AMD SEV-SNP extends the Secure Encrypted Virtualization architecture by adding a Reverse Map Table to enforce memory integrity. This hardware structure prevents a compromised hypervisor from replaying stale encrypted pages, remapping guest memory, or performing alias-based attacks, creating a strong Trusted Execution Environment for entire virtual machines without requiring application code modifications.
Glossary
AMD SEV-SNP

What is AMD SEV-SNP?
AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) is a hardware security feature that encrypts virtual machine memory and adds strong integrity protection to prevent malicious hypervisor-based attacks like data replay and memory remapping.
SEV-SNP introduces an attestation report signed by the AMD Platform Security Processor, enabling remote parties to cryptographically verify the VM's initial state and identity before provisioning secrets. This hardware root of trust underpins Confidential Computing use cases, allowing sensitive workloads to run securely in untrusted cloud environments with protection against active hypervisor threats.
Key Features of AMD SEV-SNP
AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) extends prior SEV iterations by adding strong memory integrity protection, preventing a range of sophisticated hypervisor-based attacks against confidential virtual machines.
Full Memory Encryption
SEV-SNP encrypts the entire contents of a virtual machine's memory using an AES-128 engine integrated into the AMD system-on-a-chip (SoC). Each VM is assigned a unique encryption key managed by the AMD Secure Processor (AMD-SP) , ensuring that data remains encrypted even when resident in DRAM. This prevents the hypervisor or a rogue administrator with physical access from reading plaintext VM memory.
- Key Isolation: Encryption keys are never accessible to the host OS or hypervisor.
- Transparent Operation: Encryption and decryption occur inline during memory accesses with minimal performance impact.
Strong Memory Integrity (RMP)
SEV-SNP introduces the Reverse Map Table (RMP) , a hardware-enforced data structure that tracks page ownership and prevents malicious remapping. The RMP guarantees that a guest VM's physical memory page can only be mapped at the correct guest physical address, neutralizing data replay and memory aliasing attacks that previously exploited SEV-ES.
- Page Validation: The VM must explicitly accept a page before it becomes usable, preventing the hypervisor from injecting unvalidated data.
- Immutable Ownership: Once a page is assigned to a VM, the hypervisor cannot alter its mapping without triggering a fault.
Cryptographic Attestation
SEV-SNP provides a robust attestation mechanism that allows a remote party to cryptographically verify the identity and integrity of the VM before provisioning secrets. The AMD Secure Processor generates a signed attestation report containing the VM's launch digest—a hash of the initial guest firmware, kernel, and configuration.
- VMPL-based Signing: The report is signed by a Versioned Chip Endorsement Key (VCEK) , binding the attestation to a specific processor.
- Guest-Requested Reports: The VM itself can request an attestation report at any time, enabling ongoing trust verification.
Interrupt Protection
SEV-SNP extends the register state protection introduced in SEV-ES by adding hardware safeguards against malicious interrupt injection. The architecture restricts the injection of interrupts and exceptions to only those vectors explicitly allowed by the guest VM, preventing the hypervisor from manipulating the guest's control flow through crafted interrupt sequences.
- Restricted Injection: The hypervisor can only inject a predefined subset of interrupt vectors.
- Event Injection Validation: The hardware validates the event type and vector against the guest's configuration before delivery.
Virtual Machine Privilege Levels (VMPL)
SEV-SNP introduces VMPLs, an architectural feature that allows a single guest VM to run code at multiple privilege levels within the confidential boundary. This enables the guest to isolate sensitive operations—such as attestation report generation or key management—from the bulk of the guest OS, creating a secure enclave-like abstraction within the VM itself.
- In-Guest Isolation: VMPL0 can run a minimal security monitor, while VMPL1 runs the main OS kernel.
- Secure Services: Enables confidential computing patterns where a small, trusted service component is shielded from a larger, potentially compromised guest.
Secure Nested Paging
The Secure Nested Paging (SNP) table is a hardware-managed second-level address translation structure that enforces the memory integrity guarantees. Unlike a traditional hypervisor-managed nested page table, the SNP table is validated and locked by the AMD Secure Processor, ensuring that the hypervisor cannot create unauthorized mappings or redirect guest memory accesses to malicious pages.
- Hardware-Enforced Mapping: The RMP and SNP tables work in concert to validate every memory access.
- Page State Tracking: The hardware tracks whether a page is private to the VM, shared with the hypervisor, or in a transitional state.
Frequently Asked Questions
Clear, technically precise answers to the most common questions about AMD Secure Encrypted Virtualization-Secure Nested Paging, its threat model, and its role in confidential computing.
AMD SEV-SNP (Secure Encrypted Virtualization-Secure Nested Paging) is a hardware security feature integrated into AMD EPYC processors that provides strong memory integrity protection for virtual machines, preventing malicious hypervisor-based attacks. It works by adding a hardware-enforced, reverse-map table structure to standard SEV memory encryption. This structure cryptographically binds each guest physical page to a specific virtual machine, creating an immutable ownership record. When the processor accesses memory, it verifies this binding, which prevents the hypervisor from remapping encrypted pages belonging to one VM into another's address space. Additionally, SEV-SNP introduces a virtual machine privilege level (VMPL) feature, allowing a VM to run different execution contexts at distinct trust levels, and it cryptographically signs attestation reports with a chip-unique key, enabling a remote party to verify the entire software state of the protected VM.
AMD SEV-SNP vs. Intel TDX vs. Intel SGX
A technical comparison of three major hardware-based Trusted Execution Environment implementations for protecting data in use.
| Feature | AMD SEV-SNP | Intel TDX | Intel SGX |
|---|---|---|---|
Protection Granularity | Full VM | Full VM | Application-level enclave |
Integrity Protection | |||
Memory Encryption Engine | AES-128 (inline) | AES-XTS 128-bit | AES (Memory Encryption Engine) |
Reverse Mapping Table | |||
Hypervisor in TCB | |||
Code Modification Required | |||
Enclave Size Limit | VM memory size | VM memory size | 256 MB (EPC) |
Attestation Protocol | SEV-SNP Guest Attestation | TDX Guest Attestation | SGX DCAP / ECDSA |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Core concepts and complementary technologies that form the foundation of hardware-enforced data-in-use protection alongside AMD SEV-SNP.
Attestation
The cryptographic process by which an AMD SEV-SNP platform proves its identity, integrity, and security posture to a remote relying party before that party provisions secrets or trusts the VM's outputs.
- SEV-SNP uses an AMD-rooted certificate chain to sign attestation reports
- Reports include the launch digest (measurement of initial VM state)
- Verifiers can confirm firmware version, platform TCB status, and guest policy
- Essential for establishing trust before injecting decryption keys or sensitive data
Intel TDX
Intel's competing VM-level Trusted Execution Environment that, like AMD SEV-SNP, protects entire virtual machines from the hypervisor. Both technologies enable lift-and-shift confidential computing without application code modification.
- Intel TDX uses multi-key total memory encryption and integrity protection
- SEV-SNP and TDX share architectural goals but differ in implementation details
- Both support remote attestation and encrypted live migration
- Choosing between them often depends on existing hardware vendor relationships
Confidential VM
A full virtual machine instance running inside a hardware-backed TEE like AMD SEV-SNP. The hypervisor manages CPU scheduling and memory allocation but cannot read or modify VM memory contents.
- Entire VM memory space is encrypted with AES-128-XEX
- SEV-SNP adds Reverse Map Table integrity protection to prevent remapping attacks
- Guest owner can verify VM state via attestation before booting
- Enables migration of legacy workloads into confidential environments without refactoring
Trusted Computing Base (TCB)
The set of all hardware, firmware, and software components critical to a system's security. A vulnerability in any TCB component can compromise the entire system's security guarantees.
- AMD SEV-SNP minimizes the TCB by excluding the hypervisor from the trust boundary
- The TCB includes the AMD Secure Processor, SEV firmware, and the guest VM itself
- AMD reports TCB version in attestation reports for verifiable patch status
- Reducing TCB size is a primary goal of confidential computing architectures
Side-Channel Attack
A non-invasive attack that exploits physical information leakage—such as timing, power consumption, cache access patterns, or electromagnetic emissions—to extract secrets from a theoretically secure environment.
- SEV-SNP includes mitigations against certain speculative execution attacks
- Page table side-channels are addressed through restricted injection and validation
- No hardware TEE is immune; defense-in-depth strategies remain essential
- Ongoing research examines microarchitectural side-channels specific to SEV implementations

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us