mbs0221
commented
1 day ago Hello, many thanks for your interest. This project extends the Dune framework, supporting the execution of untrusted processes in user space at lower Virtual Machine Privilege Levels (VMPLs) on AMD SEV-SNP enabled systems. This enhancement aims to provide better isolation and security while allowing more flexible deployment of untrusted workloads. In previous work, we implemented this framework on AMD SEV-SNP purely in C language. We found the similarity between the two environments, namely Intel VT-x and AMD SEV-SNP. The Rust language can be very applicable in building such cross-platform and unified framework. Therefore, I decided to port source code to Rust. Currently, the porting task is still unfinished and untested.
As for Nested VM, the Hecate framework is a L1-hypervisor on AMD SEV-SNP, leveraging the VMPL feature. However, as official documents stated, the AMD SEV-SNP platform does not support nested virtualization. The lower VMPL can be treated as an isolated execution environment for process in guest CVM. More details can be found in recently published official slides on AMD SEV-SNP. Each VMPL can run separate guest OS.
Hello,
These projects could be a perfect fit for some work we're doing.
Is the goal/capability to have a VM within a VM?
We're looking at building a container only micro-OS
If anyone's interested, please ping me! Should be very cool.
Thank you!
Hans hans@zsl.ai