# Analysis of AMD SME and SEV

* SME (Secure Memory Encryption)
* SEV (Secure Encrypted Virtualization)
* secure processor, SoC
  * encrypts memory regions at page-table granularity by setting C-bits

## Problem

* data will be loaded into memory in plaintext
* Intel SGX requires restructuring the software or building it from scratch
* AMD SEV does not encrypt the VMCB and general-purpose registers
  * the hypervisor can breach their privacy
  * change registers to disable SEV during a context switch
  * SEV-ES solves this
* VMCB -> CPU virtualization, NPT
* DMA -> para-virtualized I/O, memory sharing
* hypervisor still manages guest memory mapping and the key-sharing mechanism
* SEV cannot encrypt DMA
* SEV does not work for two guests sharing memory

# Fidelius

* software-based extension to SEV
* separates the management of critical resources from service provisioning
* revokes the untrusted hypervisor's permission to access specific resources
* performance: same privilege level as the hypervisor
* reuses the SEV API
* enables booting from an encrypted kernel image
  * remember malicious code might be inserted during boot
* paravirtualized interface
* working prototype on Xen
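The C-bit mechanism noted in the first section, as an added example in C that is not code from these notes or from the Fidelius paper: it decodes the CPUID Fn8000_001F fields AMD documents for SME/SEV, marks a page-table entry as encrypted, and shows why the C-bit must be masked out again when reading the physical address back. The CPUID register values and the PTE are constructed sample inputs.

```c
/* Added example (not from the notes or the Fidelius paper): how a guest
 * kernel marks a page as encrypted under SME/SEV by setting the C-bit in
 * its page-table entry. CPUID Fn8000_001F layout as documented by AMD:
 *   EAX bit 0 = SME, bit 1 = SEV, bit 3 = SEV-ES
 *   EBX[5:0]  = C-bit position in a PTE
 *   EBX[11:6] = physical address width reduction when encryption is on */
#include <stdbool.h>
#include <stdint.h>

struct mem_encrypt_info {
    bool sme, sev, sev_es;
    unsigned cbit_pos;            /* raw value from EBX[5:0] */
    unsigned phys_addr_reduction; /* raw value from EBX[11:6] */
    uint64_t cbit_mask;           /* 0 when no usable C-bit is reported */
};

/* eax/ebx are passed in (from the cpuid instruction in a real guest) so the
 * decoding runs on any host. */
struct mem_encrypt_info decode_cpuid_8000001f(uint32_t eax, uint32_t ebx) {
    struct mem_encrypt_info i = {0};
    i.sme = eax & 1u;
    i.sev = (eax >> 1) & 1u;
    i.sev_es = (eax >> 3) & 1u;
    i.cbit_pos = ebx & 0x3fu;
    i.phys_addr_reduction = (ebx >> 6) & 0x3fu;
    /* The C-bit must lie inside the PTE's physical-address field (bits 12..51). */
    if ((i.sme || i.sev) && i.cbit_pos >= 12 && i.cbit_pos <= 51)
        i.cbit_mask = 1ull << i.cbit_pos;
    return i;
}

#define PTE_PFN_MASK 0x000ffffffffff000ull /* x86-64 PTE bits 12..51 */

uint64_t pte_set_encrypted(uint64_t pte, struct mem_encrypt_info i) {
    return pte | i.cbit_mask;
}
uint64_t pte_clear_encrypted(uint64_t pte, struct mem_encrypt_info i) {
    return pte & ~i.cbit_mask;
}
bool pte_is_encrypted(uint64_t pte, struct mem_encrypt_info i) {
    return i.cbit_mask != 0 && (pte & i.cbit_mask) != 0;
}
/* The C-bit sits inside the PFN field: mask it out when recovering the
 * physical address, or every encrypted page looks shifted by 2^cbit_pos. */
uint64_t pte_phys_addr(uint64_t pte, struct mem_encrypt_info i) {
    return pte & PTE_PFN_MASK & ~i.cbit_mask;
}
```

When the CPUID leaf reports neither SME nor SEV, `cbit_mask` stays zero and bit 47 of a PTE is treated as an ordinary address bit.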