AMD SEV-SNP Finally Being Merged In Linux 5.19 To Enhance Confidential Computing

Written by Michael Larabel in AMD on 23 May 2022 at 07:12 AM EDT. Add A Comment
Last year, with the launch of the AMD EPYC 7003 "Milan" processors, one of the new security features was SEV-SNP, the "Secure Nested Paging" extension to the Secure Encrypted Virtualization functionality that has grown with each succeeding EPYC generation. While AMD published out-of-tree kernel patches in a GitHub repository to enable SEV-SNP and has been sending revision after revision of them to the kernel mailing list, one year later the support is finally arriving in mainline with the Linux 5.19 kernel.

The Linux 5.19 kernel to be released later this summer will offer AMD SEV-SNP support without having to resort to patching your kernel or using any out-of-tree code. As I wrote at the beginning of April, it looked like SEV-SNP was finally ready for upstreaming with Linux 5.19. Now on the first day of the v5.19 merge window, the SEV-SNP patches have indeed been submitted.


SEV-SNP has been one of many exciting enhancements with EPYC 7003 series.


The hardware-based memory integrity protections provided by AMD SEV-SNP can help prevent attacks by a malicious hypervisor, and add functionality beyond what was already available with the Secure Encrypted Virtualization of prior EPYC CPUs.


An AMD table showing the feature differences across the SEV tiers. SEV-SNP was introduced in March 2021 with AMD EPYC 7003 series processors.


SEV-SNP adds integrity protections against replay attacks, data corruption, memory aliasing, memory re-mapping, TCB rollback, and more. The SEV-SNP code for Linux 5.19 has all the initial enablement in place, but there are still open tasks: lazy validation of guest pages is not yet handled, so for the moment all guest memory is pre-validated at boot, and the interrupt security enhancements are also still to be worked on for this kernel code. See this AMD whitepaper to learn more about the various tiers of Secure Encrypted Virtualization.
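A practical check to go with the tier breakdown above: once a guest is booted on a kernel with this support, it is worth confirming which tier the kernel actually reports rather than assuming SNP is active because the host supports it. The script below is an added example, not code from the article, from AMD, or from the kernel patch series. It assumes two things you should verify against your own kernel version: that a 5.19 guest kernel prints a boot line of the form "AMD Memory Encryption Features active:" followed by the active tiers (" SEV", " SEV-ES", " SEV-SNP", or " SME" on a bare-metal host) from arch/x86/mm/mem_encrypt.c, and that the SNP CPUID bit appears in /proc/cpuinfo as the flag "sev_snp". The sample log and cpuinfo text are constructed, not captured from real hardware.

```shell
#!/bin/sh
# Added example (not from the article or AMD's patches): classify the SEV tier
# a kernel reports, and check whether the CPU advertises the SNP CPUID bit.
#
# Assumptions, labelled here and to be verified against your kernel:
#  - the boot line looks like "AMD Memory Encryption Features active: SEV SEV-ES SEV-SNP"
#  - the SNP CPUID bit is shown in /proc/cpuinfo as the flag "sev_snp"

# Print the highest SEV tier named on the memory-encryption boot line.
# $1: kernel log text, e.g. "$(dmesg)" or the contents of a saved boot log.
sev_tier_from_log() {
    line=$(printf '%s\n' "$1" | grep 'AMD Memory Encryption Features active:' | tail -n 1)
    case "$line" in
        '')         echo "none" ;;      # no encryption line: plain VM or non-AMD system
        *SEV-SNP*)  echo "SEV-SNP" ;;   # memory integrity protection active
        *SEV-ES*)   echo "SEV-ES" ;;    # encrypted register state, no integrity
        *" SEV"*)   echo "SEV" ;;       # memory encryption only
        *SME*)      echo "SME" ;;       # host-side memory encryption, not a guest
        *)          echo "unknown" ;;
    esac
}

# Print "yes" if the cpuinfo flags line advertises the sev_snp CPUID bit.
# $1: contents of /proc/cpuinfo.
cpu_advertises_snp() {
    if printf '%s\n' "$1" | grep '^flags' | grep -qw 'sev_snp'; then
        echo "yes"
    else
        echo "no"
    fi
}

# Constructed sample inputs (not captured from real hardware).
SAMPLE_LOG_SNP='[    0.000000] Linux version 5.19.0-rc1 (builder@host) ...
[    0.004321] AMD Memory Encryption Features active: SEV SEV-ES SEV-SNP'
SAMPLE_LOG_ES='[    0.004321] AMD Memory Encryption Features active: SEV SEV-ES'
SAMPLE_LOG_SEV='[    0.004321] AMD Memory Encryption Features active: SEV'
SAMPLE_LOG_PLAIN='[    0.000000] Linux version 5.19.0-rc1 (builder@host) ...'
SAMPLE_CPUINFO_SNP='processor       : 0
flags           : fpu vme sev sev_es sev_snp'
SAMPLE_CPUINFO_OLD='processor       : 0
flags           : fpu vme sev sev_es'

if [ "${1:-}" = "--live" ]; then
    # Run against the machine you are on (needs permission to read dmesg).
    echo "kernel reports: $(sev_tier_from_log "$(dmesg)")"
    echo "cpuinfo advertises sev_snp: $(cpu_advertises_snp "$(cat /proc/cpuinfo)")"
else
    echo "SNP guest log        -> $(sev_tier_from_log "$SAMPLE_LOG_SNP")"
    echo "SEV-ES guest log     -> $(sev_tier_from_log "$SAMPLE_LOG_ES")"
    echo "plain VM log         -> $(sev_tier_from_log "$SAMPLE_LOG_PLAIN")"
    echo "cpuinfo with sev_snp -> $(cpu_advertises_snp "$SAMPLE_CPUINFO_SNP")"
fi
```

Run it with `--live` on the guest to query the real dmesg and /proc/cpuinfo. Treat the result as a local sanity check only: the boot line is the guest's own self-report, so a remote party that needs proof the integrity protections are in place should rely on the SNP attestation mechanism rather than on anything the guest prints.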


This pull request carries the initial SEV-SNP enablement for Linux 5.19. It's unfortunate that it took more than a year after the EPYC Milan launch for these fewer than 4k lines of code to be upstreamed into the kernel, but at least it's here now, and after extensive review and testing. Many hyperscalers and other big EPYC customers have likely already been using SEV-SNP by patching their kernel builds, but it's great to have all of this mainlined so that SEV-SNP is more widely available and easier to maintain. As previously with SEV-ES, it took a long time post-launch before being mainlined. Getting such new CPU features out there more punctually is one of the areas where AMD still has room for improvement in their Linux support; Intel, meanwhile, is known for timely enablement and generally gets next-generation CPU features into the kernel before the hardware ships. For EPYC Zen 4 processors I have been reporting on various ID additions and basic enablement work for months, but so far haven't seen any major feature code reach the kernel mailing list to begin the review/upstreaming process.

Update: As another example of Intel's timely enablement approach, Intel TDX was also submitted for Linux 5.19 today, with Trust Domain Extensions being Intel's SEV alternative coming with Xeon Scalable Sapphire Rapids.
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.