Inferensys

Glossary

AMD SEV-SNP

An advanced hardware security feature that encrypts virtual machine memory and adds strong integrity protection to prevent malicious hypervisor-based attacks like data replay and memory remapping.
Data engineer managing feature store on laptop, feature definitions visible, casual data engineering session.
SECURE ENCRYPTED VIRTUALIZATION

What is AMD SEV-SNP?

AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) is a hardware security feature that encrypts virtual machine memory and adds strong integrity protection to prevent malicious hypervisor-based attacks like data replay and memory remapping.

AMD SEV-SNP extends the Secure Encrypted Virtualization architecture by adding a Reverse Map Table to enforce memory integrity. This hardware structure prevents a compromised hypervisor from replaying stale encrypted pages, remapping guest memory, or performing alias-based attacks, creating a strong Trusted Execution Environment for entire virtual machines without requiring application code modifications.

SEV-SNP introduces an attestation report signed by the AMD Platform Security Processor, enabling remote parties to cryptographically verify the VM's initial state and identity before provisioning secrets. This hardware root of trust underpins Confidential Computing use cases, allowing sensitive workloads to run securely in untrusted cloud environments with protection against active hypervisor threats.

ARCHITECTURAL CAPABILITIES

Key Features of AMD SEV-SNP

AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) extends prior SEV iterations by adding strong memory integrity protection, preventing a range of sophisticated hypervisor-based attacks against confidential virtual machines.

01

Full Memory Encryption

SEV-SNP encrypts the entire contents of a virtual machine's memory using an AES-128 engine integrated into the AMD system-on-a-chip (SoC). Each VM is assigned a unique encryption key managed by the AMD Secure Processor (AMD-SP) , ensuring that data remains encrypted even when resident in DRAM. This prevents the hypervisor or a rogue administrator with physical access from reading plaintext VM memory.

  • Key Isolation: Encryption keys are never accessible to the host OS or hypervisor.
  • Transparent Operation: Encryption and decryption occur inline during memory accesses with minimal performance impact.
AES-128
Inline Encryption Engine
02

Strong Memory Integrity (RMP)

SEV-SNP introduces the Reverse Map Table (RMP) , a hardware-enforced data structure that tracks page ownership and prevents malicious remapping. The RMP guarantees that a guest VM's physical memory page can only be mapped at the correct guest physical address, neutralizing data replay and memory aliasing attacks that previously exploited SEV-ES.

  • Page Validation: The VM must explicitly accept a page before it becomes usable, preventing the hypervisor from injecting unvalidated data.
  • Immutable Ownership: Once a page is assigned to a VM, the hypervisor cannot alter its mapping without triggering a fault.
03

Cryptographic Attestation

SEV-SNP provides a robust attestation mechanism that allows a remote party to cryptographically verify the identity and integrity of the VM before provisioning secrets. The AMD Secure Processor generates a signed attestation report containing the VM's launch digest—a hash of the initial guest firmware, kernel, and configuration.

  • VMPL-based Signing: The report is signed by a Versioned Chip Endorsement Key (VCEK) , binding the attestation to a specific processor.
  • Guest-Requested Reports: The VM itself can request an attestation report at any time, enabling ongoing trust verification.
04

Interrupt Protection

SEV-SNP extends the register state protection introduced in SEV-ES by adding hardware safeguards against malicious interrupt injection. The architecture restricts the injection of interrupts and exceptions to only those vectors explicitly allowed by the guest VM, preventing the hypervisor from manipulating the guest's control flow through crafted interrupt sequences.

  • Restricted Injection: The hypervisor can only inject a predefined subset of interrupt vectors.
  • Event Injection Validation: The hardware validates the event type and vector against the guest's configuration before delivery.
05

Virtual Machine Privilege Levels (VMPL)

SEV-SNP introduces VMPLs, an architectural feature that allows a single guest VM to run code at multiple privilege levels within the confidential boundary. This enables the guest to isolate sensitive operations—such as attestation report generation or key management—from the bulk of the guest OS, creating a secure enclave-like abstraction within the VM itself.

  • In-Guest Isolation: VMPL0 can run a minimal security monitor, while VMPL1 runs the main OS kernel.
  • Secure Services: Enables confidential computing patterns where a small, trusted service component is shielded from a larger, potentially compromised guest.
06

Secure Nested Paging

The Secure Nested Paging (SNP) table is a hardware-managed second-level address translation structure that enforces the memory integrity guarantees. Unlike a traditional hypervisor-managed nested page table, the SNP table is validated and locked by the AMD Secure Processor, ensuring that the hypervisor cannot create unauthorized mappings or redirect guest memory accesses to malicious pages.

  • Hardware-Enforced Mapping: The RMP and SNP tables work in concert to validate every memory access.
  • Page State Tracking: The hardware tracks whether a page is private to the VM, shared with the hypervisor, or in a transitional state.
AMD SEV-SNP EXPLAINED

Frequently Asked Questions

Clear, technically precise answers to the most common questions about AMD Secure Encrypted Virtualization-Secure Nested Paging, its threat model, and its role in confidential computing.

AMD SEV-SNP (Secure Encrypted Virtualization-Secure Nested Paging) is a hardware security feature integrated into AMD EPYC processors that provides strong memory integrity protection for virtual machines, preventing malicious hypervisor-based attacks. It works by adding a hardware-enforced, reverse-map table structure to standard SEV memory encryption. This structure cryptographically binds each guest physical page to a specific virtual machine, creating an immutable ownership record. When the processor accesses memory, it verifies this binding, which prevents the hypervisor from remapping encrypted pages belonging to one VM into another's address space. Additionally, SEV-SNP introduces a virtual machine privilege level (VMPL) feature, allowing a VM to run different execution contexts at distinct trust levels, and it cryptographically signs attestation reports with a chip-unique key, enabling a remote party to verify the entire software state of the protected VM.

CONFIDENTIAL COMPUTING COMPARISON

AMD SEV-SNP vs. Intel TDX vs. Intel SGX

A technical comparison of three major hardware-based Trusted Execution Environment implementations for protecting data in use.

FeatureAMD SEV-SNPIntel TDXIntel SGX

Protection Granularity

Full VM

Full VM

Application-level enclave

Integrity Protection

Memory Encryption Engine

AES-128 (inline)

AES-XTS 128-bit

AES (Memory Encryption Engine)

Reverse Mapping Table

Hypervisor in TCB

Code Modification Required

Enclave Size Limit

VM memory size

VM memory size

256 MB (EPC)

Attestation Protocol

SEV-SNP Guest Attestation

TDX Guest Attestation

SGX DCAP / ECDSA

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.