I think it would be useful to combine CVM with non-CC GPUs. It may not be entirely safe, but it could be considered as an option to GPU more widely used.
when I examined the code of Nvidia Open GPU Kernel Modules, I found that Nvidia has implemented checks and processing for SEV, presumably decrypting the relevant memory. Like code in nv-vm.c, when unencrypted set to true(should be true inside sev), all the allocations go to dma_alloc_coherent, which should make memory decrypted. All the maps go to nv_adjust_pgprot, and make memory decrypted.
But when I use 3090 with AMD SEV, after GPU processing, the data turns into ciphertext.
When I use SNP, I encounter error Unsupported exit-code 0x404 in #VC exception, which seems to occur when memory is set as shared and pvalidate is called, resulting in the memory being invalidated. I think that decrypted memory shouldn’t trigger #VC exception.
Here is a link to some discussion regarding the IOMMU setup and how dma_alloc_coherent is expected to be used under SEV, SEV-SNP modes.
NVIDIA’s main use-case for confidential computing includes isolation from physical attacks as well as from the hypervisor. Using shared but unencrypted memory violates the definition, as both of these attack vectors would essentially be opened.
You’re free to modify the open source to make such changes (however, you will fail attestation) if you’d like to give it a shot, however!
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.