AMDESE / AMDSEV

AMD Secure Encrypted Virtualization

How to use the RMP instruction (Use VMPL) #208

Open ksy980324 opened 6 months ago

ksy980324 commented 6 months ago

I have prepared an SEV-SNP enabled VM (both host and guest are Ubuntu 20.04). I want to increase the VMPL permissions of a specific application running on the guest VM. I looked at the documentation and understood that I can specify VMPL through RMP access control. It seems that I can specify VMPL permissions via the RMPADJUST instruction.

However, when I tried to use the RMP command on the hypervisor, it failed. (I also tried it in the guest and it failed.) How can I perform the RMP instructions? (How can I leverage the VMPL functionality?)

tlendacky commented 6 months ago

> However, when I tried to use the RMP command on the hypervisor, it failed.

RMPADJUST can only be executed in guest context.

> How can I perform the RMP instructions?

RMPADJUST can be used to change the VMPL permissions associated with a page. The VMPL permissions that can be changed must be for a less-privileged VMPL level. That is, if you are running at VMPL0, you can adjust the VMPL permissions for VMPL1, 2 and 3. If running at VMPL1, you can adjust the VMPL permissions for VMPL2 and 3, etc.

You must then have a vCPU that is running at the VMPL permission that you are targeting in order to leverage VMPL functionality. The support for multiple VMPL levels within the guest Linux OS does not exist and is something that you would need to develop.

ksy980324 commented 6 months ago

Thank you for your reply. I have confirmed that RMPADJUST can be written and used as a kernel module. We have also confirmed that this command is not available in user space.

RMPADJUST requires a guest virtual address, RMP page size, and VMPL permission information as parameters. I want to verify that VMPL is working properly. I was wondering if there is a good way to check this.
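
Added example (not part of the thread and not code from the AMDSEV repository): how the three RMPADJUST operands named above are laid out, with a check for the rule stated earlier that the target must be a less-privileged VMPL than the caller. The attribute bit layout follows the AMD64 APM description of RMPADJUST; the helper names `rmpadjust_attrs` and `rmpadjust` and the constants are hypothetical, and the instruction wrapper is shown only for its register usage, since it is valid only at CPL0 inside an SEV-SNP guest.

```c
#include <stdint.h>
#include <stdio.h>

/* Permission bits of TARGET_PERM_MASK (AMD64 APM, VMPL permission mask). */
#define VMPL_R        (1u << 0)  /* read */
#define VMPL_W        (1u << 1)  /* write */
#define VMPL_X_USER   (1u << 2)  /* execute at CPL3 */
#define VMPL_X_SUPER  (1u << 3)  /* execute at CPL0-2 */
enum { RMP_PG_4K = 0, RMP_PG_2M = 1 };  /* RCX page-size operand */

/* Hypothetical helper: pack the RDX operand for RMPADJUST.
 * bits 7:0 target VMPL, bits 15:8 permission mask, bit 16 VMSA flag.
 * Returns 0 on success, -1 if the request breaks the rule from the thread:
 * the target must be a less-privileged (numerically higher) VMPL. */
int rmpadjust_attrs(unsigned cur_vmpl, unsigned target_vmpl,
                    uint8_t perms, int vmsa, uint64_t *attrs)
{
    if (cur_vmpl > 3 || target_vmpl > 3 || target_vmpl <= cur_vmpl)
        return -1;
    *attrs = (uint64_t)target_vmpl | ((uint64_t)perms << 8) |
             ((uint64_t)(vmsa != 0) << 16);
    return 0;
}

#if defined(__x86_64__)
/* Operand registers: RAX = guest virtual address, RCX = page size,
 * RDX = attributes; status comes back in RAX (0 = success).
 * Only valid at CPL0 inside an SEV-SNP guest; never called in this demo. */
static inline int rmpadjust(uint64_t vaddr, int psize, uint64_t attrs)
{
    int rc;
    __asm__ volatile(".byte 0xF3,0x0F,0x01,0xFE" /* RMPADJUST */
                     : "=a"(rc) : "a"(vaddr), "c"(psize), "d"(attrs)
                     : "memory", "cc");
    return rc;
}
#endif

int main(void)
{
    uint64_t a;
    /* VMPL0 granting VMPL1 read+write on a page: allowed. */
    if (rmpadjust_attrs(0, 1, VMPL_R | VMPL_W, 0, &a) == 0)
        printf("attrs = 0x%llx\n", (unsigned long long)a);
    /* VMPL1 trying to change its own VMPL1 permissions: rejected. */
    printf("VMPL1->VMPL1: %d\n", rmpadjust_attrs(1, 1, VMPL_R, 0, &a));
    return 0;
}
```
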