Google engineers have prepared a set of patches for the Linux kernel that extend the use of AMD Secure Encrypted Virtualization (SEV) and SEV-ES. SEV on AMD EPYC processors isolates VMs from the hypervisor by encrypting guest memory; SEV-ES additionally protects the state of the CPU registers.
The patches add support for local migration of encrypted virtual machines (VMs). Although the VMs are moved strictly within a single host, the transfer itself is the most exposed step, because the SEV metadata must be handed over securely as well.
Migration of this kind is most often needed to dynamically change and update the resources available to a VM. The addition proposed by Google's engineers is small, about 500 lines, and supports SEV/SEV-ES migration for the KVM hypervisor. This is only a first step, and further work on the topic is likely to follow.