@raja-grewal
Contributor

This pull request provides the options to enable two extensions of AMD Secure Encrypted Virtualization (SEV):

  • SEV-ES (Encrypted State) extends SEV by encrypting each guest's virtual CPU register state during VM exits, and
  • SEV-SNP (Secure Nested Paging) extends SEV by activating hardware-level memory integrity.

As suggested in #338 (comment) by @ArrayBolt3.

Changes

There are no changes to the functionality of the codebase.

Provide the disabled by default options:

kvm_amd.sev_es=1
kvm_amd.sev_snp=1

Mandatory Checklist

  • Legal agreements accepted. By contributing to this organisation, you acknowledge you have read, understood, and agree to be bound by these agreements:

Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint

Optional Checklist

The following items are optional but might be requested in certain cases.

  • I have tested it locally
  • I have reviewed and updated any documentation if relevant
  • I am providing new code and test(s) for it
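
An added check, not part of this pull request or the project's code: it compares what the boot command line requests for `kvm_amd.sev_es` and `kvm_amd.sev_snp` with what the loaded module reports under `/sys/module/kvm_amd/parameters/`. The function names and the sample command line are constructed for illustration, and the script assumes the last occurrence of a repeated parameter wins.

```shell
#!/bin/sh
# Added example: requested vs. reported state of the kvm_amd SEV options.

# requested_state CMDLINE PARAM -> prints enabled | disabled | unset
# The kernel treats '-' and '_' in parameter names as equivalent, so the
# name part of each word is normalised before it is compared.
# Assumption: if a parameter is repeated, the last occurrence wins.
requested_state() {
    state=unset
    for word in $1; do
        case "$word" in *=*) ;; *) continue ;; esac
        name=$(printf '%s' "${word%%=*}" | tr - _)
        [ "$name" = "$2" ] || continue
        case "${word#*=}" in
            1|[yY]|on)  state=enabled ;;
            0|[nN]|off) state=disabled ;;
        esac
    done
    printf '%s\n' "$state"
}

# effective_state PARAM [SYSFS_DIR] -> prints the module's value (Y or N),
# or "unavailable" when kvm_amd is not loaded or lacks that parameter.
effective_state() {
    file="${2:-/sys/module/kvm_amd/parameters}/${1#kvm_amd.}"
    if [ -r "$file" ]; then cat "$file"; else echo unavailable; fi
}

# report CMDLINE [SYSFS_DIR] -> one line per option from this pull request
report() {
    for p in kvm_amd.sev_es kvm_amd.sev_snp; do
        printf '%s requested=%s effective=%s\n' "$p" \
            "$(requested_state "$1" "$p")" "$(effective_state "$p" "$2")"
    done
}

# Constructed sample command line (not taken from a real host).
SAMPLE='BOOT_IMAGE=/vmlinuz root=/dev/sda1 kvm_amd.sev_es=1 kvm-amd.sev-snp=1 kvm_amd.sev_snp=0'
report "$SAMPLE" /nonexistent

# On a live host, report the real command line against the real sysfs values.
if [ -r /proc/cmdline ]; then
    report "$(cat /proc/cmdline)"
fi
```

A line showing `requested=enabled effective=N` means the option was passed at boot but the module does not report the feature as active.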

Contributor

@ArrayBolt3 ArrayBolt3 left a comment

Looks good, merged into my arraybolt3/trixie branch. Thank you!

@raja-grewal
Contributor Author

Note I have added an important reference regarding the scenarios in which AMD SME can cause breakages from my similar contributions to secureblue/secureblue#1631 (comment). In summary, these niche problematic cases should also not be looked at as much of a concern by us either as we also force enable IOMMU.

This should pave the way for us in the future to also enable AMD SME and SEV by default. However, that should be done in a separate issue/PR.

@ArrayBolt3
Contributor

Thanks, merged that into my branch also.

@adrelanos adrelanos merged commit 2106ed5 into Kicksecure:master Dec 19, 2025
@raja-grewal raja-grewal deleted the amd_encrypt_sev branch December 19, 2025 23:24