Server Gurus Discussions

pavlevuletic · ‎07-03-2022

When using AMD SEV, Since the whole secure VM RAM is encrypted, if there are two users A and B logged onto the same secure VM (e.g. SSH) is user A (e.g. with root privileges) able to dump the content of the VM memory and this way to reveal the content of the B's data in use which is processed in that VM (RAM for both users should be encrypted with the same key)?
If the answer to 1. is yes, then: virtualization software provides a console access to the VMs which allows cloud provider to operate the VMs. Is this then the way cloud provider can have the access to the encrypted VM and see the users data in memory and bypass the protection? How can the user of the secure VM be sure that there is no such side entry into his/her VM?

devinmarco · ‎04-19-2023

AMD SEV (Secure Encrypted Virtualization) is a hardware feature that provides memory encryption for virtual machines. However, it is vulnerable to attacks through the hypervisor console. One solution to this issue is to use a hypervisor that supports SEV and provides additional security features. For example, the Xen hypervisor supports SEV and provides a feature called Virtual Machine Introspection (VMI) that can detect and prevent attacks through the hypervisor console. Another solution is to use a hardware-based security solution such as AMD's Secure Processor, which provides a secure environment for running security-sensitive code. Additionally, it is important to keep the hypervisor and firmware up to date with the latest security patches to prevent known vulnerabilities from being exploited.

Server Gurus Discussions

AMD SEV - attack through the hypervisor console