Protected KVM on Arm64: A Technical Deep Dive - Quentin Perret, Google
Protected KVM (a.k.a. pKVM) is an extension of KVM/arm64 providing a Confidential Computing solution for Arm v8.0+ CPUs. pKVM targets SoCs that don't feature Confidential Computing hardware extensions, which makes it applicable to a wide spectrum of domain-spaces, including mobile (Android). pKVM extends the existing KVM/arm64 nVHE hypervisor with the ability to manage the CPU's stage-2 MMU, hence allowing the enforcement of access-control restrictions on host accesses to guest memory. In this talk, we will do a technical deep dive on pKVM, describe its architecture and implementation [1], and discuss opportunities for sharing core infrastructure (e.g. memory management) with other Confidential Computing solutions such as Intel TDX, AMD SEV or Arm CC-A. [1] lore.kernel.or...