Overview
Explore AMD's next-generation x86 virtualization isolation technology, SEV-SNP (Secure Nested Paging), in this 40-minute Linux Foundation conference talk by David Kaplan from AMD. Discover how SEV-SNP builds upon existing AMD SEV and SEV-ES features to provide enhanced hardware security designed to protect virtual machines from malicious hypervisors. Learn about new memory integrity protection, use models, and increased flexibility in attestation and VM management for protected VMs in hostile environments. Delve into the specific security measures provided by the SEV-SNP architecture, its stronger threat model, and the new hardware structures and x86 instructions being implemented. Gain insights into the potential impacts on the open-source ecosystem and areas where Linux may leverage these new protections. Topics covered include threat models, VM threats, integrity enforcement, RMP checks, page validation, interrupt protections, trusted platform information, guest launch, TCB versioning, VM attestation, migration, and side channels.
Syllabus
Intro
WHY NOT TRUST THE HYPERVISOR
THREAT MODEL
VM THREATS
ENFORCING INTEGRITY
RMP CHECKS
PAGE VALIDATION
PAGE REMAPPING
INTERRUPT PROTECTIONS
UNENLIGHTENED GUEST SUPPORT
TRUSTED PLATFORM INFORMATION
GUEST LAUNCH
TCB VERSIONING
VM ATTESTATION
VM MIGRATION
SIDE CHANNELS
SUMMARY
Taught by
Linux Foundation