Reputation: 1
Can the hypervisor and AMD SEV VMs share memory?
I was wondering if modifying the KVM would allow the hypervisor and VM to share memory.
I've been studying SEV, AMD's memory encryption technology, and this question came up. Is it possible for the hypervisor and VM to share memory? I don't have a detailed knowledge of KVM, so I can only guess.
I can imagine the following ways.
- modify the KVM so that some of the memory for the VM to use is shared memory
- pre-allocate shared memory on the host and modify KVM to allow the VM to use that memory
I wonder if the above 2 methods are possible. If it is, it would be possible to use SEV-SNP's VMPL feature to control the hypervisor's access to shared memory.
Upvotes: 0
Views: 233
Answers (1)
Reputation: 23
Your question is a little unclear whether you're referring to SEV or SEV-SNP. They're incremental features available on different generations of EYPC CPUs.
AMD does refer to as SEV, SEV-ES, SEV-SNP as SEV technologies.
Yes, a hypervisor and VM can share memory in SEV, SEV-ES, as well as SEV-SNP. Support for this is baked into the hardware.
Check out "Encrypted Memory" on page 12 in the whitepaper - AMD Memory Encryption by Kaplan, Powell, and Woller (emphasis mine):
One of the key features of SEV is that guest VMs are able to choose which data memory pages they would like to be private. This choice is done using the standard CPU page tables, and is fully controlled by the guest. Private memory is encrypted with the guest-specific key, while shared memory may be encrypted with the hypervisor key. This feature allows VMs to mark selected pages of memory data they want to keep confidential (private), and others to be used for communication with other VMs or the hypervisor. In a typical arrangement, the guest would map all of its code and data as private, except for specific shared pages that it chooses to expose.
To achieve a shared page between the VM and the Hypervisor, the guest will have to set the enCrypted bit (C-bit; bit 47) in the Page Table Entry of a page to 0. Once done, the guest and host can use that page to communicate.
This is also very well explained in SEV-SNP's whitepaper AMD SEV-SNP: Strengthening VM Isolation with Integrity Protection and More (in particular, see Page States on page 11).
Since you ask about SEV-SNP at the end: this is being worked on since linux 6.9 - see rmp_make_shared. As of linux 6.11-rc1, kvm_rmp_make_shared exists.
Upvotes: 1
Related Questions
- What are the benefits of a Hypervisor VM?
- can we install a hypervisor inside a OS created by another hypervisor?
- How does a Hypervisor distinguish multiple VMs running on it and isolate them from the underlying h/w?
- Multiseat setup for fun and profit: hypervisors and other choices
- Use RHEL KVM virt-v2v to convert vm from "vmware server 2.0.2"
- Who assigns the Private and Public address for a Guest OS hosted on a hypervisor?