Pre-General Availability: 2026-02-10

AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP)

AMD Secure Encrypted Virtualization (SEV) and AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) are key components of AMD's confidential computing technology. SEV is a hardware-based feature that encrypts the memory of virtual machines running on AMD EPYC processors. This protects the VM's data from unauthorized access by the hypervisor host, even if the hypervisor host is compromised. SEV uses a dedicated encryption key for each VM, managed by the processor. To work, SEV must be enabled in both the guest OS and the KVM hypervisor host.

On Oracle Linux 9 and Oracle Linux 10, UEK 8U2 includes guest and hypervisor support for SEV-SNP, which helps to prevent malicious hypervisor-based attacks such as data replay and memory remapping, among other vectors such as side-channel attacks. SEV-SNP is available on AMD E4-based servers or later (Milan). This functionality requires the latest edk2-ovmf and qemu package versions.

Note:

Confidential computing using SEV-SNP is a technical preview feature when used outside of Oracle Cloud Infrastructure (OCI).
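
Because SEV and SEV-SNP must be enabled on both the KVM host and the guest, the following added example (not Oracle's or AMD's code) reports which level each side has actually enabled. It assumes the upstream Linux interfaces: the `sev`, `sev_es` and `sev_snp` CPU flags, the `kvm_amd` module parameters of the same names, and the guest kernel's "Memory Encryption Features active:" boot message. The sample data is constructed.

```shell
# Added example: report the SEV level a KVM host and a guest have enabled.
# Assumptions (upstream Linux, not from the page): cpuinfo flags and kvm_amd
# parameters named sev/sev_es/sev_snp, and the guest kernel boot message.

# has_flag FLAG CPUINFO: true if FLAG is a whole word on the first flags line.
has_flag() {
    sed -n '/^flags/{p;q;}' "$2" 2>/dev/null | tr ' \t' '\n\n' | grep -qxF "$1"
}

# param_on NAME PARAM_DIR: true if the kvm_amd parameter reads Y or 1.
param_on() {
    case "$(cat "$2/$1" 2>/dev/null)" in Y|y|1) return 0 ;; *) return 1 ;; esac
}

# host_level CPUINFO PARAM_DIR: prints none, sev, sev-es or snp.
# Each level needs the CPU flag AND the kvm_amd parameter, plus all lower levels.
host_level() {
    level=none
    for pair in sev:sev sev_es:sev-es sev_snp:snp; do
        feat=${pair%%:*}
        has_flag "$feat" "$1" && param_on "$feat" "$2" || break
        level=${pair##*:}
    done
    echo "$level"
}

# guest_level LOGFILE: prints the level from the last matching kernel log line.
guest_level() {
    line=$(grep 'Memory Encryption Features active:' "$1" 2>/dev/null | tail -n 1)
    case "$line" in
        *SEV-SNP*) echo snp ;;
        *SEV-ES*)  echo sev-es ;;
        *" SEV"*)  echo sev ;;
        *)         echo none ;;
    esac
}

# Constructed sample data (not captured from a real system): an SNP-capable CPU
# whose host left sev_snp off, so the guest comes up with SEV-ES only.
demo=$(mktemp -d) && mkdir "$demo/params"
printf 'flags\t\t: fpu sme sev sev_es sev_snp\n' > "$demo/cpuinfo"
for p in sev sev_es; do echo Y > "$demo/params/$p"; done
echo N > "$demo/params/sev_snp"
echo '[    0.512345] Memory Encryption Features active: AMD SEV SEV-ES' > "$demo/dmesg"
echo "host:  $(host_level "$demo/cpuinfo" "$demo/params")"
echo "guest: $(guest_level "$demo/dmesg")"
rm -rf "$demo"
```

On a real system, pass `/proc/cpuinfo` and `/sys/module/kvm_amd/parameters` to `host_level` on the hypervisor, and a file holding the guest's `dmesg` output to `guest_level` inside the VM.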