SUSE Linux Enterprise Server Documentation|Virtualization Guide|Managing virtual machines with libvirt|Enhancing virtual machine security with AMD SEV-SNP
Applies to SUSE Linux Enterprise Server 15 SP7

16 Enhancing virtual machine security with AMD SEV-SNP

  

You can enhance the security of your virtual machines with AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP). The AMD SEV-SNP feature isolates virtual machines from the host system and other VMs, protecting the data and code. This feature encrypts data and ensures that all changes with the code and data in the VM are detected or tracked. Since this isolates VMs, the other VMs or the host machine are not affected by threats.

This section explains the steps to enable and use AMD SEV-SNP on your AMD EPYC server with SUSE Linux Enterprise Server 15 SP7.

16.1 Supported hardware

  

A system with an AMD EPYC (3rd Gen or newer) is required to run AMD SEV-SNP virtual machines. The BIOS of the AMD machine must provide the necessary options to enable support for confidential computing on the platform.

16.2 Setting up the base system

  

The VM Host Server requires minor configuration changes prior to running AMD SEV-SNP enabled VM Guests. The default IOMMU configuration in SUSE Linux Enterprise Server 15 SP7 is passthrough mode. To use the AMD SEV-SNP feature, the IOMMU must be configured in non-passthrough mode. This is required to prevent peripheral devices from accessing memory that belongs to an encrypted VM Guest, compromising its data integrity. The MSR kernel module is required to use the optional snphost tool.

  1. To automatically load the msr module at boot: 

    > sudo  echo "msr" > /etc/modules-load.d/msr.conf

  2. To disable the IOMMU configuration in SUSE Linux Enterprise Server 15 SP7, open the /etc/default/grub file and add iommu=nopt to the GRUB_CMDLINE_LINUX_DEFAULT variable.

  3. To update the bootloader configuration, run the command: 

    > sudo ; update-bootloader

  4. The system is now ready to be restarted with the confidential computing kernel. It is not selected as the default kernel in the bootloader, so be sure to select it in the boot menu.

16.3 Verifying setup

  

You can verify the installation and configuration of the VM Host Server using dmesg or the optional snphost tool.

  • To check the initialization result of the AMD Secure Processor in the kernel log when the kernel is running, run the command: 

    > sudo  dmesg | grep -i ccp
[ 10.103166] ccp 0000:42:00.1: enabling device (0000 -> 0002)
[ 10.114951] ccp 0000:42:00.1: no command queues available
[ 10.127137] ccp 0000:42:00.1: sev enabled
[ 10.133152] ccp 0000:42:00.1: psp enabled
[ 10.240817] ccp 0000:42:00.1: SEV firmware update successful
[ 11.128307] ccp 0000:42:00.1: SEV API:1.55 build:8
[ 11.135057] ccp 0000:42:00.1: SEV-SNP API:1.55 build:8

    The message about the SEV-SNP API version indicates the successful initialization of the AMD Secure Processor. Sometimes it happens that these messages do not appear in the kernel log. In this case, the BIOS settings or the IOMMU configuration are often the root cause.

16.4 Installing an AMD SEV-SNP virtual machine

  

You can create and install AMD SEV-SNP protected virtual machines using the libvirt framework once the VM Host Server is properly configured and the AMD Secure Processor is initialized. The installation methods described in Chapter 10, Guest installation can be used with SEV-SNP protected virtual machines. The only exception is ISO installation using a virtual CD-ROM. See the limitations section for more details.

In addition to virtual CD-ROMs, VM Host Server-provided TPM devices are not compatible with AMD SEV-SNP-protected virtual machines and should be removed from the installation configuration. Rebooting SEV-SNP virtual machines is also not supported. The installation should ensure SEV-SNP virtual machines are configured to shut down on reboot. See the limitations section for more details.

Section 10.1, “GUI-based guest installation” describes GUI-based virtual machine installation using virt-manager. To enable AMD SEV-SNP, activate Customize configuration before install before selecting Finish in the New VM wizard. When the VM Guest configuration dialog opens, select Memory, then activate the Enable launch security checkbox and select Apply. Finally, select Begin Installation to proceed with the installation as described in Section 10.1, “GUI-based guest installation”.

Section 10.2, “Installing from the command line with virt-install describes virtual machine installation using virt-install. AMD SEV-SNP can be enabled with the --launchSecurity option. Below is a modification of Example 10.2, “Example of a virt-install command line” that enables AMD SEV-SNP protection: 

> virt-install --connect qemu:///system --virt-type kvm \
--name sle15sp7 --memory 4096 --disk size=60 --location /path/to/iso --graphics vnc \
--os-variant sle15sp7 --boot uefi --events on_reboot=destroy --launchSecurity type=sev-snp

See the Launch Security section of the libvirt Domain XML format manual at https://libvirt.org/formatdomain.html#launch-security for more information on the settings supported by --launchSecurity.

16.5 Verifying the AMD SEV-SNP virtual machine

  

From the appearance of the virtual machine, one cannot tell whether it runs in a confidential computing environment. But there are several ways to verify that from within the virtual machine.

The kernel log will contain messages describing the state of AMD memory encryption features within the virtual machine. To check the kernel log, run the following command: 

> sudo  dmesg | grep -i sev-snp
[ 1.986186] Memory Encryption Features active: AMD SEV SEV-ES SEV-SNP

The presence of the SEV-SNP feature in the kernel log, among other active memory encryption features, shows that it is active for the virtual machine.

You can use the optional snpguest tool to verify if the SEV-SNP feature is active in the virtual machine. Similar to snphost, the snpguest tool requires the MSR kernel module. The following example demonstrates using snpguest to check the status of memory encryption features within the virtual machine: 

> sudo  modprobe msr && snpguest ok
[ PASS ] - SEV: ENABLED
[ PASS ] - SEV-ES: ENABLED
[ PASS ] - SNP: ENABLED

There are also cryptographically secure ways to prove the security of the AMD SEV-SNP environment.

16.6 Attesting the AMD SEV-SNP Virtual Machine

  

Once SEV-SNP activation has been verified, the integrity of the confidential VM can be established through attestation, which provides cryptographic proof that it runs on genuine AMD hardware under a verified firmware and TCB level, backed by a trusted certificate hierarchy.

Note that the steps here perform local attestation verification only. It verifies the report signature and certificate chain from inside the guest and ensures that the attestation data matches the platform state. This workflow does not include remote attestation, where the attestation report is sent to an external verifier or service that independently validates the platform trust and enforces access to secrets or workload authorization.

The attestation process involves two tools: snpguest and snphost.

16.6.1 Generating and verifying the attestation report

  

Inside the guest, the snpguest tool can be used to perform the attestation workflow. This process generates an attestation report, fetches the corresponding AMD certificate chain, and verifies that the report is cryptographically signed by a valid platform key.

  1. Generate an attestation report and a corresponding request file. The --random flag includes random data for uniqueness: 

    > sudo snpguest report attestation-report.bin request-file.bin --random

  2. Fetch the AMD CA and ASK certificates from the Key Distribution Service (KDS) in DER format. Replace genoa with your processor model if different: 

    > sudo snpguest fetch ca der genoa ./certs-kds

  3. Fetch the Versioned Chip Endorsement Key (VCEK) using the generated attestation report: 

    > sudo snpguest fetch vcek der genoa ./certs-kds attestation-report.bin

  4. Verify the attestation report against the fetched certificates: 

    > sudo snpguest verify attestation ./certs-kds attestation-report.bin

Reported TCB Boot Loader from certificate matches the attestation report.
Reported TCB TEE from certificate matches the attestation report.
Reported TCB SNP from certificate matches the attestation report.
Reported TCB Microcode from certificate matches the attestation report.
Chip ID from certificate matches the attestation report.
VEK signed the Attestation Report!
Note
Note

The extended attestation workflow using the snpguest certificates command relies on QEMU functionality that is not currently available.

16.6.2 Validating AMD certificates on the host

  

The host can optionally fetch and verify the AMD certificate chain used to validate guest attestation reports.

  1. Fetch the AMD CA and ASK certificates from AMD’s Key Distribution Service (KDS): 

    > sudo  snphost fetch ca pem ./certs

  2. Fetch the chip endorsement certificate (VCEK or VLEK) for the platform: 

    > sudo  snphost fetch vek pem ./certs

  3. Verify the integrity of the fetched certificate chain: 

    > sudo  snphost verify ./certs
• = self signed, ⬑ = signs, •̷ = invalid self sign, ⬑̸ = invalid signs

ARK •
ARK ⬑ ASK
ASK ⬑ VCEK

16.7 Current limitations

  

The following limitations are placed on SEV-SNP VM Guests.

  • The guest operating system running inside an SEV-SNP protected VM must contain SEV-SNP support. SUSE Linux Enterprise Server 15 SP6 and newer releases support SEV-SNP.

  • SEV-SNP protected VM Guests cannot be installed with virt-install via ISO using the --cdrom option. Use the --location instead. See the virt-install manual page for more information on the --location option.

  • SEV-SNP protected VM Guests support a maximum of 255 vCPUs.

  • SEV-SNP protected VM Guests are not compatible with Secure Boot. UEFI firmware containing Secure Boot support does not work with SEV-SNP VM Guests.

  • SEV-SNP protected VM Guests are not compatible with VM Host Server-provided TPM devices. This includes emulated and passthrough TPM devices.

  • SEV-SNP protected Direct VM Guests do not support pass-through of host devices (PCI passthrough).

  • SEV-SNP protected VM Guests do not support memory ballooning.

  • SEV-SNP protected VM Guests do not support memory or vCPU hotplugging.

  • Using hugepages within a SEV-SNP protected VM Guest is not supported.

  • SEV-SNP VM Guests cannot be rebooted from within using reboot, shutdown -r now, etc. A reboot must be done by shutting down the VM Guest and starting it again.

  • Any operations that involve saving and restoring the memory and state of a VM Guest are currently not supported. This means that SEV-SNP protected VM Guests cannot be resumed from snapshots, saved/restored or live migrated. SEV-SNP protected VM Guests can be shut down and restarted on another host.

These limitations may be removed in the future as the hardware, firmware and specific layers of software receive new features.