AMD Publishes Latest Linux Patches For Enabling SEV-SNP Guest Support

Written by Michael Larabel in AMD on 30 January 2022 at 05:36 AM EST.
One of the additions with the EPYC 7003 "Milan" processors introduced last year was SEV-SNP, the "Secure Nested Paging" extension to AMD's Secure Encrypted Virtualization found on EPYC processors. While AMD has maintained an out-of-tree Linux source repository carrying the SEV-SNP patches, the mainline kernel still lacks support for these latest security features; the code continues to undergo revisions and review ahead of its eventual upstreaming.

Over SEV and SEV-ES ("Encrypted State"), introduced with prior EPYC processors, SEV-SNP offers stronger integrity guarantees: replay protection, safeguards against data corruption, and defenses against a variety of other possible attacks on VMs.

AMD didn't begin posting its SEV-SNP kernel patches publicly until after the EPYC 7003 series processors were announced, so the process of getting the guest and KVM hypervisor support squared away and upstreamed is still ongoing. Once that lands, EPYC server users will be able to run a mainline kernel and take advantage of the latest security features without relying on a distribution-patched kernel or other third-party kernel builds.

Sent out on Friday were the latest guest patches. The SEV-SNP guest support is now up to its ninth revision of the code that runs in the VM guest kernel to make use of these strong memory integrity protections and other features. As with prior series, this SEV-SNP support isn't yet complete; features like interrupt protection are expected to be added after the initial SEV-SNP code is accepted into mainline.

The SEV-SNP guest v9 support is now out for review on the kernel mailing list. The KVM hypervisor support for SEV-SNP is maintained as a separate patch series and wasn't updated last week. It's unfortunate that it will be a year after the EPYC Milan launch at the earliest before all of this code is mainlined, but then again we have at times seen Intel also running behind in mainline kernel support for its CPU features, such as SGX and now the ongoing work on TDX. In any case, the code should be in good shape once it is mainlined.

EPYC users can also grab the SEV-SNP kernel patches via this GitHub repository as another easy source if you want to spin your own kernel.

Meanwhile, on the Intel side, this week brought the v2 patches of Intel's TDX guest core support. This is the series for Intel's Trust Domain Extensions, which protect confidential guest VMs from the host and from physical attacks. Intel's TDX provides functionality similar to AMD SEV for future Intel CPUs.
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.
