2024-09-23 –, Hall C+D
VSM is a virtualization-based security technology introduced by Microsoft that leverages the hypervisor's higher trust base to protect guest data against compromises. It introduces primitives that allow monitoring the guest's execution state from a higher privilege context, as well as enforcing memory access limitations beyond the guest's page tables.
At the KVM Forum 2023, we introduced VSM and the challenges we faced in emulating it in KVM. We have made significant progress since then, and more importantly, we settled on an innovative design based on the concept of sharing multiple KVM VMs within a single QEMU VM. We call these “Companion VMs.” In this talk, we will revisit the core VSM concepts and delve into how we managed to model VSM's privileged execution contexts as distinct KVM VMs. Additionally, we will discuss how this approach could be utilized in the context of confidential computing (SEV SNP VMPLs) or to enhance device emulation security by moving it into the guest context. Ultimately, we will provide an update on our efforts to upstream our work in both KVM and QEMU.
Sr. Kernel & Hypervisor engineer at AWS. Passionate about HW/SW interfaces, the Linux kernel and open-source collaboration.