Description
The KVM microconference will focus on KVM itself, as well as KVM's touchpoints with other kernel subsystems. Topics that are primarily aimed at something other than KVM are firmly out of scope and will be rejected. Please consider the Confidential Computing MC, the VFIO/IOMMU/PCI MC, or KVM Forum 2024 if you have a virtualization topic that isn't directly related to KVM internals.
Linux kernel vulnerabilities can be mitigated with kernel self-protection mechanisms, including control-register pinning and memory page protection restrictions. Unfortunately, none of them is bulletproof, because they are implemented at the same privilege level as the vulnerabilities they try to protect against. To get a more effective defense, we propose to implement some of these protection mechanisms out of...
Problem Statement
Rolling out KVM bug fixes and feature upgrades requires unloading KVM modules, which disrupts guests.
Multi-KVM is a proposal to allow multiple, independent KVM modules to be loaded, unloaded, and run concurrently on the same Linux host to:
- Upgrade and rollback KVM without disrupting running VMs and other KVMs on the host.
- Enable running KVM modules...
Hypervisor live update is a mechanism to support updating a hypervisor in a way that has limited impact on running virtual machines. This is done by pausing/serialising running VMs, kexec-ing into a new kernel, starting new VMM processes, and then deserialising/resuming the VMs so that they continue running from where they left off. So far, all public approaches with KVM have neglected device assignment...
Windows Credential Guard is a security feature that provides protection to user credentials by utilizing Hyper-V's Virtual Secure Mode (VSM) hypervisor enlightenments. This feature comes enabled by default in Windows 11 and is becoming a prerequisite in the industry. However, KVM has not been able to support it due to its complexity and intrusiveness.
We published a VSM proof of concept...