From 72f295a3f04e43307dea9af29657ee96fb1c47a5 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Thu, 11 Dec 2025 14:11:47 +0000 Subject: [PATCH] Provide option to enable AMD SEV-SNP --- etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index afe23b2..26fcc29 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -256,6 +256,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable" ## SME encrypts memory with a single key at the kernel level to protect against cold boot attacks. ## SEV extends SME to VMs by encrypting the memory of each with a unique key for guest isolation. ## SEV-ES (Encrypted State) extends SEV by encrypting each guests virtual CPU register state during VM exits. +## SEV-SNP (Secure Nested Paging) extends SEV by activating hardware-level memory integrity. ## This is hardware-based encryption managed by the proprietary and closed-source AMD Platform Security Processor (PSP). ## Both require a compatible AMD CPU and support for SME to first be enabled in the BIOS/UEFI. ## Likely unavailable in consumer-grade AMD CPUs where Transparent SME (TSME) can be enabled in the BIOS/UEFI to achieve SME. @@ -275,6 +276,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mem_encrypt=on" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm_amd.sev=1" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm_amd.sev_es=1" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm_amd.sev_snp=1" ## Prevent processes from writing to block devices that are mounted by filesystems. ## Enhances system stability and security by protecting against runaway privileged processes.