Interrupt Security for Virtual Machines and Guest Environments: AMD SEV-SNP Restricted and Alternate Interrupt Injection
DOI: https://doi.org/10.22399/ijcesen.5286
Keywords: AMD SEV-SNP, Confidential Computing, Interrupt Injection, Restricted Injection, Alternate Injection, KVM
Abstract
Encrypting a virtual machine's memory addresses only one dimension of the confidential computing security problem. When the hypervisor retains architectural control over interrupt delivery, a malicious or compromised hypervisor can exploit interrupt injection to undermine the confidentiality and integrity guarantees that confidential virtual machines are designed to provide. Guest operating systems carry deep assumptions about interrupt behavior rooted in bare-metal execution, and violating those assumptions, even for a single instruction cycle, can place the guest kernel in states that neither hardware designers nor operating system developers planned for. AMD Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP) confronts this problem through two mutually exclusive hardware-enforced mechanisms: Restricted Interrupt Injection and Alternate Interrupt Injection. This article examines the architectural motivation for interrupt security, the design of the HV Doorbell Page (HVDB), the full interrupt delivery flow from the KVM hypervisor through to the Linux guest kernel, interrupt shadow handling, system vector dispatch optimization, preemption issues causing guest hangs at interrupt exit, and nested exception detection. The treatment connects each mechanism to published attacks, including the HECKLER interrupt injection exploit, and addresses the specific difficulties that have so far prevented upstream Linux kernel acceptance of the Restricted Injection implementation.
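As an added illustration, not part of the article and not Linux or KVM code, the following single-threaded C model shows the shape of the Restricted Injection handshake the abstract describes: the hypervisor can no longer write an arbitrary vector into the guest's event-injection state, so it records the request in the shared HV Doorbell Page and raises #HV, and the guest's #HV handler drains the page atomically and applies its own acceptance policy. The field layout, bit positions, function names and the acceptance policy (exceptions and unregistered vectors are dropped and counted) are assumptions of this model, not the GHCB specification's layout; the hypervisor's pending-vector bitmap plays the role of a virtual APIC IRR and the guest EOI is a direct call where a real guest would use a GHCB exchange.

```c
/* Added example, not from the article or from Linux/KVM. Single-threaded model
 * of the SEV-SNP Restricted Injection doorbell handshake. Layout, bit
 * positions, names and guest policy below are assumptions for illustration. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HVDB_VECTOR_MASK 0x00FFu  /* modelled: bits 7:0 hold the published vector */
#define HVDB_NMI         (1u << 13) /* modelled flag: NMI pending */
#define FIRST_EXTERNAL_VECTOR 32    /* vectors 0..31 are architectural exceptions */

/* Shared doorbell page: hypervisor writes, guest reads-and-clears atomically. */
struct hvdb_model { _Atomic uint16_t pending_events; };

/* Hypervisor-side per-vCPU state: its own record of requested vectors
 * (the role a virtual APIC IRR plays) plus the guest's doorbell page. */
struct hv_vcpu { uint64_t irr[4]; struct hvdb_model *db; };

static int highest_pending(const uint64_t irr[4]) {
    for (int w = 3; w >= 0; w--)
        if (irr[w]) return w * 64 + 63 - __builtin_clzll(irr[w]);
    return -1;
}

/* Publish the highest pending vector. Returns true only when the doorbell
 * went from empty to non-empty, i.e. a #HV must be raised; the CAS loop never
 * lowers a vector the guest has not yet consumed. */
bool hv_sync_doorbell(struct hv_vcpu *v) {
    int hi = highest_pending(v->irr);
    if (hi < 0) return false;
    uint16_t old = atomic_load(&v->db->pending_events);
    for (;;) {
        if ((old & HVDB_VECTOR_MASK) >= (unsigned)hi) return false; /* already published */
        uint16_t updated = (uint16_t)((old & ~HVDB_VECTOR_MASK) | (unsigned)hi);
        if (atomic_compare_exchange_weak(&v->db->pending_events, &old, updated))
            return (old & HVDB_VECTOR_MASK) == 0;
    }
}

/* Under Restricted Injection the hypervisor cannot inject 'vec' directly;
 * it can only record it and (possibly) ring the doorbell. */
bool hv_request_interrupt(struct hv_vcpu *v, uint8_t vec) {
    v->irr[vec / 64] |= 1ull << (vec % 64);
    return hv_sync_doorbell(v);
}

/* Guest EOI, modelled as a direct call: retire the vector and let the
 * next highest one be published. */
void hv_eoi(struct hv_vcpu *v, uint8_t vec) {
    v->irr[vec / 64] &= ~(1ull << (vec % 64));
    hv_sync_doorbell(v);
}

struct guest_cpu {
    uint64_t allowed[4];      /* vectors the guest itself registered handlers for */
    uint8_t dispatched[256];
    size_t n_dispatched, n_rejected, n_nmi;
};

void guest_register_vector(struct guest_cpu *g, uint8_t vec) {
    g->allowed[vec / 64] |= 1ull << (vec % 64);
}

static bool vector_allowed(const struct guest_cpu *g, unsigned vec) {
    return (g->allowed[vec / 64] >> (vec % 64)) & 1ull;
}

/* The guest's #HV handler. It drains the doorbell until it reads zero so a
 * vector posted while the handler was running is not lost at exit. */
void guest_hv_handler(struct guest_cpu *g, struct hv_vcpu *v) {
    for (;;) {
        uint16_t ev = atomic_exchange(&v->db->pending_events, 0);
        if (!ev) return;
        if (ev & HVDB_NMI) g->n_nmi++;
        unsigned vec = ev & HVDB_VECTOR_MASK;
        if (!vec) continue;
        /* Policy modelled here: an exception vector or a vector the guest
         * never registered is dropped and counted, never executed. */
        if (vec < FIRST_EXTERNAL_VECTOR || !vector_allowed(g, vec))
            g->n_rejected++;
        else
            g->dispatched[g->n_dispatched++] = (uint8_t)vec;
        hv_eoi(v, (uint8_t)vec); /* retire it even when rejected, or it would repost forever */
    }
}

struct guest_cpu last_guest; /* filled by run_scenario() for inspection */

/* Constructed scenario: guest registered 0x21 and 0xEC; the hypervisor then
 * requests 0x21, an unregistered 0x80, exception vector 0x01 (#DB) and 0xEC. */
size_t run_scenario(void) {
    struct hvdb_model db = { 0 };
    struct hv_vcpu v = { {0}, &db };
    last_guest = (struct guest_cpu){ 0 };
    guest_register_vector(&last_guest, 0x21);
    guest_register_vector(&last_guest, 0xEC);
    hv_request_interrupt(&v, 0x21);
    hv_request_interrupt(&v, 0x80); /* vector this guest never registered */
    hv_request_interrupt(&v, 0x01); /* an exception: never deliverable this way */
    hv_request_interrupt(&v, 0xEC);
    guest_hv_handler(&last_guest, &v); /* models the #HV raised by the first request */
    return last_guest.n_dispatched;
}

int main(void) {
    size_t n = run_scenario();
    printf("dispatched %zu, rejected %zu\n", n, last_guest.n_rejected);
    for (size_t i = 0; i < n; i++) printf("  vector 0x%02x\n", last_guest.dispatched[i]);
    return 0;
}
```

Running the scenario dispatches 0xEC then 0x21 (highest vector first, as an APIC would prioritise) and rejects 0x80 and 0x01; the rejected vectors are still retired with an EOI, otherwise the hypervisor's queue would republish them indefinitely and the drain loop would never see an empty doorbell.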
References
[1] Masanori Misono, et al., "Confidential VMs Explained: An Empirical Analysis of AMD SEV-SNP and Intel TDX," Proceedings of the ACM on Measurement and Analysis of Computing Systems, 2024. Available: https://dl.acm.org/doi/epdf/10.1145/3700418
[2] Robert Buhren, et al., "One Glitch to Rule Them All: Fault Injection Attacks Against AMD's Secure Encrypted Virtualization," arXiv, 2021. Available: https://arxiv.org/pdf/2108.04575
[3] Mengyuan Li, et al., "CipherLeaks: Breaking Constant-time Cryptography on AMD SEV via the Ciphertext Side Channel," USENIX Security, 2021. Available: https://www.usenix.org/system/files/sec21-li-mengyuan.pdf
[4] Benedict Schlüter, et al., "HECKLER: Breaking Confidential VMs with Malicious Interrupts," USENIX Security, 2024. Available: https://ahoi-attacks.github.io/heckler/heckler_usenix24.pdf
[5] AMD, "AMD Secure Encrypted Virtualization (SEV)." Available: https://www.amd.com/en/developer/sev.html
[6] Tianyu Lan, "[RFC PATCH V3 00/16] x86/hyperv/sev: Add AMD sev-snp enlightened guest support on hyperv," Linux Kernel Mailing List, 2023. Available: https://lkml.org/lkml/2023/1/21/302
[7] AMD, "SEV-ES Guest-Hypervisor Communication Block Standardization," AMD Technical Information Portal, 2025. Available: https://docs.amd.com/v/u/en-US/56421
[8] Ashish Kalra, "Interrupt Security for AMD SEV-SNP," Linux Plumbers Conference 2022, Confidential Computing Microconference, September 2022. Available: https://lpc.events/event/16/contributions/1321/
[9] Melody (Huibo) Wang, "Securing Interrupt Delivery for SEV-SNP Guests," KVM Forum, 2024. Available: https://pretalx.com/kvm-forum-2024/talk/GWF9UC/
[10] Linux kernel mailing list archive. Available: https://lore.kernel.org/all/20230606075026.GA905437@hirez.programming.kicks-ass.net/
Copyright (c) 2026 International Journal of Computational and Experimental Science and Engineering

This work is licensed under a Creative Commons Attribution 4.0 International License.