Encrypted Memory

SEV leverages the same high-performance memory encryption engine featured in the SME technology described earlier. It also utilizes the C-bit in the page tables to indicate encrypted pages, albeit with some additional restrictions.

One of SEV's key features is granting guest VMs the capability to designate which data memory pages they want to keep private. This control is exercised through the standard CPU page tables, fully managed by the guest. Private memory is encrypted with a guest-specific key, while shared memory may be encrypted using the hypervisor key. This flexibility empowers VMs to mark specific memory pages as confidential (private), while others can be used for communication with other VMs or the hypervisor. In a common configuration, the guest typically designates all its code and data as private, except for specific shared pages it chooses to expose.

For enhanced security, SEV hardware enforces that certain memory types (including instruction pages and page tables) must always remain private to protect the VM.

An illustrative example of communication configuration is presented in figure above. In this scenario, the SEV-enabled guest and the hypervisor communicate through memory marked as shared by both entities. However, all other guest memory is encrypted with the guest's key, which the hypervisor cannot utilize directly. Any memory not used by the hypervisor for direct guest communication is encrypted using the SME feature, as detailed earlier. This setup ensures a secure and controlled communication environment between the guest VM and the hypervisor.