Threat Model

SEV-SNP, similar to its predecessors SEV and SEV-ES, treats the AMD System-On-Chip (SOC) hardware, AMD Secure Processor (AMD-SP), and the Virtual Machine (VM) as fully trusted entities. The responsibility of safeguarding the VM and its interfaces lies with the VM itself, following standard best practices for protecting I/O data, such as network traffic and hard disk data. AMD strongly recommends using Full Disk Encryption (FDE) to protect VMs since SEV technologies only protect data in-use, while FDE safeguards data-at-rest.

Under SEV-SNP, all other CPU software components and PCI devices are considered fully untrusted, as depicted in figure below. This includes the BIOS on the host system, the hypervisor, device drivers, other VMs, etc. These components are assumed to be potentially malicious and may conspire to compromise the security of an SEV-SNP VM.

The SEV-SNP threat model goes beyond the scope of previous AMD SEV technologies, addressing additional attack vectors and potential threats to VM security. SEV and SEV-ES used a threat model of a "benign but vulnerable" hypervisor, implying that the hypervisor was not completely secure but was trusted to act with benign intent. SEV and SEV-ES technologies helped limit the exposure of certain hypervisor bugs or raise the difficulty of exploitation.

In contrast, SEV-SNP considers the hypervisor and other components as fully untrusted, aiming to protect against integrity attacks such as data replay, corruption, re-mapping, and aliasing-based attacks. Availability is also ensured, guaranteeing that the hypervisor retains control of the system and can regain control or terminate a guest VM at any time.

Confidentiality: In all current SEV technologies, confidentiality threats are addressed through hardware-based memory encryption. This ensures that an untrusted component, such as the hypervisor or a DMA-capable device, cannot directly access the plaintext data inside a VM. However, in cases where the VM explicitly allows untrusted access to a page, exceptions may apply. SEV-ES technology also adds confidentiality protection for the VM's register state by encrypting it when the VM returns to the hypervisor. This protection is maintained in SEV-SNP as well.

Integrity

SEV-SNP technology is specifically designed to safeguard against integrity attacks, including data replay, corruption, re-mapping, and aliasing-based attacks. The guarantee that a VM always perceives the most recent data it wrote implies that these attack vectors must be effectively prevented.

Availability

The virtualization platform's availability has two key aspects. First, it ensures that the hypervisor retains control of the system, and the guest VM cannot deny the hypervisor from running or disrupt the physical machine's functionality. All SEV technologies provide this level of availability and ensure that the hypervisor can regain control whenever required (e.g., via a physical timer interrupt) or terminate a guest VM without its consent. The second aspect of availability pertains to the guest VM's guarantees of availability, such as a minimum run-time. However, this is not considered part of the SEV technology threat models because a malicious hypervisor can choose not to run some or all of a guest VM.

Physical Access Attacks

While certain physical attacks, like DRAM cold boot attacks (analyzing DRAM chips offline), can be thwarted by these technologies, on-line DRAM integrity attacks, such as attacking the DDR bus while the VM is actively running, fall beyond the scope. These attacks are highly complex and require significant local access and resources to execute.

Miscellaneous

There are several other potential attack types against secure VMs, some of which are covered in this threat model. For instance, SEV-SNP incorporates features to prevent Trusted Computing Base (TCB) rollback attacks. This includes a cryptographic means to verify that the AMD-SP firmware and other trusted components in the system adhere to the VM's policy. Additionally, SEV-SNP optionally supports the ability to restrict the injection of interrupts and exceptions into a VM, and it can provide Branch Target Buffer (BTB) protection against specific types of side channel attacks. These protections are detailed later in this white paper.

There are certain types of attacks that are not specifically addressed by these features. Architectural side-channel attacks on CPU data structures are not prevented by hardware means, and code sensitive to such attacks should be written with preventive measures. Additionally, fingerprinting attack protection is not supported in the current generation of these technologies. SEV technologies focus primarily on safeguarding sensitive VM data contents, while protection against certain fingerprinting attacks may be considered in future iterations of SEV technologies.

Last updated 7 months ago