- Videos: 444
- Views: 413,460
KVM Forum
USA
Added 17 Oct 2013
Is OVMF too Slow for Serverless Confidential Computing? by Tobin Feldman-Fitzthum
Two recent papers about serverless confidential computing have identified key overheads when booting SEV and SNP guests with OVMF. Are these claims well-founded? This talk will show how to benchmark OVMF while avoiding common pitfalls and identify overhead introduced when confidential computing is enabled. Furthermore, the talk will unravel whether overhead is the result of hardware requirements, firmware design, or implementation error. Will alternate firmware layouts and boot schemes (e.g. IGVM and the SVSM) ameliorate these issues or make them worse?
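One of the pitfalls the abstract hints at is where the clock starts. Timing from the first byte the firmware prints hides everything that happens before SEC runs, and for SEV and SNP guests that includes encrypting and measuring the firmware image at launch, which is part of the overhead under discussion. The script below is an added example written for this page, not code from the talk, from OVMF or from QEMU. It assumes the guest serial console has been piped through a host-side timestamping filter producing `<seconds> <text>` lines (the format of moreutils `ts -s %.s`), and that the launch harness writes a `QEMU_LAUNCH` marker (a hypothetical name) into the same stream when it starts the VM process. The OVMF strings it matches are DEBUG-build messages that only reach the serial port when OVMF is built with `DEBUG_ON_SERIAL_PORT`; a release build prints none of them, so only the kernel marker remains. The sample log is constructed.

```python
"""Split a guest boot into firmware phases from a host-timestamped serial log.

Added example for this page, not code from the talk, OVMF or QEMU.
Assumed input format: "<host seconds> <serial text>" per line, e.g. the guest
serial console piped through `ts -s %.s` (moreutils), with the launch harness
writing a QEMU_LAUNCH marker (hypothetical name) into the same stream at the
moment it starts the VM process.
"""
import re
from typing import Dict, List, Tuple

# Phase boundaries, in boot order. The OVMF strings are DEBUG-build messages
# that only reach the serial port when OVMF is built with DEBUG_ON_SERIAL_PORT.
MARKERS = {
    "launch": re.compile(r"\bQEMU_LAUNCH\b"),          # host-side marker (assumed)
    "sec":    re.compile(r"SecCoreStartupWithStack"),  # first output of OVMF SEC
    "pei":    re.compile(r"Loading PEIM"),             # PEI core dispatching modules
    "dxe":    re.compile(r"DXE IPL Entry"),            # hand-off to DXE
    "bds":    re.compile(r"\[Bds\]"),                  # boot device selection
    "kernel": re.compile(r"Linux version"),            # kernel has taken over
}
ORDER = ["launch", "sec", "pei", "dxe", "bds", "kernel"]
LINE_RE = re.compile(r"^(\d+\.\d+)\s+(.*)$")

# Constructed sample, not a captured run.
SAMPLE_LOG = """\
0.000000 QEMU_LAUNCH
1.842311 SecCoreStartupWithStack(0xFFFCC000, 0x820000)
2.103455 Loading PEIM at 0x0000083A000 EntryPoint=0x0000083C6A0 PcdPeim.efi
2.511007 DXE IPL Entry
3.207719 [Bds]Booting UEFI Misc Device
3.451200 EFI stub: Booting Linux Kernel...
3.902614 [    0.000000] Linux version 6.8.0 (build@host) (gcc 13.2)
"""


def parse_log(text: str) -> List[Tuple[float, str]]:
    """Return (timestamp, message) pairs; lines without a timestamp are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((float(m.group(1)), m.group(2)))
    return events


def first_hits(events: List[Tuple[float, str]]) -> Dict[str, float]:
    """Timestamp of the first line matching each marker (later repeats ignored)."""
    hits: Dict[str, float] = {}
    for ts, msg in events:
        for name, rx in MARKERS.items():
            if name not in hits and rx.search(msg):
                hits[name] = ts
    return hits


def boot_phases(events: List[Tuple[float, str]]) -> Tuple[Dict[str, float], List[str]]:
    """Durations between consecutive markers that are present, plus warnings
    about what this measurement cannot see."""
    hits = first_hits(events)
    present = [n for n in ORDER if n in hits]
    phases: Dict[str, float] = {}
    for a, b in zip(present, present[1:]):
        phases[f"{a}_to_{b}"] = round(hits[b] - hits[a], 6)
    if present:
        phases["total"] = round(hits[present[-1]] - hits[present[0]], 6)

    warnings: List[str] = []
    if "launch" not in hits:
        # Starting the clock at the first firmware byte drops everything before
        # SEC runs; for SEV/SNP that is the launch-time encryption and
        # measurement of the firmware image, i.e. the cost being argued about.
        warnings.append("no launch marker: pre-firmware (launch/measurement) cost not counted")
    if "kernel" in hits and "sec" not in hits:
        warnings.append("no OVMF debug output: use a DEBUG build with "
                        "DEBUG_ON_SERIAL_PORT to split firmware phases")
    return phases, warnings


if __name__ == "__main__":
    phases, warnings = boot_phases(parse_log(SAMPLE_LOG))
    for name, seconds in phases.items():
        print(f"{name:>16}: {seconds:8.3f} s")
    for w in warnings:
        print("warning:", w)
```

Run it over many boots and report percentiles rather than one number, and keep the OVMF binary and guest memory size identical between the SEV and non-SEV runs, since the launch cost scales with how much memory is encrypted and measured at launch.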
---
Tobin Feldman-Fitzthum
Tobin Feldman-Fitzthum is a Software Engineer at the T.J. Watson IBM Research Center. His focus is secure virtuali...
---
Views: 134
Videos
Virtualizing Arm TrustZone on KVM by Chun Yen Lin & Shih-Wei Li
Views 130 · 28 days ago
The mainline KVM currently does not support the virtualization of Arm’s TrustZone. This means virtual machines (VMs) running on KVM cannot leverage TrustZone to run a trusted execution environment (TEE), such as OP-TEE. To address this limitation, we have extended KVM to expose a virtual TrustZone to VMs. To virtualize TrustZone's CPU features, we multiplex the virtual EL3 and secure EL1 on the...
Securing Interrupt Delivery for SEV-SNP Guests by Melody (Huibo) Wang
Views 80 · 28 days ago
While almost all VM operating systems support interrupt and exception handling, some operating systems may have certain built-in assumptions about interrupt behavior based on bare-metal hardware. A malicious hypervisor can break down these assumptions and put guest drivers or guest OS kernels into an unexpected state which could lead to a security issue. To address this concern, SEV-SNP supports...
Emulating Hyper-V's Virtual Secure Mode (VSM) with QEMU and KVM by Nicolas Saenz Julienne
Views 114 · 28 days ago
VSM is a virtualization-based security technology introduced by Microsoft that leverages the hypervisor's higher trust base to protect guest data against compromises. It introduces primitives that allow monitoring the guest's execution state from a higher privilege context, as well as enforcing memory access limitations beyond the guest's page tables. At the KVM Forum 2023, we introduced VSM an...
SNP Live Migration with guest-memfd and mirror VM by Tom Lendacky & Pankaj Gupta
Views 156 · 28 days ago
For SEV SNP live migration support, a migration helper would run as a mirror VM. The mirror VM would use the existing KVM APIs to copy the KVM context and populate the NPT page tables at page fault time. The mirror VM also does the dirty page tracking and finalizes the end of live migration. For designing the guest_memfd APIs for the mirror VM, we want to consider the post copy use case as we...
The virtio-fs Kaleidoscope by German Maglione & Hanna Czenczek
Views 119 · 28 days ago
We give a multifaceted insight into what’s going on with virtio-fs, from the current state and future prospects of live migration support, where we have made considerable progress, over experimental areas, to a look at performance. Some experimental areas are the support for non-vhost-user interfaces, such as /dev/fuse and vDPA/VDUSE, and to go beyond our simple passthrough driver, both via fil...
IOThread Virtqueue Mapping: Improving virtio-blk SMP scalability in QEMU by Stefan Hajnoczi
Views 86 · 28 days ago
Guests with multiple vCPUs are commonplace and can submit I/O requests from any vCPU. While virtio-blk supports exposing multiple queues to the guest, QEMU processed all queues in a single thread until recently. This talk introduces the virtio-blk IOThread Virtqueue Mapping feature added in QEMU 9.0. This feature improves scalability by processing queues in a user-configurable number of threads...
Practical and efficient out-of-process storage backends by Kevin Wolf
Views 53 · 28 days ago
As discussed in KVM Forum 2022, there are many good reasons why you might want to run your storage backends outside of the QEMU process that runs your VM, and the obvious answer to this is qemu-storage-daemon. But while naming a tool is an answer, it's not a full answer: QSD provides a variety of different export types - and more may be coming - that allow connecting it to the VM, and each has ...
The Road to Optimal CPU Virtualization on Hybrid Platform by Zhao Liu & Zhenyu Wang
Views 44 · 28 days ago
Intel client platforms from Alderlake have begun to leverage hybrid CPU architectures, and hybrid CPU architectures can achieve a good balance of performance and power on bare metal. However, VMs are still unable to take advantage of the hybrid CPU architecture, not only because QEMU/KVM is unable to expose the P-core/E-core difference for VMs, but also because the P-core/E-core feature differe...
Solving the Sphinx's Riddle by John Snow
Views 41 · 28 days ago
QEMU: Let's talk about QMP, QAPI, and our user-facing API documentation generated by Sphinx. Have you ever wondered what the difference between QMP and QAPI is, and have a deep-seated fear that not knowing the precise, technical answer will come to haunt you in five years when your new feature ships in an enterprise distribution? Have you ever laid awake in bed at night wondering what exactly t...
Qemu support for Windows Hypervisor Platform on Arm by Mohamed Mediouni
Views 80 · 28 days ago
Starting from Windows 11 version 24H2, the Windows Hypervisor Platform APIs are available in preview form on Arm devices to enable usage of third party VMMs. This presentation will also cover the device extensibility support provided by Hyper-V for out of process PCIe devices by leveraging the Hyper-V VMM, and how this allows using Qemu's device emulation logic while still using the Hyper-V VM...
The KVM Backend for VirtualBox by Julian Stecklina & Martin Messer
Views 60 · 28 days ago
In this presentation, we will share our experience of developing the KVM backend for VirtualBox. It allows VirtualBox to use KVM as a hypervisor and makes the VirtualBox third-party kernel modules unnecessary. VirtualBox is a vast C codebase that implements a full virtualization solution in a cathedral style. It consists of a tightly integrated kernel and userspace part with lots of flexibility...
Unwrapping virtio-video by Alexander Gordeev
Views 78 · 28 days ago
I’ll be presenting the draft of virtio-video device specification, talking about the challenges we’re facing, and hoping to get your feedback on what’s needed to move toward standardization. Slides: pretalx.com/media/kvm-forum-2024/submissions/FVCBTL/resources/virtio-video-spec-slides_wbv37Wh.pptx Alexander Gordeev I am a full-time low-level/embedded Linux developer with 16 years of experience....
The many faces of virtio-gpu by Sergio Lopez Pascual
Views 131 · 28 days ago
Among all the other virtio devices, virtio-gpu stands out due to its versatility. On the surface, it's a device that provides a paravirtualized GPU and display controller. But thanks to the powerful combination of its three main primitives (a virtqueue transport, shared memory and fences) it's today able to support multiple, specialized personalities to cover different use cases, enabling graph...
virtio-gpu - Where are we now? by Dorinda Bassey & Matej Hrica
Views 176 · 28 days ago
This talk presents the current status and ongoing efforts to implement VirtIO GPU for infotainment systems in the automotive industry. We will highlight our decision to develop VirtIO GPU in Rust as a vhost-user device under the Rust-VMM project umbrella. Implementing VirtIO for hardware enables the deployment of Android on various VMMs that support VirtIO, such as Crosvm and QEMU. This approac...
The Challenges of building AI Infra on virtualization by Xin He & Hao Hong
Views 76 · 28 days ago
vfio-cxl: CXL Type 2 Device Passthrough With VFIO by Zhi Wang
Views 63 · 28 days ago
vfio-platform: live and let die? by Eric Auger
Views 50 · 28 days ago
Unleashing SR-IOV on Virtual Machines by Yui Washizu & Akihiko Odaki
Views 72 · 28 days ago
Unleashing VFIO's Potential: Code Refactoring and New Frontiers in Device Virtualization
Views 72 · 28 days ago
Coconut-SVSM: Early attestation to unlock persistent state by Stefano Garzarella & Oliver Steffen
Views 32 · 28 days ago
COCONUT-SVSM on KVM: Progress, Plans, and Challenges by Jörg Rödel & Roy Hopkins
Views 62 · 28 days ago
Virtio and the chamber of secrets by Michael S. Tsirkin
Views 67 · 28 days ago
Empowering confidential VMs in the cloud to use their own firmware upon instantiation.
Views 65 · 28 days ago
Guest-side changes for confidential guests in Android by Will Deacon
Views 49 · 28 days ago
SVSM and VM Privilege Level instantiation and execution by Tom Lendacky
Views 52 · 28 days ago
Beneath the Surface: Analyzing Nested CVM Performance on KVM/QEMU and Linux Root Partition for...
Views 36 · 28 days ago
The Confidential Computing Story part II: Early development across the stack: living in stilt house
Views 49 · 28 days ago
The Confidential Computing Story part I: Rivers, dams and kernel development by Paolo Bonzini
Views 79 · 28 days ago
Keeling Shoals
help me brother
Cyberus Technology (6:48:06) - keep up the good work! Just amazing to see someone working so hard to help understand these concepts - well done!
Hello Yu, do you have this presentation's slides hosted online anywhere?
How can I get these files to run on my macOS? In the git repos there are no such branches.
Great Q&A very insightful
why does an intern sound so snooty and dismissive lol.
Very nice Salil
Hi, the video title does not match with the video content!
How to create such an EDK2 application?
Can you provide any tutorial or guide for this?
Alex is brilliant, but the video editor is so annoying with zooming in and out of the slide constantly. Just leave it alone!
This is driving me absolutely nuts.
the audio from the beginning to 1:30:00 is completely broken and it is not possible to understand 😞
But can you run vfio passthrough with memballoon?
Thank You! This is great 🤲 I wish corporations were more open about knowledge in order to speed up innovation on a human scale.
I did not know how vfio and igb work although I use those drivers every day. This preso answers many of my questions. Thanks!
Is there any plan to release it in a stable version of qemu?
And is it supported on aarch64?
Yes, but I am still missing the practical purpose of all this. Virtualization generally has the purpose of effectively sharing a large resource pool on a pumped-up machine among a number of smaller virtual machines. What is the purpose of virtualizing a low-powered and low-resourced mobile device? Is it for the isolation benefit only?
Starts at 54:25
thanks
A very good video to watch with this one is DJ Ware's "differences ARM, x86 or RISC-V", as it talks about the IOMMU on RISC-like processors, and drops the names of some of the people working on these and the ISAs, et cetera. ruclips.net/video/u5YvTht7mb4/видео.html
Missed part is how to restore from those incremental backups.
How to use hugepages when passing through a GPU? If THP is enabled for guest and host, can the IOMMU map with the hugepage size?
Goodness this footage is FUBAR
probably needs a new libvirtd-network daemon, just to co-exist with many different firewalls, including raw form of /etc/nftables.conf (aka systemctl start nftables.service).
Thanks. I've learned a lot.
Excellent talk! Very well paced.
Is there a mechanism by which this can be made faster?
Vsock is very slow for transmitting data from guest to host machine. I tried the setup and modified it to send 20M transactions from guest to Host OS. It took more than 60 seconds for the task to complete. It seems that this is also going through KVM vhost_vsock.ko
Guest execution escape...
Awesome content and explanation. Thank you.
Hi KVM Forum, where could I find this library, or has Alessandro disposed of it? 😅
1.5x works best
How to enable KVM
Compile a kernel with enabled kvm
Hello Yubin Chen, my name is Yubin Chen
Hi. Not sure if anyone's listening, but I'm curious if it'd be feasible to wire a mechanism like that for processes running directly on hosts? Essentially, I'd like to ask the kernel to send me a unix signal of my choice whenever it'd block on a page. The page should still get resolved asynchronously, allowing me to get a completion notification later. I have looked at the code but it looks challenging for a kernel newb like me. :D
Four years later, I can say, "I, as a customer, am seeking this from virtio"
This is very useful if audio is fixed. Due to open room, there is large humming sound making it difficult to follow
Sir, I have a few doubts about HCI; how can I contact you?
Feels like a podcast. Instead of highlighting the slide and showing the user sometimes the video does the opposite.
In the highly commercial space of virtualisation, this keeps my hopes high for a open-source, truly capable virtualisation technology. Thanks for the awesome tool. Long live KVM-QEMU-LIBVIRT-VIRT-MANAGER
Really nice feature. Hope vDPA can conquer live migration support for hardware devices.
Can someone share the slides here?
It's been 6 months; any status on this project?
Can I have a high resolution version of the speech ?
hi, about the benchmark, can you share your setup? (raw or qcow2? hdd or ssd?)
is it possible to use incremental backup on raw disk or ceph rbd?
This is what I call the art of making great presentations! Hats off to you Alex!
Great talk, thank you for the real comparison numbers.