AMD SEV-SNP Support Revised For Linux + Updated Hyper-V Isolation VM Code

Written by Michael Larabel in AMD on 8 July 2021 at 03:30 PM EDT.
AMD engineers and their partners continue work towards upstreaming Secure Encrypted Virtualization's Secure Nested Paging (SEV-SNP) support for the mainline Linux kernel.

AMD SEV-SNP debuted this year with the EPYC 7003 "Milan" processors. SEV-SNP builds on SEV and SEV-ES by adding hardware-enforced memory integrity for encrypted guests: protection against replay of stale data, data corruption, memory aliasing, and memory re-mapping by a malicious or compromised hypervisor. SEV-SNP also brings other hardware protections, as outlined in the comparison below.


AMD has offered out-of-tree SEV-SNP Linux support for early Milan customers while the mainline upstreaming is still in progress, but it is at least moving in the right direction. Wednesday brought the latest guest-side series: 36 patches, now at their fourth revision. This version adds support for PSP-filtered CPUID handling (the guest consumes CPUID values that the AMD Platform Security Processor has validated rather than trusting whatever the hypervisor returns), support for the extended guest request, documentation updates, and other low-level changes. This SEV-SNP guest support for VMs amounts to some 3k new lines of code.
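An added example, not code from the article, from AMD's patch series or from the kernel: the guest patches above concern how an SNP guest obtains trustworthy CPUID values, and the leaf that decides what the hardware offers is CPUID Fn8000_001F. The C program below decodes that leaf and the MSR_AMD64_SEV status MSR, which reports what is actually active in the VM running it. The bit layouts are the architectural ones from AMD's APM; the helper names, the constructed register values and the build line are assumptions of ours.

```c
/* Added example (not from the article, AMD's patches or the kernel): decode
 * CPUID Fn8000_001F and MSR_AMD64_SEV. Bit layouts are architectural; helper
 * names are ours. Build: cc -O2 -o sevcheck sevcheck.c */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

#define SEV_LEAF      0x8000001FU
#define MSR_AMD64_SEV 0xC0010131U

/* CPUID Fn8000_001F_EAX: what the hardware (or the VMM's CPUID policy) offers. */
#define SEV_FEAT_SME     (1U << 0)
#define SEV_FEAT_SEV     (1U << 1)
#define SEV_FEAT_SEV_ES  (1U << 3)
#define SEV_FEAT_SEV_SNP (1U << 4)
#define SEV_FEAT_VMPL    (1U << 5)

/* MSR_AMD64_SEV: which mode is actually active for the VM reading it. */
#define MSR_SEV_ENABLED     (1ULL << 0)
#define MSR_SEV_ES_ENABLED  (1ULL << 1)
#define MSR_SEV_SNP_ENABLED (1ULL << 2)

struct sev_caps {
    bool sme, sev, sev_es, sev_snp, vmpl;
    unsigned c_bit;            /* EBX[5:0]: page-table bit that marks a page encrypted */
    unsigned phys_addr_reduce; /* EBX[11:6]: physical address bits lost to the C-bit */
    uint32_t max_enc_guests;   /* ECX: encrypted guests supported at once */
    uint32_t min_sev_asid;     /* EDX: lowest ASID usable by SEV (non-ES) guests */
};

/* Pure decoder, so it can be exercised with constructed register values. */
struct sev_caps decode_sev_leaf(uint32_t eax, uint32_t ebx, uint32_t ecx, uint32_t edx)
{
    struct sev_caps c = {0};
    c.sme     = (eax & SEV_FEAT_SME) != 0;
    c.sev     = (eax & SEV_FEAT_SEV) != 0;
    c.sev_es  = (eax & SEV_FEAT_SEV_ES) != 0;
    c.sev_snp = (eax & SEV_FEAT_SEV_SNP) != 0;
    c.vmpl    = (eax & SEV_FEAT_VMPL) != 0;
    c.c_bit            = ebx & 0x3F;
    c.phys_addr_reduce = (ebx >> 6) & 0x3F;
    c.max_enc_guests   = ecx;
    c.min_sev_asid     = edx;
    return c;
}

/* 0 = no memory encryption, 1 = SEV, 2 = SEV-ES, 3 = SEV-SNP.
 * SNP implies ES implies SEV, so test the strongest bit first. */
int sev_mode_from_msr(uint64_t msr)
{
    if (msr & MSR_SEV_SNP_ENABLED) return 3;
    if (msr & MSR_SEV_ES_ENABLED)  return 2;
    if (msr & MSR_SEV_ENABLED)     return 1;
    return 0;
}

/* Read MSR_AMD64_SEV via the msr driver (needs root and the msr module). A
 * failed read means "unknown", never "unencrypted": the capability leaf alone
 * does not prove the VM you are in was launched with SNP. */
bool read_sev_msr(uint64_t *out)
{
    int fd = open("/dev/cpu/0/msr", O_RDONLY);
    if (fd < 0)
        return false;
    ssize_t n = pread(fd, out, sizeof *out, (off_t)MSR_AMD64_SEV);
    close(fd);
    return n == (ssize_t)sizeof *out;
}

int main(void)
{
#if defined(__x86_64__) || defined(__i386__)
    uint32_t eax, ebx, ecx, edx;
    /* __get_cpuid_count returns 0 when the CPU's max extended leaf is below 0x8000001F. */
    if (!__get_cpuid_count(SEV_LEAF, 0, &eax, &ebx, &ecx, &edx)) {
        puts("CPUID Fn8000_001F not present: no AMD memory encryption support");
        return 1;
    }
    struct sev_caps c = decode_sev_leaf(eax, ebx, ecx, edx);
    printf("SME=%d SEV=%d SEV-ES=%d SEV-SNP=%d VMPL=%d C-bit=%u addr-reduce=%u\n",
           c.sme, c.sev, c.sev_es, c.sev_snp, c.vmpl, c.c_bit, c.phys_addr_reduce);
    printf("max encrypted guests=%u min SEV ASID=%u\n", c.max_enc_guests, c.min_sev_asid);
    uint64_t msr;
    if (read_sev_msr(&msr)) {
        static const char *mode[] = { "none", "SEV", "SEV-ES", "SEV-SNP" };
        printf("MSR_AMD64_SEV=0x%llx: active mode %s\n",
               (unsigned long long)msr, mode[sev_mode_from_msr(msr)]);
    } else {
        puts("MSR_AMD64_SEV unreadable (need root + msr module); active mode unknown");
    }
    return 0;
#else
    puts("not an x86 CPU; nothing to query");
    return 1;
#endif
}
```

The reason to check the MSR and not only the CPUID leaf is that a hypervisor chooses what CPUID it advertises to a guest, while MSR_AMD64_SEV reflects the mode the hardware launched this VM with; on a Linux guest the kernel prints the same information at boot as "Memory Encryption Features active". Neither is something a remote party can verify: for that you need the SNP attestation report, which is what the guest request machinery in these patches is for.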

Yesterday also saw the latest SEV-SNP hypervisor patches: 40 patches at 3.5k lines of new code. This KVM-focused hypervisor support for SEV-SNP exposes new ioctls, adds support for the extended guest message requests, and carries other changes resulting from earlier code-review feedback. Still to be completed on the hypervisor side is making use of SNP's interrupt security features.

Separately, Microsoft sent out their latest patches for the Linux kernel around Hyper-V Isolation VM support. Hyper-V Isolation VMs are Microsoft's virtualization-based security feature and, on AMD hardware, make use of SEV-SNP.


These patches are still undergoing review and it's already late into the 5.14 kernel merge window, so the earliest we'll see them picked up is the 5.15 kernel later in the year, assuming the AMD SEV-SNP support is ready for upstream by then. AMD began posting the code back in March, shortly after the EPYC 7003 debut. Hopefully, going forward, AMD will be more like Intel in upstreaming code prior to product launch, to ensure good out-of-the-box Linux server support on launch day, or at least to have the code in better shape for upstreaming as soon as the launch occurs rather than still going through rounds of public review months later. In any case, EPYC 7003 series support is in good standing aside from this tardy functionality, and the performance continues to be mighty impressive.

Learn more about AMD SEV-SNP in this whitepaper. Those not minding the out-of-tree code can find deployment steps and various sources via AMDESE's AMDSEV GitHub.