AMD SEV - Max Fang's Notes

# AMD Secure Encrypted Virtualization (SEV) https://developer.amd.com/sev/ Links: [[AMD]], [[EPYC]], [[Confidential Computing]] ### Differentiation - SEV: Secure Encrypted Virtualization, 2016 - SEV-ES: Encrypted State, 2017 - SEV-SNP: Secure Nested Paging, 2020 - SME: Secure Memory Encryption ## See also ### - [[AMD SME]] ### - [[AMD SEV-SNP]] ### - [[SEV vs SGX]] ## Resources ### [AMD EPYC Developer Resources](https://developer.amd.com/resources/epyc-resources/) *Want to learn more? Check out our resources created for developers by developers.* - [Reference Architectures](https://developer.amd.com/resources/epyc-resources/epyc-reference-architectures/): Guides to help setup EPYC™ with a specific environment - [Solution Briefs and White Papers](https://developer.amd.com/resources/epyc-resources/solution-briefs-and-white-papers/): How EPYC™ solves different issues in server applications and Technical papers that provide a deeper look into EPYC™ technology - [Specs and Manuals](https://developer.amd.com/resources/epyc-resources/epyc-specifications/): Listing of specifications and manuals for EPYC™ hardware - [Tuning Guides](https://developer.amd.com/resources/epyc-resources/epyc-tuning-guides/): Guides to help optimize your EPYC™ configuration ### [Protecting VM Register State with SEV-ES](https://www.amd.com/system/files/TechDocs/Protecting%20VM%20Register%20State%20with%20SEV-ES.pdf) (8 page technical overview) [[2017-02-17]] ### [AMD MEMORY ENCRYPTION](https://developer.amd.com/wordpress/media/2013/12/AMD_Memory_Encryption_Whitepaper_v7-Public.pdf) (12 page whitepaper, 2016) ### [PROTECTING VM REGISTER STATE WITH SEV-ES](https://www.amd.com/system/files/TechDocs/Protecting%20VM%20Register%20State%20with%20SEV-ES.pdf) (8 page whitepaper, 2017) ### [SEV Secure Nested Paging Firmware ABI Specification](https://www.amd.com/system/files/TechDocs/56860.pdf) (124 page technical document) ### [Secure Encrypted Virtualization API Version 0.24](https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf) (122 page Technical Preview) ## (Developer page) [AMD Secure Encrypted Virtualization (SEV)](https://developer.amd.com/sev/) ### AMD EPYC Hardware Memory Encryption Hardware accelerated memory encryption for data-in-use protection. Takes advantage of new security components available in AMD EPYC processors 1. **AES-128 encryption engine** embedded in the memory controller. Automatically encrypts and decrypts data in main memory when an appropriate key is provided. 2. **AMD Secure Processor**. Provides cryptographic functionality for secure key generation and key management. ### Feature Overview **AMD Secure Memory Encryption (SME)** Uses a single key to encrypt system memory. The key is generated by the AMD Secure Processor at boot. SME requires enablement in the system BIOS or operating system. When enabled in the BIOS, memory encryption is transparent and can be run with any operating system. **AMD Secure Encrypted Virtualization (SEV)** Uses one key per virtual machine to isolate guests and the hypervisor from one another. The keys are managed by the AMD Secure Processor. SEV requires enablement in the guest operating system and hypervisor. The guest changes allow the VM to indicate which pages in memory should be encrypted. The hypervisor changes use hardware virtualization instructions and communication with the AMD Secure processor to manage the appropriate keys in the memory controller. **AMD Secure Encrypted Virtualization-Encrypted State (SEV-ES)** Encrypts all CPU register contents when a VM stops running. This prevents the leakage of information in CPU registers to components like the hypervisor, and can even detect malicious modifications to a CPU register state. ## [Five Questions About SEV](https://www.youtube.com/watch?v=ext3DF_O-5E) - Unlisted, only 646 views - Decent 3 minute intro **2. How does it work?** ![[Screen Shot 2022-02-16 at 9.30.25 PM.png]] **4. How to use it?** "The easiest way is to go through a partner such as [[Google Cloud]] or [[VMware]]"