AMD SEV-SNP Development Continues Towards The Linux Kernel
Since the launch of the AMD EPYC 7003 "Milan" processors earlier this year, the hardware has supported SEV-SNP, the latest evolution of Secure Encrypted Virtualization. The mainline Linux kernel still does not support SEV Secure Nested Paging, but the out-of-tree patches remain available for those interested, and development work continues on getting that code ready for mainline as well as on ironing out other features.
AMD engineers David Kaplan and Brijesh Singh presented at last week's Linux Security Summit hosted by the Linux Foundation. Their presentation was centered on SEV-SNP for delivering the latest AMD VM security/isolation capabilities and the work they've been doing on bringing up the Linux support.
Going back to the March launch of the EPYC 7003 series processors, AMD has been posting Linux patches to enable SEV-SNP, but the functionality is still going through the long process of getting into the mainline Linux kernel so that it can be easily enabled in distribution vendor kernels and elsewhere, making SEV-SNP commonplace on latest-generation EPYC servers. The patches have been through several rounds of review to get the code squared away so it meets upstream standards and addresses all review comments.
There isn't yet a public recording of the Linux Security Summit session for those who missed it, but the slide deck is available, going over SEV-SNP, its current state, and the future. Beyond the basics covered by the current kernel patches, restricted interrupt injection, lazy page validation, live migration, support for backing pages from HugeTLB, and vTPM support are among the items planned for future patches.
Beyond the mailing list patches, AMD engineers continue to use this GitHub repository for staging their latest SEV-SNP support patches.