Formal Security Analysis of the AMD SEV-SNP Software Interface
Petar Paradžik, Ante Derek, Marko Horvat
TL;DR
This work presents the first formal, symbolic model of AMD SEV-SNP's software interface using the Tamarin Prover, covering remote attestation, key derivation, page swap, and live migration. It provides automated proofs for most secrecy, authentication, attestation, and freshness properties while uncovering platform-agnostic message weaknesses that enable formal platform-confusion and migration-related attacks. The findings show a critical trade-off between migration usability and strong platform binding in attestations, suggesting migration-policy enforcement as a key mitigation. Overall, the study advances rigorous security guarantees for SEV-SNP while outlining practical directions for closing identified gaps in real deployments.
Abstract
AMD Secure Encrypted Virtualization technologies enable confidential computing by protecting virtual machines from highly privileged software such as hypervisors. In this work, we develop the first, comprehensive symbolic model of the software interface of the latest SEV iteration called SEV Secure Nested Paging (SEV-SNP). Our model covers remote attestation, key derivation, page swap and live migration. We analyze the security of the software interface of SEV-SNP and formally prove that most critical secrecy, authentication, attestation and freshness properties do indeed hold in the model. Furthermore, we find that the platform-agnostic nature of messages exchanged between SNP guests and the AMD Secure Processor firmware presents a potential weakness in the design. We show how this weakness leads to formal attacks on multiple security properties, including the partial compromise of attestation report integrity, and discuss possible impacts and mitigations.