From 6a17255307c1d3b397ad38ab8f3bb8a14a3c5ca5 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Thu, 11 Dec 2025 14:11:26 +0000
Subject: [PATCH 1/3] Provide option to enable AMD SEV-ES

---
 etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
index 33722f6..afe23b2 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
+++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
@@ -255,6 +255,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable"
 ## Enable AMD Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV).
 ## SME encrypts memory with a single key at the kernel level to protect against cold boot attacks.
 ## SEV extends SME to VMs by encrypting the memory of each with a unique key for guest isolation.
+## SEV-ES (Encrypted State) extends SEV by encrypting each guests virtual CPU register state during VM exits.
 ## This is hardware-based encryption managed by the proprietary and closed-source AMD Platform Security Processor (PSP).
 ## Both require a compatible AMD CPU and support for SME to first be enabled in the BIOS/UEFI.
 ## Likely unavailable in consumer-grade AMD CPUs where Transparent SME (TSME) can be enabled in the BIOS/UEFI to achieve SME.
@@ -273,6 +274,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable"
 ##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mem_encrypt=on"
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm_amd.sev=1"
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm_amd.sev_es=1"
 
 ## Prevent processes from writing to block devices that are mounted by filesystems.
 ## Enhances system stability and security by protecting against runaway privileged processes.

From 72f295a3f04e43307dea9af29657ee96fb1c47a5 Mon Sep 17 00:00:00 2001
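Review bot: The added SEV-ES line has a possessive typo ("each guests") and leaves the following sentence stale, since "Both require" now sits under a paragraph describing three features. Suggested text: `## SEV-ES (Encrypted State) extends SEV by also encrypting each guest's virtual CPU register state, which is saved on every VM exit.` followed by `## All of these require a compatible AMD CPU and support for SME to first be enabled in the BIOS/UEFI.`. It is also worth making explicit that SEV-ES is a strict superset, i.e. it is only usable on a host where plain SEV is already enabled, because the option lines further down can otherwise be uncommented in isolation. The comment block continues beyond the end of this hunk.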
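Review bot: `kvm_amd.sev_es=1` on its own is a no-op when SEV stays disabled, because kvm_amd only evaluates SEV-ES after its SEV setup has succeeded, so the new option should be documented as a companion to `kvm_amd.sev=1` rather than as an alternative a user can pick by itself. A one-line comment directly above the new option, such as `## SEV-ES requires the SEV option above to also be enabled.`, would stop someone uncommenting only the last line. These are host-side KVM parameters; as far as I can tell a guest additionally needs SEV-ES-aware firmware and a guest kernel with SEV-ES support before the register-state protection applies, which this file cannot provide and could mention. The option group continues past the hunk.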
From: raja-grewal
Date: Thu, 11 Dec 2025 14:11:47 +0000
Subject: [PATCH 2/3] Provide option to enable AMD SEV-SNP

---
 etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
index afe23b2..26fcc29 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
+++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
@@ -256,6 +256,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable"
 ## SME encrypts memory with a single key at the kernel level to protect against cold boot attacks.
 ## SEV extends SME to VMs by encrypting the memory of each with a unique key for guest isolation.
 ## SEV-ES (Encrypted State) extends SEV by encrypting each guests virtual CPU register state during VM exits.
+## SEV-SNP (Secure Nested Paging) extends SEV by activating hardware-level memory integrity.
 ## This is hardware-based encryption managed by the proprietary and closed-source AMD Platform Security Processor (PSP).
 ## Both require a compatible AMD CPU and support for SME to first be enabled in the BIOS/UEFI.
 ## Likely unavailable in consumer-grade AMD CPUs where Transparent SME (TSME) can be enabled in the BIOS/UEFI to achieve SME.
@@ -275,6 +276,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable"
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mem_encrypt=on"
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm_amd.sev=1"
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm_amd.sev_es=1"
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm_amd.sev_snp=1"
 
 ## Prevent processes from writing to block devices that are mounted by filesystems.
 ## Enhances system stability and security by protecting against runaway privileged processes.

From 7d901213029f17e7d0a4dccc671b3bfd476bab13 Mon Sep 17 00:00:00 2001
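Review bot: The new SEV-SNP line misstates both what it builds on and what it buys: SNP requires SEV-ES, not just SEV, and the integrity protection it adds (the Reverse Map Table) is specifically what defends a guest against a malicious or compromised hypervisor remapping, replaying or corrupting its pages, a threat plain SEV and SEV-ES do not address; SNP is also the variant that provides guest attestation, as the AMD SNP white paper already referenced in this block describes. Suggested text: `## SEV-SNP (Secure Nested Paging) extends SEV-ES with hardware-enforced memory integrity (RMP) against a malicious hypervisor and adds guest attestation.`. Stating the threat model matters here because readers of a hardening config will otherwise assume the three options differ only in coverage, not in adversary. The comment block continues beyond the hunk.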
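Review bot: `kvm_amd.sev_snp=1` is the most demanding of the three options and the hunk gives no hint of its prerequisites: it only takes effect when `kvm_amd.sev=1` and `kvm_amd.sev_es=1` are also enabled, SNP has been enabled in the platform firmware, and, as far as I know, the AMD IOMMU is active, since the host-side SNP initialisation bails out when the IOMMU is disabled — so this option should be called out as incompatible with any `amd_iommu=off` or `iommu=off` setting elsewhere on the command line. Host-side SNP support is also a comparatively recent kernel addition, so on older kernels the parameter is simply unrecognised. A comment above the option line along the lines of `## SEV-SNP additionally requires SEV-ES, SNP enabled in the BIOS/UEFI and an active AMD IOMMU; unavailable on older kernels.` would capture this. The option group continues past the hunk.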
From: raja-grewal
Date: Thu, 11 Dec 2025 14:12:18 +0000
Subject: [PATCH 3/3] Add reference for AMD SEV

---
 etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared | 1 +
 1 file changed, 1 insertion(+)

diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
index 26fcc29..ad4169a 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
+++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
@@ -267,6 +267,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable"
 ## https://www.kernel.org/doc/html/latest/virt/kvm/x86/amd-memory-encryption.html
 ## https://docs.amd.com/v/u/en-US/memory-encryption-white-paper
 ## https://docs.amd.com/v/u/en-US/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more
+## https://github.com/AMDESE/AMDSEV
 ## https://en.wikichip.org/wiki/x86/sme
 ## https://lore.kernel.org/lkml/YWvy9bSRaC+m1sV+@zn.tnic/T/#m01bcb37040b6b0d119d385d9a34b9c7ac4ce5f84
 ## https://mricher.fr/post/amd-memory-encryption/