Overview
Explore the COCONUT Secure VM Service Module (SVSM) in this 30-minute KVM Forum conference talk. Delve into the world of confidential virtual machines (CVMs) and learn how the threat model shifts the hypervisor out of the trusted computing base (TCB). Discover the ongoing efforts to harden Linux against misbehaving device emulations and understand why certain security-sensitive devices require emulation within the TCB. Examine how the COCONUT SVSM leverages VM privilege levels on AMD SEV-SNP hardware to provide secure services and device emulations for CVMs. Gain insights into the project's origins, its relationship with other SVSM implementations, and its integration into the KVM virtualization stack. Explore the underlying design principles and engage in discussions about future plans, including ideas for emulating security-sensitive devices and data storage solutions.
Syllabus
The COCONUT Secure VM Service Module
Taught by
KVM Forum