Inferensys

Glossary

Secure Encrypted Virtualization (SEV)

A hardware feature from AMD that encrypts the memory of a virtual machine with a key unique to that VM, protecting it from the hypervisor and other VMs on the same physical host.
Data engineer managing feature store on laptop, feature definitions visible, casual data engineering session.
HARDWARE MEMORY ENCRYPTION

What is Secure Encrypted Virtualization (SEV)?

Secure Encrypted Virtualization is an AMD hardware feature that encrypts the memory of individual virtual machines with unique, hardware-generated keys, isolating them from the hypervisor and other VMs on the same physical host.

Secure Encrypted Virtualization (SEV) is a hardware-based security technology integrated into AMD EPYC processors that encrypts the memory of each virtual machine using a unique encryption key managed by the AMD Secure Processor. This architectural isolation ensures that the hypervisor—even if compromised—cannot access the plaintext memory of a guest VM, protecting data in use from privileged insider threats and multi-tenant cloud attacks.

SEV operates by tagging data with a VM-specific key in the on-chip memory controller, so any attempt by the hypervisor or another VM to read encrypted memory pages results in unintelligible ciphertext. The encryption keys are generated and managed entirely within the dedicated Platform Security Processor (PSP), a discrete ARM core on the AMD SoC, ensuring the host operating system and hypervisor have no visibility into the cryptographic material.

HARDWARE-ENFORCED MEMORY ENCRYPTION

Key Features of AMD SEV

AMD Secure Encrypted Virtualization (SEV) provides a foundational set of hardware capabilities that isolate virtual machines from the hypervisor. These features encrypt VM memory with per-VM keys, ensuring data-in-use confidentiality in shared cloud environments.

01

Per-VM Memory Encryption Keys

Each virtual machine is assigned a unique AES-128 encryption key managed by the AMD Secure Processor. This key encrypts the VM's entire memory space, making data unintelligible to the hypervisor, other VMs, or any unauthorized entity on the physical host.

  • Key Isolation: The hypervisor never has access to the plaintext encryption key.
  • Hardware Root of Trust: Key generation and management occur within the dedicated AMD Secure Processor, a separate ARM core on the CPU die.
  • Transparent Operation: Encryption and decryption happen in-line at the memory controller with minimal performance overhead.
AES-128
Encryption Standard
02

Hypervisor Isolation

SEV fundamentally changes the trust model of virtualization by removing the hypervisor from the Trusted Computing Base (TCB). Even a compromised or malicious hypervisor cannot read the plaintext memory of a protected guest VM.

  • Privilege De-escalation: The hypervisor retains control over scheduling and resource allocation but loses visibility into VM memory contents.
  • Mitigation of Insider Threats: Protects against rogue cloud administrators with physical or administrative access to the host.
  • Register State Protection: Guest VM CPU registers are also encrypted during context switches to prevent information leakage.
03

Secure Encrypted Virtualization - Encrypted State (SEV-ES)

SEV-ES extends the base SEV protection by encrypting the guest VM's CPU register state on each hypervisor transition. This prevents the hypervisor from inspecting register values during VM exits caused by interrupts or I/O operations.

  • Control Flow Integrity: Prevents the hypervisor from manipulating the guest's instruction pointer or stack pointer.
  • Automatic State Encryption: The hardware automatically encrypts and decrypts register state during VMRUN and VMEXIT operations.
  • Exception Handling: Even during guest-triggered exceptions, the register state presented to the hypervisor is encrypted.
04

Secure Nested Paging (SEV-SNP)

SEV-SNP adds memory integrity protection to prevent malicious hypervisor attacks like data replay, memory remapping, and page table tampering. It introduces a Reverse Map Table (RMP) managed by the Secure Processor.

  • Reverse Map Table (RMP): Tracks ownership and permissions for every physical page assigned to a guest, enforcing that a page can only be mapped into one guest at a time.
  • Page Validation: The guest VM can cryptographically validate the contents and permissions of a page before accepting it into its address space.
  • Replay Attack Prevention: Prevents the hypervisor from substituting a stale, previously valid page to trick the guest.
05

Cryptographic Attestation

SEV-SNP provides a hardware-rooted attestation mechanism that allows a guest VM owner to cryptographically verify the integrity of the firmware, hypervisor, and initial VM state before provisioning secrets.

  • Remote Attestation Flow: The AMD Secure Processor signs a measurement report containing the SHA-384 hash of the initial guest memory and firmware.
  • Identity Key (IDK): A unique, chip-specific key used to sign attestation reports, verifiable against AMD's Certificate Authority chain.
  • Guest-Requested Attestation: The guest VM can request an attestation report at any time to prove its ongoing integrity to external services.
06

Live Migration with Confidentiality

SEV-SNP supports the live migration of confidential VMs between physical hosts without exposing plaintext memory. The migration process maintains encryption and integrity throughout the transfer.

  • Migration Agent (MA): A privileged helper within the guest that orchestrates the secure transfer of encrypted pages.
  • Page Re-encryption: Memory pages are re-encrypted with a transport key before leaving the source host and re-encrypted with the destination VM's key upon arrival.
  • Attested Destination: The source VM can attest the destination platform before initiating the migration to ensure it is a genuine, trusted AMD SEV-SNP host.
SECURE ENCRYPTED VIRTUALIZATION

Frequently Asked Questions

Clear, technical answers to the most common questions about AMD Secure Encrypted Virtualization (SEV), its extensions, and its role in confidential computing for sovereign AI infrastructure.

AMD Secure Encrypted Virtualization (SEV) is a hardware-based memory encryption feature integrated into AMD EPYC processors that cryptographically isolates a virtual machine (VM) from the hypervisor and other VMs on the same physical host. It works by integrating an AES-128 encryption engine directly into the on-die memory controller. During a VM's creation, the AMD Secure Processor (AMD-SP), a dedicated ARM-based security co-processor, generates a unique VM Encryption Key (VEK). All data written by that specific VM to DRAM is transparently encrypted with its VEK, and decrypted when read back. This means that even if the hypervisor—which is responsible for managing memory—is compromised or malicious, it can only access the encrypted ciphertext, not the plaintext data. This protects data-in-use from privileged insider threats, making SEV a foundational technology for confidential computing in sovereign cloud deployments where the infrastructure operator must be excluded from the trust boundary.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.