KVM With Linux 5.7 Supporting Protected/Secure VM Guests For IBM POWER + s390
Written by Michael Larabel in Virtualization on 5 April 2020 at 11:11 AM EDT.
Both IBM's s390 and POWER CPU architectures are seeing secure/protected guest virtual machine support with KVM on the in-development Linux 5.7 kernel.

On the s390 front, the Kernel-based Virtual Machine (KVM) code has support for protected virtual machines in conjunction with its ultravisor. With the KVM s390 support for protected virtual machines (VMs), KVM can't access any of the guest's state, such as guest memory and guest registers. Protected Virtual Machines on s390 are in turn managed by the new ultravisor. These s390 guests can run in unencrypted mode at boot, then load an encrypted blob and transition to the encrypted Protected VM state. The code has gone through a few rounds of review and is ready for IBM s390 hardware with Linux 5.7.

Meanwhile, for IBM POWER systems there is a separate set of patches that introduces a new capability for enabling secure guests. This secure KVM guest support relies on POWER's Protected Execution Facility hardware and an ultravisor. The KVM guest can transition into the protected state at will, and the virtual machine now has the capability so that user-space can query the secure guest state and enable it for a guest.

Beyond this encrypted/secure VM support for IBM POWER and s390, the KVM changes for Linux 5.7 also include GICv4.1 support for ARM, removal of 32-bit ARM support, various x86 improvements, and exposing new Intel Tiger Lake CPU capabilities to guests like AVX-512 VP2INTERSECT.

The initial batch of KVM updates in full for Linux 5.7 can be found via this mailing list post.