Publication
KVM Forum 2022
Talk

No More Turtles: The SecondaryVM Framework - An Alternative to Nested Virtualization

Abstract

Although nested virtualization has been carefully designed in the community, several challenges remain to be addressed. For instance, enabling the feature exposes a larger attack surface, since the implementation of nested virtualization substantially enlarges the hypervisor code base. Furthermore, in the emerging field of confidential computing, encrypted-VM technologies such as AMD SEV and Intel TDX do not support nested virtualization. To address these challenges, the presenters propose an alternative to nested virtualization, the SecondaryVM framework. In this framework, a primary VM is booted within a cgroup partition and given the capability to launch secondary VMs in the same cgroup. The presenters will show the current implementation progress, challenges, and future use cases of this framework, such as the operations/processes that primary VMs are allowed to issue, network communication among primary and secondary VMs, storage/images of the secondary VMs, and deployment on diverse platforms (Libvirt, KubeVirt, etc.).

Date

13 Sep 2022