SEV is a virtual machine-based confidential computing solution; it protects data-in-use by creating a Trusted Execution Environment that is defined by the boundaries of the confidential VM. SEV uses one key per virtual machine to isolate guests and the hypervisor from one another. The keys are managed by the AMD Secure Processor. SEV requires enablement in the guest operating system and hypervisor. The guest changes allow the VM to indicate which pages in memory should be encrypted. The hypervisor changes use hardware virtualization instructions and communication with the AMD Secure Processor to manage the appropriate keys in the memory controller. AMD has evolved SEV to add new features and new capabilities with each generation of AMD EPYC server CPUs to help address the evolving security landscape. These enhancements are described below.
Encrypted State (ES) – formerly known as SEV-ES
SEV-ES encrypts all CPU register contents when a VM stops running. This prevents the leakage of information in CPU registers to components like the hypervisor and can even detect malicious modifications to CPU register state.
Secure Nested Paging (SNP) – formerly known as SEV-SNP
SEV-SNP adds strong memory integrity protection to help prevent malicious hypervisor-based attacks like data replay, memory re-mapping, and more to create an isolated execution environment. Also, SEV-SNP introduces several additional optional security enhancements designed to support additional VM use models, offer stronger protection around interrupt behavior, and offer increased protection against recently disclosed side channel attacks.
Trusted I/O (TIO) – formerly known as SEV-TIO
SEV-TIO extends the Trusted Execution Environment (TEE) created by SEV to include PCIe devices (NICs, accelerators, storage) using the PCI-SIG defined TEE Device Interface Security Protocol (TDISP). TDISP defines new protocols and functions of devices that enable them to authenticate themselves, prevent traffic interception or masquerading on the PCIe fabric, attest to their configuration, and isolate guest workloads from device controls available to host drivers.
AMD Transparent Secure Memory Encryption (TSME)
TSME uses a single key to encrypt system memory. The key is generated by the AMD Secure Processor at boot. SME requires enablement in the system BIOS or operating system. When enabled in the BIOS, memory encryption is transparent and can be run with any operating system.
SEV Functionality and Capabilities for Each AMD EPYC™ Server CPU Generation
| AMD EPYC Server CPU Generation | New Features | New Capabilities |
|---|---|---|
| AMD EPYC™ 7001 | Encrypted State via confidential VMs | 128-bit AES XEX encryption; 128 threads; 15 keys |
| AMD EPYC™ 7002 | Encrypted CPU registers via Encrypted State (ES) | 256 Threads; 509 Keys; Enhanced scalability |
| AMD EPYC™ 7003 | Hypervisor isolation and guest attestation support via Secure Nested Paging (SNP) | |
| AMD EPYC™ 8004 & 9004 | Memory Encryption for CXL attached memory | Stronger 256-bit AES-XTS encryption; 512 Threads; 1006 Keys; Support for up to 63 Multi Host Keys |
| AMD EPYC™ 9005 | Trusted I/O via TDISP (formerly SEV-TIO) | Segmented RMP; Secure AVIC; Performance Counter (PMC) Virtualization; Guest Intercept Controls; Ciphertext Hiding |
White Papers & Specifications
| Document | Description | Revision | Date |
|---|---|---|---|
| SEV-TIO Firmware Interface Specification | Specifies the Trusted I/O extension to the SEV firmware. The TIO extension provides a mechanism for guests to bind to and use trusted devices within their guest private address space. | 0.91 | July 2025 |
| SEV-SNP Platform Attestation Using VirTEE/SEV | The VirTEE/SEV crate offers a Rust-friendly, simple-to-use API for interfacing with the AMD Secure Processor included within 3rd Gen and newer AMD EPYC processors. | 1.2 | July 2023 |
| SEV-TIO-Whitepaper | Overview of Trusted I/O technology for improved I/O performance and security in AMD SEV guests | | March 2023 |
| Versioned Chip Endorsement Key (VCEK) Certificate and KDS Interface Specification | Introduction to the VCEK certificate and the KDS interface used to retrieve the certificate. | 1.00 | January 2025 |
| Guest Hypervisor Communication Block (GHCB) Standardization | Standardizes the Guest-Hypervisor Communication Block (GHCB) format and specifies the required exit support and associated guest state to be provided in the GHCB to allow interoperability between hypervisors and SEV-ES guests. | 2.04 | January 2025 |
| SEV Secure Nested Paging Firmware ABI Specification | Documents the API available to the host hypervisor for management of SNP-active guests. | 1.58 | May 2025 |
| SVSM Specification | Secure VM Service Module (SVSM) for SEV Guests | 1.0 | July 2023 |
| AMD Memory Encryption | Introduction to Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV). | | October 2021 |
| Secure Encrypted Virtualization API | Documents the API available to the host hypervisor for management of keys and secure data transfer between host hypervisor and guest VM memory | 3.24 | April 2020 |
| AMD64 Architecture Programmer’s Manual Volume 2 | Describes the AMD64 architecture’s resources and functions that are managed by system software. Note sections | 3.43 | June 2025 |
| AMD SEV-SNP | Strengthening VM isolation with integrity protection and more. | | January 2020 |
| OpenStack: libvirt driver launching AMD SEV-encrypted instances | Proposes work required in order for nova’s libvirt driver to support launching of KVM instances which are encrypted using AMD’s SEV (Secure Encrypted Virtualization) technology. | | January 2019 |
| Protecting VM Register State With SEV-ES | Technical overview of the Encrypted State SEV-ES feature, the principles behind the architecture, and protections offered to further isolate encrypted VMs. | | February 2017 |
Links & Downloads
| Link | Description |
|---|---|
| https://github.com/AMDESE/AMDSEV | Linux open source code under development |
| Confidential Containers | Confidential Containers (CoCo) Project |
| Using AMD Secure Memory Encryption with Oracle Linux | Oracle UEK support for SME and SEV. |
| SUSE: AMD Secure Encrypted Virtualization (AMD-SEV) Guide | Provides a basic understanding of how SEV works, how to enable and configure it, and some of the limitations and restrictions that its use causes as compared to non-encrypted virtualization. |
| ask_ark_naples.cert | ASK/ARK certificates for EPYC 7xx1 (Naples) |
| ask_ark_rome.cert | ASK/ARK certificates for EPYC 7xx2 (Rome) |
| ask_ark_milan.cert | ASK/ARK certificates for EPYC 7xx3 (Milan) |
| ask_ark_genoa.cert | ASK/ARK certificates for EPYC 9xx4 (Genoa) |
| ask_ark_prod_turin.cert | ASK/ARK certificates for EPYC 9xx5 (Turin) |
| amd_sev_fam17h_model01h_0.17.48.zip | SEV firmware 0.17.48 [hex 00.11.30] for EPYC 7xx1 (Naples) |
| amd_sev_fam17h_model3xh_0.24.20.zip | SEV firmware 0.24.20 [hex 00.18.14] for EPYC 7xx2 (Rome) |
| amd_sev_fam19h_model0xh_1.55.36.zip | SEV firmware 1.55.36 [hex 1.37.24] for EPYC 7xx3 (Milan) |
| amd_sev_fam19h_model1xh_1.55.49.zip | SEV firmware 1.55.49 [hex 1.37.31] for EPYC 9xx4 (Genoa) |
| amd_sev_fam1ah_model0xh_1.55.65.zip | SEV firmware 1.55.65 [hex 1.37.41] for EPYC 9xx5 (Turin) |
| CEK certificate web page | Interactive tool for obtaining CEK certificate. Also available as https://kdsintf.amd.com/cek/id/<GetIDValue> |
| https://github.com/AMDESE/sev-tool | Deprecated AMD SEV Tool for managing SEV platform certificates |
Technical Presentations
| Forum | Presentation | Date |
|---|---|---|
| Linux Security Summit (2022) | Secure Nested Paging Attestation: Establishing Trust in Guests | September 2022 |
| KVM Forum (2022) | Providing Confidential Guest Services with a Secure VM Service Module on AMD | September 2022 |
| Linux Security Summit (2021) | Secure Nested Paging Development Update | September 2021 |
| KVM Forum (2021) | Protecting from Malicious Hypervisor Using Secure Nested Paging | September 2021 |
| Linux Security Summit (2019) | Upcoming x86 Technologies for Malicious Hypervisor Protection | November 2019 |
| KVM Forum (2019) | Secure Encrypted Virtualization – What’s Next? | November 2019 |
| Linux Security Summit (2019) | Enarx – Attested, Secured Execution with AMD’s SEV | August 2019 |
| Linux Security Summit (2018) | AMD Encrypted Virtualization Update | November 2018 |
| KVM Forum (2018) | Extending Secure Encrypted Virtualization with Encrypted State | October 2018 |
| Linux Security Summit (2017) | Protecting VM Register State with Encrypted State | September 2017 |
| Linux Security Summit (2016) | AMD x86 Memory Encryption Technologies | December 2016 |
| KVM Forum (2016) | AMD’s Virtualization Memory Encryption Technology | September 2016 |
| Xen Summit | AMD’s Virtualization Memory Encryption Technology | September 2016 |
| Usenix Security Symposium | AMD x86 Memory Encryption Technologies | August 2016 |
User Guides
| Document | Date |
|---|---|
| Using SEV with AMD EPYC™ Processors | October 2023 |
| Solving the Cloud Trust Problem with WinMagic and AMD EPYC Hardware Memory Encryption | October 2018 |
| Enhance your Cloud Security with AMD EPYC Hardware Memory Encryption | October 2018 |