KVM Forum 2019 has ended
October 31 - November 1
Lyon Convention Centre - Lyon, France
More information for KVM Forum 2019


KVM Forum Track 1
Thursday, October 31
 

09:30 CET

Libvirt: Never too Late to Learn New Tricks - Daniel Berrange, Red Hat
A period of increased disruption has begun in the virtualization space, with new applications such as Kubernetes, KubeVirt and Kata Containers challenging traditional virtual machine usage paradigms. The libvirt developers have responded with self-examination, reconsidering historic decisions and identifying what is required to stay relevant to modern developer and application needs.

The talk will outline the many significant changes and plans to come out of this exercise: dramatic changes to the build system, with autotools replaced by a modern, easy-to-use alternative; the benefits of adopting the glib2 library to replace current APIs and GNULIB; the potential for using the Rust and Go languages; modularization of the libvirt daemon and enabling daemon-less embedded use of the KVM driver; and a switch from email-based development to well-known web-based tooling.

Speakers

Daniel Berrangé

Senior Principal Software Engineer, Red Hat
Daniel is a long-term contributor in the open source virtualization space, working at Red Hat. He has been a lead architect of the libvirt project since its inception, is a frequent contributor to and subsystem maintainer of QEMU, and has been involved in many other projects including OpenStack, GTK-VNC, libosinfo...


Thursday October 31, 2019 09:30 - 10:00 CET
Forum 3

10:00 CET

Firecracker: Lessons from the Trenches - Andreea Florescu & Alexandra Iordache, Amazon
Firecracker is an open source VMM written in Rust, leveraging KVM to provide isolation for multi-tenant, serverless workloads like containers and functions. It is currently used in production by AWS Lambda and AWS Fargate.

Each Firecracker process has a low memory overhead, boots a virtual machine in as little as 125 milliseconds, and oversubscribes host resources in order to pack thousands of microVMs onto a single host. But in a multi-tenant environment, the most important requirement is properly enforcing the security isolation of workloads.

In this talk we will go over the design decisions we took when building Firecracker, showcasing the advantages as well as the limitations of this VMM. What does it take to run Firecracker at scale? Are Rust’s builtin protection mechanisms enough to ensure smooth sailing in production? Come and find out!

Speakers

Andreea Florescu

Software Development Engineer, Amazon
I am a software engineer with the Amazon Web Services Firecracker team. I am passionate about open source and, beyond Firecracker, I am also contributing to rust-vmm, a community effort to create a shared set of Rust-based Virtual Machine Monitor components. So far I've been talking...

Alexandra Iordache

Software Development Engineer, Amazon
Alexandra is a software development engineer at AWS and one of the maintainers of the Firecracker project. Her work is centered on the Firecracker virtual machine monitor.



Thursday October 31, 2019 10:00 - 10:30 CET
Forum 3
  KVM Forum Track 1
  • Session Slides Included YES

11:00 CET

ZERO: Next Generation Virtualization Platform for Huawei Cloud - Jinsong Liu & Zhichao Huang, Huawei
Virtualization technologies form the infrastructure of cloud computing. However, with more and more VMs and workloads running in the cloud, traditional virtualization technologies have exposed weaknesses in cloud environments: virtualization overhead, performance fluctuation and higher cost. ZERO is Huawei's next-generation virtualization platform, targeting four zeros: zero CPU reserved, zero memory reserved, zero virtualization overhead and zero performance fluctuation. By designing a ZERO virtualization chip, the ZERO system offloads overhead to the ZERO chip and card, including all network I/O, all storage I/O and the whole cloud control plane. By designing a split hypervisor, ZERO leaves only a very small and silent hypervisor on the x86/ARM server, thereby improving overall resource utilization and performance. ZERO 1.0 has been launched on Huawei Cloud, supporting both VM and bare-metal instances on both x86 and ARM servers.

Speakers

Zhichao Huang

Senior Software Engineer, Huawei
Zhichao Huang is a senior software engineer at Huawei. He has 12 years of working experience on Linux and virtualization.



Thursday October 31, 2019 11:00 - 11:30 CET
Forum 2
  KVM Forum Track 1
  • Session Slides Included YES

11:30 CET

How KVM-based Hybrid Deployment Powers Bytedance’s Biggest Day Ever - Lu Ye & Zhenwei Pi, Bytedance
During the Spring Festival Gala, instantaneous traffic is several hundred times normal, and the burst traffic during the event greatly exceeds the current capacity of the IDCs. At the same time, to guarantee the QoS of the online services in the mixed deployment, a very high level of isolation is required for every kind of resource, including but not limited to page cache, CPU scheduling capacity and memory bandwidth. In this session, Ye Lu and Zhenwei Pi will introduce how the decision for a KVM-based hybrid deployment solution was made, the performance optimizations made when landing it, and the system monitoring added after virtualization, such as more accurate network analysis tools to distinguish application backend errors from physical network outages and virtualized network failures. The solution helped services get through the traffic peaks and improved the overall resource utilization of the IDCs.

Speakers

Zhenwei Pi

Bytedance
Zhenwei Pi is working as a cloud computing engineer at ByteDance. He is responsible for the IaaS architecture of ByteDance's production environment, including private cloud and edge computing cloud.

Ye Lu

Cloud Computing Engineer, Bytedance
Ye Lu is working as a cloud computing engineer at ByteDance, which has more than 600 million active users and hundreds of thousands of servers all over the world. She is responsible for the IaaS architecture of ByteDance's production environment, including private cloud and edge...



Thursday October 31, 2019 11:30 - 12:00 CET
Forum 2
  KVM Forum Track 1
  • Session Slides Included YES

12:00 CET

Seamless Cloud System Upgrade with VMM Fast Restart - Jason Zeng, Intel
Frequent updates (software and firmware) have become a major pain point for cloud service providers. Several approaches exist to address this, for example hot patching and live migration, but each has limitations. VMM fast restart proposes an alternative: it leverages kexec-based fast rebooting of the host machine while keeping VM state in memory across the reboot, to achieve short service downtime, a high success rate and low management overhead.

This talk will introduce the technical approaches, current status of development, and future plans of VMM fast restart. Related challenges will also be described in this talk.

Speakers

Jason Zeng

Software Engineer, Intel Corporation
Jason Zeng is a software engineer on the Intel virtualization team, focusing on various KVM/virtualization features and projects. Currently he is working on the VMM Fast Restart project, which aims to provide a solution for fast upgrading and rebooting of the VMM/host kernel while imposing less impact...



Thursday October 31, 2019 12:00 - 12:30 CET
Forum 2
  KVM Forum Track 1
  • Session Slides Included YES

13:45 CET

Pushing Device Emulation into the Guest - Alexander Graf, AWS
Ever since KVM was created, the tenant split has been very clear: KVM inside the Linux kernel provides an abstraction layer for the CPU and close-to-CPU hardware, guests run as if they were on real hardware, and user space (usually QEMU) emulates real-world hardware.

It's about time we reconsidered that split, though. With Spectre mitigations in place, exiting guest context has suddenly become much more expensive than before. From a general security point of view we ideally want to run as little code as possible in host context. Also, with device assignment becoming a commodity, maybe we can build faster virtual devices if we think outside the box.

In this presentation I will introduce a prototype I've been working on that implements legacy device emulation inside guest firmware and explain all the security as well as tenant split benefits that brings.

Speakers

Alexander Graf

Principal Software Engineer, Amazon
Alexander joined Amazon just this year. In his previous life he worked on fancy things like SUSE Studio, QEMU, KVM, openSUSE and SLES on ARM, and U-Boot. Whenever something really useful comes to his mind, he tends to implement it. Among others he did Mac OS X virtualization using...



Thursday October 31, 2019 13:45 - 14:15 CET
Forum 2
  KVM Forum Track 1
  • Session Slides Included YES

14:15 CET

KVM Address Space Isolation - Alexandre Chartre & Liran Alon, Oracle
Recent vulnerabilities like L1 Terminal Fault (L1TF) and Microarchitectural Data Sampling (MDS) have shown that CPU hyper-threading is prone to leaking data through speculative-execution attacks.

With KVM, a guest VM can use speculative-execution attacks to leak data from the sibling hyper-thread, thus potentially accessing data belonging to the host kernel, the hypervisor or another VM.

Kernel Address Space Isolation is a project that aims to use address spaces to isolate parts of the kernel and prevent leaking sensitive data. If KVM can run in an address space that contains no sensitive data and is separated from the full kernel address space, then KVM would be immune to leaking secrets.

A first proposal to implement KVM Address Space Isolation and early discussions are available here: https://lkml.org/lkml/2019/5/13/515

Speakers

Liran Alon

Virtualization Architect, Oracle
Liran Alon is the Virtualization Architect of OCI Israel (Oracle Cloud Infrastructure). He is involved in and leads projects in multiple areas of the company's public cloud offering, such as Compute, Networking and Virtualization. In addition, Liran is a very active KVM contributor (mostly...

Alexandre Chartre

Consulting Developer, Oracle
Alexandre Chartre is a Consulting Developer in the Linux and Virtualization engineering team at Oracle. Lately, he has been focusing on security issues on Linux, in particular on Spectre and Meltdown issues (and all variants and derivatives) and their impact on virtualization and...



Thursday October 31, 2019 14:15 - 14:45 CET
Forum 2
  KVM Forum Track 1
  • Session Slides Included YES

14:45 CET

Virtualization Based Hardening: Securing Container Workloads and Beyond - Jun Nakajima, Intel & Andrei Lutas, Bitdefender
One concern with container workloads has always been the limited process isolation provided by the hosting OS. With Virtualization Based Hardening (VBH), a new set of security policies can be enforced by an open source thin-layer hypervisor, preventing compromised containers from tampering with the OS kernel or other containers through memory-exploitation and attack techniques. Intel, together with Bitdefender, worked on several memory-introspection use cases designed to defend container workloads against zero-day binary exploits. We will review a few CVEs as examples.

In addition, the set of APIs exposed by the hypervisor is intended to assist anyone in implementing hardening modules for containers. The solution can also be used for other scenarios, such as debugging. We also present a tool for kernel developers that can help with some uncommon tasks, such as finding self-modified kernel code.

Speakers

Jun Nakajima

Sr. Principal Engineer, Intel Corp.
Jun Nakajima is a Senior Principal Engineer at the Intel Open Source Technology Center, leading open source virtualization, such as KVM and Xen. Jun presented a number of times at technical conferences, including KVM Forum, Xen Summit, LinuxCon, OpenStack Summit, and USENIX. He has...

Andrei Lutas

Senior Team Lead, Bitdefender SRL
Andrei joined Bitdefender in October 2008, as a junior virus researcher. Initial responsibilities included reverse engineering of malicious samples, adding signatures for malicious files, developing disinfection routines and developing code-similarity methods and systems. He joined...



Thursday October 31, 2019 14:45 - 15:15 CET
Forum 2
  KVM Forum Track 1
  • Session Slides Included YES

15:45 CET

Virtio Device Fuzzing - Dmitrii Stepanov, Yandex
For cloud providers it is important to keep private user data secure. One way to achieve this is to fuzz the interfaces available to the guest, to find new vulnerabilities and ways of exploiting them. One such surface is the emulated devices used by guest machines.

We present an AFL-based approach to fuzzing virtio devices to find bugs. We evaluated this approach by fuzzing the virtio devices in SPDK and QEMU, found several crashes and hangs, and filed a new CVE (CVE-2019-9547). To make the approach useful for our cloud production case, we also integrated it into the CI for each release.
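
As an added illustration (not code from the talk, from SPDK or from QEMU), here is the kind of device-side logic an AFL harness over a virtio device model exercises, in C: a split-ring descriptor-chain walker with the checks a device must make before trusting a guest-written descriptor table. The descriptor layout and flag values follow the virtio 1.x specification; the guest-memory window, the sample descriptor tables, the demo_* helpers and the stdin harness are constructed for this example. Without the bounds and loop checks, the walker reads past the table or spins forever on guest-controlled input, which is exactly the crash and hang class a fuzzer reports.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Split-ring descriptor as laid out by virtio 1.x (16 bytes, little-endian). */
#define VIRTQ_DESC_F_NEXT     1u
#define VIRTQ_DESC_F_WRITE    2u
#define VIRTQ_DESC_F_INDIRECT 4u

struct virtq_desc {
    uint64_t addr;
    uint32_t len;
    uint16_t flags;
    uint16_t next;
};

/* Hypothetical guest-physical window the device model may touch; a real VMM
 * derives this from its registered memory regions. */
struct guest_mem {
    uint64_t base;
    uint64_t size;
};

/* Walk the chain starting at descriptor `head` of a `qsize`-entry table.
 * Returns the number of descriptors in the chain, or a negative errno:
 * -EINVAL (index outside the table or zero-length buffer), -ELOOP (more
 * descriptors visited than the ring holds, i.e. a cycle), -EFAULT (buffer not
 * fully inside guest memory), -ENOTSUP (indirect descriptors, not followed). */
int walk_chain(const struct virtq_desc *table, uint16_t qsize, uint16_t head,
               const struct guest_mem *gm, uint64_t *total_len)
{
    uint32_t seen = 0;          /* wider than uint16_t so qsize == 0xffff is safe */
    uint16_t idx = head;
    uint64_t total = 0;

    if (qsize == 0 || head >= qsize)
        return -EINVAL;

    for (;;) {
        const struct virtq_desc *d = &table[idx];

        if (seen++ >= qsize)                    /* visited every slot: a loop */
            return -ELOOP;
        if (d->flags & VIRTQ_DESC_F_INDIRECT)
            return -ENOTSUP;
        if (d->len == 0)
            return -EINVAL;
        /* Overflow-safe form of: addr >= base && addr + len <= base + size. */
        if (d->len > gm->size || d->addr < gm->base ||
            d->addr - gm->base > gm->size - d->len)
            return -EFAULT;
        total += d->len;

        if (!(d->flags & VIRTQ_DESC_F_NEXT))
            break;
        if (d->next >= qsize)                   /* would index past the table */
            return -EINVAL;
        idx = d->next;
    }
    *total_len = total;
    return (int)seen;
}

/* Constructed inputs (not captured from a real guest). */
static const struct guest_mem demo_mem = { 0x1000, 0x10000 };

int demo_valid_chain(void)      /* 0 -> 1 -> 3, 529 bytes in total */
{
    const struct virtq_desc t[4] = {
        { 0x1000, 16,  VIRTQ_DESC_F_NEXT,  1 },
        { 0x2000, 512, VIRTQ_DESC_F_NEXT,  3 },
        { 0,      0,   0,                  0 },   /* unused slot */
        { 0x3000, 1,   VIRTQ_DESC_F_WRITE, 0 },   /* device-writable status byte */
    };
    uint64_t len = 0;
    int n = walk_chain(t, 4, 0, &demo_mem, &len);
    return (n == 3 && len == 529) ? n : -1;
}

int demo_looping_chain(void)    /* 0 -> 1 -> 0 -> ...: hangs a naive walker */
{
    const struct virtq_desc t[2] = {
        { 0x1000, 16, VIRTQ_DESC_F_NEXT, 1 },
        { 0x1000, 16, VIRTQ_DESC_F_NEXT, 0 },
    };
    uint64_t len = 0;
    return walk_chain(t, 2, 0, &demo_mem, &len);
}

int demo_bad_next(void)         /* next = 7 in a 1-entry table: OOB read */
{
    const struct virtq_desc t[1] = { { 0x1000, 16, VIRTQ_DESC_F_NEXT, 7 } };
    uint64_t len = 0;
    return walk_chain(t, 1, 0, &demo_mem, &len);
}

int demo_buffer_past_end(void)  /* 8 bytes inside guest memory, 8 outside */
{
    const struct virtq_desc t[1] = { { 0x1000 + 0x10000 - 8, 16, 0, 0 } };
    uint64_t len = 0;
    return walk_chain(t, 1, 0, &demo_mem, &len);
}

/* Harness shape for AFL: the fuzzer's input file is the descriptor table. */
int main(void)
{
    struct virtq_desc table[256];
    size_t got = fread(table, 1, sizeof table, stdin);
    uint64_t len = 0;
    int r = walk_chain(table, (uint16_t)(got / sizeof table[0]), 0, &demo_mem, &len);
    printf("walk_chain: %d, total_len %llu\n", r, (unsigned long long)len);
    return 0;
}
```

Compiled with afl-gcc or afl-clang-fast and driven by afl-fuzz with a few small descriptor tables as seeds, the harness reaches every branch of the walker within seconds; the value for a real device model is in calling the same validation routine on every queue kick, so that the fuzzer exercises the code path the guest controls.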

Speakers

Dmitrii Stepanov

Software Engineer, Yandex
10+ years of system-level development: gdb, gcc, Linux, RTOS. Right now I'm working on the Yandex Cloud project (https://cloud.yandex.com/), as part of the Kernel-Hypervisor team. My ongoing projects are: virtio-blk device optimization, stability and security; host security (from...



Thursday October 31, 2019 15:45 - 16:15 CET
Forum 2
  KVM Forum Track 1
  • Session Slides Included YES

16:15 CET

Protected Virtual Machines for s390x - Claudio Imbrenda, IBM
Traditionally, system administrators have been able to access all data on a running system, including memory belonging to virtual machines (VMs). Bugs in the hypervisor have also allowed cross-VM attacks.

An upcoming feature of the s390x architecture will prevent these security issues, allowing VM guests to be protected from a broken or malicious hypervisor without using memory encryption, while requiring only minimal changes in the guest.

This presentation will introduce the technology, the architectural extensions, the unique features, and how KVM and Qemu have been adapted to exploit it. The presentation will also cover the typical lifecycle of host and guest, including interactions with the firmware.

Speakers

Claudio Imbrenda

Developer, IBM
KVM and Qemu developer on s390x for IBM.



Thursday October 31, 2019 16:15 - 16:45 CET
Forum 2
  KVM Forum Track 1
  • Session Slides Included YES

16:45 CET

Improving and Expanding SEV Support - Thomas Lendacky, AMD
AMD continues to improve and expand the support for SEV in the kernel/hypervisor. This talk will focus on the current development activities around SEV, such as eliminating memory pinning, live migration and SEV-ES.

Speakers

Thomas Lendacky

PMTS Software Engineer, AMD
Tom Lendacky is a member of the Linux OS group at Advanced Micro Devices. He is responsible for enabling and enhancing support for AMD processor features in the Linux kernel. He is currently working on extending the SEV support to enable SEV-ES (Secure Encrypted Virtualization - Encrypted...



Thursday October 31, 2019 16:45 - 17:15 CET
Forum 2
  KVM Forum Track 1
  • Session Slides Included YES
 
Friday, November 1
 

09:00 CET

Bring a Scalable IOV Capable Device into Linux World - Xin Zeng & Yi Liu, Intel
Intel has introduced a new hardware-assisted I/O virtualization technology, Scalable IOV, which provides much better flexibility and scalability than the existing SR-IOV for sharing I/O devices such as network interface cards, GPUs and hardware accelerators across containers and VMs. In this presentation the authors give an overview of Scalable IOV from the platform's and the device's perspective, and introduce how to enable a typical Scalable IOV device driver through the vfio-mdev framework, how to compose a virtual device from a Scalable IOV capable device and bring it up, how the virtual device works, and how a Scalable IOV capable device works together with another PASID-based technology, SVA (Shared Virtual Address), in a virtualization environment.

Speakers

Xin Zeng

Software Engineer, Intel
Xin Zeng is a software engineer in the Network Platform Group at Intel Data Center Group. He is now working on virtualization projects for the Intel QuickAssist Technology product. Intel QuickAssist Technology can be used to handle compute-intensive security and compression operations that...

Yi Liu

Software Engineer, Intel Corporation
Yi is a software engineer on the Intel virtualization team, focusing on I/O virtualization technology. He has worked on Shared Virtual Memory, Scalable IOV and vIOMMU in recent years. He has been invited to give presentations at LPC 2017, LinuxCon Beijing 2018 and KVM Forum 2018, Intel...



Friday November 1, 2019 09:00 - 09:30 CET
Forum 2
  KVM Forum Track 1
  • Session Slides Included YES

09:30 CET

Toward a Virtualization World Built on Mediated Pass-Through - Kevin Tian, Intel
Mediated pass-through provides many merits, e.g. flexible resource management, easy scaling and composability, while still sustaining a good user experience regarding performance and features. While VFIO has provided basic mediated pass-through support (mdev) since kernel 4.10, there is much more value to be explored on top of it. In this talk, Kevin Tian will introduce his team's work on extending the VFIO mdev framework in three main areas: efficiently enriching the portfolio of mediation capabilities, using the mediation framework to bridge hardware gaps, and bringing mediation capability to nested virtualization environments. Along the way, mediated pass-through could become a cornerstone of an uncompromised cloud experience for pass-through use cases.

Speakers

Kevin Tian

Principal Engineer, Intel
Kevin is a virtualization veteran from Intel with 16 years of experience in open source virtualization projects (KVM, Xen, etc.), including multiple presentations at associated conferences. He is currently a software architect in Intel's Open Source Technology Center, with a current focus...



Friday November 1, 2019 09:30 - 10:00 CET
Forum 2
  KVM Forum Track 1
  • Session Slides Included YES

10:00 CET

muser: Mediated User Space Device - Thanos Makatos & Swapnil Ingle, Nutanix
Meet muser, a framework built on top of vfio/mdev for implementing PCI devices in userspace. It consists of a kernel module that acts as the mediated device and a userspace library in which the core of the device is implemented. Applications using libmuser need only provide a description and callbacks for read/write.

muser abstracts the complexity yet allows tremendous flexibility. It manages interrupts, the PCI config space, memory translation, the interaction with vfio/mdev and much more. While allowing customization where needed (for power users), it can also offer bindings for various languages. To demonstrate its simplicity, we will write and test a device live during the talk!

This is very useful with QEMU, where devices presented via vfio can be passed directly to VMs. It also enables a single userspace process to manage devices for multiple VMs, which has performance benefits.

Speakers

Thanos Makatos

Member of Technical Staff, Nutanix
I'm a software engineer with experience in storage systems, virtualization, software-defined storage, and HCI.

Swapnil Ingle

Member of technical staff, Nutanix
I am a software engineer working with Nutanix on Acropolis hypervisor. I have experience in storage protocols, RDMA, block layer and filesystems.


muser pdf

Friday November 1, 2019 10:00 - 10:30 CET
Forum 2
  KVM Forum Track 1
  • Session Slides Included YES

11:00 CET

Reports of my Bloat Have Been Greatly Exaggerated - Paolo Bonzini, Red Hat, Inc.
Is QEMU bloated? Insecure? Obsolete? What are QEMU's tasks when virtualizing a modern guest, and how do they change for various workloads and scenarios? The aim of this talk is to provide hard data on the security and size of the various components of QEMU, explain how the build can be tailored to minimize code size, attack surface and startup time, and give ideas for the future development of QEMU. I will also briefly present the tools that helped me gather the data, so that anyone can reproduce my experiments in the future.

Speakers

Paolo Bonzini

Distinguished Engineer, Red Hat, Inc.
Paolo is a long-time KVM contributor and co-maintainer; he also co-maintains some subsystems in QEMU. He works at Red Hat.



Friday November 1, 2019 11:00 - 11:30 CET
Forum 2
  KVM Forum Track 1
  • Session Slides Included YES

11:30 CET

Playing Lego with Virtualization Components - Andreea Florescu, Amazon & Samuel Ortiz, Intel
rust-vmm is an open-source project that maintains a set of high-quality virtualization building blocks. It allows developers to focus on their VMM's key differentiators rather than re-implementing components like KVM API wrappers, virtio devices and memory models.

In this presentation we go over the design and structure of the project, as well as the fundamentals of building VMMs using rust-vmm. We start by describing why we think Rust is the right language. We also highlight the implications of splitting virtualization components into standalone, separate repositories. Next, we look at how rust-vmm is used in practice by Rust-based VMMs and what changes are required to move from a single-repo model to one where packages are consumed from a shared set of repositories. Finally, we outline how the modular nature of rust-vmm can be leveraged by non-Rust VMMs like QEMU.

Speakers

Andreea Florescu

Software Development Engineer, Amazon
I am a software engineer with the Amazon Web Services Firecracker team. I am passionate about open source and, beyond Firecracker, I am also contributing to rust-vmm, a community effort to create a shared set of Rust-based Virtual Machine Monitor components. So far I've been talking...

Samuel Ortiz

Principal Software Engineer, Intel
I currently work at Intel’s Open Source Technology Center where I’m busy with the cloud-hypervisor and Kata Containers projects. I’ve previously talked at the KVM Forum, the Open Infrastructure Summit, KubeCon and various other random open source conferences.



Friday November 1, 2019 11:30 - 12:00 CET
Forum 2
  KVM Forum Track 1
  • Session Slides Included YES

12:00 CET

Building a Firmware for Virtual Machines using Rust - Rob Bradford, Intel Corporation
In the recent past there has been an explosion of innovation around Virtual Machine Monitors (also known as hypervisors) based on the Rust programming language, including Google's crosvm for ChromeOS, Amazon's Firecracker for containers and Intel's Cloud Hypervisor project.

One defining aspect of all the Rust hypervisors that are active or under development is that they do not use traditional firmware to boot the guest operating system and instead boot directly into a Linux kernel under the control of the host. This limitation makes it much harder to use the hypervisor to provide a general-purpose virtual machine, often known as a "pet". To mitigate this we have developed the Rust Hypervisor Firmware, which allows these Rust-based hypervisors to load customer-controlled operating systems and enables a wider range of uses.


Speakers

Rob Bradford

Software Engineer, Intel Corporation
Rob has worked on Open Source at Intel for over 10 years on a wide variety of projects spanning from client user experiences, to graphics, to system software and now cloud technologies. In the field of cloud technologies Rob has been a key contributor to the Cloud Integrated Advanced...



Friday November 1, 2019 12:00 - 12:30 CET
Forum 2
  KVM Forum Track 1
  • Session Slides Included YES

13:45 CET

Improving MMU Scalability in x86 KVM - Ben Gardon, Google
The x86 KVM MMU has significant scaling issues with many VCPUs and lots of RAM. Over the last year, we have made substantial improvements to the x86 KVM MMU in the direct-mapped TDP case, to reduce lock contention and memory overheads, with the goal of migrating VMs with 416 VCPUs and 12TB of memory. With these changes, the x86 KVM MMU can handle EPT/NPT violations from all VCPUs in parallel, requires ~99% less MMU memory overhead in steady state with 2M pages, simplifies the implementation of MMU operations, and more. This talk will cover new synchronization models, abstractions, and data structures, and details of the performance we have gained from them.

Speakers

Ben Gardon

Software Engineer, Google
I work to make the x86 KVM MMU more scalable and performant.



Friday November 1, 2019 13:45 - 14:15 CET
Forum 2
  KVM Forum Track 1
  • Session Slides Included YES

14:15 CET

Micro-Optimizing KVM VM-Exits - Andrea Arcangeli, Red Hat Inc.
Many common workloads aren't sensitive to VM-exit performance, or they can be optimized through device assignment. The focus of this presentation is on those workloads that are sensitive to VM-exit performance and cannot avoid triggering high-frequency VM exits. Those workloads aren't common, but they can materialize in the guest with some applications, like databases. Incidentally, those are also the workloads that show the biggest impact from the software mitigations for the speculative-execution vulnerabilities of some CPU models.

KVM x86-64 VM exits are already highly optimized, but there is still room for improvement. We'll first analyze the impact of the various software mitigations on VM-exit execution, and then how we can change KVM to micro-optimize the VM exit further, with and without the software mitigations enabled.

Speakers

Andrea Arcangeli

Distinguished Engineer, Red Hat
Andrea Arcangeli joined Red Hat in 2008 because of his interest in working on the KVM Virtualization Hypervisor, with a special interest in virtual machine memory management. He worked on many parts of the Linux Kernel, especially on the Virtual Memory subsystem. Andrea started working...



Friday November 1, 2019 14:15 - 14:45 CET
Forum 2
  KVM Forum Track 1
  • Session Slides Included YES

14:45 CET

Boosting Dedicated Instances by KVM Tax Cut - Wanpeng Li, Tencent Cloud
The KVM hypervisor is at the core of cloud computing. Some customers, from finance, online shopping and gaming among other sectors, prefer dedicated instances to avoid resource contention with other tenants and to have security guaranteed by isolation. However, without further hypervisor optimizations, cloud providers still can't deliver performance that is "indistinguishable from metal".

In this presentation we introduce features that reduce the KVM hypervisor tax for dedicated instances: an exitless timer, the KVM_HINTS_DEDICATED performance hint, allowing userspace to disable MWAIT/HLT/PAUSE VM exits, adaptive tuning of the advanced LAPIC timer, and adaptive halt-polling in guest and host to reduce latency.

Speakers

Wanpeng Li

Linux Kernel Contributor, Tencent Cloud
Wanpeng Li is a Linux kernel/virtualization developer with 8 years of experience, currently working at Tencent Cloud. He mainly focuses on KVM, the scheduler and memory management. In KVM, he has contributed many features to improve performance and stability. He has experience working at IBM LTC...



Friday November 1, 2019 14:45 - 15:15 CET
Forum 2
  KVM Forum Track 1
  • Session Slides Included YES

16:15 CET

Enhancing KVM for Guest Protection and Security - Jun Nakajima, Intel Corp.
We have been working on KVM to better protect and isolate guests, and propose a more secure and yet simpler architecture where 1) guest memory is isolated from the host except for the areas used for I/O buffers, and 2) no MMIO emulation is used. Since it piggybacks on Linux, KVM tends to have a larger attack surface than other VMMs, making guests more vulnerable. For example, the kernel or QEMU can easily access guest data today. Even with memory-encryption technologies, it is still easy for them to corrupt guest data (accidentally or intentionally) or to use potential side channels.

In our architecture we need to make limited changes to guests, but this provides more protection and simplification compared with other approaches like XPFO, where user level still has access to the entire guest memory. We share our experiences and data based on our PoC.

Speakers

Jun Nakajima

Sr. Principal Engineer, Intel Corp.
Jun Nakajima is a Senior Principal Engineer at the Intel Open Source Technology Center, leading open source virtualization, such as KVM and Xen. Jun presented a number of times at technical conferences, including KVM Forum, Xen Summit, LinuxCon, OpenStack Summit, and USENIX. He has...



Friday November 1, 2019 16:15 - 16:45 CET
Forum 2
  KVM Forum Track 1
  • Session Slides Included YES

16:45 CET

Advanced VMI on KVM: A Progress Report - Mihai Dontu, Bitdefender
This talk is a follow-up to our 2017 one called “Bringing Commercial Grade Virtual Machine Introspection to KVM”. Since then we have made a lot of progress with regards to performance and stability, and are also on track to include support for three Intel features that can greatly help with scalability: VMFUNC, #VE and SPP. We also came across a surprise: in our tests, the speed of the more involved guest-to-hypervisor communication channel used on KVM (BSD sockets on top of vhost-vsock) comes very close to Xen’s lightweight event channel. And we have the numbers to prove it.

Speakers

Mihai Donțu

Engineering Manager, Bitdefender
I lead the Linux development team at Bitdefender and I am currently involved in integrating our HVI technology with open source hypervisors like Xen and KVM



Friday November 1, 2019 16:45 - 17:15 CET
Forum 2
  KVM Forum Track 1
  • Session Slides Included YES