AMD SEV / SEV-SNP
What is AMD SEV / SEV-SNP?
AMD EPYC technology that encrypts and integrity-protects each virtual machine's memory, isolating guests from a malicious or compromised hypervisor.
AMD Secure Encrypted Virtualization (SEV) encrypts the memory of each virtual machine with a per-VM key managed by the on-chip AMD Secure Processor (ASP). SEV-ES extends this by encrypting the guest's register state on VM exits, and SEV-SNP (Secure Nested Paging), introduced with EPYC 7003 Milan, adds memory-integrity protection through the Reverse Map Table (RMP) against a malicious hypervisor remapping, replaying, or aliasing guest pages. SEV-SNP also supports remote attestation: the ASP signs a report containing the guest's launch measurement and the platform's TCB versions with a chip-specific VCEK (or cloud-provider VLEK) that chains back to AMD's root keys. It underpins Azure Confidential VMs (DCasv5/ECasv5), SEV-SNP-capable AWS EC2 instance types (distinct from AWS Nitro Enclaves, which is a Nitro-based isolation feature), and Google Cloud Confidential VMs, letting tenants run standard Linux or Windows guests with an SNP-aware kernel and firmware under cryptographic isolation from the cloud provider.
The threat model is deliberately strong, the hypervisor is assumed hostile, so research has probed its edges. CacheWarp (CVE-2023-20592), disclosed in 2023 by researchers from CISPA, TU Graz and independent researcher Youheng Lu, is a software fault-injection attack: a malicious hypervisor invalidates the cache without writing modified lines back, reverting guest memory to a stale state and defeating SEV-ES/SEV-SNP integrity on first- to third-generation EPYC (Naples, Rome, Milan). AMD shipped a microcode fix for Milan; Naples and Rome received no mitigation. BadRAM (CVE-2024-21944), disclosed in 2024, reprograms a DIMM's SPD chip with under $10 of hardware and physical access so the memory controller exposes aliased "ghost" addresses that bypass SEV-SNP's RMP protection; AMD addressed it with firmware that validates the memory configuration at boot. Defenders should keep the Secure Processor firmware and microcode current and, before trusting a guest, check the TCB version fields reported inside the attestation report against a minimum they consider patched.
flowchart TB
subgraph Untrusted
HV[Hypervisor / Cloud admin]
end
subgraph EPYC SoC
ASP[AMD Secure Processor]
ME[Memory encryption engine + RMP]
end
G[Guest VM memory] -->|encrypted per-VM key| ME
ASP -->|manages keys| ME
HV -.->|cannot read plaintext| G
ASP -->|signs measurement| ATT[Attestation report VCEK/VLEK]
ATT -->|verify TCB & measurement| Tenant[Relying party]
For confidential computing the attestation step is essential: a guest must prove to the relying party that it booted the expected measurement on genuine, up-to-date AMD silicon before any secret (disk key, workload data) is released to it.
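The relying-party gate described above (and the TCB check recommended after CacheWarp and BadRAM), as an added example that is not code from this page, AMD, or any cloud provider: parse the binary SEV-SNP attestation report and refuse to release a secret if the launch measurement, the nonce echoed in REPORT_DATA, the guest policy, or the reported TCB version fails policy. Byte offsets follow the ATTESTATION_REPORT table in the SEV-SNP ABI specification (version 2 layout; cross-check against your copy). The report bytes, golden measurement, nonce and TCB floor are constructed placeholders, and the ECDSA signature check against the VCEK/VLEK chain fetched from AMD KDS is assumed to happen in a separate step that this offline example does not perform.

```python
"""Field-level policy checks on an SEV-SNP ATTESTATION_REPORT (added example, not AMD code).

Offsets follow the SEV-SNP ABI spec's ATTESTATION_REPORT table (v2 layout); verify against
your copy. All sample values below are CONSTRUCTED. Signature verification against the
VCEK/VLEK chain from AMD KDS is a separate mandatory step not performed here.
"""
import struct

REPORT_SIZE = 0x4A0  # 1184 bytes; the final 512 are the ECDSA signature

# Little-endian offsets of the fields this example reads.
OFF_VERSION, OFF_POLICY, OFF_CURRENT_TCB = 0x000, 0x008, 0x038
OFF_REPORT_DATA, OFF_MEASUREMENT = 0x050, 0x090
OFF_REPORTED_TCB, OFF_COMMITTED_TCB = 0x180, 0x1E0

# GUEST_POLICY bits a relying party cares about.
POLICY_SMT_ALLOWED = 1 << 16
POLICY_RESERVED_ONE = 1 << 17   # must be set
POLICY_DEBUG = 1 << 19          # hypervisor may debug the guest: never accept


def decode_tcb(tcb: int) -> dict:
    """TCB_VERSION: byte 0 BOOT_LOADER, byte 1 TEE, bytes 2-5 reserved, byte 6 SNP, byte 7 MICROCODE."""
    return {"boot_loader": tcb & 0xFF, "tee": (tcb >> 8) & 0xFF,
            "snp": (tcb >> 48) & 0xFF, "microcode": (tcb >> 56) & 0xFF}


def encode_tcb(boot_loader: int, tee: int, snp: int, microcode: int) -> int:
    return boot_loader | (tee << 8) | (snp << 48) | (microcode << 56)


def parse_report(buf: bytes) -> dict:
    if len(buf) != REPORT_SIZE:
        raise ValueError(f"expected {REPORT_SIZE}-byte report, got {len(buf)}")
    u32 = lambda off: struct.unpack_from("<I", buf, off)[0]
    u64 = lambda off: struct.unpack_from("<Q", buf, off)[0]
    return {
        "version": u32(OFF_VERSION),
        "policy": u64(OFF_POLICY),
        "report_data": buf[OFF_REPORT_DATA:OFF_REPORT_DATA + 64],
        "measurement": buf[OFF_MEASUREMENT:OFF_MEASUREMENT + 48],
        "current_tcb": decode_tcb(u64(OFF_CURRENT_TCB)),
        # REPORTED_TCB is the version the VCEK was derived for; gate on this one.
        "reported_tcb": decode_tcb(u64(OFF_REPORTED_TCB)),
        "committed_tcb": decode_tcb(u64(OFF_COMMITTED_TCB)),
    }


def tcb_at_least(tcb: dict, floor: dict) -> bool:
    """Every component must meet the floor; one stale component (e.g. microcode) fails."""
    return all(tcb[k] >= v for k, v in floor.items())


def check_report(report: dict, allowed_measurements, nonce: bytes, tcb_floor: dict) -> list:
    """Return policy violations; release secrets to the guest only if the list is empty."""
    problems = []
    if report["version"] < 2:
        problems.append(f"unsupported report version {report['version']}")
    if report["policy"] & POLICY_DEBUG:
        problems.append("guest policy permits debugging")
    if report["measurement"] not in allowed_measurements:
        problems.append("launch measurement not on the allowlist")
    if report["report_data"] != nonce.ljust(64, b"\0"):
        problems.append("REPORT_DATA does not carry our nonce (stale or replayed report)")
    if not tcb_at_least(report["reported_tcb"], tcb_floor):
        problems.append(f"REPORTED_TCB {report['reported_tcb']} below floor {tcb_floor}")
    return problems


def build_report(policy: int, tcb: int, nonce: bytes, measurement: bytes) -> bytes:
    """Assemble a CONSTRUCTED report; real ones come from the guest's /dev/sev-guest device."""
    buf = bytearray(REPORT_SIZE)
    struct.pack_into("<I", buf, OFF_VERSION, 2)
    struct.pack_into("<Q", buf, OFF_POLICY, policy)
    for off in (OFF_CURRENT_TCB, OFF_REPORTED_TCB, OFF_COMMITTED_TCB):
        struct.pack_into("<Q", buf, off, tcb)
    buf[OFF_REPORT_DATA:OFF_REPORT_DATA + 64] = nonce.ljust(64, b"\0")
    buf[OFF_MEASUREMENT:OFF_MEASUREMENT + 48] = measurement
    return bytes(buf)


# Constructed relying-party inputs (illustrative, not a real fleet baseline).
GOLDEN_MEASUREMENT = bytes.fromhex("ab" * 48)   # measurement of the approved firmware/kernel image
NONCE = b"rp-nonce-0001"                          # must be fresh per request in practice
TCB_FLOOR = {"boot_loader": 3, "tee": 0, "snp": 8, "microcode": 115}


def demo() -> tuple:
    """One acceptable report and one from a host with stale microcode and debug enabled."""
    base_policy = POLICY_SMT_ALLOWED | POLICY_RESERVED_ONE
    good = build_report(base_policy, encode_tcb(3, 0, 8, 115), NONCE, GOLDEN_MEASUREMENT)
    stale = build_report(base_policy | POLICY_DEBUG, encode_tcb(3, 0, 8, 72), NONCE, GOLDEN_MEASUREMENT)
    allow = {GOLDEN_MEASUREMENT}
    return (check_report(parse_report(good), allow, NONCE, TCB_FLOOR),
            check_report(parse_report(stale), allow, NONCE, TCB_FLOOR))


if __name__ == "__main__":
    ok, bad = demo()
    print("acceptable report:", ok or "no violations")
    print("stale/debug report:", bad)
```

The nonce check matters as much as the TCB check: without a fresh value echoed in REPORT_DATA, a hypervisor could replay a report taken before a firmware downgrade or from a different guest. Gate on REPORTED_TCB rather than CURRENT_TCB because the VCEK you verify the signature with is derived for the reported version, so the two checks agree on which firmware set actually vouches for the report.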
● Examples
- 01 Azure DCasv5/ECasv5 confidential VMs use AMD SEV-SNP.
- 02 Confidential Kubernetes nodes verify their attestation report before joining a cluster.
● Frequently asked questions
What is AMD SEV / SEV-SNP?
AMD EPYC technology that encrypts and integrity-protects each virtual machine's memory, isolating guests from a malicious or compromised hypervisor. It belongs to the Cryptography category of cybersecurity.
What does AMD SEV / SEV-SNP mean?
AMD EPYC technology that encrypts and integrity-protects each virtual machine's memory, isolating guests from a malicious or compromised hypervisor.
How do you deploy AMD SEV / SEV-SNP securely?
Run guests under SEV-SNP rather than SEV or SEV-ES alone (only SNP adds memory integrity), keep the AMD Secure Processor firmware and CPU microcode current, and make the relying party verify each guest's attestation report before releasing any secret: the VCEK/VLEK signature chain to AMD's root, the launch measurement, the guest policy (no debug), and the reported TCB version against a patched minimum.
What are other names for AMD SEV / SEV-SNP?
Common alternative names include: SEV, SEV-ES, SEV-SNP, Secure Encrypted Virtualization.