Description
The KVM microconference will focus on KVM itself, as well as KVM's touchpoints with other kernel subsystems. Topics that are primarily aimed at something other than KVM are firmly out of scope and will be rejected. Please consider the Confidential Computing MC, the VFIO/IOMMU/PCI MC, or KVM Forum 2024 if you have a virtualization topic that isn't directly related to KVM internals.
Mr Madhavan Venkataraman (Microsoft), Mickaël Salaün (Microsoft) - 14/11/2023, 09:30
Linux kernel vulnerabilities can be mitigated with kernel self-protection mechanisms that include control-register pinning and memory page protection restrictions. Unfortunately, none is bulletproof, because they are implemented at the same level as the vulnerabilities they try to protect against. To get a more effective defense, we propose to implement some of these protection mechanisms out of...
Anish Ghulati, Sean Christopherson (Google) - 14/11/2023, 10:15
Problem Statement
Rolling out KVM bug fixes and feature upgrades requires unloading KVM modules, which disrupts guests.
Multi-KVM is a proposal to allow multiple, independent KVM modules to be loaded, unloaded, and run concurrently on the same Linux host to:
- Upgrade and rollback KVM without disrupting running VMs and other KVMs on the host.
- Enable running KVM modules...
Isaku Yamahata (Intel) - 14/11/2023, 10:45
In this session, we discuss the options for unifying the KVM API for protected guests: what kind of APIs should/can be unified, and what kind of APIs should allow vendor-specific APIs. At this moment, each technology for protected guests adapts its APIs to construct a guest and make it ready to run. APIs to debug a protected guest when guest debugging is allowed. There are several user...
Alexander Graf, James Gowans (Amazon EC2) - 14/11/2023, 11:30
Hypervisor live update is a mechanism to support updating a hypervisor in a way that has limited impact to running virtual machines. This is done by pausing/serialising running VMs, kexec-ing into a new kernel, starting new VMM processes and then deserialising/resuming the VMs so that they continue running from where they were. So far, all public approaches with KVM neglected device assignment...
Nicolas Saenz Julienne (AWS) - 14/11/2023, 12:15
Windows Credential Guard is a security feature that provides protection to user credentials by utilizing Hyper-V's Virtual Secure Mode (VSM) hypervisor enlightenments. This feature comes enabled by default in Windows 11 and is becoming a prerequisite in the industry. However, KVM has not been able to support it due to its complexity and intrusiveness.
We published a VSM proof of concept...
Fuad Tabba (Google) - 14/11/2023, 12:40
Abstract
Please consider as a submission for a small topic.
In this talk, we present the current approach for supporting [guest private memory][1] in [Protected KVM (pKVM)][2] on [Android][3] for Arm64.
Support for confidential computing is rapidly becoming more popular, with hardware-supported solutions such as Intel's TDX, AMD's SEV, and Arm's CCA, and software-based...
The latest POWER10 systems run unprivileged paravirtual Linux guests atop of a firmware hypervisor called PHYP. To enable workloads relying on virtualization primitives it is necessary to allow those guests to create "nested" guests themselves with minimal overhead. We will discuss a new PHYP API that makes this possible and the KVM PPC changes to make use of it and some of the...