AMD Sends Out New Linux Code For SEV-SNP With EPYC 7003 Series

In addition to AMD EPYC 7003 "Milan" processors offering fantastic performance, another important highlight for these new Zen 3 server processors is SEV-SNP for upping the Secure Encrypted Virtualization capabilities. AMD has been offering SEV "Secure Nested Paging" patches via a GitHub repository while now they are working towards mainlining this feature for the Linux kernel.

AMD Secure Encrypted Virtualization's Secure Nested Paging builds upon SEV/SEV-ES to offer integrity protections, including against malicious hypervisor attacks. This AMD whitepaper spells out SEV-SNP in more detail for those interested in all of the finer details of this feature round on EPYC 7003 series processors.

Last year we saw AMD working on some early bits around SEV-SNP for the Linux kernel while finally today, one week after the EPYC 7003 series was publicly announced, we are seeing more of the Linux kernel patches work their way out on the kernel mailing list for review and eventual inclusion into the upstream kernel.

Hitting the kernel mailing list minutes ago were SEV-SNP guest support and SEV-SNP hypervisor support. Both of these patch series were sent out as an initial "request for comments" - indicating further revisions are likely necessary before being ready for mainlining into the upstream Linux kernel.

The SEV-SNP guest support currently amounts to 13 patches and implements the initial blocks for being able to boot SEV-SNP VMs. However, this code isn't yet feature complete for maximum security with interrupt security being one of the items not yet implemented. Also still to be completed is CPUID filtering, the ability to query the attestation report, lazy validation, and more.

The SEV-SNP hypervisor support also still has yet to implement the interrupt security and query attestation portions. The hypervisor support is some 30 patches at the moment.

Given they are "RFC" patches and a big ticket security feature, it will likely be some time before these SEV-SNP patches are ready for mainline. The Linux 5.13 merge window is already coming up quickly in just a few weeks now, so presumably this work won't be ready until at least Linux 5.14, but stay tuned to Phoronix for other updates as to the status of this open-source virtualization work. In any case hopefully won't take too long and we'll see what enterprise Linux distribution vendors may pick up these patches early for offering SEV-SNP functionality on EPYC 7003 series servers. It would be nice if the SEV-SNP kernel support was already mainlined and ready for day-one on EPYC Milan without resorting to out-of-tree patches (i.e. more like Intel's very timely pre-launch Linux support) with only rare exceptions, but at least progress is being made by AMD to offer more punctual Linux feature support and they are slowly but surely moving in that right direction.