Protected Execution Facility: Enhancing Security for Virtual Machines

Explore the Protected Execution Facility, an architectural modification for IBM Linux and OpenPower Linux servers, in this informative conference talk by Guerney D. H. Hunt from IBM Research. Delve into the challenges of keeping applications and containers secure in the face of attacks and compromised components. Learn about the associated firmware, the Protected Execution Ultravisor, which provides additional security to virtual machines, known as secure virtual machines (SVMs). Discover how this facility supports both normal VMs and SVMs concurrently, and understand the protections and restrictions applied to SVMs. Compare vendor approaches to providing security in potentially compromised hypervisor or OS environments. Gain insights into creating and running SVMs, base principles, architecture implications, revocation, limitations, and boot changes. Examine interfaces to the Ultravisor ultra calls, KVM changes, kernel modifications, and hardware alterations. Conclude with a summary of the Protected Execution Facility and an overview of relevant IBM secure processor products and research.