📃
Confidential Computing 101
HomeTechnologyTry CC!
  • Welcome
  • Confidential Computing
    • What is Confidential Computing
    • What problems Confidential Computing solves
      • Bare Metal
      • Docker
      • Kubernetes
      • Knative
    • Why Confidential Computing
    • How Confidential Computing works
      • Memory Encryption
      • Workload Attestation
      • Confidential Boot
      • Sealing / Binding
      • Secret Provisioning
    • Technology Overview
    • Cloud Service Providers
  • Technology in depth
    • Intel SGX
      • Getting Started
        • Bare Metal Server Installation
        • Enclave Development Environment
        • Intel SGX SDK Setup
      • Technology
        • 🎭Features
        • 💂Threat Model
        • 🆚Versions
        • 🟦Concepts
          • 🏦Memory Encryption
          • 👮Local and Remote Attestation
          • 🖼️DCAP-Attestation Framework
          • 🔑Secret Key Provisioning
      • enclaive Development Kit
        • 🏢Architecture
        • 🌪️Workflow
        • 🌍Tutorials
          • Azure DCdsv3, DCsv2, or DCsv3 Setup
          • Redis in cK8s
          • MongoDB in cK8s
          • K8s + HashiCorp Vault on Azure DCsv3
      • Vault Remote Attestation Plug-In
        • 🏃‍♂️Initialization
        • 👮Attestation
        • ⚙️Configuration
    • Intel TDX
      • Getting Started
        • Azure
        • AWS
        • GCP
      • Technology
        • History
          • VT
          • TME/MKTME
          • SGX
        • Features
        • Threat Model
        • Concepts
          • Architecture
            • TDX Module
          • Memory Encryption
            • Confidentiality and Integrity
            • Keys and Key Management
          • TD Partitioning
          • DCAP-Attestation
            • Overview
            • Platform Registration
            • Attestation Report
    • AMD SEV
      • Getting Started
        • Azure
        • AWS
        • GCP
      • Technology
        • History
        • Threat Model
        • SME Concepts
          • Use Models
        • SEV-SNP Concepts
          • Features
            • Integrity Threats
            • Reverse Map Table
            • Page Validation
            • Page States
            • Virtual Machine Privilege Levels
            • Interrupt/Exception Protection
            • Trusted Platform Information
            • TCB Versioning
            • VM Launch & Attestation
            • VM Migration
            • Side Channels
          • Use Cases
          • Architecture
            • Encrypted Memory
            • Key Management
          • Software Implications
    • ARM CC
      • Technology
        • Introduction
        • Threat Model
        • Design
        • Comparison
    • Attestation Methods
      • Raw Attestation
      • Raw Attestation with Secure-Boot
      • Raw Attestation with a vTPM
        • AMD Secure VM Service Module and vTPMs
      • Raw Attestation with paravirtualized TPM
  • Resources
    • Youtube
    • Github
    • Products
Powered by GitBook
On this page

Was this helpful?

  1. Technology in depth
  2. AMD SEV
  3. Technology
  4. SEV-SNP Concepts
  5. Features

Reverse Map Table

Last updated 11 months ago

Was this helpful?

As mentioned earlier, SEV-SNP relies on a novel data structure known as the Reverse Map Table (RMP) to enforce various integrity guarantees. The RMP is a system-wide data structure that contains an entry for each 4k page of DRAM available for VM usage. Its primary purpose is to track the ownership of each memory page, which can belong to the hypervisor, a specific VM, or the AMD-SP. To maintain memory security, write access is restricted to only the owner of a particular page. The RMP is integrated with standard x86 page tables to control memory restrictions and page access rights.

In the native mode (non-VM), virtual addresses are translated into physical addresses using standard x86 page tables. Once this translation is complete, the resulting physical address is used to index the RMP. The RMP entry is then read and checked. If the entry indicates that the page is owned by the hypervisor, the checks pass, and a new Translation Lookaside Buffer (TLB) entry is created. However, if the page is not hypervisor-owned, the table-walk faults (#PF), and the access is denied.

In an SEV-SNP VM, the RMP check is more intricate. The virtual address undergoes translation to a Guest Physical Address (GPA) through AMD-V 2-level paging. The GPA is then further translated to a System Physical Address (SPA), which is used to index the RMP. The entry in the RMP is inspected to confirm that the page is owned by the specific guest, mapped at the particular GPA, and contains the expected mapping information. If any of these checks fail, an exception is raised, and the access is denied.

Not all memory accesses require an RMP check. For instance, read accesses from the hypervisor or non-SEV-SNP guests are exempted since data confidentiality is already protected through AES memory encryption. However, all write accesses, regardless of the mode, necessitate an RMP check. This includes standard memory writes and A/D-bit updates during page table walks. The results of RMP checks are cached in the CPU TLB and related structures to improve efficiency.

Due to the critical role of the RMP in enforcing memory access control, it is not directly writable by software. Special CPU instructions are available to enable manipulation of RMP entries, allowing the hypervisor to assign pages to specific guests or reclaim them. When necessary, hardware automatically performs TLB invalidations to ensure that all processors in the system receive updated RMP entry information, maintaining memory security across all cores.

RMP Checks
Drawing