Inferensys

Glossary

AMD SEV-SNP

An extension of AMD Secure Encrypted Virtualization that adds memory integrity protection and prevents malicious hypervisor-based attacks like data replay and memory remapping.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
SECURE NESTED PAGING

What is AMD SEV-SNP?

AMD SEV-SNP (Secure Encrypted Virtualization-Secure Nested Paging) is a hardware-based Trusted Execution Environment that extends memory encryption with strong memory integrity protection, preventing malicious hypervisor attacks like data replay, corruption, and memory remapping.

AMD SEV-SNP builds upon the foundational Secure Encrypted Virtualization (SEV) architecture by adding a reverse map table structure in the on-die memory controller. This hardware-enforced mechanism cryptographically verifies that the physical memory page a VM accesses is the exact page it is authorized to access, creating an implicit trust relationship between the guest and the hardware while completely distrusting the hypervisor.

The technology introduces VM Privilege Levels (VMPLs) to enable secure interrupt and exception handling within the guest, and an attestation report signed by the AMD Platform Security Processor (PSP) that provides a cryptographic measurement of the initial guest state. This allows a remote party to verify the VM is running unmodified code in a genuine AMD SEV-SNP environment before provisioning secrets.

SECURE NESTED PAGING

Key Features of AMD SEV-SNP

AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) extends the SEV architecture with strong memory integrity protection, preventing a range of hypervisor-based attacks to create a hardened Trusted Execution Environment for confidential computing workloads.

01

Memory Integrity Protection

SEV-SNP adds a new hardware-based data structure called the Reverse Map Table (RMP). The RMP tracks ownership of every physical page assigned to a guest VM. The processor checks the RMP on every memory access, preventing the hypervisor from maliciously remapping or aliasing guest memory pages. This directly mitigates data corruption and memory remapping attacks that were possible under previous SEV versions.

02

Hardware-Based Attestation

SEV-SNP introduces a strong, hardware-rooted attestation flow. The AMD Secure Processor generates a signed attestation report containing a cryptographic hash of the guest's initial memory state and firmware. A remote party can verify this report against AMD's certificate chain to cryptographically prove the VM is running the expected software in a genuine AMD SEV-SNP environment, establishing a hardware root of trust.

03

Protection Against Malicious Hypervisors

The core threat model for SEV-SNP treats the hypervisor as actively malicious. The architecture provides specific defenses against sophisticated hypervisor attacks:

  • Data Replay Protection: Prevents the hypervisor from replaying stale encrypted memory pages.
  • Memory Aliasing Prevention: The RMP stops the hypervisor from mapping two guest addresses to the same physical page.
  • Interrupt Injection Control: A restricted injection model prevents the hypervisor from using interrupt vectors to manipulate guest execution flow.
04

Virtual Machine Privilege Levels (VMPLs)

SEV-SNP introduces VMPLs, a feature that allows a single guest VM to be partitioned into up to four distinct security domains, analogous to x86 ring levels but enforced by the SEV hardware. This enables a secure supervisor to run within the same VM as a less-trusted guest OS kernel, creating a virtualized Trusted Execution Environment without the overhead of a full nested hypervisor.

05

Page Validation and Lazy Acceptance

To prevent the hypervisor from injecting malicious data into uninitialized memory, SEV-SNP requires the guest to explicitly validate each memory page before use. The guest issues a PVALIDATE instruction, which sets the page's status in the RMP. This lazy acceptance model ensures the guest only accepts memory it has verified, closing a class of attacks based on pre-populating memory with attacker-controlled data.

06

Interrupt Security with Restricted Injection

SEV-SNP fundamentally changes interrupt delivery to prevent the hypervisor from injecting malicious interrupts. The architecture provides a Restricted Injection model where the guest can opt to receive interrupts only from a trusted entity, such as a paravisor or the AMD Secure Processor itself. This prevents the hypervisor from using event injection to hijack the guest's control flow or leak register state.

GENERATIONAL COMPARISON

AMD SEV vs. SEV-ES vs. SEV-SNP

Technical comparison of AMD Secure Encrypted Virtualization features across three generations, showing the progressive hardening of the Trusted Computing Base against hypervisor-based threats.

FeatureSEVSEV-ESSEV-SNP

Memory Encryption

Full VM memory encryption with per-VM key

Full VM memory encryption with per-VM key

Full VM memory encryption with per-VM key

Register State Protection

Integrity Protection

Replay Protection

Memory Remapping Defense

Reverse Map Table (RMP)

Attestation

SEV attestation report

SEV-ES attestation report

SEV-SNP attestation report with ID block

Page-Level Encryption

AES-128

AES-128

AES-256

Hypervisor Trust Model

Semi-trusted

Untrusted for registers

Fully untrusted

Guest Interrupt Handling

Hypervisor-managed

Automatic with VMSA

Restricted injection model

Side-Channel Mitigations

Minimal

Moderate

Extensive

TCB Size

Large (includes hypervisor)

Medium

Small (excludes hypervisor)

Live Migration Support

Supported

Supported

Supported with migration agents

Hardware Generation

AMD EPYC 1st Gen (Naples)

AMD EPYC 2nd Gen (Rome)

AMD EPYC 3rd Gen+ (Milan and later)

AMD SEV-SNP CLARIFIED

Frequently Asked Questions

Precise answers to the most common technical questions about AMD Secure Encrypted Virtualization-Secure Nested Paging, its threat model, and its role in confidential computing for sovereign AI infrastructure.

AMD SEV-SNP (Secure Encrypted Virtualization-Secure Nested Paging) is a hardware-based Trusted Execution Environment (TEE) extension that provides strong memory integrity protection for virtual machines, preventing malicious hypervisor-based attacks. It works by adding a hardware-enforced reverse map table to the memory controller, which cryptographically verifies that the physical memory page accessed by a guest VM matches the page the hypervisor mapped. This prevents data replay, memory remapping, and page table tampering. Each VM runs with a unique encryption key managed by the AMD Secure Processor, ensuring that even a compromised hypervisor cannot read or alter the VM's data in use. SEV-SNP also introduces an attestation mechanism, allowing a remote party to cryptographically verify the VM's initial state and identity before provisioning secrets.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.