AMD SEV-ES and SEV-SNP implementation for 2024.2 and 2025.1
## Summary

AMD SEV-SNP is the successor to AMD SEV-ES. SEV-ES already encrypts guest memory and the guest's register state on VM exit; SEV-SNP adds hardware-enforced memory integrity protection (Secure Nested Paging, enforced through the Reverse Map Table) against hypervisor-side remapping and replay of guest pages, and a hardware-signed attestation report that the guest can request and hand to a remote verifier.

### Goals

- add support for AMD SEV-SNP for OpenStack releases 2024.2 and 2025.1 in YAOOK
- users should be able to boot VMs secured with SEV-SNP on compute hosts that offer SEV-SNP-capable hardware, selecting it via the appropriate Nova flavor extra specs and Glance image properties
- attestation, measurement and verification procedures should complete successfully for a VM booted with SEV-SNP

### Current State

- OpenStack introduced support for AMD SEV-**ES** in 2025.2
- OpenStack does not support AMD SEV-**SNP** yet, but there are discussions upstream

The AMD SEV-ES integration introduced upstream in 2025.2 lays the foundation for proper AMD SEV usage in Nova and does the heavy lifting. With some additions and changes, SEV-SNP support can be added on top of it.

## Implementation

Adding support for AMD SEV-SNP usage in YAOOK for 2024.2 and 2025.1 consists of the following major steps:

1. (yaook/images) Backport the upstream 2025.2 patchsets adding SEV-ES support to 2024.2 and 2025.1.
2. (yaook/images) Add downstream patches for SEV-SNP support based on the SEV-ES changes.
3. (yaook/images) Build and ship an SEV-compatible OVMF firmware file for QEMU/libvirt in the nova-compute image.
4. (yaook/operator) Implement the necessary changes to compute host configuration and API behavior.
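To make the goals and steps above concrete, the following Python is an added illustration and not code from YAOOK, Nova, libvirt or QEMU. It shows the two things the operator and the verifier have to agree on when an SEV-SNP VM is booted: the 64-bit SNP guest policy that goes into libvirt's `<launchSecurity type='sev-snp'>` element (libvirt 10.5.0 and newer, backed by QEMU 9.1's `sev-snp-guest` object) and is later echoed in the POLICY field of the attestation report, and how that policy differs from the legacy 32-bit SEV/SEV-ES policy. The bit layout follows the AMD SEV-SNP Firmware ABI Guest Policy table (bits 0 to 20 only; newer bits are refused rather than guessed). The flavor extra spec value `amd-sev-snp` and the `cbitpos=47` / `reducedPhysBits=1` host values used in the example are assumptions: upstream Nova has no SNP value yet, and the real numbers come from `virsh domcapabilities` on the compute host.

```python
"""SEV-SNP guest policy handling: encode for libvirt, decode/check from attestation.

Added example (not YAOOK/Nova/libvirt/QEMU code). Bit positions are from the
AMD SEV-SNP Firmware ABI, Guest Policy table; the XML shape follows libvirt's
launchSecurity type='sev-snp'. 'amd-sev-snp' as an extra spec value is an
assumption, not an upstream Nova value.
"""
from __future__ import annotations

from dataclasses import dataclass

# SNP guest policy bits (64-bit field). Bits 7:0 and 15:8 hold ABI minor/major.
POLICY_SMT = 1 << 16            # host may run with SMT enabled
POLICY_RESERVED_ONE = 1 << 17   # reserved, must be 1 or the launch fails
POLICY_MIGRATE_MA = 1 << 18     # a migration agent may be associated
POLICY_DEBUG = 1 << 19          # debug allowed: hypervisor can read guest memory
POLICY_SINGLE_SOCKET = 1 << 20  # guest may only run on a single socket
KNOWN_POLICY_MASK = (1 << 21) - 1  # bits this example models

# Legacy SEV / SEV-ES (32-bit) policy bits, used with <launchSecurity type='sev'>.
SEV_NODBG, SEV_NOKS, SEV_ES = 1 << 0, 1 << 1, 1 << 2


@dataclass(frozen=True)
class SnpPolicy:
    abi_major: int = 0
    abi_minor: int = 0
    smt: bool = True
    migrate_ma: bool = False
    debug: bool = False
    single_socket: bool = False

    def encode(self) -> int:
        """Build the policy value passed to libvirt/QEMU; 0x30000 is QEMU's default."""
        if not (0 <= self.abi_major <= 0xFF and 0 <= self.abi_minor <= 0xFF):
            raise ValueError("ABI major/minor are 8-bit fields")
        value = POLICY_RESERVED_ONE | (self.abi_major << 8) | self.abi_minor
        value |= POLICY_SMT if self.smt else 0
        value |= POLICY_MIGRATE_MA if self.migrate_ma else 0
        value |= POLICY_DEBUG if self.debug else 0
        value |= POLICY_SINGLE_SOCKET if self.single_socket else 0
        return value

    @classmethod
    def decode(cls, value: int) -> "SnpPolicy":
        """Parse the POLICY field of an attestation report; reject malformed values."""
        if not value & POLICY_RESERVED_ONE:
            raise ValueError("bit 17 must be set in a valid SNP policy")
        if value & ~KNOWN_POLICY_MASK:
            raise ValueError("policy uses bits this example does not model")
        return cls(
            abi_major=(value >> 8) & 0xFF,
            abi_minor=value & 0xFF,
            smt=bool(value & POLICY_SMT),
            migrate_ma=bool(value & POLICY_MIGRATE_MA),
            debug=bool(value & POLICY_DEBUG),
            single_socket=bool(value & POLICY_SINGLE_SOCKET),
        )


def check_attested_policy(policy_value: int, *, min_abi: tuple[int, int] = (0, 0),
                          allow_debug: bool = False, allow_smt: bool = True) -> list[str]:
    """Policy checks a remote verifier applies before trusting an SNP report."""
    try:
        p = SnpPolicy.decode(policy_value)
    except ValueError as exc:
        return [f"malformed policy: {exc}"]
    problems = []
    if p.debug and not allow_debug:
        problems.append("DEBUG bit set: the hypervisor may decrypt guest memory")
    if p.smt and not allow_smt:
        problems.append("SMT permitted by guest policy but forbidden by verifier")
    if (p.abi_major, p.abi_minor) < min_abi:
        problems.append(f"firmware ABI {p.abi_major}.{p.abi_minor} below required "
                        f"{min_abi[0]}.{min_abi[1]}")
    return problems


def legacy_sev_policy(*, es: bool) -> int:
    """Policy for <launchSecurity type='sev'>: no debug, no key sharing, ES if requested."""
    return SEV_NODBG | SEV_NOKS | (SEV_ES if es else 0)


def launch_type_for_model(mem_encryption_model: str) -> str:
    """Map a flavor/image encryption model to the libvirt launchSecurity type.
    'amd-sev-snp' is a hypothetical value; upstream Nova has no SNP value yet."""
    mapping = {"amd-sev": "sev", "amd-sev-es": "sev", "amd-sev-snp": "sev-snp"}
    return mapping[mem_encryption_model]


def launch_security_xml(policy: SnpPolicy, cbitpos: int, reduced_phys_bits: int) -> str:
    """Render the libvirt element; cbitpos/reducedPhysBits come from virsh domcapabilities."""
    return (
        "<launchSecurity type='sev-snp'>\n"
        f"  <cbitpos>{cbitpos}</cbitpos>\n"
        f"  <reducedPhysBits>{reduced_phys_bits}</reducedPhysBits>\n"
        f"  <policy>0x{policy.encode():08x}</policy>\n"
        "</launchSecurity>"
    )


if __name__ == "__main__":
    prod = SnpPolicy()                          # SMT allowed, no debug -> 0x30000
    print(launch_security_xml(prod, cbitpos=47, reduced_phys_bits=1))  # assumed host values
    print(check_attested_policy(SnpPolicy(debug=True).encode()))       # flags DEBUG
```

The security-relevant caveat the verifier side encodes: an SNP report whose policy has bit 19 (DEBUG) set is cryptographically valid but describes a VM whose memory the hypervisor is allowed to read, so a production verifier must reject it regardless of the measurement matching. Note also that SEV-ES and SEV-SNP use different policy encodings and different `launchSecurity` types; backported SEV-ES code that passes a 32-bit `0x07`-style policy cannot simply be reused for an SNP launch.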