The Linux 7.1 kernel introduces experimental pKVM protected guest support for Arm, allowing pages to be unmapped from the host and shared back via hypercalls, moving toward full isolation.
The Linux 7.1 kernel merge window has brought significant enhancements to the Kernel-based Virtual Machine (KVM), particularly on the Arm side with the addition of "very experimental" support for pKVM protected guests. This feature is a major step toward a guest whose memory is kept private from the host it runs on.

pKVM Protected Guests: The Technical Details
A pKVM protected guest works by unmapping each page from the host's stage-2 tables as it is faulted into the guest, so that the host kernel (and with it the VMM in host userspace) can no longer read or write that page. Pages the guest needs to expose to the host, for example I/O buffers, are shared back explicitly from the guest side through pKVM hypercalls. The boundary this creates runs in the opposite direction from the one virtualization usually worries about: it protects the guest's memory from a compromised or malicious host, on top of the ordinary protection of the host from the guest that KVM already provides.
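The following is an added illustration, not code from the Linux kernel or the pKVM hypervisor: a toy state machine for the page-ownership policy the paragraph above describes (host-owned, guest-private, shared back to the host). Every function and constant in it is invented for the example; the real hypervisor tracks ownership in stage-2 page tables and also has a third owner (the hypervisor itself), which the model leaves out. What it shows is the property that matters for security: once a page has been donated to the guest, the host's accesses fault until the guest shares the page back, and the page is scrubbed before the host gets it again.

```c
/*
 * Toy model of pKVM page ownership (added example, not kernel code).
 * Ownership is either host or guest; a guest-owned page may additionally
 * be "shared" back to the host. All names here are invented.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define NR_PAGES   8	/* size of the toy physical address space */
#define PAGE_BYTES 16	/* toy page size, enough to demonstrate scrubbing */

enum owner { OWNER_HOST, OWNER_GUEST };

struct page_state {
	enum owner owner;
	int shared;			/* guest-owned page shared back to the host */
	unsigned char data[PAGE_BYTES];
};

static struct page_state pages[NR_PAGES];

/* Start with every page owned by the host, unshared and zeroed. */
void model_reset(void)
{
	memset(pages, 0, sizeof pages);
}

static int valid(unsigned pfn)
{
	return pfn < NR_PAGES;
}

/* Host faults a page into the guest: it leaves the host's stage-2 mapping
 * and the guest becomes its owner. A page the host no longer owns cannot
 * be donated a second time. */
int host_donate(unsigned pfn)
{
	if (!valid(pfn))
		return -EINVAL;
	if (pages[pfn].owner != OWNER_HOST)
		return -EPERM;
	pages[pfn].owner = OWNER_GUEST;
	pages[pfn].shared = 0;
	return 0;
}

/* Guest "share" hypercall: grant the host access to one of the guest's own
 * pages. Sharing a page the guest does not own, or sharing twice, is refused. */
int guest_share(unsigned pfn)
{
	if (!valid(pfn))
		return -EINVAL;
	if (pages[pfn].owner != OWNER_GUEST)
		return -EPERM;
	if (pages[pfn].shared)
		return -EBUSY;
	pages[pfn].shared = 1;
	return 0;
}

/* Guest "unshare" hypercall: the page goes back to guest-private. */
int guest_unshare(unsigned pfn)
{
	if (!valid(pfn))
		return -EINVAL;
	if (pages[pfn].owner != OWNER_GUEST || !pages[pfn].shared)
		return -EPERM;
	pages[pfn].shared = 0;
	return 0;
}

/* Guest write: the guest may touch only pages it owns, shared or not. */
int guest_write(unsigned pfn, unsigned char byte)
{
	if (!valid(pfn))
		return -EINVAL;
	if (pages[pfn].owner != OWNER_GUEST)
		return -EFAULT;
	memset(pages[pfn].data, byte, PAGE_BYTES);
	return 0;
}

/* Host access, modelled as a read of the page's first byte. The host may
 * touch a page only if it owns it or the guest has shared it; -EFAULT stands
 * in for the stage-2 fault the hypervisor would raise otherwise. */
int host_read(unsigned pfn)
{
	if (!valid(pfn))
		return -EINVAL;
	if (pages[pfn].owner != OWNER_HOST && !pages[pfn].shared)
		return -EFAULT;
	return pages[pfn].data[0];
}

/* VM teardown: the page returns to the host, scrubbed first so that guest
 * contents never become visible in the host's view of the page. */
int host_reclaim(unsigned pfn)
{
	if (!valid(pfn))
		return -EINVAL;
	if (pages[pfn].owner != OWNER_GUEST)
		return -EPERM;
	memset(pages[pfn].data, 0, PAGE_BYTES);
	pages[pfn].owner = OWNER_HOST;
	pages[pfn].shared = 0;
	return 0;
}

int main(void)
{
	model_reset();
	host_donate(3);			/* page 3 is now guest-private */
	guest_write(3, 0x41);
	printf("host read of private page: %d (expect -EFAULT)\n", host_read(3));
	guest_share(3);
	printf("host read after share: 0x%02x\n", host_read(3));
	guest_unshare(3);
	host_reclaim(3);
	printf("host read after reclaim: 0x%02x (scrubbed)\n", host_read(3));
	return 0;
}
```

The point to take from the model is the ordering of checks: donation is refused for anything the host does not own, sharing and unsharing are refused for anything the guest does not own, and reclaim zeroes before it changes the owner. Each of those is a place where a real implementation that got it wrong would leak guest memory to the host.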
For now, this support remains highly experimental: the host kernel is tainted when such a guest is launched, which flags the use of a non-standard, potentially unstable feature and can affect how bug reports and vendor support are handled. Two pieces are needed. The guest kernel must be built with the CONFIG_ARM_PKVM_GUEST option so that it can issue the share hypercalls, and the host kernel must be booted in protected mode with the kvm-arm.mode=protected command-line parameter.
Broader KVM Changes in Linux 7.1
Beyond the pKVM protected guest support, Linux 7.1 includes several other notable KVM improvements across different architectures:
s390 Architecture Updates
- Added support for ESA 31-bit guests inside nested hypervisors
- This enhancement improves compatibility with legacy mainframe workloads
x86 Architecture Updates
- KVM can now advertise the AVX-512 BMM (Bit Matrix Multiply) instructions to guests
- These instructions are coming with upcoming AMD Zen 6 processors
- This allows virtual machines to utilize the latest vector processing capabilities
AMD SEV-SNP Enhancements
- Various minor changes to improve the security-focused SEV-SNP feature
- These updates continue to refine AMD's secure encrypted virtualization technology
General Improvements
- Various hardening improvements across the KVM codebase
- Multiple minor changes that enhance stability and performance
The full list of KVM changes merged for Linux 7.1 can be found in the KVM pull request for this merge window.
Implications for Virtualization Security
The introduction of pKVM protected guests represents an important evolution in virtualization security. By keeping a guest's memory out of the host's reach, it addresses a concern that ordinary virtualization leaves open: a compromised host kernel, or a bug in the hypervisor, exposing everything that runs inside its guests.
While the current implementation is experimental and comes with the caveat of kernel tainting, it demonstrates the Linux kernel community's commitment to advancing virtualization security. As this feature matures through testing and refinement, it could become a standard option for security-sensitive workloads that require the highest levels of isolation.
For organizations running Arm-based virtualization workloads, particularly in cloud environments or multi-tenant scenarios, pKVM protected guests offer a promising path toward stronger security guarantees without sacrificing the flexibility and efficiency of virtualization.
Getting Started with pKVM Protected Guests
For those interested in testing this experimental feature, the process involves:
- Building the guest kernel with CONFIG_ARM_PKVM_GUEST enabled
- Booting the host kernel with kvm-arm.mode=protected on its command line
- Understanding that the host kernel will be tainted once a protected guest is launched, which may affect support options
- Testing in non-production environments due to the experimental nature
As with all experimental kernel features, users should exercise caution and thoroughly test in controlled environments before considering deployment in production systems.
The Linux 7.1 KVM enhancements demonstrate the ongoing innovation in open-source virtualization technology, with particular emphasis on security improvements that address modern computing challenges.
