AMD SEV-SNP
What it is
AMD Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP) is AMD's VM-granularity trusted execution environment. It is available on AMD EPYC processors from the 3rd generation (Milan) onward, with successive generations adding further isolation primitives.
Per AMD's SEV-SNP documentation:
- Memory encryption for guest VM with integrity protection.
- Reverse Map Table (RMP) — defends against malicious-hypervisor attacks by tracking the legitimate owner of each page.
- VMPLs (Virtual Machine Privilege Levels) — additional isolation domains within a guest VM (e.g. for paravisor / host-trusted components).
- Attestation — hardware-rooted measurement of the guest VM's initial state.
SEV-SNP is one of the two production VM-TEE substrates competing with Intel TDX; both are CVM implementations with different vendor lineages and architectural details.
Lineage: SEV → SEV-ES → SEV-SNP
AMD's confidential-VM stack evolved across three generations:
| Generation | Year | Key addition |
|---|---|---|
| SEV | 2017 | Memory encryption per VM; weak attacker model |
| SEV-ES | 2020 | Encrypted register state on VMEXIT |
| SEV-SNP | 2021 | Integrity protection (RMP); defends against malicious hypervisor |
SEV-SNP is the production-relevant variant. Earlier SEV / SEV-ES had known integrity flaws that allowed a malicious hypervisor to swap encrypted-VM pages.
Architectural role
```
┌─────────────────────────────────┐
│ Application binary (attested)   │ ← runs inside the SEV-SNP guest
├─────────────────────────────────┤
│ Guest OS (also inside)          │
├─────────────────────────────────┤
│ AMD-SP firmware                 │ ← enforces RMP / encryption
├─────────────────────────────────┤
│ Host hypervisor (untrusted)     │
├─────────────────────────────────┤
│ Host OS (untrusted)             │
├─────────────────────────────────┤
│ Hardware (AMD CPU + memory)     │
└─────────────────────────────────┘
```
The hypervisor manages VM scheduling, paging, and I/O — but the RMP prevents it from swapping encrypted pages or reading guest state.
Side-channel research
The 2026-05-27 Google post cites SNPeek as a recent side-channel result against SEV-SNP:
"Researchers regularly discover side-channel vulnerabilities that can be leveraged by an attacker to either invalidate TEE guarantees, or application-level specific guarantees ([SNPeek][SEV-SNP], [TDXray][TDX])."
SNPeek is itself Google Research output — Side-channel analysis for privacy applications on confidential VMs. Like TDXray for TDX, it demonstrates that VM-TEE substrates have ongoing side-channel surfaces that motivate composition with cryptographic privacy layers.
Use in production privacy architectures
| System | Role |
|---|---|
| systems/google-confidential-federated-analytics | SEV-SNP (or TDX) hosts the secure-aggregation binary |
| systems/whatsapp-private-processing | Comparable TEE-VM hosts LLM inference |
| AWS / Azure / GCP confidential VMs | All three clouds offer SEV-SNP-backed CVM products |
Attestation flow
SEV-SNP attestation produces a signed report containing:
- Measurement — hash of the guest's initial memory + register state.
- VMPL — the privilege level the guest is running at.
- TCB version — patch-level of the AMD-SP firmware.
- Chip ID — identifies the specific physical CPU.
- AMD-SP signature — rooted in AMD's signing keys.
Verifiers check the report against:
- Signature chain validity to AMD's root.
- Measurement match against expected guest-binary digest.
- TCB-version freshness (no unpatched vulnerabilities).
- Nonce match (anti-replay).
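
The verifier checks above, sketched as an added example (not code from AMD or from any system this page describes). It reads fields at their offsets in the 0x4A0-byte report structure defined by AMD's SEV-SNP firmware ABI. Assumptions: the Milan/Genoa TCB byte layout, a guest that places SHA-512(nonce) in REPORT_DATA, and a signature-chain check done elsewhere whose result is passed in as `signature_chain_ok`; all function names are hypothetical.

```python
import hashlib
import hmac
import struct

# Field offsets inside the 0x4A0-byte ATTESTATION_REPORT structure.
REPORT_LEN = 0x4A0
OFF_VMPL, OFF_REPORT_DATA, OFF_MEASUREMENT, OFF_REPORTED_TCB = 0x30, 0x50, 0x90, 0x180

def parse_report(raw: bytes) -> dict:
    if len(raw) != REPORT_LEN:
        raise ValueError("unexpected report length")
    return {
        "vmpl": struct.unpack_from("<I", raw, OFF_VMPL)[0],
        "report_data": raw[OFF_REPORT_DATA:OFF_REPORT_DATA + 64],
        "measurement": raw[OFF_MEASUREMENT:OFF_MEASUREMENT + 48],
        "reported_tcb": raw[OFF_REPORTED_TCB:OFF_REPORTED_TCB + 8],
    }

def tcb_parts(tcb: bytes) -> dict:
    # Assumed Milan/Genoa layout: one SVN byte per component, bytes 2-5 reserved.
    return {"bootloader": tcb[0], "tee": tcb[1], "snp": tcb[6], "microcode": tcb[7]}

def appraise(raw, signature_chain_ok, expected_measurement, min_tcb, nonce):
    """Return the list of failed checks; an empty list means accept."""
    if not signature_chain_ok:
        return ["signature"]  # unsigned fields cannot be trusted, stop here
    r = parse_report(raw)
    failures = []
    if not hmac.compare_digest(r["measurement"], expected_measurement):
        failures.append("measurement")
    got, need = tcb_parts(r["reported_tcb"]), tcb_parts(min_tcb)
    # Each component must meet its own floor. Comparing the raw 64-bit value
    # would let a high microcode SVN hide an outdated SNP firmware SVN.
    if any(got[k] < need[k] for k in need):
        failures.append("tcb")
    # Assumed convention: the guest binds the verifier's nonce via REPORT_DATA.
    if not hmac.compare_digest(r["report_data"], hashlib.sha512(nonce).digest()):
        failures.append("nonce")
    return failures

def build_sample(measurement: bytes, tcb: bytes, nonce: bytes, vmpl: int = 0) -> bytes:
    """Constructed, unsigned report for the demo: zero-filled except these fields."""
    raw = bytearray(REPORT_LEN)
    struct.pack_into("<I", raw, OFF_VMPL, vmpl)
    raw[OFF_REPORT_DATA:OFF_REPORT_DATA + 64] = hashlib.sha512(nonce).digest()
    raw[OFF_MEASUREMENT:OFF_MEASUREMENT + 48] = measurement
    raw[OFF_REPORTED_TCB:OFF_REPORTED_TCB + 8] = tcb
    return bytes(raw)
```

A real verifier obtains `signature_chain_ok` by validating the report signature against the chip's endorsement key certificate and that certificate's chain to AMD's root before reading any field.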
Comparison to Intel TDX
| Property | AMD SEV-SNP | Intel TDX |
|---|---|---|
| Available since | 2021 (Milan) | 2023 (Sapphire Rapids) |
| Memory-integrity primitive | RMP | Per-page integrity counter |
| Privilege levels | VMPLs (4) | TD-only |
| Side-channel research | SNPeek | TDXray |
| Cloud-provider availability | All major clouds | All major clouds |
| Programming model | VM lift-and-shift | VM lift-and-shift |
Both are roughly comparable from a workload-developer perspective; the choice is typically driven by cloud-provider availability and price / performance rather than threat-model differences.
Caveats
- Side-channel attacks are ongoing. SNPeek and similar research continue to surface microarchitectural leaks; AMD-SP firmware updates land but the discovery cadence is non-zero.
- Vendor-rooted trust. Attestation roots in AMD signing keys; compromise of AMD's signing infrastructure breaks the trust chain.
- Encryption performance overhead. ~5-10% for typical workloads; higher for memory-bandwidth-bound workloads.
- Confidential-IO support is generation-dependent. Newer EPYC generations add encrypted DMA / accelerator paths; earlier ones don't securely attest peripheral access.
- Earlier-generation SEV / SEV-ES are deprecated for confidential workloads. SEV-SNP is the production-grade variant; older SEV only protects against weaker attackers.
Seen in
- sources/2026-05-27-google-private-analytics-via-zero-trust-aggregation — SEV-SNP (or TDX) is the substrate for Google's confidential-federated-analytics aggregator; cited specifically alongside the SNPeek side-channel research as motivation for composing TEE with cryptographic privacy layers.
Related
- systems/intel-tdx — Intel's competing VM-TEE substrate
- systems/cvm-confidential-virtual-machine — generalising wiki concept SEV-SNP is one realisation of
- systems/snpeek-side-channel-research — Google Research's side-channel analysis of SEV-SNP
- concepts/trusted-execution-environment — TEE class
- concepts/remote-attestation — attestation primitive
- concepts/tee-side-channel-vulnerability — risk class SNPeek is in
- concepts/confidential-computing — the broader posture
- patterns/cryptography-plus-tee-defense-in-depth — the architectural response to ongoing side-channel risk
- patterns/tee-for-private-ai-inference — sibling use of SEV-SNP-class TEE