Publication
KVM Forum 2021
Short paper

Secure Live Migration of Encrypted VMs

Abstract

Most Confidential Computing platforms, such as AMD SEV, encrypt guest memory and CPU state, not allowing the hypervisor to access either. This complicates live VM migration. In a non-secure setting, the hypervisor copies memory from the source node to the destination node and coordinates the CPU state of the source VM and destination VM. In a secure setting, without access to guest memory or CPU state, the hypervisor needs help from a trusted agent inside the guest to facilitate live migration. We are implementing live migration support in firmware. In this session, we will describe in detail the current and future challenges for migrating encrypted VMs. We will walk through our modified firmware and demonstrate how it can be used with QEMU and SEV VMs.

Date

15 Sep 2021
