Introducing Virtualization Support to Ironclad

Jan 31, 2026 - By Cristian <streaksu@ironclad-os.org>

In this article we will cover one of the newest features in Ironclad, type 2 virtualization support: the design choices behind it, its uses, and the interfaces used.

What virtualization brings to Ironclad

Virtualization comes in many shapes and sizes. Ironclad implements a “Type 2”, or “hosted”, hypervisor, which is exposed by the OS instead of transparently by the hardware.

Virtualization enables Ironclad to be used as a hypervisor for accelerated virtual machines targeting the same architecture as the running system, which has tons of uses for service-providing, containerization, and several security applications.

This was previously possible with full software emulation using virtualization software like QEMU’s TCG emulation, but this is often prohibitively slow and inefficient compared with having the hardware give us the building blocks to assemble our own virtual machines.

How virtualization is exposed, and NVMM

The most common use of type 2 hypervisors is by emulator software like QEMU or VirtualBox for interfacing with hardware acceleration using the operating system’s APIs.

A big focus in Ironclad has always been to use as many previously existing building blocks as we can to make development easier and more interoperable - and when it comes to virtualization interfaces, many pre-existing ones come to mind, such as Linux’s Kernel Virtual Machine (KVM), or FreeBSD/Illumos’s Bhyve. Therefore, we chose to implement NetBSD’s Virtual Machine Monitor (NVMM) as Ironclad’s virtualization interface.

NVMM is exposed in Ironclad in the form of a set of syscalls, which are themselves wrapped and exposed to userland by our own re-implementation of the libnvmm library, which can be found here.

An overview of NVMM’s design

We chose NVMM due to its minimal nature when compared with the ever-sprawling KVM and Bhyve, while being supported by many big emulators, namely QEMU, which was already ported to Gloire.

NVMM was also the option that required the least amount of Linux-isms. In Ironclad, we rely far less on virtual devices and ioctls for device interfaces and instead prefer to use syscalls - this makes NVMM and libnvmm a much better match for Ironclad’s already existing codebase than the naked ioctl calls via /dev/kvm of QEMU’s KVM port.

Current progress and hardware support

For now, virtualization support is only provided for x86_64 systems, on Intel and AMD processors, by using their VT-x and AMD-V interfaces respectively.

All of this work is now available on Ironclad’s development branch, and will make its way to releases of Ironclad and Gloire.

For an example of how to use these interfaces, one can check the tests we have written for libnvmm, which are installed as part of the libnvmm package.