Jailhouse, a static partitioning hypervisor that bets on performance


Jailhouse is a Linux-based partitioning hypervisor, developed as a free software project under the GPLv2. It is capable of running full applications or (adapted) operating systems in addition to Linux. For this purpose, it configures the virtualization features of the CPUs and devices of the hardware platform so that none of these domains, called "cells", can interfere with each other in an unacceptable way.

This means that Jailhouse doesn't emulate resources that you don't have. It simply divides the hardware into isolated compartments called "cells", which are entirely dedicated to guest software called "inmates".

About Jailhouse

Jailhouse is optimized for simplicity rather than richness of features. Unlike full-featured Linux-based hypervisors such as KVM or Xen, Jailhouse does not support overcommitment of resources such as CPUs, RAM or devices. It performs no scheduling and virtualizes in software only those resources that are essential for a platform and cannot be partitioned in hardware.

Once Jailhouse is activated, it runs bare-metal, meaning it takes full control over the hardware and requires no external support.

The hypervisor is implemented as a module for the Linux kernel and provides kernel-level virtualization. Guest components are already included in the mainline Linux kernel.

Isolation is enforced with the hardware virtualization mechanisms provided by modern CPUs. Jailhouse's distinguishing features are its lightweight implementation and its orientation towards binding virtual machines to a fixed CPU, RAM area, and set of hardware devices. This approach allows several independent virtual environments to run on one physical multiprocessor server, each of which is assigned its own processor core.

With this tight binding to the CPU, the overhead of the hypervisor is minimized and its implementation is greatly simplified, since there is no need to implement a complex resource-allocation scheduler: dedicating a separate CPU core to a cell ensures that no other tasks run on that CPU.

The advantage of this approach is the ability to provide guaranteed access to resources and predictable performance, making Jailhouse a suitable solution for running real-time tasks. The downside is limited scalability, which is bounded by the number of CPU cores.
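The "no overcommitment" rule above can be expressed as a check that no CPU core and no RAM range is claimed by two cells. The following is an added example, not Jailhouse code: the structures, constants and sample addresses are hypothetical and much simpler than Jailhouse's real cell configuration, and it assumes no region is intentionally shared between cells.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified cell description; not Jailhouse's real config structs. */
struct mem_region { uint64_t start, size; };   /* covers [start, start + size) */
struct cell {
    const char *name;
    uint64_t cpu_mask;            /* bit n set: core n is owned by this cell */
    const struct mem_region *mem;
    size_t n_mem;
};

enum { PART_OK = 0, CPU_SHARED = 1, MEM_OVERLAP = 2 };

/* Half-open ranges overlap iff each starts before the other ends (no wraparound assumed). */
static int regions_overlap(const struct mem_region *a, const struct mem_region *b)
{
    return a->start < b->start + b->size && b->start < a->start + a->size;
}

/* Bitmask of conflicts across every pair of cells; PART_OK means strictly partitioned. */
int check_partitioning(const struct cell *c, size_t n)
{
    int res = PART_OK;
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++) {
            if (c[i].cpu_mask & c[j].cpu_mask)
                res |= CPU_SHARED;          /* a shared core would need a scheduler */
            for (size_t k = 0; k < c[i].n_mem; k++)
                for (size_t l = 0; l < c[j].n_mem; l++)
                    if (regions_overlap(&c[i].mem[k], &c[j].mem[l]))
                        res |= MEM_OVERLAP; /* the same RAM would be handed out twice */
        }
    return res;
}

/* Constructed sample layouts for a 4-core board. */
static const struct mem_region root_mem[] = { { 0x00000000, 0x3b000000 } };
static const struct mem_region rt_mem[]   = { { 0x3b000000, 0x01000000 } };
static const struct mem_region bad_mem[]  = { { 0x3a800000, 0x01000000 } };
static const struct cell good[] = { { "root", 0x7, root_mem, 1 }, { "rt", 0x8, rt_mem, 1 } };
static const struct cell bad[]  = { { "root", 0xf, root_mem, 1 }, { "rt", 0x8, bad_mem, 1 } };

int main(void)
{
    printf("good layout: %d\n", check_partitioning(good, 2));
    printf("bad layout:  %d\n", check_partitioning(bad, 2));
    return 0;
}
```

In the constructed "bad" layout, core 3 is claimed by both cells and the second cell's RAM starts inside the first cell's range, so both conflict bits are set.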

About the new version of Jailhouse 0.12

Jailhouse is currently at version 0.12, whose highlights include support for the Raspberry Pi 4 Model B and the Texas Instruments J721E-EVM.

In addition, the ivshmem device used to organize the interaction between cells has been redesigned, and it can now also serve as a transport for VIRTIO.

The ability to disable the creation of large memory pages (huge pages) was implemented to block the CVE-2018-12207 vulnerability on Intel processors, which allows an unprivileged attacker to trigger a denial of service that leaves the system frozen in a "Machine Check Error" state.

For systems with ARM64 processors, SMMUv3 (System Memory Management Unit) and TI PVU (Peripheral Virtualization Unit) are supported. For sandbox environments that run directly on the hardware, PCI support has been added.

On x86 systems it is possible to enable the CR4.UMIP (User-Mode Instruction Prevention) mode provided by Intel processors, which prohibits the execution of certain instructions in user space, such as SGDT, SLDT, SIDT, SMSW and STR, which can be used in attacks aimed at escalating privileges on the system.

Get Jailhouse

Jailhouse runs on x86_64 systems with the VMX + EPT or SVM + NPT (AMD-V) extensions, as well as on ARMv7 and ARMv8 / ARM64 processors with virtualization extensions.

In addition, an image generator based on Debian packages is being developed for compatible devices.

You can find the compilation and installation instructions, as well as other information, at the following link.

