KVM Forum 2019 has ended
October 31 - November 1
Lyon Convention Centre - Lyon, France
Friday, November 1 • 16:15 - 16:45
Enhancing KVM for Guest Protection and Security - Jun Nakajima, Intel Corp.

We have been working on KVM to better protect and isolate guests, and we propose a more secure and yet simpler architecture in which 1) guest memory is isolated from the host except for the areas used as I/O buffers, and 2) no MMIO emulation is used. Because it piggybacks on the Linux kernel, KVM tends to have a larger attack surface than other VMMs, which makes the guest more vulnerable. For example, the kernel or QEMU can easily access guest data today. Even with memory encryption technologies, it is still easy for them to corrupt guest data (accidentally or intentionally) or to exploit potential side channels.

Our architecture requires only limited changes to guests, yet it provides more protection and more simplification than other approaches such as XPFO, where user level still has access to the entire guest memory. We share our experiences and data from our PoC.

Jun Nakajima

Sr. Principal Engineer, Intel Corporation
Jun Nakajima is a Senior Principal Engineer at the Intel Open Source Technology Center, leading virtualization and security for open source projects. Jun has presented a number of times at technical conferences, including LSS, KVM Forum, Xen Summit, LinuxCon, OpenStack Summit, and USENIX...

Friday November 1, 2019 16:15 - 16:45 CET
Room: Forum 2
Track: KVM Forum Track 1
Session Slides Included: YES