1.1.12 Virtualization

The following notable virtualization features are implemented in Unbreakable Enterprise Kernel Release 5:

  • KVM updated to include backported bug fixes.  KVM features in the upstream 4.15 and 4.16 kernels are backported into UEK R5. Many of these patches offer better stability and resolve bugs and performance issues.

  • Secure Encrypted Virtualization (SEV) for AMD-V enabled.  AMD's Secure Encrypted Virtualization (SEV) feature that extends the AMD-V architecture has been enabled in UEK R5 and upstream patches from the 4.16 kernel have been backported to ensure that the latest features and functionality are available. Hardware that supports SEV can use this feature to run multiple virtual machines under the control of a hypervisor in a more secure fashion. Private memory space can be encrypted with a guest-specific key, while shared memory space can be encrypted with a hypervisor key. This feature can protect data on guest virtual machines from a potentially compromised hypervisor.

  • User-Mode Instruction Prevention (UMIP) for Intel enabled.  Intel's UMIP feature has been enabled in UEK R5 and upstream patches from the 4.16 kernel have been backported to ensure that the latest features and functionality are available. UMIP is a security feature present in newer Intel processors that prevents the execution of certain instructions when the Current Privilege Level (CPL) is greater than 0, that is, outside kernel mode. UMIP helps to protect access to system-wide settings such as the global and local descriptor tables, the task register and the interrupt descriptor table. UMIP has specifically been integrated with KVM to enable support for UMIP within a virtualized environment.

  • Paravirtual TLB shootdown implemented.  Patches have been applied to implement a KVM paravirtual translation lookaside buffer (TLB) shootdown algorithm. The TLB is a cache of address translations that reduces the time taken to access a memory location. TLB shootdown is an operation that runs on multi-processor machines to flush the TLB on all processors to ensure that page restrictions are respected. Typically, TLB shootdown is managed by the host scheduler. In environments where multi-CPU virtual machines are running, vCPUs are not necessarily scheduled simultaneously, so a vCPU initiating a shootdown may have to wait for a vCPU that is not currently running. This can waste CPU cycles and cause synchronization latency, particularly in oversubscribed situations. The paravirtual TLB shootdown code helps to resolve this and makes TLB invalidation significantly more efficient.
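As an added example (not part of the UEK documentation or Oracle tooling), the following POSIX shell script checks whether the SEV and UMIP CPU flags described above are advertised by every processor in /proc/cpuinfo, and whether the kvm_amd module's sev parameter is switched on. The sysfs parameter path /sys/module/kvm_amd/parameters/sev and the two-CPU cpuinfo excerpt are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not UEK code. Assumes the /proc/cpuinfo layout with one
# "flags" line per processor and the kvm_amd "sev" module parameter path.

# has_cpu_flag CPUINFO_FILE FLAG -> prints "yes" if every processor block
# lists FLAG, "no" otherwise. A flag missing on any one CPU counts as
# absent, since KVM cannot rely on a feature that is not host-wide.
has_cpu_flag() {
    cpuinfo="$1"
    flag="$2"
    [ -r "$cpuinfo" ] || { echo no; return; }
    # grep -c exits 1 on zero matches; keep the printed count anyway.
    total=$(grep -c '^flags' "$cpuinfo" || :)
    with_flag=$(grep '^flags' "$cpuinfo" | grep -cw -- "$flag" || :)
    if [ "$total" -gt 0 ] && [ "$total" -eq "$with_flag" ]; then
        echo yes
    else
        echo no
    fi
}

# sev_enabled_in_kvm PARAM_FILE -> "yes" if the kvm_amd "sev" parameter reads
# 1 or Y; "no" if it reads 0/N or the file is absent (module not loaded).
sev_enabled_in_kvm() {
    param="$1"
    [ -r "$param" ] || { echo no; return; }
    case "$(cat "$param")" in
        1|Y|y) echo yes ;;
        *)     echo no ;;
    esac
}

# Constructed two-CPU /proc/cpuinfo excerpt (assumption, not a real host):
# CPU 0 advertises both flags, CPU 1 lacks umip, so the host-wide umip
# check must report "no" while the sev check reports "yes".
SAMPLE_CPUINFO=$(mktemp)
cat > "$SAMPLE_CPUINFO" <<'EOF'
processor : 0
flags     : fpu vme de pse sev umip
processor : 1
flags     : fpu vme de pse sev
EOF

# Report for the live system; every check is read-only.
printf 'sev flag on all CPUs : %s\n' "$(has_cpu_flag /proc/cpuinfo sev)"
printf 'umip flag on all CPUs: %s\n' "$(has_cpu_flag /proc/cpuinfo umip)"
printf 'kvm_amd sev enabled  : %s\n' \
    "$(sev_enabled_in_kvm /sys/module/kvm_amd/parameters/sev)"
```

The constructed sample is what the checks below exercise; on a real UEK R5 host the last three lines report the live state.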