Intel Engineer Proposes Software-Based KVM Protected Memory Extension

Written by Michael Larabel in Virtualization on 24 May 2020 at 09:00 AM EDT.
While modern AMD EPYC CPUs support Secure Encrypted Virtualization (SEV) and Intel has more recently been working on MKTME to similarly offer hardware-backed total memory encryption, an Intel open-source engineer has now proposed a software-based solution for protected memory support for KVM virtualization.

The proposed KVM protected memory extension is a software-based solution for protecting guest memory from unauthorized host access, at least in partial form. It guards against the host kernel accidentally leaking guest data, host user-space access to guest data, and similar scenarios. But unlike Intel MKTME and AMD SEV, it does not provide full protection against the host kernel being compromised or against hardware-based attacks.

Basically, this KVM protected memory extension would offer some additional safeguards in a virtualized environment, but they are not as thorough as the modern hardware-based protections.

Currently this KVM extension is being proposed under a "request for comments" flag, and the patches admittedly need further improvement before any potential mainlining. More details on this security proposal are available via the kernel mailing list thread by Intel's Kirill Shutemov.