Patrick Roy
Sessions
It has been several years since the last rust-vmm update at KVM Forum, but the community has continued to grow. Our goal remains the same: to provide reusable Rust crates that make it easier and faster to build virtualization solutions.
This talk will present the main progress and achievements from the past few years. It reviews how rust-vmm crates integrate into projects such as Firecracker, Cloud Hypervisor, libkrun, and virtiofsd. We will cover recent work supporting new architectures like RISC-V and additional operating systems. The talk will also discuss plans to consolidate all crates into a single monorepo to simplify development and releases. Finally, we will review the support for virtio and vhost-user devices that can be used by any VMM.
guest_memfd, introduced in Linux 6.8, receives a lot of attention in the context of confidential computing, with KVM support for Intel TDX, AMD SNP, ARM CCA and pKVM being built on top of it, where guest_memfd manages the VM’s encrypted/private memory. However, its design as “guest-first” memory also makes it attractive for traditional, non-confidential VMs that wish to enjoy additional hardening against Spectre-style transient execution issues.
In this talk, we cover how guest_memfd with support for shared memory [1] can be used to run non-confidential VMs solely backed by guest_memfd. We further explore how this mode can be extended by removing direct map entries for guest_memfd folios [2], protecting guest memory from ~60% of Spectre-like transient execution issues, and how we plan to utilize this functionality in the Firecracker VMM.