AMD SEV-ES Sent In For Linux 5.10 To Further Secure Guest VMs
AMD SEV-ES (Encrypted State) takes the security a step further than plain SEV's memory encryption by also encrypting the guest's CPU register contents when exiting a VM, so no register state leaks to the hypervisor. On every world switch the register state is saved into the guest's encrypted VM Save Area (VMSA), and only the values the guest explicitly chooses to share reach the hypervisor, via the Guest-Hypervisor Communication Block (GHCB). SEV-ES is also reportedly able to detect malicious modifications to the saved register state. This makes SEV-ES particularly suited for defending against control-flow and rollback attacks and other scenarios where an attacker needs to read or manipulate the guest's register state.
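The protection described above only applies when the guest is actually running in SEV-ES mode, not plain SEV. The following C program is an added example (not from the article or the Linux patches) showing how a practitioner inside a guest can tell the two apart. It decodes the capability bits of CPUID leaf 0x8000001F and the enablement bits of the MSR_AMD64_SEV status register (0xC0010131), using the bit positions AMD documents for those registers, and reads the MSR through the Linux msr driver at /dev/cpu/0/msr. The capability leaf only says what the hardware and hypervisor could offer; the status MSR says what is in force for this guest, and a guest with only bit 0 set still exposes its registers to the hypervisor on every exit. The file name and exit codes are this example's own choices.

```c
/* sev_es_check.c - decode AMD SEV capability/status bits and probe the guest.
 * Added example; not part of the article or of the Linux SEV-ES patches. */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* CPUID Fn8000_001F, EAX: memory encryption capabilities (AMD APM vol. 3). */
#define CPUID_MEM_ENC_LEAF       0x8000001Fu
#define CPUID_SME_SUPPORTED      (1u << 0)
#define CPUID_SEV_SUPPORTED      (1u << 1)
#define CPUID_SEV_ES_SUPPORTED   (1u << 3)
#define CPUID_SEV_SNP_SUPPORTED  (1u << 4)

/* MSR_AMD64_SEV (0xC0010131): which SEV mode this guest is actually running in. */
#define MSR_AMD64_SEV              0xC0010131u
#define SEV_STATUS_SEV_ENABLED     (1ull << 0)
#define SEV_STATUS_SEV_ES_ENABLED  (1ull << 1)
#define SEV_STATUS_SEV_SNP_ENABLED (1ull << 2)

/* Capability bits say what the CPU/hypervisor *could* do for a guest. */
int cpuid_sev_es_supported(uint32_t eax)
{
    return (eax & CPUID_SEV_ES_SUPPORTED) != 0;
}

/* Status bits say what is *actually* in force for the guest reading them. */
int msr_sev_es_enabled(uint64_t status)
{
    return (status & SEV_STATUS_SEV_ES_ENABLED) != 0;
}

/* Strongest protection level active according to the status MSR. */
const char *describe_sev_status(uint64_t status)
{
    if (status & SEV_STATUS_SEV_SNP_ENABLED)
        return "SEV-SNP";   /* implies SEV-ES and SEV as well */
    if (status & SEV_STATUS_SEV_ES_ENABLED)
        return "SEV-ES";    /* memory and register state encrypted */
    if (status & SEV_STATUS_SEV_ENABLED)
        return "SEV";       /* memory encrypted, registers exposed on VM exit */
    return "none";
}

/* Read the status MSR through the msr driver (needs root and `modprobe msr`).
 * Returns 0 on success, -1 if unreadable (not a SEV guest, no driver, no root). */
static int read_sev_status_msr(uint64_t *status)
{
    int fd = open("/dev/cpu/0/msr", O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = pread(fd, status, sizeof(*status), (off_t)MSR_AMD64_SEV);
    close(fd);
    return n == (ssize_t)sizeof(*status) ? 0 : -1;
}

int main(void)
{
    uint32_t eax = 0, ebx = 0, ecx = 0, edx = 0;
#if defined(__x86_64__) || defined(__i386__)
    /* __get_cpuid_count returns 0 when the leaf is above the CPU's maximum. */
    if (!__get_cpuid_count(CPUID_MEM_ENC_LEAF, 0, &eax, &ebx, &ecx, &edx))
        eax = 0;
#endif
    printf("CPUID Fn8000_001F EAX = 0x%08x: SEV=%d SEV-ES=%d\n", eax,
           (eax & CPUID_SEV_SUPPORTED) != 0, cpuid_sev_es_supported(eax));

    uint64_t status = 0;
    if (read_sev_status_msr(&status) != 0) {
        printf("MSR 0x%x not readable (not a SEV guest, or msr driver/root missing)\n",
               MSR_AMD64_SEV);
        return 1;
    }
    printf("MSR_AMD64_SEV = 0x%llx: active mode %s\n",
           (unsigned long long)status, describe_sev_status(status));
    /* Only SEV-ES or stronger gives the register-state protection discussed above. */
    return msr_sev_es_enabled(status) ? 0 : 2;
}
```

Build with `gcc -O2 -o sev_es_check sev_es_check.c` and run as root inside the guest after `modprobe msr`; an exit status of 0 means the register state is protected, 2 means the guest is running with memory encryption only. The guest kernel's boot log also lists the active memory encryption features, which is a quick cross-check when the msr driver is unavailable.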
The Linux 5.10 implementation of AMD SEV-ES is ready to go and handles the register state being encrypted and decrypted on world switches. Linux kernel patches for SEV-ES have been floating around since early 2020, and now Linux 5.10, the last full kernel cycle of the calendar year, will see this support land.
The AMD SEV-ES support was sent in as its own pull request on Tuesday. This initial implementation is KVM-focused; other hypervisors will also need to be adapted to handle SEV-ES guests.