AMD SEV-SNP builds upon the foundational Secure Encrypted Virtualization (SEV) architecture by adding a reverse map table structure in the on-die memory controller. This hardware-enforced mechanism cryptographically verifies that the physical memory page a VM accesses is the exact page it is authorized to access, creating an implicit trust relationship between the guest and the hardware while completely distrusting the hypervisor.
Glossary
AMD SEV-SNP

What is AMD SEV-SNP?
AMD SEV-SNP (Secure Encrypted Virtualization-Secure Nested Paging) is a hardware-based Trusted Execution Environment that extends memory encryption with strong memory integrity protection, preventing malicious hypervisor attacks like data replay, corruption, and memory remapping.
The technology introduces VM Privilege Levels (VMPLs) to enable secure interrupt and exception handling within the guest, and an attestation report signed by the AMD Platform Security Processor (PSP) that provides a cryptographic measurement of the initial guest state. This allows a remote party to verify the VM is running unmodified code in a genuine AMD SEV-SNP environment before provisioning secrets.
Key Features of AMD SEV-SNP
AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) extends the SEV architecture with strong memory integrity protection, preventing a range of hypervisor-based attacks to create a hardened Trusted Execution Environment for confidential computing workloads.
Memory Integrity Protection
SEV-SNP adds a new hardware-based data structure called the Reverse Map Table (RMP). The RMP tracks ownership of every physical page assigned to a guest VM. The processor checks the RMP on every memory access, preventing the hypervisor from maliciously remapping or aliasing guest memory pages. This directly mitigates data corruption and memory remapping attacks that were possible under previous SEV versions.
Hardware-Based Attestation
SEV-SNP introduces a strong, hardware-rooted attestation flow. The AMD Secure Processor generates a signed attestation report containing a cryptographic hash of the guest's initial memory state and firmware. A remote party can verify this report against AMD's certificate chain to cryptographically prove the VM is running the expected software in a genuine AMD SEV-SNP environment, establishing a hardware root of trust.
Protection Against Malicious Hypervisors
The core threat model for SEV-SNP treats the hypervisor as actively malicious. The architecture provides specific defenses against sophisticated hypervisor attacks:
- Data Replay Protection: Prevents the hypervisor from replaying stale encrypted memory pages.
- Memory Aliasing Prevention: The RMP stops the hypervisor from mapping two guest addresses to the same physical page.
- Interrupt Injection Control: A restricted injection model prevents the hypervisor from using interrupt vectors to manipulate guest execution flow.
Virtual Machine Privilege Levels (VMPLs)
SEV-SNP introduces VMPLs, a feature that allows a single guest VM to be partitioned into up to four distinct security domains, analogous to x86 ring levels but enforced by the SEV hardware. This enables a secure supervisor to run within the same VM as a less-trusted guest OS kernel, creating a virtualized Trusted Execution Environment without the overhead of a full nested hypervisor.
Page Validation and Lazy Acceptance
To prevent the hypervisor from injecting malicious data into uninitialized memory, SEV-SNP requires the guest to explicitly validate each memory page before use. The guest issues a PVALIDATE instruction, which sets the page's status in the RMP. This lazy acceptance model ensures the guest only accepts memory it has verified, closing a class of attacks based on pre-populating memory with attacker-controlled data.
Interrupt Security with Restricted Injection
SEV-SNP fundamentally changes interrupt delivery to prevent the hypervisor from injecting malicious interrupts. The architecture provides a Restricted Injection model where the guest can opt to receive interrupts only from a trusted entity, such as a paravisor or the AMD Secure Processor itself. This prevents the hypervisor from using event injection to hijack the guest's control flow or leak register state.
AMD SEV vs. SEV-ES vs. SEV-SNP
Technical comparison of AMD Secure Encrypted Virtualization features across three generations, showing the progressive hardening of the Trusted Computing Base against hypervisor-based threats.
| Feature | SEV | SEV-ES | SEV-SNP |
|---|---|---|---|
Memory Encryption | Full VM memory encryption with per-VM key | Full VM memory encryption with per-VM key | Full VM memory encryption with per-VM key |
Register State Protection | |||
Integrity Protection | |||
Replay Protection | |||
Memory Remapping Defense | |||
Reverse Map Table (RMP) | |||
Attestation | SEV attestation report | SEV-ES attestation report | SEV-SNP attestation report with ID block |
Page-Level Encryption | AES-128 | AES-128 | AES-256 |
Hypervisor Trust Model | Semi-trusted | Untrusted for registers | Fully untrusted |
Guest Interrupt Handling | Hypervisor-managed | Automatic with VMSA | Restricted injection model |
Side-Channel Mitigations | Minimal | Moderate | Extensive |
TCB Size | Large (includes hypervisor) | Medium | Small (excludes hypervisor) |
Live Migration Support | Supported | Supported | Supported with migration agents |
Hardware Generation | AMD EPYC 1st Gen (Naples) | AMD EPYC 2nd Gen (Rome) | AMD EPYC 3rd Gen+ (Milan and later) |
Frequently Asked Questions
Precise answers to the most common technical questions about AMD Secure Encrypted Virtualization-Secure Nested Paging, its threat model, and its role in confidential computing for sovereign AI infrastructure.
AMD SEV-SNP (Secure Encrypted Virtualization-Secure Nested Paging) is a hardware-based Trusted Execution Environment (TEE) extension that provides strong memory integrity protection for virtual machines, preventing malicious hypervisor-based attacks. It works by adding a hardware-enforced reverse map table to the memory controller, which cryptographically verifies that the physical memory page accessed by a guest VM matches the page the hypervisor mapped. This prevents data replay, memory remapping, and page table tampering. Each VM runs with a unique encryption key managed by the AMD Secure Processor, ensuring that even a compromised hypervisor cannot read or alter the VM's data in use. SEV-SNP also introduces an attestation mechanism, allowing a remote party to cryptographically verify the VM's initial state and identity before provisioning secrets.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
AMD SEV-SNP is a foundational technology within the broader confidential computing landscape. These related terms cover the hardware, software, and cryptographic primitives that interact with or extend SEV-SNP to build complete sovereign AI infrastructure.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us