Siemens releases Jailhouse 0.12 hypervisor

Siemens has published Jailhouse 0.12, a release of its free hypervisor. The hypervisor supports x86_64 systems with VMX+EPT or SVM+NPT (AMD-V) extensions, as well as ARMv7 and ARMv8/ARM64 processors with virtualization extensions. An image generator for the Jailhouse hypervisor, based on Debian packages for the supported devices, is developed separately. The project code is distributed under GPLv2.

The hypervisor is implemented as a Linux kernel module and provides virtualization at the kernel level. The components needed for guest systems are already included in the mainline Linux kernel. Isolation is enforced with the hardware virtualization mechanisms provided by modern CPUs. Jailhouse's hallmarks are its lightweight implementation and its focus on tying each virtual machine to a fixed set of CPUs, a fixed RAM area and fixed hardware devices. This approach lets one physical multiprocessor server run several independent virtual environments, each assigned to its own processor core(s).

With a hard binding to the CPU, the hypervisor's overhead is minimized and its implementation is greatly simplified, since there is no need for a complex resource-allocation scheduler: dedicating a separate CPU core guarantees that no other tasks run on that CPU. The advantage of this approach is the ability to provide guaranteed access to resources and predictable performance, which makes Jailhouse a suitable solution for real-time tasks. The downside is scalability, which is limited by the number of CPU cores.

In Jailhouse terminology, virtual environments are referred to as "cells". Inside a cell, the system looks like a single-socket server and shows performance close to that of a dedicated CPU core. A cell can run an arbitrary operating system environment, as well as stripped-down environments for running a single application or specially prepared standalone applications designed for real-time tasks. The configuration is set in .cell files, which determine the CPUs allocated to the environment, its memory regions and its I/O ports.
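The partitioning described above only isolates cells if their CPU, memory and I/O port assignments do not overlap. The following is an added example (not Jailhouse code) that checks a constructed set of simplified cell descriptions for such overlaps; the field layout and the sample cells are assumptions for illustration and do not mirror the real .cell format.

```python
"""Static-partition sanity check in the spirit of Jailhouse cell configs.

Added example, not Jailhouse code. Each cell is pinned to CPUs, memory
regions and I/O ports; the isolation guarantee rests on those assignments
being disjoint between cells. Deliberately shared regions (e.g. ivshmem)
would have to be whitelisted; this simplified check flags every overlap."""
from dataclasses import dataclass, field


@dataclass
class Cell:
    name: str
    cpus: set                                   # dedicated CPU cores
    mem: list = field(default_factory=list)     # (start, size) byte ranges
    pio: list = field(default_factory=list)     # (first, last) inclusive x86 port ranges


def _ranges_overlap(a_start, a_end, b_start, b_end):
    # half-open intervals [start, end)
    return a_start < b_end and b_start < a_end


def find_conflicts(cells):
    """Return human-readable conflicts between every pair of cells."""
    problems = []
    for i, a in enumerate(cells):
        for b in cells[i + 1:]:
            shared = a.cpus & b.cpus
            if shared:
                problems.append(f"{a.name}/{b.name}: share CPUs {sorted(shared)}")
            for (s1, n1) in a.mem:
                for (s2, n2) in b.mem:
                    if _ranges_overlap(s1, s1 + n1, s2, s2 + n2):
                        problems.append(f"{a.name}/{b.name}: memory overlap at {max(s1, s2):#x}")
            for (p1, q1) in a.pio:
                for (p2, q2) in b.pio:
                    if _ranges_overlap(p1, q1 + 1, p2, q2 + 1):
                        problems.append(f"{a.name}/{b.name}: I/O port overlap at {max(p1, p2):#x}")
    return problems


# Constructed sample: two non-root cells; the second accidentally reuses CPU 2.
SAMPLE_CELLS = [
    Cell("rt-app", cpus={2, 3}, mem=[(0x3f000000, 0x100000)], pio=[(0x3f8, 0x3ff)]),
    Cell("linux-guest", cpus={1, 2}, mem=[(0x3f100000, 0x1000000)], pio=[(0x2f8, 0x2ff)]),
]

if __name__ == "__main__":
    for line in find_conflicts(SAMPLE_CELLS) or ["no conflicts"]:
        print(line)
```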

In the new release:

  • Added support for Raspberry Pi 4 Model B and Texas Instruments J721E-EVM platforms;
  • Reworked the ivshmem device used for communication between cells. On top of the new ivshmem, a transport for VIRTIO can be implemented;
  • Implemented the ability to disable the creation of large memory pages (hugepages) to block the CVE-2018-12207 vulnerability in Intel processors, which allows an unprivileged attacker to trigger a denial of service that hangs the system in a "Machine Check Error" state;
  • For systems with ARM64 processors, support for SMMUv3 (System Memory Management Unit) and TI PVU (Peripheral Virtualization Unit) has been implemented. Added PCI support for isolated environments running directly on the hardware (bare-metal);
  • On x86 systems, the root cell can now enable the CR4.UMIP (User-Mode Instruction Prevention) mode provided by Intel processors, which prohibits the execution in user space of certain instructions, such as SGDT, SLDT, SIDT, SMSW and STR, that can be used in privilege-escalation attacks.

Source: opennet.ru