Cloud Hypervisor 52 Supports AMD SEV-SNP, Enabling Confidential VMs on KVM
The latest version of the Rust-based VMM "Cloud Hypervisor" has been released. It adds support for AMD SEV-SNP confidential VMs on Linux KVM hosts, alongside a memory-safety fix in the virtio-block path, new device-passthrough and live-migration capabilities, and storage and scheduling improvements.
Cloud Hypervisor 52 Released, Supporting Confidential VMs with AMD SEV-SNP on KVM
The Rust-based virtual machine monitor (VMM) designed for cloud workloads, Cloud Hypervisor, has released its latest version, 52. The most noteworthy update in this release is its ability to launch confidential virtual machines (Confidential VMs) on processors supporting AMD SEV-SNP (Secure Encrypted Virtualization - Secure Nested Paging) within Linux KVM environments.
From an Intel-Initiated Project to a Collaborative Development
Cloud Hypervisor originated as an open-source project at Intel. In recent years, however, its development has been driven by contributions from a diverse set of organizations, including Microsoft, Cyberus Technology, and Ant, in addition to Intel. This release reflects the growth and community-driven development of the project.
Key New Features and Security Fixes
In addition to AMD SEV-SNP support, Cloud Hypervisor 52 includes several significant enhancements:
- Security Fixes: Addressed a use-after-free bug in the virtio-block asynchronous I/O path. Hosts running earlier releases with guests that use virtio-block should upgrade.
- Device Passthrough Enhancements: Added support for VFIO device passthrough via iommufd/vfio-cdev, the newer kernel interface that replaces the legacy VFIO container/group model.
- Improved Live Migration: Introduced multi-connection TCP for live migration, so guest memory can be transferred over several TCP streams in parallel.
- Enhanced Storage Performance: Enabled an asynchronous QCOW2 backend based on io_uring.
- Scheduling Optimization: Implemented new core scheduling options for vCPU threads, which let operators control how vCPU threads are grouped on SMT sibling cores.
Implications for Cloud Security
AMD SEV-SNP is a hardware-based security feature that encrypts each guest's memory with a per-VM key managed by the AMD Secure Processor, so that the hypervisor and host administrators cannot read guest memory in the clear. The "Secure Nested Paging" part adds integrity protection: the hardware tracks which guest owns each physical page, so a malicious hypervisor cannot silently remap, replay, or corrupt guest pages. The guest can also request a signed attestation report that proves which firmware and initial image it was launched with, and under which guest policy. With Cloud Hypervisor now supporting this feature on KVM, Linux-based cloud environments can better accommodate workloads that require this level of protection against the host. The new support complements the existing SEV-SNP support on the Microsoft Hypervisor (MSHV), making equivalent functionality available on KVM as well. It is a significant step toward broader confidential computing support within open-source virtualization.
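Memory encryption alone does not tell a relying party anything; the security argument rests on verifying the attestation report. The following Rust example is added here to illustrate what such a check looks like; it is not code from Cloud Hypervisor or from the article. It parses the fixed-layout header fields of an SEV-SNP ATTESTATION_REPORT (offsets taken from the AMD SEV-SNP ABI specification) from a constructed byte buffer and applies a simple relying-party policy: the launch measurement must match a known-good value, the REPORT_DATA field must echo the verifier's nonce, and the guest policy must not allow debugging. The report bytes, the expected measurement and the nonce are all constructed for the example; verifying the report's signature against the VCEK certificate chain is required in practice and is omitted here.

```rust
// Added example: parse the header of an SEV-SNP ATTESTATION_REPORT and apply a
// relying-party policy. Field offsets follow the AMD SEV-SNP ABI specification's
// ATTESTATION_REPORT layout. The report buffer built below is constructed for
// illustration and is NOT a report produced by real hardware. Signature
// verification (VCEK -> ASK -> ARK chain) is deliberately out of scope.

pub const REPORT_LEN: usize = 0x4A0; // 1184 bytes including the 512-byte signature

// Guest policy bits (POLICY field at offset 0x008).
pub const POLICY_SMT: u64 = 1 << 16;          // SMT allowed
pub const POLICY_RESERVED_ONE: u64 = 1 << 17; // reserved, must be set
pub const POLICY_MIGRATE_MA: u64 = 1 << 18;   // migration agent allowed
pub const POLICY_DEBUG: u64 = 1 << 19;        // debugging allowed: never acceptable in production

#[derive(Debug, PartialEq)]
pub struct SnpReport {
    pub version: u32,
    pub guest_svn: u32,
    pub policy: u64,
    pub vmpl: u32,
    pub report_data: [u8; 64],
    pub measurement: [u8; 48],
}

fn u32_at(b: &[u8], off: usize) -> u32 {
    let mut a = [0u8; 4];
    a.copy_from_slice(&b[off..off + 4]);
    u32::from_le_bytes(a)
}

fn u64_at(b: &[u8], off: usize) -> u64 {
    let mut a = [0u8; 8];
    a.copy_from_slice(&b[off..off + 8]);
    u64::from_le_bytes(a)
}

/// Extract the fields a relying party needs from a raw report.
pub fn parse_report(raw: &[u8]) -> Result<SnpReport, String> {
    if raw.len() != REPORT_LEN {
        return Err(format!("report must be {} bytes, got {}", REPORT_LEN, raw.len()));
    }
    let mut report_data = [0u8; 64];
    report_data.copy_from_slice(&raw[0x050..0x090]);
    let mut measurement = [0u8; 48];
    measurement.copy_from_slice(&raw[0x090..0x0C0]);
    Ok(SnpReport {
        version: u32_at(raw, 0x000),
        guest_svn: u32_at(raw, 0x004),
        policy: u64_at(raw, 0x008),
        vmpl: u32_at(raw, 0x030),
        report_data,
        measurement,
    })
}

/// Names of the policy flags set in a report, for logging and review.
pub fn policy_flags(policy: u64) -> Vec<&'static str> {
    let mut out = Vec::new();
    if policy & POLICY_SMT != 0 { out.push("SMT"); }
    if policy & POLICY_MIGRATE_MA != 0 { out.push("MIGRATE_MA"); }
    if policy & POLICY_DEBUG != 0 { out.push("DEBUG"); }
    out
}

/// Relying-party policy. `expected_measurement` is the launch digest computed
/// from the known firmware/kernel/initrd; `nonce` is the 64-byte value the
/// verifier asked the guest to place in REPORT_DATA to prevent replay.
pub fn check_report(r: &SnpReport, expected_measurement: &[u8; 48], nonce: &[u8; 64]) -> Result<(), String> {
    if r.version < 2 {
        return Err(format!("unsupported report version {}", r.version));
    }
    if r.policy & POLICY_DEBUG != 0 {
        return Err("guest policy allows debugging".to_string());
    }
    if &r.measurement != expected_measurement {
        return Err("launch measurement does not match expected image".to_string());
    }
    if &r.report_data != nonce {
        return Err("REPORT_DATA does not echo verifier nonce".to_string());
    }
    Ok(())
}

/// Build a constructed (not hardware-generated) report with the given policy,
/// measurement and REPORT_DATA; all other fields, including the signature, are zero.
pub fn build_sample_report(policy: u64, measurement: &[u8; 48], nonce: &[u8; 64]) -> Vec<u8> {
    let mut raw = vec![0u8; REPORT_LEN];
    raw[0x000..0x004].copy_from_slice(&2u32.to_le_bytes()); // VERSION
    raw[0x004..0x008].copy_from_slice(&1u32.to_le_bytes()); // GUEST_SVN
    raw[0x008..0x010].copy_from_slice(&policy.to_le_bytes()); // POLICY
    raw[0x050..0x090].copy_from_slice(nonce); // REPORT_DATA
    raw[0x090..0x0C0].copy_from_slice(measurement); // MEASUREMENT
    raw
}

fn main() {
    let expected = [0xABu8; 48]; // constructed "known-good" measurement
    let nonce = [0x11u8; 64];    // constructed verifier nonce
    for (label, policy) in [
        ("production", POLICY_RESERVED_ONE | POLICY_SMT),
        ("debug build", POLICY_RESERVED_ONE | POLICY_DEBUG),
    ] {
        let r = parse_report(&build_sample_report(policy, &expected, &nonce)).unwrap();
        println!("{label}: flags={:?} verdict={:?}", policy_flags(r.policy), check_report(&r, &expected, &nonce));
    }
}
```

On a real deployment the raw report comes from the guest (for example via the Linux SNP guest driver's report ioctl) and must be signature-checked against the VCEK for that chip and TCB before any of these fields are trusted; the checks above are what remain after that step.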
This release is a feature-rich milestone that underscores the maturity of Cloud Hypervisor as a VMM for cloud workloads.
Frequently Asked Questions
- What is AMD SEV-SNP?
- AMD SEV-SNP (Secure Encrypted Virtualization - Secure Nested Paging) is a hardware-based security feature of 3rd generation (Milan) and later AMD EPYC processors. It encrypts each virtual machine's memory with a key the hypervisor never sees and adds integrity protection against a hypervisor that tampers with or remaps guest pages, so guest data is protected even from hypervisor administrators, such as those at a cloud provider. A guest can also obtain a signed attestation report describing its launch measurement and policy, which a relying party should verify before trusting the VM with sensitive data.
- What are the primary use cases for Cloud Hypervisor?
- Cloud Hypervisor is an open-source VMM (virtual machine monitor) written in Rust. It runs on Linux hosts on top of KVM or the Microsoft Hypervisor (MSHV) and runs Linux and Windows guests, with an emphasis on a small attack surface and performance. It is primarily used to run virtual machines efficiently and securely in cloud-native environments.
- Why is this upgrade significant?
- This upgrade enables Cloud Hypervisor to launch confidential VMs with AMD SEV-SNP on KVM, where previously SEV-SNP support was available only on MSHV. It expands the options for confidential computing within the Linux ecosystem, which matters for industries and applications that must keep data protected from the cloud provider's own host software.