Welcome to SEV OS Certification

April 3, 2026 · View on GitHub

The purpose of this repository is to provide a unified framework for testing and certifying operating system support for AMD Secure Encrypted Virtualization (SEV) features. These are hardware-enabled security features that provide confidentiality and integrity of VM memory through per-VM encryption keys. Self-service tools are provided to run a series of certification tests using an AMD EPYC server, allowing for any user/organization to verify SEV support on a particular OS.

Note: Currently only linux distributions supported by mkosi are compatible with this framework. Please take a look at few important key points about sev-certify project here.

Certification Matrix

This table contains operating systems that have undergone certification testing for AMD features through this repository.

OSStatusEPYC 7003EPYC 9004EPYC 8005EPYC 9005
CentOS 10c3.0.0-0
Debian 13N/A
Debian Forkyc3.0.0-0
Fedora 41c3.0.0-0
Rocky 10.1c3.0.0-0
Ubuntu 25.04c3.0.0-0
Ubuntu 25.10c3.0.0-0

✅ Latest Level Certified ❌ Latest Level Not Certified ⚠️ Backwards Compatibility Issues - see hardware tables

See Certificate Level Definitions for the features certified at each level.

Self-Service Certification Tools

Users/Organizations may target their own SEV-enabled EPYC server for self-service certification runs. Follow our guide on running an automated certification test here.

Each certification run automatically creates a GitHub Issue containing the results and assigning a certification level. Issues are tagged by OS and SEV feature to facilitate searching and tracking.

Images

Host and Guest images are constructed in GitHub Workflows via mkosi. Host images are designed to be booted on a SEV-enabled EPYC server, and are configured with a series of tests in the form of custom systemd services that will run on an embedded guest image. The resulting host and guest images are available in GitHub releases.

Users seeking to verify AMD Secure Encrypted Virtualization (SEV) features features for an Operating System not included in the currentsev-certify project can utilize our guide here.

Key Points

  • Host and guest artifacts under 'devel' tag in sev-certify are purely for development and testing purpose, and may not be a good fit for production purpose.
  • Each host image will have an embedded guest image.
  • When a host image is booted on the server, host images are installed in RAM.
  • Guest images will "fail" if SNP isn't enabled.
  • Host will automatically reboot when done.