual machines (VMs) under the control of a hypervisor. When SEV is enabled, the hardware tags all code and data with the ASID of the VM it belongs to, identifying the VM that produced the data or is meant to consume it. This tag stays attached to the data within the SOC at all times, so that only the owning VM can access it.

Inside the SOC, the tag alone protects VM data. Data outside the SOC is protected by 128-bit AES encryption instead: whenever data leaves or enters the SOC, the hardware encrypts or decrypts it with the encryption key that belongs to the data's tag.

Each VM and the hypervisor has its own tag and its own encryption key. Together with memory encryption, this restricts access to a piece of data to the VM whose tag it carries. If any other party, including the hypervisor, attempts to access the data, it sees only the encrypted form. This encryption-based isolation gives strong cryptographic separation between VMs, and between each VM and the hypervisor, strengthening the security of the whole system.
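The following is an added toy model of the tag-and-key scheme described above; it is not AMD code and not part of this documentation. It models the SOC as an object that holds one key per ASID, tags data while it is inside the SOC, and encrypts it under the owner's key when it is written out to DRAM. A reader is always decrypted with the key of its own ASID, so a different VM, or the hypervisor (modelled here as ASID 0, an assumption), recovers only garbage. Real SEV uses AES-128 in hardware; this model substitutes a SHA-256-based keystream so that it runs with the standard library only, and uses the physical address as the per-location nonce, which is also a modelling assumption.

```python
"""Toy model of SEV-style tag-based memory isolation.

Constructed illustration, not AMD's implementation: the cipher is a
SHA-256 counter-mode keystream standing in for hardware AES-128, and the
hypervisor is modelled as ASID 0. Only the structure of the scheme
(tag inside the SOC, per-ASID key at the SOC boundary) follows the text.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

HYPERVISOR_ASID = 0  # assumption: model the hypervisor as ASID 0


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for AES-128: HMAC-SHA256 in counter mode over the nonce."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class TaggedLine:
    """Data as it exists inside the SOC: plaintext plus the owner's ASID tag."""
    asid: int
    data: bytes


class SoC:
    def __init__(self) -> None:
        self.keys: dict[int, bytes] = {}   # ASID -> 128-bit key, never leaves the SOC
        self.dram: dict[int, bytes] = {}   # physical address -> ciphertext (outside the SOC)

    def create_context(self, asid: int) -> None:
        """Hardware generates a fresh key for a new VM (or the hypervisor)."""
        self.keys[asid] = os.urandom(16)

    def write(self, line: TaggedLine, addr: int) -> None:
        """Data leaving the SOC is encrypted under the key of its tag."""
        nonce = addr.to_bytes(8, "big")  # assumption: address as per-location nonce
        ks = keystream(self.keys[line.asid], nonce, len(line.data))
        self.dram[addr] = xor(line.data, ks)

    def read(self, asid: int, addr: int, length: int) -> TaggedLine:
        """Data entering the SOC is decrypted with the *reader's* key.

        This is the point of the scheme: the hardware does not look up the
        original owner, so a reader with the wrong ASID gets garbage.
        """
        nonce = addr.to_bytes(8, "big")
        ks = keystream(self.keys[asid], nonce, length)
        return TaggedLine(asid=asid, data=xor(self.dram[addr], ks))


def demo() -> dict:
    """Run the scenario from the text: two VMs plus the hypervisor share DRAM."""
    soc = SoC()
    for asid in (HYPERVISOR_ASID, 1, 2):
        soc.create_context(asid)

    secret = b"guest-1 private key material"  # constructed sample data
    addr = 0x1000
    soc.write(TaggedLine(asid=1, data=secret), addr)

    return {
        "owner_sees": soc.read(1, addr, len(secret)).data,
        "other_vm_sees": soc.read(2, addr, len(secret)).data,
        "hypervisor_sees": soc.read(HYPERVISOR_ASID, addr, len(secret)).data,
        "raw_dram": soc.dram[addr],
        "secret": secret,
    }


if __name__ == "__main__":
    r = demo()
    print("owner      :", r["owner_sees"])
    print("other VM   :", r["other_vm_sees"].hex())
    print("hypervisor :", r["hypervisor_sees"].hex())
    print("raw DRAM   :", r["raw_dram"].hex())
```

Running the script shows the owning VM reading its plaintext back while VM 2, the hypervisor, and a direct look at DRAM each yield different unintelligible bytes. The design choice worth noticing is in `read`: decryption is keyed by the accessor, not by the data's owner, which is what turns the tag into an access control rather than a lookup.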
