Secure Nested Paging
AMD SEV-SNP introduces a Reverse Map Table (RMP) to protect sensitive VMs from memory remapping, replay attacks, data corruption, and memory aliasing. The RMP is protected against direct software manipulation and can only be modified by special CPU instructions. An entry in the RMP records the owner of the memory page, which can be a specific cVM, the hypervisor, or the AMD SP. The RMP is indexed by the host physical address at the end of a page table walk whenever the hypervisor performs a write operation or a cVM performs a read or write operation. Only write operations by the hypervisor are checked for integrity, because reading cVM-owned memory only yields ciphertext. For cVMs, both reads and writes must be checked, to ensure that the cVM is not reading malicious data and that a malicious cVM is not attacking other cVMs by writing to their memory. In addition, for a cVM-owned page, the GPA is stored along with the ownership tag and compared with the GPA of the current page table walk. Because only a single GPA is stored for each HPA, each HPA can be mapped to only a single GPA of a confidential VM. Alongside the GPA, each RMP entry owned by a confidential VM carries a validation bit. This bit is initially 0 when the hypervisor assigns a new page to a cVM, and is set to 1 only when the guest VM issues the PVALIDATE instruction to accept the page. Accessing a page whose validation bit is 0 always results in a #VC exception. It is then up to the guest VM to keep track of all GPAs it has already accepted and to refuse a page offered for a GPA that is already assigned.
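The following Python model is an added illustration of the checks just described; it is not AMD's RMP format or firmware code. It assumes a simplified RMP entry (owner, ASID, GPA, validation bit), a hypervisor-side assignment step standing in for the privileged RMP update path, a guest-side PVALIDATE that records accepted GPAs, and hypothetical scenario names; the HPA, ASID and GPA values are constructed for the example.

```python
"""Toy model of SEV-SNP RMP checks (added illustration, not AMD's layout)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum, auto


class Owner(Enum):
    HYPERVISOR = auto()
    AMD_SP = auto()
    GUEST = auto()  # a specific cVM, identified by its ASID


@dataclass
class RmpEntry:
    """One toy RMP entry per host page (fields are a model, not the real bits)."""
    owner: Owner = Owner.HYPERVISOR
    asid: int = 0            # owning cVM when owner == GUEST
    gpa: int | None = None   # the single GPA this HPA may back
    validated: bool = False  # set only by the guest's PVALIDATE


class RmpFault(Exception):
    """Access rejected by the RMP check at the end of the page table walk."""


class VcException(Exception):
    """Guest touched a page whose validation bit is still 0 (#VC in the text)."""


class Rmp:
    def __init__(self, n_pages: int):
        self.entries = [RmpEntry() for _ in range(n_pages)]

    # Hypervisor-side update (stands in for the privileged RMP update path).
    def assign_to_guest(self, hpa: int, asid: int, gpa: int) -> None:
        self.entries[hpa] = RmpEntry(Owner.GUEST, asid, gpa, validated=False)

    def hypervisor_write(self, hpa: int) -> None:
        # Only hypervisor writes are checked; its reads just see ciphertext.
        if self.entries[hpa].owner != Owner.HYPERVISOR:
            raise RmpFault(f"hypervisor write to HPA {hpa:#x} denied")

    def guest_access(self, asid: int, gpa: int, hpa: int) -> None:
        # Reads and writes from a cVM are both checked: owner, GPA, validation.
        e = self.entries[hpa]
        if e.owner != Owner.GUEST or e.asid != asid:
            raise RmpFault(f"HPA {hpa:#x} is not owned by ASID {asid}")
        if e.gpa != gpa:
            raise RmpFault(f"HPA {hpa:#x} is bound to another GPA, not {gpa:#x}")
        if not e.validated:
            raise VcException(f"GPA {gpa:#x} not yet validated")


class Guest:
    """Guest-side bookkeeping: accept each GPA at most once."""

    def __init__(self, asid: int, rmp: Rmp):
        self.asid, self.rmp = asid, rmp
        self.accepted: dict[int, int] = {}  # gpa -> hpa already validated

    def pvalidate(self, gpa: int, hpa: int) -> None:
        if gpa in self.accepted:
            # The hypervisor offered a second page for a GPA we already own.
            raise RmpFault(f"refusing to re-validate GPA {gpa:#x}")
        e = self.rmp.entries[hpa]
        if e.owner != Owner.GUEST or e.asid != self.asid or e.gpa != gpa:
            raise RmpFault("PVALIDATE: RMP entry does not match this guest/GPA")
        e.validated = True
        self.accepted[gpa] = hpa


def run_scenarios() -> dict[str, str]:
    """Walk through the checks described above; returns the outcome per scenario."""
    rmp = Rmp(n_pages=8)
    guest = Guest(asid=1, rmp=rmp)
    out: dict[str, str] = {}

    rmp.assign_to_guest(hpa=2, asid=1, gpa=0x1000)
    try:
        rmp.guest_access(1, 0x1000, 2)      # touched before PVALIDATE
        out["unvalidated"] = "allowed"
    except VcException:
        out["unvalidated"] = "#VC"

    guest.pvalidate(0x1000, 2)
    rmp.guest_access(1, 0x1000, 2)          # now permitted
    out["validated"] = "allowed"

    try:
        rmp.hypervisor_write(2)             # hypervisor writing a guest page
        out["hv_write"] = "allowed"
    except RmpFault:
        out["hv_write"] = "RMP fault"

    try:
        rmp.guest_access(1, 0x2000, 2)      # same HPA reached via another GPA
        out["alias"] = "allowed"
    except RmpFault:
        out["alias"] = "RMP fault"

    try:
        rmp.guest_access(2, 0x1000, 2)      # a different cVM targeting the page
        out["other_guest"] = "allowed"
    except RmpFault:
        out["other_guest"] = "RMP fault"

    rmp.assign_to_guest(hpa=3, asid=1, gpa=0x1000)  # GPA offered a second time
    try:
        guest.pvalidate(0x1000, 3)
        out["replay"] = "accepted"
    except RmpFault:
        out["replay"] = "rejected by guest"
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:12s} -> {result}")
```

The last scenario is the point the text closes on: the hardware alone cannot tell that GPA 0x1000 was already backed by another page, so the guest's own table of accepted GPAs is what turns the second PVALIDATE into a refusal.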