Microsoft has announced the open sourcing of the OpenHCL paravirtualization layer and the OpenVMM virtual machine monitor, which was developed specifically to run OpenHCL. The OpenVMM and OpenHCL code is written in Rust and distributed under the MIT license. OpenVMM is a type 2 hypervisor that runs in the same protection ring as the operating system kernel, similar to products such as VirtualBox and VMware Workstation. It supports running on top of host systems based on Linux (x86_64), Windows (x86_64, Aarch64) and macOS (x86_64, Aarch64), using the KVM, MSHV (Microsoft Hypervisor), WHP (Windows Hypervisor Platform) and Hypervisor.framework virtualization APIs provided by the host OS.
Supported OpenVMM features include:
- Booting in UEFI and BIOS modes, and direct booting of the Linux kernel;
- Paravirtualization support based on Virtio drivers (virtio-fs, virtio-9p, virtio-net, virtio-pmem);
- Paravirtualization support based on VMBus (storvsp, netvsp, vpci, framebuffer);
- Emulation of a vTPM, NVMe, UART, the i440BX + PIIX4 chipset, IDE HDD, PCI and VGA;
- Backends for delivering graphics, input devices, consoles, storage and network access;
- Management through a command-line interface, an interactive console, gRPC and ttrpc.
OpenHCL is positioned as an environment with paravirtualization components (a paravisor) that runs on top of the OpenVMM layer. A key feature of the virtualization architecture based on OpenVMM and OpenHCL is that the paravirtualization components run not on the host side but inside the virtual machine, alongside the guest system. Isolation of the paravirtualization layer from the guest operating system is provided by the open type 2 hypervisor. Used in this way, OpenHCL can be regarded as virtual firmware running at a higher privilege level than the operating system running in the guest environment.
Separation of the guest system from the OpenHCL components is implemented using the concept of virtual trust levels (VTL, Virtual Trust Level), for which both software mechanisms and hardware technologies are used, such as Intel TDX (Trust Domain Extensions), AMD SEV-SNP (Secure Encrypted Virtualization - Secure Nested Paging) and ARM CCA (Confidential Compute Architecture). To run the OpenHCL components, a minimal build of the Linux kernel is used, which includes only the minimum set of components required to run OpenVMM.

OpenHCL can run on x86-64 and ARM64 platforms, and supports Intel TDX, AMD SEV-SNP and ARM CCA for additional isolation. OpenHCL includes a set of services, drivers and emulators used to organize access to hardware, provide virtual devices on the guest side, and emulate hardware devices (for example, a vTPM chip for storing cryptographic keys).
To translate hardware access on the guest side, existing paravirtualization-capable drivers are used, or devices can be bound directly to the virtual machine, which allows existing guest systems to be migrated to OpenHCL-based environments without modification. OpenHCL also includes components for diagnosing and debugging virtual machines, built using the extensions for confidential computing.
Unlike the open-source COCONUT-SVSM (Secure VM Service Module) project, which provides services and device emulators for guest systems running in confidential virtual machines (CVM, Confidential Virtual Machine), OpenHCL allows the guest system to use its ordinary interfaces, whereas COCONUT-SVSM requires special interaction with the SVSM to be arranged, changes to be made to the guest system, and separate drivers to be used.
Applications of the OpenHCL paravisor include scenarios such as migrating existing systems to use Azure Boost hardware accelerators without having to change the guest disk image; running existing guests in virtual machines that provide confidential computing (for example, based on Intel TDX and AMD SEV-SNP); and organizing verification of machine integrity using UEFI Secure Boot and the vTPM environment.
It is noted separately that the OpenVMM project is focused on use together with OpenHCL and is not yet ready for standalone use on host systems in production deployments by end users. Among the OpenVMM problems that prevent its use in ordinary environments outside OpenHCL, the following are mentioned: poor documentation of the management interfaces; the lack of sufficiently optimized backends for storage, networking and graphics; missing support for some drivers (for example, IDE drives and PS/2 mice); and no guarantees of API stability and performance. At the same time, the combination of OpenVMM and OpenHCL has already reached the level of industrial deployment, and Microsoft uses it on the Azure platform (Azure Boost SKUs) to support the operation of more than 1.5 million virtual machines.
source: budenet.ru
