Request for SEV-SNP Support in CloudStack for Enhanced Virtualization Security

[sl4sh73r]

ISSUE TYPE

• Bug Report
• Improvement Request
• Enhancement Request
• Feature Idea
• Documentation Report
• Other

COMPONENT NAME

Virtualization, Security

CLOUDSTACK VERSION

4.18.2.4

OS / ENVIRONMENT

Ubuntu 22.04

SUMMARY

CloudStack does not currently support SEV-SNP (Secure Encrypted Virtualization - Secure Nested Paging), a critical security feature for enhancing the protection of virtualized environments. SEV-SNP is designed to secure workloads by preventing hypervisor attacks and ensuring that VM memory remains encrypted even from the host.

I would like to know when SEV-SNP will be supported in CloudStack, and how it can be used once integrated. This feature is especially important for those utilizing AMD's SEV technology and seeking to ensure their VMs are as secure as possible.

EXPECTED RESULTS

• CloudStack should provide support for SEV-SNP in an upcoming release, allowing users to take advantage of enhanced security for their virtualized workloads.
• Documentation or configuration options detailing how to enable and utilize SEV-SNP once available.

ACTUAL RESULTS

Currently, there is no support for SEV-SNP in CloudStack, which limits the ability to fully leverage AMD's SEV capabilities for securing virtualized environments.

[boring-cyborg]

Thanks for opening your first issue here! Be sure to follow the issue template!

[btzq]

@sl4sh73r to my knowledge, SEV-SNP is a feature in the Server BIOS. Cloudstack is just an orchestrator of the KVM level.

You should be able to turn on the SEV-SNP, and Cloudstack doesnt need to know about it.

The only issue i think you will have is live migration. But this is not an issue to Cloudstack but to all Live Migration technologies with confidential computing. I remember even Google Cloud talks about this limitation in their docs.