top | item 38540430

(no title)

jbott | 2 years ago

It looks like the host kernel is not in full control – there is a EL2-level hypervisor, pKVM [1] that is actually the highest-privilege domain. This is pretty similar to the Xen architecture [1] where the dom0 linux os in charge of managing the machine is running as a guest of the hypervisor.

1. https://source.android.com/docs/core/virtualization/architec... 2. https://wiki.xenproject.org/wiki/Xen_Project_Software_Overvi...

discuss

pjmlp|2 years ago

Commonly known as type 1 hypervisor architecture, by opposition to type 2 hypervisor, which run as OS services.

Ironically the revenge of microkernels, as most cloud workloads run on type 1 hypervisors.

bonzini|2 years ago

No, KVM is also a type 1 hypervisor but it doesn't attempt (with the exception of pKVM and of hardware protection features like SEV, neither of which is routinely used by cloud workloads) to protect the guest from a malicious host.