SEV-SNP stands for Secure Encrypted Virtualization - Secure Nested Paging, a technology developed by AMD as part of its confidential computing initiative. It is designed to enhance the security of virtual machines (VMs) running on AMD EPYC processors by protecting them from potentially malicious hypervisors and other threats.
To enable SEV-SNP, configure the BIOS and, where applicable, the hypervisor.
First, ensure the BIOS is updated to support SEV-SNP.
Next, set the BIOS to enable SEV and SEV-ES.
Also, configure SNP Memory Coverage (RMP Table).
Finally, it may be necessary to adjust IOMMU settings and potentially use a custom kernel for the guest VM.
Detailed Checklist
1. BIOS Configuration:
- Update BIOS:
  - Ensure the BIOS version is up to date and supports AMD SEV-SNP.
- Enable SEV and SEV-ES:
  - Locate the "SEV Enabled" and "SEV-ES ASID Space Limit" options in your BIOS settings (typically under AMD CBS or similar).
  - Enable SEV.
  - Set the SEV-ES ASID Space Limit to a non-zero number (higher is better).
- Configure SNP Memory Coverage:
  - Enable SNP Memory (RMP Table) Coverage to cover all of memory. This reserves memory for SNP and creates the Required Memory Protection (RMP) table.
  - Adjust the SNP ASID space limit. This parameter determines how many ASIDs can be used for SEV-SNP guests.
- Configure IOMMU:
  - Disable vIOMMU (virtual IOMMU) for better security and compatibility with SEV-SNP.
2. Hypervisor Configuration (if applicable):
- SEV-SNP Support:
  - Ensure that the system hypervisor (e.g., KVM, QEMU) supports SEV-SNP. It may be necessary to enable the relevant feature gate in the hypervisor configuration.
- Configure Guest VM:
  - Configure the guest VM to use SEV-SNP. This may involve adding specific options to the VM configuration file or using hypervisor command-line tools.
- Firmware and Bootloader:
  - It may be necessary to use specific firmware/bootloader images (e.g., OVMF) that support SEV-SNP.
3. Optional: Kernel and Driver Adjustments:
- Update the OS:
  - sudo apt update
  - sudo apt upgrade
4. Final Step:
- Reboot: Reboot the system to apply the BIOS changes and/or OS updates.
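After the reboot, a host-side check confirms that the BIOS and hypervisor steps above actually took effect. The script below is an added example, not part of the original article; it assumes a Linux host with the kvm_amd module and reads the sev_snp CPU flag, the kvm_amd sev_snp module parameter and the /dev/sev device node. The ROOT argument is an assumption of this example so the checks can be pointed at a constructed directory tree.

```shell
#!/bin/sh
# Added example: verify from the host OS that SEV-SNP is active.
# Paths checked (Linux, kvm_amd with SNP support):
#   /proc/cpuinfo                           -> "sev_snp" CPU flag exposed once BIOS enabled SNP
#   /sys/module/kvm_amd/parameters/sev_snp  -> "Y" when KVM has SNP switched on
#   /dev/sev                                -> device node for the SEV firmware (a char device on a real host)

snp_host_status() {
    root="${1:-/}"      # defaults to the live host; a test tree can be passed instead
    failures=0

    # 1. BIOS/firmware: the flag appears only when SEV, SEV-ES and the RMP are configured.
    if grep -Eq '(^|[[:space:]])sev_snp([[:space:]]|$)' "$root/proc/cpuinfo" 2>/dev/null; then
        echo "ok   cpuinfo reports sev_snp"
    else
        echo "FAIL sev_snp flag missing (re-check SEV, SEV-ES and SNP Memory Coverage in BIOS)"
        failures=$((failures + 1))
    fi

    # 2. Hypervisor: kvm_amd must be loaded with SNP support enabled.
    param="$root/sys/module/kvm_amd/parameters/sev_snp"
    if [ -r "$param" ] && read -r value < "$param" && [ "$value" = "Y" ]; then
        echo "ok   kvm_amd sev_snp=Y"
    else
        echo "FAIL kvm_amd sev_snp is not Y (kernel or hypervisor lacks/disables SNP)"
        failures=$((failures + 1))
    fi

    # 3. Firmware interface: without /dev/sev the hypervisor cannot talk to the PSP.
    if [ -e "$root/dev/sev" ]; then
        echo "ok   /dev/sev present"
    else
        echo "FAIL /dev/sev missing (ccp driver not loaded or PSP unavailable)"
        failures=$((failures + 1))
    fi

    # Exit status 0 only when every check passed.
    [ "$failures" -eq 0 ]
}

# Run against the live host with:  sh snp_check.sh run
if [ "$1" = "run" ]; then
    snp_host_status "${2:-/}"
fi
```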