AMD's Secure Encrypted Virtualization (SEV) has become the default choice for confidential computing in public clouds. Azure, Google Cloud, and NVIDIA all back it for AI workloads. The pitch is compelling: hardware-level memory encryption that keeps hypervisors blind to VM contents.
The encryption layer is solid. SEV isolates VM memory using per-guest keys managed by AMD's Secure Processor. Not even the cloud provider can inspect what's running. For regulated industries pooling training data, that's valuable. Two banks training a fraud detection model in a shared environment: SEV guarantees neither can peek at the other's data.
The gap appears when you look past the encrypted bytes. SEV doesn't hide operational behavior. Timing patterns, memory access sequences, computation shapes: all visible to anyone monitoring the system. For AI inference, where model architecture and input characteristics leak through execution patterns, this matters.
Compare Intel SGX, which creates encrypted enclaves for specific application code. SGX protects smaller attack surfaces but requires rebuilding apps around it. SEV encrypts entire VMs with no guest OS changes. Cloud providers favor the path of least friction.
SEV-SNP, the latest variant, added memory integrity checks via Reverse Map Table. It addresses tampering but doesn't solve the side-channel observation problem. Operations still have observable shapes. Cache timing attacks remain viable in containerized environments, per recent container escape research.
The enterprise trade-off: SEV provides strong data protection with minimal implementation overhead. What you give up is behavioral opacity. For workloads where computation patterns reveal sensitive information, that's not theoretical risk.
Worth noting: Intel TDX and ARM CCA are positioning as alternatives with broader attestation frameworks. The market hasn't picked winners yet. What's clear is that first-generation confidential computing solves data exposure but leaves metadata leakage largely unaddressed.
If you're deploying confidential AI VMs, understand what you're actually getting. The fortress is real. The windows are still open.