microsoft/openvmm (mirrored from https://github.com/microsoft/openvmm)
Guide/src/reference/architecture/openhcl.md
# OpenHCL Architecture

**Prerequisites:**

- [Getting Started: OpenHCL](../../user_guide/openhcl.md).
- [Architecture: OpenVMM Architecture](./openvmm.md).

* * *

> This page is under construction

## Overview

The following diagram offers a brief, high-level overview of the OpenHCL
Architecture.

## VTLs

OpenHCL currently relies on Hyper-V's implementation of [Virtual Trust Levels]
(VTLs) to implement the security boundaries necessary for running OpenVMM as a
paravisor.

VTLs can be backed by:

- Hardware-based [TEEs], like Intel [TDX] and AMD [SEV-SNP]
- Software-based constructs, like Hyper-V [VSM]

OpenHCL runs within VTL2[^sk], and provides virtualization services to a Guest OS
running in VTL0.

## OpenHCL Linux

By building on top of Linux, OpenHCL is able to leverage the extensive Linux
software and development ecosystem, and avoid re-implementing various components
like core OS primitives, device drivers, and software libraries. As a result,
OpenHCL provides a familiar and productive environment for developers.

The OpenHCL Linux Kernel uses a minimal kernel configuration, designed to host a
single specialized build of OpenVMM in userspace.

In debug configurations, userspace may include additional facilities (such as an
interactive shell, additional perf and debugging tools, etc). Release
configurations use a lean, minimal userspace, consisting entirely of OpenHCL
components.

* * *

## Scenario: Azure Boost Storage/Networking Translation

Traditionally, Azure VMs have used Hyper-V VMBus-based synthetic networking and
synthetic storage for I/O. Azure Boost introduces hardware accelerated storage
and networking. It exposes different interfaces to guest VMs for networking and
storage. Specifically, it exposes a new proprietary [Microsoft Azure Network
Adapter] (MANA) and an NVMe interface for storage.

OpenHCL is able to provide a compatibility layer for I/O virtualization on
Azure Boost enabled systems.

Specifically, OpenHCL exposes Hyper-V VMBus-based synthetic networking and
synthetic storage for I/O to the guest OS in a VM. OpenHCL then maps those
synthetic storage and networking interfaces to the hardware accelerated
interfaces provided by Azure Boost.

The following diagram shows a high-level overview of how synthetic networking is
supported in OpenHCL over Microsoft Azure Network Adapter (MANA).

<img src="./_images/openhcl-synthetic-nw.png" height="400" width="600"> <br>

The following diagram shows a high-level overview of how accelerated networking
is supported in OpenHCL over MANA.

<img src="./_images/openhcl-accelnet.png" height="400" width="600"> <br> <br>

[^sk]: Why not VTL1? Windows already uses VTL1 in order to host the [Secure Kernel].

[VSM]: https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/tlfs/vsm
[Virtual Trust Levels]: https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/tlfs/vsm
[TDX]: https://www.intel.com/content/www/us/en/developer/tools/trust-domain-extensions/overview.html
[SEV-SNP]: https://www.amd.com/content/dam/amd/en/documents/epyc-business-docs/white-papers/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more.pdf
[TEEs]: https://en.wikipedia.org/wiki/Trusted_execution_environment
[Secure Kernel]: https://www.microsoft.com/en-us/security/blog/2020/07/08/introducing-kernel-data-protection-a-new-platform-security-technology-for-preventing-data-corruption/
[Microsoft Azure Network Adapter]: https://learn.microsoft.com/en-us/azure/virtual-network/accelerated-networking-mana-overview