AMDESE / AMDSEV

AMD Secure Encrypted Virtualization

Nested Virtualization for SEV-SNP #169

Open Daviiap opened 1 year ago

Daviiap commented 1 year ago

Hi, I'm working with SEV-SNP VMs and Kata Containers, and a question comes to mind: Is it possible to run nested SEV-SNP enabled VMs inside a SEV-SNP VM?

I was looking at this whitepaper about SEV-SNP and noticed that the VMPLs (Virtual Machine Privilege Levels) might be used to enable nested virtualization. However, I'm unsure if it is actually possible.

If it is possible, does anyone know if KVM already supports it?

tlendacky commented 11 months ago

> I was looking at this whitepaper about SEV-SNP and noticed that the VMPLs (Virtual Machine Privilege Levels) might be used to enable nested virtualization. However, I'm unsure if it is actually possible.
>
> If it is possible, does anyone know if KVM already supports it?

It isn't possible to do true nested virtualization in an SNP guest of an SNP guest, even using multiple VMPL levels.

aep commented 5 months ago

Is this a limitation at the hardware level, or does this repo just not provide software for it? Asking because Azure claims it does support nested SNP.

Daviiap commented 5 months ago

Hi @aep! Can you send the link to these Azure docs?

aep commented 5 months ago

under NDA :(

tlendacky commented 5 months ago

It is a software limitation. It is related to the L0 hypervisor's use of NPT support for the L1 hypervisor. The L1 hypervisor must be a non-SEV guest in order to run an L2 SNP guest. I think the L1 guest can't be run using NPT, and it also requires virtualizing PSP accesses, ASID assignments, etc. It's been a while since I've thought about it and I may not have remembered everything correctly :).
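
The comment above boils down to what an L1 hypervisor can see: to launch an L2 SNP guest it needs the SEV feature leaf (CPUID Fn8000_001F) to advertise SEV, SEV-ES, SEV-SNP and VMPLs, plus ASIDs it is allowed to hand out. The decoder below is an added example, not code from this thread or from the AMDSEV repository. Bit and field positions follow AMD's published layout of CPUID Fn8000_001F; the "can launch" rule (SEV-SNP advertised and at least one ASID in the SEV-ES/SNP range, i.e. EDX > 1) is an assumption modelled on what Linux KVM's SEV setup checks, and `read_sev_leaf` simply reports "not present" on a CPU or guest where the leaf is hidden.

```c
/* Added example: decode CPUID Fn8000_001F, the leaf a (nested) hypervisor consults
 * to learn which SEV features and how many ASIDs are available at its level.
 * Field positions follow AMD's CPUID Fn8000_001F definition; the launch rule is an
 * assumption mirroring Linux KVM's SEV initialisation (SNP bit + SEV-ES/SNP ASIDs). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

#define SEV_LEAF 0x8000001FU

struct sev_caps {
    bool sme, sev, sev_es, sev_snp, vmpl;
    unsigned cbit_pos;      /* EBX[5:0]:   position of the C-bit in a page-table entry */
    unsigned num_vmpl;      /* EBX[15:12]: number of VMPLs supported */
    uint32_t max_asid;      /* ECX: number of encrypted guests supported simultaneously */
    uint32_t min_sev_asid;  /* EDX: lowest ASID for plain SEV; ASIDs 1..EDX-1 are SEV-ES/SNP */
};

/* Pure decoder so the field logic can be exercised on constructed register values. */
struct sev_caps decode_sev_leaf(uint32_t eax, uint32_t ebx, uint32_t ecx, uint32_t edx)
{
    struct sev_caps c;
    c.sme     = (eax & (1u << 0)) != 0;
    c.sev     = (eax & (1u << 1)) != 0;
    c.sev_es  = (eax & (1u << 3)) != 0;
    c.sev_snp = (eax & (1u << 4)) != 0;
    c.vmpl    = (eax & (1u << 5)) != 0;
    c.cbit_pos = ebx & 0x3Fu;
    c.num_vmpl = (ebx >> 12) & 0xFu;
    c.max_asid = ecx;
    c.min_sev_asid = edx;
    return c;
}

/* ASIDs usable for SEV-ES/SEV-SNP guests are 1..(EDX-1); EDX == 1 means none. */
uint32_t snp_asid_count(struct sev_caps c)
{
    return c.min_sev_asid > 1 ? c.min_sev_asid - 1 : 0;
}

/* Assumption (modelled on KVM): SNP guests need the SNP bit and at least one SNP ASID. */
bool can_launch_snp_guest(struct sev_caps c)
{
    return c.sev && c.sev_es && c.sev_snp && snp_asid_count(c) > 0;
}

/* Query the running CPU. Returns false when the leaf is absent, e.g. on a non-AMD
 * CPU or inside a guest whose hypervisor does not expose the SEV leaf to it. */
bool read_sev_leaf(unsigned int regs[4])
{
#if defined(__x86_64__) || defined(__i386__)
    return __get_cpuid_count(SEV_LEAF, 0, &regs[0], &regs[1], &regs[2], &regs[3]) != 0;
#else
    (void)regs;
    return false;
#endif
}

int main(void)
{
    unsigned int r[4];
    if (!read_sev_leaf(r)) {
        puts("CPUID 0x8000001F not present at this level: no SEV features advertised");
        return 1;
    }
    struct sev_caps c = decode_sev_leaf(r[0], r[1], r[2], r[3]);
    printf("SEV=%d SEV-ES=%d SEV-SNP=%d VMPL=%d (num_vmpl=%u) C-bit=%u\n",
           c.sev, c.sev_es, c.sev_snp, c.vmpl, c.num_vmpl, c.cbit_pos);
    printf("max ASID=%u, SEV-ES/SNP ASIDs=%u, can launch SNP guest here: %s\n",
           c.max_asid, snp_asid_count(c), can_launch_snp_guest(c) ? "yes" : "no");
    return 0;
}
```

Run it on the host and then inside an SNP guest: on current hosts the first line shows all bits set, while inside the guest the leaf is typically absent or reports no ASIDs, which is the software-side reason the L1 cannot act as an SNP host.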

aep commented 5 months ago

Looks like that's indeed the case on azure. The attestation for the first VM uh... dunno how much of that is confidential. But the nested VM looks good.

Can we create that same setup with KVM? Virtualizing the PSP doesn't sound too difficult given that it's a limited API surface. But no idea how ASIDs work.

tlendacky commented 5 months ago

Anything is possible, but we're still working on getting regular SNP host support upstream. Not sure where this would fall on the priority list of work we already have to do. Patches are always welcome and appreciated upstream.

aep commented 5 months ago

Yeah I'll ask the boss if we can contribute that but I can already imagine the answer 🙄

katexochen commented 2 months ago

As it sounds possible and is only an issue of priority, @Daviiap could you re-open the issue for tracking purposes and visibility?

mbs0221 commented 1 month ago

Referred to this work from Microsoft Research? Hecate: Lifting and Shifting On-Premises Workloads to an Untrusted Cloud