Microsoft recently unveiled OpenHCL, an open-source paravisor that augments virtualization stacks to facilitate confidential computing VMs on Intel TDX and AMD SEV-SNP platforms. Written in Rust, well-known for its strong memory safety guarantees, OpenCL represents a milestone achievement for the open-source security community.
In this article, we investigate this announcement and its significance for Linux users and open-source advocates, examine OpenHCL's architecture and capabilities, and discuss two main approaches for running confidential VMs.
Understanding the Significance of OpenHCL for Linux Users & the Open-Source Security Community
The introduction of OpenHCL stands out for several reasons. Traditional virtual machine environments rely on hypervisors that pose potential security threats, making OpenHCL an attractive solution. Confidential computing seeks to mitigate these risks by isolating virtual machine operations from the hypervisor. OpenHCL was explicitly created as a paravisor within the confidential trust boundary for enhanced security. OpenHCL can also help customers secure general-purpose operating systems without regularly upgrading them. It allows businesses to leverage advanced computing technologies without incurring the costs and burdens of continually maintaining an OS.
Furthermore, OpenHCL supports various operating systems, including older versions of Linux and Windows. Backward compatibility ensures existing workloads can utilize computing advancements without significant modifications, and OpenHCL's open-source nature encourages community collaboration and transparency. Developers from around the globe can contribute to OpenHCL, helping ensure it evolves to meet the needs of various use cases while upholding high standards of security and performance. Furthermore, OpenHCL supports x86-64 and ARM64 platforms, making it highly flexible and capable of meeting multiple hardware configuration needs.
Examining OpenHCL Architecture & Capabilities
OpenHCL Virtualization Stack (source: Microsoft)The architecture of OpenHCL consists of various critical components designed to increase its functionality and versatility. OpenVMM (Virtual Machine Monitor) is, at its heart, written in Rust. OpenVMM provides essential services to guest VMs running within it while supporting confidential and non-confidential VMs. Its multiple user-mode processes provide essential guest services as it works with a minimal Linux kernel that reduces binary size and RAM usage for enhanced system efficiency. Another vital component is the boot loader, which works alongside VMM to support it. VMM configuration reduces binary size, while runtime RAM usage increases the system's overall efficiency.
OpenHCL provides device emulation and translation through standard interfaces, offering emulated devices like virtual Trusted Platform Modules (vTPM) and serial ports. Furthermore, OpenHCL enables device translation so hardware devices can be directly assigned to virtual machines without requiring changes to guest OSes; this feature allows VMs to take advantage of cutting-edge devices' improved performance.
Diagnosing issues within sensitive virtual machines (VMs) can be challenging, but OpenHCL's comprehensive diagnostics support simplifies this task and expedites troubleshooting in secure environments through dedicated methods.
OpenHCL's specialized capabilities for different confidential platforms further expand its utility. On Intel TDX platforms, OpenHCL operates as the L1 Virtual Machine Monitor of an Intel TDX confidential VM. In contrast, on AMD SEV-SNP platforms, it operates at the VMPL0 level of an SEV-SNP confidential VM. Both configurations ensure the paravisor can enforce required privilege levels to create secure execution environments on both platforms.
Approaches for Running Confidential VMs
There are two general approaches for operating confidential virtual machines (VMs):
- Fully Enlightened Guests: To adopt this method, one needs to modify their guest OS so it understands and manages all aspects of running as a confidential VM. These fully enlightened guests can directly communicate with confidential computing hardware to handle tasks such as memory encryption and device security. However, this approach may prove tedious due to the need for significant OS modifications and regular updates to keep pace with hardware advances.
- Relying on a Paravisor: In this approach, a paravisor such as OpenHCL implements all necessary confidential computing mechanisms for the guest OS. This enables guests to operate without knowing they are in a confidential environment. Existing operating systems (even legacy versions) can use confidential computing without extensive OS changes, providing more flexible and user-friendly ways of deploying confidential VMs within enterprises with diverse legacy systems.
OpenHCL Use Cases in Azure
Microsoft has taken an innovative and successful approach to confidential computing using OpenHCL-enabled virtual machines in Azure. Over 1.5 million virtual machines were running within a month using this approach. Azure supported numerous guest operating systems (such as older Windows and Linux kernel versions), providing customers an effortless path toward privacy-minded computing.
Comparison With COCONUT-SVSM
A second technology in the confidential computing space, COCONUT-SVSM aims to deliver services for virtual machines (VMs) with fully informed guests. While COCONUT-SVSM introduces new interfaces, OpenHCL takes an alternative approach by using existing standard architectural interfaces, making integration more straightforward without needing guest OS changes for device emulation or other services.
Our Final Thoughts on Microsoft's Announcement of OpenHCL
OpenHCL represents an exciting step forward for confidential computing. By creating an open-source, Rust-written paravisor, Microsoft has opened the doors to enhanced security, flexibility, and backward compatibility for Linux users and the larger open-source community. OpenHCL's robust architecture and support for Intel TDX and AMD SEV-SNP platforms demonstrate its broad scope for adoption.
As enterprises become more concerned with security and leverage confidential computing for their workloads, OpenHCL emerges as an attractive option. Its ability to offer advanced services for confidential and non-confidential VMs opens up secure cloud environments. Whether running legacy systems or planning new deployments, OpenHCL provides a flexible yet powerful toolset that will shape the future of virtualization.
