(no title)

It looks like the host kernel is not in full control – there is a EL2-level hypervisor, pKVM [1] that is actually the highest-privilege domain. This is pretty similar to the Xen architecture [1] where the dom0 linux os in charge of managing the machine is running as a guest of the hypervisor.

1. https://source.android.com/docs/core/virtualization/architec... 2. https://wiki.xenproject.org/wiki/Xen_Project_Software_Overvi...

I don't know about Android, but AMD CPUs support encrypting regions of physical memory with different keys which are accessible only to one particular VM running, but also not accessible to the host:

AMD Secure Encrypted Virtualization (SEV)

https://www.amd.com/en/developer/sev.html

The architecture pattern is similar to Bromium/HP AX + Type 2 μXen on x86, https://www.youtube.com/watch?v=bNVe2y34dnM (2018), which ships on HP business PCs.

Bare metal runs a tiny L0 hypervisor making use of hardware support for nested virtualization. In turn, the L0 can run an L1 hypervisor, e.g. KVM or "host" OS, or minimal L1 VMs that are peers to the L1 "host"-guest of L0.

Google pKVM-for-Arm tech talk (2022), hopefully x86 will follow, https://www.youtube.com/watch?v=9npebeVFbFw

You can inspect their hypervisor code and verify the host kernel can not access the VM after creation but if you are running as root then you can obviously inspect whatever process is under host/hypervisor control.

You make the various hardware modules security context aware. You then give the host a separate security context from guests. You need a trusted hypervisor to bootstrap it.

Protected KVM on Arm64: A Technical Deep Dive, Quentin Perret (KVM Forum 2022), https://www.youtube.com/watch?v=9npebeVFbFw (first 5m)

It must be relying on a TPM somehow, right? That isn't possible with any normal software VM