The KVM Forum 2024 conference will take place in Brno, Czech Republic on September 22-23, 2024. KVM Forum brings together the Linux virtualization community, especially around the KVM stack, including QEMU and other virtual machine monitors. The Call for Presentations is open until June 8, 2024. You are invited to submit presentation proposals via the KVM Forum CfP page. All presentation slots will be 25 minutes + 5 minutes for questions. Suggested topics include: Scalability and Optimization Hardening and security Confidential computing Testing KVM and the Linux Kernel New Features and Arch ..read more

IBM Secure Execution for Linux -- the Linux Kernel Virtual Machine (KVM) based Confidential Computing technology for IBM LinuxONE and Linux on IBM Z -- now allows Secure Execution guests leverage secure passthrough access to up to 12 Crypto Express 8S adapter domains in accelerator or EP11 co-processor mode. Customers who require the highest level of protection (FIPS 140-2 level 4 certified) for their cryptographic keys and thus for their sensitive data can now have their workloads deployed as Secure Execution KVM guests with access to Hardware Security Modules (HSMs) if the provider uses IBM ..read more

Canonical released a new version of their Ubuntu server offering Ubuntu Server 23.10!  Highlights include HSM support for Secure Execution Further Crypto enhancements and extensions See the announcement on the mailing list here, and the blog entry at Canonical with all Z-specific highlights here. This release is very significant, since it marks a so-called LTS (Long Term Support) release, granting an extended service timeframe of up to 10 years, as illustrated here ..read more

We’d like to announce the availability of the QEMU 9.0.0 release. This release contains 2700+ commits from 220 authors. You can grab the tarball from our download page. The full list of changes are available in the changelog. Highlights include: block: virtio-blk now supports multiqueue where different queues of a single disk can be processed by different I/O threads gdbstub: various improvements such as catching syscalls in user-mode, support for fork-follow modes, and support for siginfo:read memory: preallocation of memory backends can now be handled concurrently using multiple threads in ..read more

During my work on SBSA Reference Platform I have spent lot of time in firmware’s code. Which mostly meant Tianocore EDK2 as Trusted Firmware is quite small. Writing all those ACPI tables by hand takes time. So I checked ConfigurationManager component which can do it for me. Introduction In 2018 Sami Mujawar from Arm contributed Dynamic Tables Framework to Tianocore EDK2 project. The goal was to have code which generates all ACPI tables from all those data structs describing hardware which EDK2 already has. In 2023 I was writing code for IORT and GTDT tables to generate them from ..read more

During last weeks we worked on getting rid of DeviceTree from EDK2 on SBSA Reference Platform. And finally we managed! All code is merged into upstream EDK2 repository. What? Someone may wonder where DeviceTree was in SBSA Reference Platform. Wasn’t it UEFI and ACPI platform? Yes, from Operating System point of view it is UEFI and ACPI. But if you look deeper you will see DeviceTree hidden inside our chain of software components: /dts-v1/; / { machine-version-minor = <0x03>; machine-version-major = <0x00>; #size-cells = <0x02> ..read more

Programming languages currently offer few defences against supply chain attacks where a malicious third-party library compromises a program. As I write this, the open source community is trying to figure out the details of the xz-utils backdoor, but there is a long history of supply chain attacks. High profile incidents have made plain the danger of shipping software built from large numbers dependencies, many of them unaudited and under little scrutiny for malicious code. In this post I will share ideas on future supply chain safe programming languages. Supply Chain Safe Programming Languages ..read more

Recently people asked me how to run SBSA Reference Platform for their own testing and development. Which shows that I should write some documentation. But first let me blog about it… Requirements To run SBSA Reference Platform emulation you need: QEMU (8.2+ recommended) EDK2 firmware files That’s all. Sure, some hardware resources would be handy but everyone has some kind of computer available, right? QEMU Nothing special is required as long as you have qemu-system-aarch64 binary available. EDK2 We provide EDK2 binaries on CodeLinaro server. Go to “latest/e ..read more

The certificates of the host key signing keys that are needed to verify host key documents will expire on April 24, 2024 for IBM z15 and LinuxONE III and on March 29, 2024 for IBM z16 and LinuxONE 4. Due to a requirement from the Certificate Authority (DigiCert), the renewed certificates are equipped with a new Locality value (“Armonk” instead of “Poughkeepsie”). These renewed certificates cause the current versions of the genprotimg, pvattest, and pvsecret tools to fail the verification of host key documents. The IBM Z team is preparing updates of the genprotimg, pvattest, and pvsecret tools ..read more

KubeVirt makes it possible to run virtual machines on Kubernetes alongside container workloads. Virtual machines are configured using VirtualMachineInstance YAML. But under the hood of KubeVirt lies the same libvirt tooling that is commonly used to run KVM virtual machines on Linux. Accessing libvirt can be convenient for development and troubleshooting. Note that bypassing KubeVirt must be done carefully. Doing this in production may interfere with running VMs. If a feature is missing from KubeVirt, then please request it. The following diagram shows how the user's VirtualMachineInstance is t ..read more