AMD SEV-SNP in VeriProof
AMD Secure Encrypted Virtualization — Secure Nested Paging (SEV-SNP) is the AMD CPU technology that underpins VeriProof’s Confidential Notary for Enterprise Federated deployments. This page explains how it is deployed and what guarantees it provides.
What SEV-SNP does
AMD SEV-SNP operates at the CPU level. When a VM or container is designated as an SEV-SNP confidential computing workload:
- Memory encryption: The CPU encrypts all memory pages belonging to the workload using an AES-128 key managed by the AMD Secure Processor (firmware), not the host OS or hypervisor. The cloud provider’s hypervisor sees only ciphertext.
- Memory integrity protection: SNP adds memory integrity protection to prevent the host from substituting or aliasing memory pages. This closes attack vectors that SEV and SEV-ES left open.
- VM authorization levels: Each VM is assigned an authorization level that determines which entities (guest, hypervisor, firmware) can access which memory pages.
- Hardware attestation reports: The CPU generates a signed report (using an AMD root key rooted in hardware) that binds together: the VM’s unique identity, the measurement of the code loaded into it, and a customer-supplied nonce or public key.
Deployment in VeriProof
The Confidential Notary runs as an Azure Container Instance (ACI) in the customer’s own Azure subscription, configured as an AMD SEV-SNP TEE:
Customer Azure Subscription
┌──────────────────────────────────────────────────────────┐
│ Azure Container Instance — Confidential Computing │
│ ┌────────────────────────────────────────────────────┐ │
│ │ AMD SEV-SNP Hardware Boundary │ │
│ │ │ │
│ │ Confidential Notary Process │ │
│ │ ├── Receives OTLP session data from SDK │ │
│ │ ├── Computes SHA-256 Merkle commitment │ │
│ │ ├── Encrypts session record (AES-256-GCM) │ │
│ │ ├── Writes ciphertext → Customer PostgreSQL/Blob │ │
│ │ └── Sends 32-byte commitment → VeriProof │ │
│ │ │ │
│ │ Memory is hardware-encrypted; plaintext not │ │
│ │ accessible to Azure infrastructure or VeriProof │ │
│ └────────────────────────────────────────────────────┘ │
└──────────────────────────────────────────────────────────┘The ACI sidecar at http://127.0.0.1:8081/attest/raw provides the local attestation endpoint. The Confidential Notary calls this endpoint when it starts to obtain a hardware attestation report, which it submits to Microsoft Azure Attestation (MAA) for independent verification.
What the hardware protects
| Threat | Protection |
|---|---|
| Cloud provider hypervisor reading session memory | ✅ Memory encrypted by AMD Secure Processor; hypervisor sees ciphertext only |
| VeriProof infrastructure administrator accessing data in processing | ✅ Same as above — memory not accessible outside the TEE boundary |
| Code tampering before TEE loads | ✅ Detected by attestation measurement mismatch |
| Network interception of session data | ✅ TLS from SDK to TEE endpoint; data decrypted only inside TEE |
SEV-SNP protects data in use — during active processing inside the TEE. Data at rest (stored in PostgreSQL or Blob) is protected by a separate encryption layer. Data in transit is protected by TLS.
Azure MAA integration
The Confidential Notary integrates with the Azure MAA (Microsoft Azure Attestation) service to obtain a verifiable attestation token. The flow on startup:
- The notary generates an ephemeral RSA key pair
- It calls the ACI attestation sidecar with the public key as
runtimeData - The sidecar returns an AMD SNP hardware report that includes a hash of the public key
- The notary submits this report to the Azure MAA endpoint
- MAA validates the hardware report against AMD’s certificate chain and returns a signed JWT attestation token
- The token binds the notary’s identity, code measurement, and ephemeral public key into a single verifiable claim
This token can be checked against the expected code measurement to verify that the running notary process is the correct, unmodified VeriProof build.
Availability
AMD SEV-SNP in ACI requires Azure Confidential Computing-capable VM SKUs. VeriProof’s Enterprise deployment templates select Standard_DC*s_v3 or Standard_DC*ds_v3 series nodes, which are available in:
- Azure East US
- Azure West Europe
- Azure Southeast Asia
- (and others — check Azure’s current Confidential Computing availability list)
Enterprise deployments through Azure Marketplace’s Managed Application model select the region during provisioning.
Next steps
- Attestation & Verification — how to validate a MAA attestation token
- Data Flow & Isolation — what data is processed inside the TEE and what leaves it
- Enterprise Architecture — full Enterprise Federated deployment guide