AMD SEV / SEV-SNP
What is AMD SEV / SEV-SNP?
AMD SEV / SEV-SNPAMD EPYC technology that encrypts and integrity-protects each virtual machine's memory, isolating guests from a malicious or compromised hypervisor.
AMD Secure Encrypted Virtualization (SEV) encrypts the memory of each virtual machine with a per-VM key managed by the on-chip AMD Secure Processor. SEV-ES extends this with encrypted register state on VM exits, and SEV-SNP (Secure Nested Paging), introduced with EPYC 7003 Milan, adds memory-integrity protection (Reverse Map Table) against malicious hypervisor remapping, replay, and aliasing. SEV-SNP supports remote attestation of the guest measurement (VCEK/VLEK chain) for confidential computing workloads. It powers Azure Confidential VMs (DCasv5/ECasv5), AWS Nitro Enclaves-adjacent offerings, and Google Cloud Confidential VMs, allowing tenants to run unmodified Linux/Windows guests with cryptographic isolation from the cloud provider.
● Examples
- 01
Azure DCasv5/ECasv5 confidential VMs use AMD SEV-SNP.
- 02
Confidential Kubernetes nodes verifying their attestation report before joining a cluster.
● Frequently asked questions
What is AMD SEV / SEV-SNP?
AMD EPYC technology that encrypts and integrity-protects each virtual machine's memory, isolating guests from a malicious or compromised hypervisor. It belongs to the Cryptography category of cybersecurity.
What does AMD SEV / SEV-SNP mean?
AMD EPYC technology that encrypts and integrity-protects each virtual machine's memory, isolating guests from a malicious or compromised hypervisor.
How does AMD SEV / SEV-SNP work?
AMD Secure Encrypted Virtualization (SEV) encrypts the memory of each virtual machine with a per-VM key managed by the on-chip AMD Secure Processor. SEV-ES extends this with encrypted register state on VM exits, and SEV-SNP (Secure Nested Paging), introduced with EPYC 7003 Milan, adds memory-integrity protection (Reverse Map Table) against malicious hypervisor remapping, replay, and aliasing. SEV-SNP supports remote attestation of the guest measurement (VCEK/VLEK chain) for confidential computing workloads. It powers Azure Confidential VMs (DCasv5/ECasv5), AWS Nitro Enclaves-adjacent offerings, and Google Cloud Confidential VMs, allowing tenants to run unmodified Linux/Windows guests with cryptographic isolation from the cloud provider.
How do you defend against AMD SEV / SEV-SNP?
Defences for AMD SEV / SEV-SNP typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for AMD SEV / SEV-SNP?
Common alternative names include: SEV, SEV-ES, SEV-SNP, Secure Encrypted Virtualization.
● Related terms
- cryptography№ 546
Intel SGX
Intel Software Guard Extensions, a CPU instruction set that creates encrypted memory enclaves to protect code and data from a compromised OS or hypervisor.
- cloud-security№ 1177
Trusted Execution Environment (TEE)
A secure, isolated execution context within a processor where code and data are protected in confidentiality and integrity, even from the host OS and hypervisor.
- cloud-security№ 208
Confidential Computing
Protecting data while it is being processed by running workloads inside hardware-based Trusted Execution Environments that isolate them from the host and the cloud operator.
- cryptography№ 460
Hardware Attestation
A cryptographic protocol by which a device proves its identity and software measurements to a remote verifier using a key rooted in tamper-resistant hardware.
- cryptography№ 060
ARM TrustZone
A hardware security extension on ARM CPUs that partitions the SoC into a Secure World and a Normal World, providing a TEE for keys, DRM, and biometric data.