SEVGuard: Protecting User Mode Applications Using Secure Encrypted Virtualization

Abstract

We present SEVGuard, a minimal virtual execution environment that protects the confidentiality of applications based on AMD’s Secure Encrypted Virtualization (SEV). Although SEV was primarily designed for the protection of VMs, we found a way to overcome this limitation and exclusively protect user mode applications. Therefore, we migrate the application into a hardware-accelerated VM and encrypt both its memory and register state. To avoid the overhead of a typical hypervisor, we built our solution on top of the plain Linux Kernel Virtual Machine (KVM) API. With the help of an advanced trapping mechanism, we fully support system and library calls from within the encrypted guest. Furthermore, we allow unmodified code to be transparently virtualized and encrypted by appropriate memory mappings. The memory needed for our minimal VM can be directly allocated within SEVGuard’s address space. We evaluated our execution environment regarding correctness and performance, confirming that SEVGuard can be practically used to protect existing legacy applications.