[2016] Kernel Protection Using Hardware-Based Virtualization by Jun Nakajima & Sainath Grandhi

We propose that the Linux run in virtualization mode, activating hardware virtualization features to improve security and monitoring. Hardware enforced virtualization features can be used for hardening the kernel, by protecting key kernel data structures and locking the processor state when the processor is executing in guest mode. Security features from the latest processors can be added to virtual processors. Kernels running on platforms with processors from older generations are benefitted. For the bare-metal, we have added a thin hypervisor to the kernel, and we have extended KVM for guest kernels so that they can identify this capability as a CPU feature, become enlightened and work with the hypervisor to lock and monitor kernel resources and processor state. In this talk we will present the idea, its benefits and the work we have done in Linux/KVM. Sainath Grandhi Intel Work for Intel in Open Source Virtualization group. Work on Xen and KVM kernel feature enabling. Currently working on a project that is a solution to run containers with a hypervisor underneath to provide security and resource isolation. Jun Nakajima Intel Open Source Technology Center, Senior Principal Engineer San Francisco Bay Area Jun Nakajima is a Senior Principal Engineer leading open source virtualization and cloud projects, such as, KVM, Xen, and OpenStack at the Intel Open Source Technology Center. Jun has been working on various virtualization projects for almost a decade, and NFV is one of his ongoing projects. Jun presented a number of times at technical conferences, including KVM Forum, Xen Summit, and USENIX. He has over 20 years of experience with operating system internals and virtualization. Slides: http://www.linux-kvm.org/images/4/40/...