Vol. 1 · Ed. 2026
CyberGlossary
Entry № 050

AMD SEV / SEV-SNP

Reviewed by Cybersecurity entrepreneur & security researcher

What is AMD SEV / SEV-SNP?

AMD SEV / SEV-SNP: AMD EPYC technology that encrypts and integrity-protects each virtual machine's memory, isolating guests from a malicious or compromised hypervisor.


AMD Secure Encrypted Virtualization (SEV) encrypts the memory of each virtual machine with a per-VM AES key that is generated and held by the on-chip AMD Secure Processor and never exposed to the hypervisor. SEV-ES (Encrypted State) extends this by encrypting the guest's register state on VM exits, so the hypervisor cannot read or alter CPU registers when it regains control. SEV-SNP (Secure Nested Paging), introduced with EPYC 7003 "Milan", adds memory-integrity protection: a hardware-checked Reverse Map Table (RMP) records which guest owns each physical page and at which permission level, blocking the hypervisor remapping, replay and aliasing attacks that encryption alone does not stop. SEV-SNP also provides remote attestation: the Secure Processor signs a report containing the guest's launch measurement with a Versioned Chip Endorsement Key (VCEK) or Versioned Loaded Endorsement Key (VLEK) that chains to AMD's root keys. It underpins Azure Confidential VMs (DCasv5/ECasv5), Google Cloud Confidential VMs and SEV-SNP-enabled AWS EC2 instance types (a separate mechanism from AWS Nitro Enclaves), letting tenants run full Linux or Windows guests, with an SNP-aware guest kernel but no application changes, under cryptographic isolation from the cloud provider.

The threat model is deliberately strong (the hypervisor is assumed hostile), so research has probed its edges. CacheWarp (CVE-2023-20592), disclosed in 2023 by researchers from CISPA and TU Graz together with independent researcher Youheng Lu, is a software fault-injection attack: a malicious hypervisor uses the INVD instruction to discard a VM's not-yet-written-back cache lines, reverting the affected memory to a stale state and defeating the integrity that SEV-ES/SEV-SNP guests rely on, on first- to third-generation EPYC (Naples, Rome, Milan). BadRAM (CVE-2024-21944), disclosed in 2024, reprograms a DIMM's SPD chip with under $10 of hardware so that the memory controller sees aliased "ghost" addresses, giving the host a second path to pages that SEV-SNP's RMP believes it protects. AMD has issued microcode and firmware mitigations (for CacheWarp, microcode for third-generation EPYC; SEV and SEV-ES on earlier generations never claimed memory integrity). Defenders should keep the Secure Processor firmware and CPU microcode current, and relying parties should check the REPORTED_TCB version (bootloader, TEE, SNP firmware and microcode security version numbers) inside the signed attestation report against a minimum before trusting a guest: a report produced by a stale TCB is only as trustworthy as the stale firmware that produced it.

flowchart TB
  subgraph Untrusted
    HV[Hypervisor / Cloud admin]
  end
  subgraph EPYC SoC
    ASP[AMD Secure Processor]
    ME[Memory encryption engine + RMP]
  end
  G[Guest VM memory] -->|encrypted per-VM key| ME
  ASP -->|manages keys| ME
  HV -.->|cannot read plaintext| G
  ASP -->|signs measurement| ATT[Attestation report VCEK/VLEK]
  ATT -->|verify TCB & measurement| Tenant[Relying party]

For confidential computing the attestation step is essential: a guest must prove to the relying party that it booted the expected measurement on genuine, up-to-date AMD silicon before any secret (disk key, workload data) is released to it.
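
The check described in the two paragraphs above (verify the TCB version and the launch measurement before releasing a secret), as an added example that is not part of this glossary entry or of any AMD tool: a Python parser for the SEV-SNP ATTESTATION_REPORT structure, with field offsets taken from AMD's SEV-SNP firmware ABI specification (report version 2, TCB_VERSION layout as used on Milan/Genoa), and a relying-party policy that checks the REPORT_DATA nonce, the launch measurement, the guest policy bits and a REPORTED_TCB floor. The report bytes, the expected measurement, the nonce and the minimum TCB are all constructed for the example; the ECDSA P-384 signature check against the VCEK/VLEK certificate chain is a required prior step that this block does not perform.

```python
import hashlib
import hmac
import struct

REPORT_LEN = 0x4A0   # ATTESTATION_REPORT is 1184 bytes
SIGNED_LEN = 0x2A0   # bytes [0, 0x2A0) are covered by the VCEK/VLEK ECDSA-P384 signature
SIG_ALGO_ECDSA_P384_SHA384 = 1
POLICY_DEBUG = 1 << 19        # guest POLICY bit 19: debugging allowed
POLICY_MIGRATE_MA = 1 << 18   # guest POLICY bit 18: migration agent allowed


def unpack_tcb(v: int) -> dict:
    """TCB_VERSION (Milan/Genoa): byte 0 BOOT_LOADER, byte 1 TEE, byte 6 SNP fw, byte 7 MICROCODE."""
    return {"boot_loader": v & 0xFF, "tee": (v >> 8) & 0xFF,
            "snp": (v >> 48) & 0xFF, "microcode": (v >> 56) & 0xFF}


def pack_tcb(boot_loader: int, tee: int, snp: int, microcode: int) -> int:
    return boot_loader | (tee << 8) | (snp << 48) | (microcode << 56)


def parse_report(blob: bytes) -> dict:
    """Decode the fields a relying party needs from a raw ATTESTATION_REPORT."""
    if len(blob) != REPORT_LEN:
        raise ValueError(f"bad report length {len(blob)}, expected {REPORT_LEN}")
    version, guest_svn, policy = struct.unpack_from("<IIQ", blob, 0x000)
    vmpl, sig_algo, current_tcb = struct.unpack_from("<IIQ", blob, 0x030)
    (reported_tcb,) = struct.unpack_from("<Q", blob, 0x180)
    return {
        "version": version, "guest_svn": guest_svn, "policy": policy,
        "vmpl": vmpl, "signature_algo": sig_algo,
        "report_data": blob[0x050:0x090],   # 64 bytes chosen by the guest: the nonce
        "measurement": blob[0x090:0x0C0],   # 48-byte launch digest of the initial guest image
        "current_tcb": unpack_tcb(current_tcb),
        "reported_tcb": unpack_tcb(reported_tcb),   # the TCB the VCEK is derived for
        "signed_bytes": blob[:SIGNED_LEN],
        "signature": blob[SIGNED_LEN:],     # R (72 bytes LE) || S (72 bytes LE) || zero padding
    }


def evaluate(report: dict, expected_measurement: bytes, expected_report_data: bytes,
             min_tcb: dict) -> list:
    """Return the policy failures; an empty list means the secret may be released.
    Not performed here: verifying report['signature'] over report['signed_bytes'] with the
    VCEK/VLEK certificate for report['reported_tcb'], chained to AMD's ASK/ARK roots."""
    failures = []
    if report["version"] < 2:
        failures.append(f"unsupported report version {report['version']}")
    if report["signature_algo"] != SIG_ALGO_ECDSA_P384_SHA384:
        failures.append(f"unexpected signature algorithm {report['signature_algo']}")
    if report["vmpl"] != 0:
        failures.append(f"report requested from VMPL{report['vmpl']}, expected VMPL0")
    if report["policy"] & POLICY_DEBUG:
        failures.append("guest policy allows debugging")
    if report["policy"] & POLICY_MIGRATE_MA:
        failures.append("guest policy allows a migration agent")
    if not hmac.compare_digest(report["measurement"], expected_measurement):
        failures.append("launch measurement mismatch")
    if not hmac.compare_digest(report["report_data"], expected_report_data):
        failures.append("REPORT_DATA nonce mismatch (stale or replayed report)")
    if any(report["reported_tcb"][k] < v for k, v in min_tcb.items()):
        failures.append(f"reported TCB {report['reported_tcb']} is below minimum {min_tcb}")
    return failures


def build_report(measurement: bytes, report_data: bytes, policy: int,
                 reported_tcb: int, current_tcb: int) -> bytes:
    """Construct a report blob for this example; the signature field is left zeroed."""
    buf = bytearray(REPORT_LEN)
    struct.pack_into("<IIQ", buf, 0x000, 2, 1, policy)     # VERSION 2, GUEST_SVN 1
    struct.pack_into("<IIQ", buf, 0x030, 0, SIG_ALGO_ECDSA_P384_SHA384, current_tcb)
    buf[0x050:0x090] = report_data
    buf[0x090:0x0C0] = measurement
    struct.pack_into("<Q", buf, 0x180, reported_tcb)
    return bytes(buf)


# Constructed relying-party expectations (really: image build pipeline plus AMD's TCB guidance).
EXPECTED_MEASUREMENT = hashlib.sha384(b"example confidential-vm image").digest()
EXPECTED_REPORT_DATA = hashlib.sha512(b"relying-party nonce 0001").digest()
MIN_TCB = {"boot_loader": 3, "tee": 0, "snp": 8, "microcode": 200}   # illustrative floor only


def sample_good_report() -> bytes:
    tcb = pack_tcb(3, 0, 8, 209)
    return build_report(EXPECTED_MEASUREMENT, EXPECTED_REPORT_DATA, 0x30000, tcb, tcb)


def sample_stale_debug_report() -> bytes:
    # The hypervisor reports a lower TCB than is running and the guest was launched debuggable.
    return build_report(EXPECTED_MEASUREMENT, EXPECTED_REPORT_DATA, 0x30000 | POLICY_DEBUG,
                        pack_tcb(3, 0, 8, 150), pack_tcb(3, 0, 8, 209))


if __name__ == "__main__":
    for name, blob in (("good", sample_good_report()), ("stale+debug", sample_stale_debug_report())):
        verdict = evaluate(parse_report(blob), EXPECTED_MEASUREMENT, EXPECTED_REPORT_DATA, MIN_TCB)
        print(name, "->", "ACCEPT" if not verdict else "REJECT: " + "; ".join(verdict))
```

The floor is applied to REPORTED_TCB rather than CURRENT_TCB because the VCEK the report is signed with is derived for the reported value, so that is the version the signature actually vouches for; a hypervisor is allowed to report a lower TCB than it runs, and the relying party, not the host, decides whether that lower value is still acceptable. The nonce comparison is what turns a signed report into a fresh one: without it a host could replay an old report from before a downgrade.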

Examples

  1. Azure DCasv5/ECasv5 confidential VMs use AMD SEV-SNP.

  2. Confidential Kubernetes nodes verifying their attestation report before joining a cluster.

Frequently asked questions

What is AMD SEV / SEV-SNP?

AMD EPYC technology that encrypts and integrity-protects each virtual machine's memory, isolating guests from a malicious or compromised hypervisor. It belongs to the Cryptography category of cybersecurity.

What does AMD SEV / SEV-SNP mean?

AMD EPYC technology that encrypts and integrity-protects each virtual machine's memory, isolating guests from a malicious or compromised hypervisor.

How do you defend against attacks on AMD SEV / SEV-SNP?

Keep the AMD Secure Processor firmware and CPU microcode current (AMD's mitigations for CacheWarp and BadRAM ship that way), and have the relying party verify every attestation report before releasing secrets: validate the VCEK/VLEK signature chain, compare the launch measurement with the expected value, and reject reports whose reported TCB version is below your minimum.

What are other names for AMD SEV / SEV-SNP?

Common alternative names include: SEV, SEV-ES, SEV-SNP, Secure Encrypted Virtualization.

Related terms