The NetBSD team is developing a new NVMM hypervisor

The NetBSD project developers recently announced a new hypervisor and its associated virtualization stack, which are already included in the experimental NetBSD-current branch and will ship in the stable NetBSD 9 release.

NVMM is currently limited to the x86_64 architecture and offers two backends for using the hardware virtualization mechanisms: x86-SVM, which supports the virtualization extensions of AMD CPUs, and x86-VMX for the extensions of Intel CPUs.

In its current form, up to 128 virtual machines can be run on a host, and each of them can be allocated up to 256 virtual processor cores (VCPUs) and 128 GB of RAM.

About the NVMM hypervisor

In their presentation of the hypervisor, the NetBSD project developers explain that NVMM consists of a driver that works at the kernel level and coordinates access to the hardware-based virtualization mechanisms, plus the libnvmm stack, which runs in user space.

The kernel components and user space interact through ioctl calls.

One feature that distinguishes NVMM from hypervisors like KVM, HAXM, and Bhyve is that only the minimum required set of hardware virtualization mechanisms is handled at the kernel level, and all emulation code is moved out of the kernel into user space.

This approach reduces the amount of code executing with elevated privileges and lowers the risk that the entire system is compromised if a vulnerability in the hypervisor is attacked.

In addition, debugging and maintaining the project become considerably simpler.

At the same time, libnvmm itself contains no emulator functionality; it only provides an API that allows NVMM support to be integrated into existing emulators, for example QEMU.

Virtualization API

The API covers functions such as creating and running a virtual machine, allocating memory to the guest system, and allocating VCPUs.

To increase security and reduce the possible attack vectors, libnvmm only provides functions that are explicitly requested.

By default, complex handlers are not invoked automatically, and they need not be used at all when they can be dispensed with.

NVMM aims for simple solutions, avoiding unnecessary complexity while letting the user control as many aspects of its operation as possible.

The kernel-level part of NVMM is well integrated with the NetBSD kernel, which makes it possible to achieve higher performance by reducing the number of context switches between the guest operating system and the host environment.

In user space, libnvmm tries to batch typical I/O operations and avoids system calls unless they are necessary.

Performance

Unlike cross-platform pseudo-kernel drivers such as VirtualBox or HAXM, NVMM is tightly integrated into the NetBSD kernel, which allows the context switches between the guests and the host to be optimized and costly operations to be avoided in certain cases.

Security

The memory allocation system is based on the pmap subsystem, which allows guest memory pages to be moved to the swap partition when the system runs low on memory.

NVMM avoids global locks, which allows different CPU cores to run different guest virtual machines simultaneously.

A QEMU-based build that uses NVMM to enable the hardware virtualization mechanisms has been prepared, and work is underway to incorporate the patches into mainline QEMU.

The QEMU + NVMM combination already runs guest systems such as FreeBSD, OpenBSD, Linux, Windows XP / 7 / 8.1 / 10 and other operating systems on x86_64 hosts with AMD and Intel processors (NVMM itself is not tied to a specific architecture, and the backend will eventually be able to work on ARM64 systems).

Among additional application areas, NVMM is also being considered for isolating individual applications in test environments.

Source: http://blog.netbsd.org
