Intel Engineer Proposes Software-Based KVM Protected Memory Extension
While modern AMD EPYC CPUs support Secure Encrypted Virtualization (SEV) and Intel more recently has been working on MKTME for similarly offering hardware-backed total memory encryption, an Intel open-source engineer has now proposed a software-based solution for protected memory support for KVM virtualization.
The proposed KVM protected memory extension is a software-based solution for protecting guest memory from unauthorized host access, at least in partial form. This prevents the host kernel from accidentally leaking guest data, host user-space access to guest data, and similar solutions. But unlike Intel MKTME and AMD SEV, this does not provide full protection against the host kernel being compromised or hardware-based attacks.
Basically this KVM protected memory extension would offer some additional safeguards in a virtualized environment but not as thorough as the modern hardware-based protections.
Currently this KVM extension is being proposed under a "request for comments" flag and the patches knowingly need further improvement before any potential mainlining. More details on this security proposal via this kernel mailing list thread by Intel's Kirill Shutemov.
The proposed KVM protected memory extension is a software-based solution for protecting guest memory from unauthorized host access, at least in partial form. This prevents the host kernel from accidentally leaking guest data, host user-space access to guest data, and similar solutions. But unlike Intel MKTME and AMD SEV, this does not provide full protection against the host kernel being compromised or hardware-based attacks.
Basically this KVM protected memory extension would offer some additional safeguards in a virtualized environment but not as thorough as the modern hardware-based protections.
Currently this KVM extension is being proposed under a "request for comments" flag and the patches knowingly need further improvement before any potential mainlining. More details on this security proposal via this kernel mailing list thread by Intel's Kirill Shutemov.
8 Comments