1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
|
#+title: Virtualization & Emulation
#+date: 2026-06-15 Mon
#+author: W. Kosior
#+email: wkosior@agh.edu.pl
* Hypervisors
- type 1
- Xen
- WMWare ESX
- type 2
- QEMU
- Bochs
- VirtualBox
- VMWare Workstation
- Hyper-V?
- KVM?
* KVM & Hyper-V
- hypervisor included in the kernel
- Linux (KVM)
- Windows kernel (Hyper-V)
- used as backend (QEMU, VMWare Workstation)
- VirtualBox to drop custom kernel module
- sporadically with distinction (according to Wikipedia)
- Virtual Machine Monitor (VMM) — userspace application
- hypervisor — kernel part
* Virtualiation Approaches
- code interpretation
- binary compilation
- trapping privileged, state-changing instructions
- guest code in non-privileged mode
- emulated interrupts & IO
- MMU → "shadow tables"
- limitation: only compatible architectures
- e.g., x86 / x86_64 on x86_64
- problem: not all instructions trapped
- x86 & ARM extensions
- paravirtualization
* Hardware-Assisted Virtualization
- what:
- trap-and-emulate enablers (where needed)
- Intel VT-x, AMD-V, ARMv7-A Virtualization Extensions
- not needed: Power, RISC-V
* Hardware-Assisted Virtualization, Cont.
- what:
- trap-and-emulate enablers (where needed)
- Intel VT-x, AMD-V, ARMv7-A Virtualization Extensions
- not needed: Power, RISC-V
- hardware-virtualized privileged state (e.g., extra)
- hardware-virtualized address translation (e.g., 2-level translation in ARM)
- hardware-virtualized IO (e.g., Intel VT-d, AMD-V 2.0)
- hardware-virtualized interrupts (e.g., Intel VT-x)
- …
* Hardware-Assisted Virtualization, Cont…
- what:
- trap-and-emulate enablers (where needed)
- Intel VT-x, AMD-V, ARMv7-A Virtualization Extensions
- not needed: Power, RISC-V
- hardware-virtualized privileged state (e.g., extra)
- hardware-virtualized address translation (e.g., 2-level translation in ARM)
- hardware-virtualized IO (e.g., Intel VT-d, AMD-V 2.0)
- hardware-virtualized interrupts (e.g., Intel VT-x)
- …
- some support in major architectures
- x86_64, ARM, Power, RISC-V
- exceptions
- e.g., Intel Atom
* Xen
# wget -O XenFuPandaWiki.png https://wiki.xenproject.org/resources/assets/XenFuPandaWiki.png?60ae8
[[./XenFuPandaWiki.png]]
- dom0
- domU
* Xen Virtualization Modes
- PV
- HVM
- PVH
* VM vs Container
- ?
* VM vs Container, Cont.
- ?
- Xen: 18 security advisories in 2026
- Linux: over 2k CVEs
- /(is that comparable?)/
* VM vs Container, Cont…
- ?
- Xen: 18 security advisories in 2026 (15 in 2025)
- Linux: over 2k CVEs in 2026
- /(is that comparable?)/
- combination: VM + unprivileged user account
- defense in depth
- unprivileged user (no root)
- user mode (lockdown kernel module)
- VM
* Qubes OS
* Qubes OS & Xen Architecture Support
- x86_64
- ARMv7 + Virtualization Extensions
- ARMv8
* Qubes OS & Xen Architecture Support, Cont.
- x86_64
- ARMv7 + Virtualization Extensions
- ARMv8
- 2025 — Xen RISC-V support
* Application-Level Emulation
- e.g., AArch64 on x86_64
- vice-versa
- QEMU User space emulator
- Rosetta2
- binfmt_misc
|
