KVM Forum 2025

Improving Windows Hypervisor-Protected Code Integrity (HVCI) Performance on KVM
2025-09-04, Room 1

Enabling Windows HVCI on KVM currently poses significant performance challenges because hardware acceleration for it is not yet enabled. This talk will briefly cover the value of HVCI, why Microsoft wants this enabled by default in Windows 11 and Server 2025, and provide details on our proposed KVM improvements to leverage hardware acceleration from both Intel and AMD.

Hardware acceleration support already exists in the form of both Intel Mode Based Execute Control (MBEC) and AMD Guest Mode Execute Trap (GMET). Exposing these processor capabilities requires targeted modifications to the KVM MMU and to vendor CPU feature enablement code. In addition to implementation details, we’ll present detailed performance benchmarks for the current state and the observed performance improvements.

Jon Kohler is a Principal Engineer on the Acropolis Hypervisor (AHV) Host R&D team at Nutanix. He's been with Nutanix since 2014, focusing on core platform performance and scalability in both the AOS Core Data Path and AHV Linux Kernel. His performance work includes profiling, visualization, and developing code from concept to production.

Sergey is a Senior Engineer on the Acropolis Hypervisor (AHV) Host R&D team at Nutanix.