# AMD Secure Memory Encryption (SME)

Links: [[AMD]], [[AMD SEV]], [[Confidential Computing]], [[EPYC]]

## [AMD Memory Encryption Whitepaper](https://developer.amd.com/wordpress/media/2013/12/AMD_Memory_Encryption_Whitepaper_v7-Public.pdf)

[[2016-04-24]]

### Introduction

The need for practical security in modern computing systems is greater than ever. The increase in system complexity, growth of the cloud, and advent of new technologies are all contributing to a computing environment that is difficult yet critical to protect. AMD recognizes these serious challenges and has developed new memory encryption technologies that are designed to address these needs across a variety of systems.

**Secure Memory Encryption (SME)** defines a simple and efficient architectural capability for main memory encryption. While memory encryption technologies have been used previously in various specialized products and industries, SME is a general purpose mechanism that is flexible, integrated into the CPU architecture, scalable from embedded to high-end server workloads, and requires no application software modifications.

Main memory encryption can be utilized to protect a system against a variety of attacks. While data is typically encrypted today when stored on disk, it is stored in DRAM in the clear. This can leave the data vulnerable to snooping by unauthorized administrators or software or by hardware probing. New non-volatile memory technology (NVDIMM) exacerbates this problem since an NVDIMM chip can be physically removed from a system with the data intact, similar to a hard drive. Without encryption any stored information such as sensitive data, passwords, or secret keys can be easily compromised.

**Secure Encrypted Virtualization (SEV)** integrates main memory encryption capabilities with the existing AMD-V virtualization architecture to support encrypted virtual machines. Encrypting virtual machines can help protect them not only from physical threats but also from other virtual machines or even the hypervisor itself. SEV thus represents a new virtualization security paradigm that is particularly applicable to cloud computing where virtual machines need not fully trust the hypervisor and administrator of their host system. As with SME, no application software modifications are required to support SEV.

This document presents a technical overview of the SME and SEV and describes how they can be utilized by operating system (OS), hypervisor (HV), and guest virtual machine (VM) software in a variety of different environments to protect data in DRAM.