Fedora 41 Aims To Ship AMD SEV-SNP Confidential Virtualization Host Support

Written by Michael Larabel in AMD on 17 June 2024 at 04:49 PM EDT. Add A Comment
AMD
With the release of Fedora 41 in October, this Red Hat sponsored Linux distribution is hoping to have all the software bits aligned that its AMD SEV-SNP virtualization stack will be all squared away for this latest iteration of Secure Encrypted Virtualization.

If all goes according to newly-filed plans, Fedora 41 this autumn should be shipping with confidential virtualization host support for AMD SEV-SNP. This is coming about as all of the relevant upstream pieces are finally coming together. As noted recently on Phoronix, Linux 6.11 will bring the AMD SEV-SNP KVM guest bits. QEMU 9.1 is working its way toward release in the coming months and it has the SEV-SNP feature integration complete. Libvirt is also having its SEV-SNP support cross the finish line this summer. Fedora 41 is also planning to ship updated Coconut SVSM, iVGM, and EDK2 packages for rounding out the SEV-SNP support.

AMD EPYC CPU in front of Fedora system


The change proposal was posted today to the Fedora Wiki for having this SEV-SNP support in Fedora 41:
"This enables Fedora virtualization hosts to launch confidential virtual machines using AMD's SEV-SNP technology. Confidential virtualization prevents admins with root shell access, or a compromised host software stack, from accessing memory of any running guest. SEV-SNP is an evolution of previously provided SEV and SEV-ES technologies providing stronger protection and unlocking new features such as a secure virtual TPM.
...
Fedora has provided support for launching confidential virtual machines using KVM on x86_64 hosts for several years, using the SEV and SEV-ES technologies available from AMD CPUs. These technologies have a number of design limitations, however, that make them less secure than is desired, and prevent exposure of desirable features such as secure TPMs. The SEV-SNP technology is a significant design enhancement and architectural change to addresses the key gaps, increasing security and unlocking more powerful use cases for confidential virtual machines."

SEV-SNP is indeed a nice upgrade over the earlier SEV and SEV-ES capabilities:

SEV-SNP comparison


It's great seeing all the upstream software bits finally coming together with SEV-SNP that is supported with AMD EPYC server processors since the EPYC 7003 "Milan" series. Other Q3~Q4 Linux distributions and later in turn should also be able to tap into this upstream support for the newest Secure Encrypted Virtualization functionality.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week