Linux Foundation

Splitting pKVM Into Discrete, Mutually Exclusive Address Spaces for Enhanced Security

Linux Foundation via YouTube

Overview

Explore the advanced security features of pKVM, a confidential computing extension for KVM/arm64, in this 28-minute Linux Foundation talk. Dive into the proposed enhancements that create separate, independently tagged address spaces for improved isolation between host and guests. Learn how these changes mitigate potential vulnerabilities, reduce the impact of bugs, and minimize trust requirements for drivers. Examine the hypervisor's isolation mechanisms and common constructs used to prevent accidental data leakages. Gain insights into VCPU isolation, mobile isolation, exception levels, and strategies for dealing with buggy software in the context of confidential computing.

Syllabus

Introduction
Buggy Software
Exception Levels
Extras
VCPU Isolation
Mobile Isolation

Taught by

Linux Foundation
