Vgpu_unlock: Unlock vGPU functionality for consumer grade GPUs

Last modified on April 12, 2021

Release vGPU functionality for individual grade GPUs.


This software is amazingly untested, train at your have risk.


This software permits utilizing Geforce and Quadro GPUs with the NVIDIA vGPU
machine. NVIDIA vGPU most incessantly easiest helps a few Tesla GPUs however since some
Geforce and Quadro GPUs half the linked bodily chip as a result of the Tesla that's easiest
a machine limitation for these GPUs. This software goals to exhaust this limitation.


  • This software requires Python3, probably the most up-to-date mannequin is beneficial.
  • The python bundle "frida" is required. pip3 arrange frida.
  • The software requires the NVIDIA GRID vGPU driver.
  • "dkms" is required as a result of it simplifies the strategy of rebuilding the
    driver alot. Install DKMS with the bundle supervisor to your OS.

Set up:

Within the next instructions will get pleasure from to net changed with
the trail to this repository on the intention system and will get pleasure from to be
changed with the mannequin of the NVIDIA GRID vGPU driver.

Install the NVIDIA GRID vGPU driver, net apparent to arrange it as a dkms module.

./nvidia-installer --dkms

Modify the twin carriageway begining with ExecStart= in /lib/systemd/system/nvidia-vgpud.supplier
and /lib/systemd/system/nvidia-vgpu-mgr.supplier to train vgpu_unlock as
executable and lunge the genuine executable as a result of the principle argument. Ex:

ExecStart=/vgpu_unlock /usr/bin/nvidia-vgpud

Reload the systemd daemons:

systemctl daemon-reload

Modify the file /usr/src/nvidia-/nvidia/os-interface.c and add the
following line after the traces begining with #include to starting with of the

#include "/vgpu_unlock_hooks.c"

Modify the file /usr/src/nvidia-/nvidia/nvidia.Kbuild and add the
following line on the underside of the file.

ldflags-y +=-T /kern.ld

Get away the nvidia kernel module utilizing dkms:

dkms exhaust -m nvidia -v  --all

Rebuild and reinstall the nvidia kernel module utilizing dkms:

dkms arrange -m nvidia -v 



This script will easiest work if there exists a vGPU related Tesla GPU that
makes train of the linked bodily chip as a result of the explicit GPU being extinct.

The machine it really works

vGPU supported?

In dispute in confidence to resolve if a apparent GPU helps the vGPU functionality the
driver appears to be on the PCI instrument ID. This identifier along side the PCI vendor
ID is irregular for each type of PCI instrument. In dispute in confidence to allow vGPU toughen we
should prepare the driving force that the PCI instrument ID of the put in GPU is perception of as one among
the instrument IDs extinct by a vGPU nice GPU.

Userspace script: vgpu_unlock

The userspace corporations and merchandise nvidia-vgpud and nvidia-vgpu-mgr makes train of the ioctl syscall
to give attention to with the kernel module. Namely they learn the PCI instrument ID
and determines if the put in GPU is vGPU nice.

The python script vgpu_unlock intercepts all ioctl syscalls between the
executable specified as a result of the principle argument and the kernel. The script then
modifies the kernel responses to tag a PCI instrument ID with vGPU toughen
and a vGPU nice GPU.

Kernel module hooks: vgpu_unlock_hooks.c

In dispute in confidence to interchange data with the GPU the kernel module maps the bodily
maintain position of the PCI bus into its have digital maintain position. Right right here is carried out
utilizing the ioremapkernel features. The kernel module then reads and writes
data into that mapped maintain position. Right right here is carried out utilizing the memcpy kernel

By together with the vgpu_unlock_hooks.c file into the os-interface.c file we will
train C preprocessor macros to interchange and intercept calls to the iormeap and
memcpy features. Doing this allows us to care for an idea of what's mapped
the construct and what data that's being accessed.

Kernel module linker script: kern.ld

Right here's a modified mannequin of the default linker script equipped by gcc. The
script is modified to area the .rodata fragment of nv-kernel.o into .data
fragment as a substitute of .rodata, making it writable. The script additionally present the
symbols vgpu_unlock_nv_kern_rodata_beg and vgpu_unlock_nv_kern_rodata_end
to allow us to clutch the construct that fragment begins and ends.

The machine all of it comes collectively

After boot the nvidia-vgpud supplier queries the kernel for all put in GPUs
and assessments for vGPU talent. This identify is intercepted by the vgpu_unlock
python script and the GPU is made vGPU nice. If a vGPU nice GPU is discovered
then nvidia-vgpu creates an MDEV instrument and the /sys/class/mdev_bus listing
is created by the system.

vGPU models can now be created by echoing UUIDs into the originate information inside the
mdev bus illustration. This is able to perchance originate additional constructions representing
the distinctive vGPU instrument on the MDEV bus. These models can then be assigned to VMs,
and when the VM begins this is able to perchance starting the MDEV instrument. This causes nvidia-vgpu-mgr
to launch talking with the kernel utilizing ioctl. Yet once more these calls are
intercepted by the vgpu_unlock python script and when nvidia-vgpu-mgr asks if
the GPU is vGPU nice the answer is modified to traipse. After that test it
makes an try to initialize the vGPU instrument occasion.

Initialization of the vGPU instrument is dealt with by the kernel module and it
performs its have test for vGPU talent, this one is a puny bit additional difficult.

The kernel module maps the bodily PCI maintain differ 0xf0000000-0xf1000000 into
its digital maintain position, it then performs some magical operations which we
develop not really know what they attain. What we attain know is that after these operations
it accesses a 128 bit fee at bodily maintain 0xf0029624, which we identify the
magic fee. The kernel module additionally accessses a 128 bit fee at bodily
maintain 0xf0029634, which we identify the predominant fee.

The kernel module then has a few lookup tables for the magic fee, one
for vGPU nice GPUs and one for the others. So the kernel module appears to be for the
magic fee in each of those lookup tables, and whether it is discovered that desk entry
additionally encompasses a position of AES-128 encrypted data blocks and a HMAC-SHA256

The signature is then validated by using the predominant fee talked about earlier to
calculate the HMAC-SHA256 signature over the encrypted data blocks. If the
signature is sexy, then the blocks are decrypted utilizing AES-128 and the linked

Interior of the decrypted data is as quickly as extra the PCI instrument ID.

So in clarify for the kernel module to easily get dangle of the GPU as vGPU nice the magic
fee will have to be inside the desk of vGPU nice magic values, the predominant has
to generate a sufficient HMAC-SHA256 signature and the AES-128 decrypted data blocks
has to own a vGPU nice PCI instrument ID. If any of those assessments fail, then
the error code 0x56 "Call not supported" is returned.

In dispute in confidence to net these assessments lunge the hooks in vgpu_unlock_hooks.c will uncover
for a ioremap identify that maps the bodily maintain differ that possess the magic
and key values, recalculate the addresses of these values into the digital
maintain position of the kernel module, remember memcpy operations discovering out at these
addresses, and if such an operation happens, make a copy of the fee until each
are identified, come throughout the lookup tables inside the .rodata fragment of nv-kernel.o, acquire
the signature and knowledge bocks, validate the signature, decrypt the blocks, edit
the PCI instrument ID inside the decrypted data, reencrypt the blocks, regenerate the
signature and insert the magic, blocks and signature into the desk of vGPU
nice magic values. And that is what they attain.

Read More

Similar Products:

Recent Content