Improving Windows Hypervisor-Protected Code Integrity (HVCI) Performance on KVM
Enabling Windows HVCI in a KVM guest currently carries a significant performance cost because KVM does not yet enable the hardware acceleration that HVCI relies on. This talk briefly covers what HVCI provides, why Microsoft wants it enabled by default in Windows 11 and Windows Server 2025, and then details our proposed KVM changes to use that acceleration on both Intel and AMD processors.
The hardware already provides this acceleration: Intel Mode-Based Execute Control (MBEC) and AMD Guest Mode Execute Trap (GMET). Both let a hypervisor give kernel-mode and user-mode guest code different execute permissions within a single set of second-level page tables, which is what HVCI's code-integrity enforcement depends on; without them the guest hypervisor has to emulate that distinction in software, at the cost of additional VM exits. Exposing either capability to a guest requires targeted modifications to the KVM MMU and to the vendor-specific CPU feature enablement code. Alongside the implementation details, we will present benchmarks of the current state and of the performance improvements we observed.
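Before expecting any of these KVM changes to help, a practitioner will want to know whether the host CPU actually advertises MBEC or GMET. The following is an added example, not code from the talk or from KVM. It decodes the host-side evidence for each feature: on Intel, Linux reports MBEC as the `ept_mode_based_exec` entry on the `vmx flags` line of /proc/cpuinfo, and the CPU itself reports it as bit 22 of the secondary processor-based VM-execution controls (the allowed-1 half of the IA32_VMX_PROCBASED_CTLS2 MSR, i.e. MSR bit 54); on AMD, GMET is CPUID leaf 0x8000000A EDX bit 17. The sample /proc/cpuinfo text is constructed, and the optional live CPUID read assumes the `cpuid` kernel module is loaded and the script runs as root.

```python
"""Check whether a Linux host exposes the hardware HVCI acceleration
features (Intel MBEC, AMD GMET). Added example; not part of KVM."""
import os
import struct

# Intel: secondary processor-based VM-execution control bit 22 is
# "mode-based execute control for EPT" (MBEC). Whether the CPU allows it
# is reported in the allowed-1 half (bits 63:32) of IA32_VMX_PROCBASED_CTLS2.
MSR_IA32_VMX_PROCBASED_CTLS2 = 0x48B
VMX_CTLS2_MBEC_BIT = 22

# AMD: GMET support is CPUID Fn8000_000A EDX[17].
CPUID_SVM_FEATURES_LEAF = 0x8000000A
SVM_EDX_GMET_BIT = 17

# Linux names the Intel control "ept_mode_based_exec" on the "vmx flags"
# line of /proc/cpuinfo; "svm" on the "flags" line marks an AMD SVM host.
LINUX_MBEC_FLAG = "ept_mode_based_exec"


def parse_cpuinfo(text):
    """Parse the first processor block of a /proc/cpuinfo dump into a dict
    of lowercase keys -> values (a set() for the flag-style lines)."""
    info = {}
    for line in text.splitlines():
        if not line.strip():
            break  # blank line ends the first processor block
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key in info:
            continue
        info[key] = set(value.split()) if key in ("flags", "vmx flags") else value
    return info


def mbec_allowed(ctls2_msr):
    """True if IA32_VMX_PROCBASED_CTLS2 allows enabling MBEC (allowed-1 bit)."""
    return bool((ctls2_msr >> 32) & (1 << VMX_CTLS2_MBEC_BIT))


def gmet_supported(svm_edx):
    """True if CPUID Fn8000_000A EDX advertises GMET."""
    return bool(svm_edx & (1 << SVM_EDX_GMET_BIT))


def assess(cpuinfo_text, ctls2_msr=None, svm_edx=None):
    """Summarise what the host offers: vendor, whether MBEC/GMET is present,
    and which piece of evidence established it."""
    info = parse_cpuinfo(cpuinfo_text)
    flags = info.get("flags", set())
    result = {"vendor": info.get("vendor_id", ""), "mbec": False,
              "gmet": False, "evidence": []}
    if "vmx" in flags:
        if LINUX_MBEC_FLAG in info.get("vmx flags", set()):
            result["mbec"] = True
            result["evidence"].append("vmx flags: " + LINUX_MBEC_FLAG)
        elif ctls2_msr is not None and mbec_allowed(ctls2_msr):
            result["mbec"] = True
            result["evidence"].append("IA32_VMX_PROCBASED_CTLS2 bit 54")
    if "svm" in flags and svm_edx is not None and gmet_supported(svm_edx):
        result["gmet"] = True
        result["evidence"].append("CPUID 8000000A EDX bit 17")
    return result


def read_cpuid(leaf, cpu=0, subleaf=0):
    """Read a CPUID leaf via the cpuid kernel module (/dev/cpu/N/cpuid).
    The file offset selects the leaf (subleaf in the high 32 bits) and a
    16-byte read returns eax, ebx, ecx, edx. Needs root and the module."""
    fd = os.open(f"/dev/cpu/{cpu}/cpuid", os.O_RDONLY)
    try:
        raw = os.pread(fd, 16, (subleaf << 32) | leaf)
    finally:
        os.close(fd)
    return struct.unpack("<IIII", raw)


# Constructed sample inputs (not real machine output): an Intel host that
# advertises MBEC and an AMD host that reports SVM.
SAMPLE_INTEL = """processor\t: 0
vendor_id\t: GenuineIntel
flags\t\t: fpu vme msr vmx ept
vmx flags\t: vnmi ept ept_mode_based_exec unrestricted_guest

processor\t: 1
"""
SAMPLE_AMD = """processor\t: 0
vendor_id\t: AuthenticAMD
flags\t\t: fpu vme msr svm npt
"""

if __name__ == "__main__":
    print(assess(SAMPLE_INTEL))
    print(assess(SAMPLE_AMD, svm_edx=1 << SVM_EDX_GMET_BIT))
    try:  # optional live check on this host
        with open("/proc/cpuinfo") as f:
            live = f.read()
        edx = None
        if "svm" in parse_cpuinfo(live).get("flags", set()):
            edx = read_cpuid(CPUID_SVM_FEATURES_LEAF)[3]
        print(assess(live, svm_edx=edx))
    except OSError as e:
        print("live check skipped:", e)
```

The Intel path prefers the named kernel flag and falls back to the raw MSR value only if the caller supplies one (reading the MSR needs the `msr` module and root), while the AMD path always needs the raw CPUID leaf, since the check rests on the architectural bit rather than on a kernel flag name.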