Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

How to use the RMP instruction (Use VMPL) #208

Open
ksy980324 opened this issue Mar 12, 2024 · 2 comments
Open

How to use the RMP instruction (Use VMPL) #208

ksy980324 opened this issue Mar 12, 2024 · 2 comments

Comments

@ksy980324
Copy link

ksy980324 commented Mar 12, 2024

I have prepared a SEV-SNP enabled VM. (both host and guest are Ubuntu 20.04)
I want to increase the VMPL permissions of a specific application running on the guest VM.
I looked at the documentation and understood that I can specify VMPL through RMP access control.
It seems that I can specify VMPL permissions via the RMPADJUST instruction.

However, when I tried to use the RMP command on the hypervisor, it failed. (I also tried it in the guest and it failed)
How can I perform the RMP instructions?
(How can I leverage the VMPL functionality?)

@tlendacky
Copy link
Collaborator

tlendacky commented Mar 12, 2024

However, when I tried to use the RMP command on the hypervisor, it failed.

RMPADJUST can only be executed in guest context.

How can I perform the RMP instructions?

RMPADJUST can be used to change the VMPL permissions associated with a page. The VMPL permissions that can be changed must be for a less-privileged VMPL level. That is, if you are running at VMPL0, you can adjust the VMPL permissions for VMPL1, 2 and 3. If running at VMPL1, you can adjust the VMPL permissions for VMPL2 and 3, etc.

You must then have a vCPU that is running at the VMPL permission that you are targeting in order to leverage VMPL functionality. The support for multiple VMPL levels within the guest Linux OS does not exist and is something that you would need to develop.

@ksy980324
Copy link
Author

Thank you for your reply.
I have confirmed that RMPADJUST can be written and used as a kernel module.
We have also confirmed that this command is not available in user space.

RMPADJUST requires a guest virtual address, RMP page size, and VMPL permission information as parameters.
I want to verify that VMPL is working properly.
I was wondering if there is a good way to check this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants