AMD Publishes Latest Linux Patches For Enabling SEV-SNP Guest Support
Building on SEV and the SEV-ES "Encrypted State" extension introduced with prior EPYC processors, SEV-SNP (Secure Nested Paging) adds memory integrity protection: replay protection, safeguards against data corruption and memory re-mapping, and defenses against a variety of other hypervisor-side attacks on VMs.
AMD didn't begin posting their SEV-SNP kernel patches publicly until after the EPYC 7003 series processors were first announced, so getting the guest and KVM hypervisor support squared away and upstreamed is still an ongoing process. Until it lands, EPYC server users cannot run a mainline kernel and take advantage of the latest security features on EPYC without relying on a distribution-patched kernel or other third-party kernel builds.
Sent out on Friday were the latest guest patches. The SEV-SNP guest support is now up to its ninth revision for the code that runs inside the VM guest kernel to make use of these strong memory integrity protections and other features. As with prior series, this SEV-SNP support isn't yet complete: features like interrupt protection are expected to be added after the initial SEV-SNP code is accepted into mainline.
The SEV-SNP guest v9 support is now out for review on the kernel mailing list. The KVM hypervisor support for SEV-SNP is maintained as a separate patch series and wasn't updated last week. It's unfortunate that it will be a year after the EPYC Milan launch at the earliest before all of this code is mainlined, but then again at times we have seen Intel also running behind in their mainline kernel support for Intel CPU features like SGX and now the ongoing work with TDX. In any case, the code should at least be in good shape once mainlined.
EPYC users can also grab the SEV-SNP kernel patches via this GitHub repository as another easy source if you want to spin your own kernel.
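A check worth running after booting such a kernel is whether the hardware (or, inside a guest, the hypervisor) actually advertises SEV-SNP. The following C program decodes CPUID leaf 0x8000001F, which carries the SME/SEV/SEV-ES/SEV-SNP capability bits, the C-bit position and related fields per AMD's APM. It is an added example written for this article, not code from AMD's patch series; the register values used in the accompanying assertions are constructed, not captured from a real machine.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* CPUID Fn8000_001F "Encrypted Memory Capabilities" (AMD64 APM vol. 3). */
#define SEV_LEAF 0x8000001Fu

enum sev_feature {
    SEV_FEAT_SME    = 1u << 0, /* Secure Memory Encryption */
    SEV_FEAT_SEV    = 1u << 1, /* Secure Encrypted Virtualization */
    SEV_FEAT_PFMSR  = 1u << 2, /* Page Flush MSR available */
    SEV_FEAT_SEV_ES = 1u << 3, /* SEV Encrypted State */
    SEV_FEAT_SNP    = 1u << 4, /* SEV Secure Nested Paging */
    SEV_FEAT_VMPL   = 1u << 5, /* VM Permission Levels (an SNP feature) */
};

struct sev_caps {
    uint32_t features;      /* raw EAX feature bits */
    unsigned cbit_pos;      /* EBX[5:0]: page-table bit that marks a page encrypted */
    unsigned pa_reduction;  /* EBX[11:6]: physical address bits consumed by encryption */
    uint32_t num_guests;    /* ECX: encrypted guests supported simultaneously */
    uint32_t min_noes_asid; /* EDX: lowest ASID usable by SEV guests without ES */
};

/* Pure decoder so the layout can be exercised with constructed register values. */
struct sev_caps decode_sev_caps(uint32_t eax, uint32_t ebx, uint32_t ecx, uint32_t edx)
{
    struct sev_caps c;
    c.features = eax;
    c.cbit_pos = ebx & 0x3fu;
    c.pa_reduction = (ebx >> 6) & 0x3fu;
    c.num_guests = ecx;
    c.min_noes_asid = edx;
    return c;
}

/* Highest SEV generation advertised: 0 none, 1 SEV, 2 SEV-ES, 3 SEV-SNP.
 * Returns -1 when the bits are inconsistent (SNP without ES, or ES without SEV);
 * a guest should treat that as a broken or lying hypervisor, not as "SNP on". */
int sev_generation(const struct sev_caps *c)
{
    uint32_t f = c->features;
    int snp = !!(f & SEV_FEAT_SNP);
    int es  = !!(f & SEV_FEAT_SEV_ES);
    int sev = !!(f & SEV_FEAT_SEV);
    if ((snp && !es) || (es && !sev))
        return -1;
    return snp ? 3 : es ? 2 : sev ? 1 : 0;
}

/* Convenience wrapper for checking EAX alone. */
int sev_generation_from_eax(uint32_t eax)
{
    struct sev_caps c = decode_sev_caps(eax, 0, 0, 0);
    return sev_generation(&c);
}

/* Query the running CPU. Returns 0 on non-x86 builds or when the leaf is absent
 * (pre-SEV hardware, or a hypervisor that does not expose it). */
int read_sev_caps(struct sev_caps *out)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a = 0, b = 0, c = 0, d = 0;
    if (!__get_cpuid(SEV_LEAF, &a, &b, &c, &d))
        return 0;
    *out = decode_sev_caps(a, b, c, d);
    return 1;
#else
    (void)out;
    return 0;
#endif
}

int main(void)
{
    static const char *const names[] = { "none", "SEV", "SEV-ES", "SEV-SNP" };
    struct sev_caps c;
    if (!read_sev_caps(&c)) {
        puts("CPUID 0x8000001F not available: no SEV support or not an x86 CPU");
        return 1;
    }
    int gen = sev_generation(&c);
    printf("features=0x%08x generation=%s cbit=%u pa_reduction=%u guests=%u min_noes_asid=%u\n",
           c.features, gen < 0 ? "inconsistent" : names[gen],
           c.cbit_pos, c.pa_reduction, c.num_guests, c.min_noes_asid);
    return gen == 3 ? 0 : 2;
}
```

The exit status makes the program usable from a provisioning script (0 only when SEV-SNP is advertised). Inside a guest, compare its output with the kernel's own boot message (the dmesg line beginning "Memory Encryption Features active:"): the CPUID bits say what the platform offers, while the kernel message says what the guest kernel actually enabled.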
Meanwhile on the Intel side, this week brought the v2 patches of Intel's TDX guest core support. This is the series for Intel's Trust Domain Extensions, which protect confidential guest VMs from the host and from physical attacks. Intel's TDX provides functionality similar to AMD SEV on future Intel CPUs.