Microsoft Releases OpenHCL, an Open Source Paravisor

The tool provides additional security features to guest VMs.

Microsoft recently released OpenHCL, a new virtualization layer that provides guest virtual machines (VMs) with accelerated IO and added security features.

This lightweight paravisor was written in Rust and “designed with strong memory safety principles,” says Hari Pulapaka in an introductory blog post.

A paravisor, explains Caroline Perez-Vargas, “executes within the confidential trust boundary and provides the virtualization and device services needed by a general-purpose operating system (OS), enabling existing VM workloads to execute securely.” In other words, it’s “essentially an execution environment that runs within the guest VM – at a higher privilege level than the guest OS – and provides various services to the guest.”

OpenHCL runs on both x86-64 and Arm64 platforms and offers services to both confidential and non-confidential VMs, including:

  • Device emulation via standard device interfaces.
  • Device translation via standard device interfaces, such as NVMe to para-virtualized SCSI, allowing assignment of hardware devices directly to VMs (accelerated IO) without requiring guest OS changes.
  • Diagnostics support, which facilitates debugging confidential VMs.
  • Support for guests that are not fully enlightened – such as Windows and older versions of Linux – to run on confidential computing platforms via standard architectural interfaces (for confidential VMs specifically).

The company has also released a virtual machine monitor component of OpenHCL, called OpenVMM. This modular, cross-platform tool, written in Rust, is available on GitHub under the MIT license and supports a variety of host operating systems, architectures, and virtualization backends.

Read more about OpenHCL and OpenVMM.
10/25/2024
