Microsoft crafts Rust hypervisor to power Azure workloads

Microsoft earlier this month published code for a new hypervisor, or virtual machine monitor (VMM), written in Rust.

OpenVMM is a type 2 hypervisor, which runs atop an operating system, as opposed to a type 1 hypervisor that runs on bare metal and interacts directly with hardware. Thus it has more in common with Oracle VM VirtualBox, VMware Workstation, or Microsoft Virtual PC than VMware ESXi, KVM, or Microsoft Hyper-V.

Rust turns out to be rather popular for virtualization. Cloud Hypervisor, a type 2 VMM written in Rust, dates back to 2019. Amazon and Google have also developed Rust-based VMMs, Firecracker (type 1) and crosvm (type 2), respectively.

However, OpenVMM is a work in progress and Microsoft warns that it's not ready for production use, noting the experience of running it in a traditional host context is not all that pleasant.

"At this time, OpenVMM on the host is not yet ready to run end-user workloads, and should be treated more akin to a development platform for implementing new OpenVMM features, rather than a ready-to-deploy application," the project website says.

What's more, the software's management interfaces aren't yet well documented, device performance remains unoptimized, some features are missing, and there's no API stability guarantee.

But aside from that, the project at least shows Microsoft, like its peers, is expanding its Rust footprint to provide stronger memory safety guarantees - which has become an international mandate because security turns out to be fairly important. Microsoft developers have also discussed their appreciation for Rust's modern language features, its crates ecosystem, its analysis tools, and the ability to still use C APIs to talk directly to hardware.

To the extent that it works, OpenVMM runs on Linux (x64, via KVM or MSHV APIs), macOS (Aarch64, via the Hypervisor.framework API), and Windows (x64 and Aarch64, via the Windows Hypervisor Platform API).

OpenVMM was developed primarily for use with OpenHCL, a Linux-based para-virtualization layer for confidential VMs that is also built in Rust. As discussed last month at the Linux Plumbers Conference in Vienna, Austria, OpenHCL is an execution environment that runs OpenVMM as a paravisor.

A paravisor runs within the guest at a higher privilege level, as opposed to a hypervisor that runs within a separate privileged host or root partition.

As the conference talk explains, "Guest operating systems generally require modifications, referred to as enlightenments, to run under different Confidential computing architectures such as AMD SEV-SNP or Intel TDX. To support unenlightened guests, a software component called a paravisor is required.

"The paravisor runs at a higher privilege level within the guest to provide the appropriate abstractions and security guarantees that the unenlightened guest is unable to implement. The paravisor may additionally offer additional services such as emulated devices like a TPM [Trusted Platform Module] or device translation between the host and the unenlightened guest."

Why bother? Well, for Microsoft, this approach allows existing workloads to use its Azure Boost hardware accelerator without modifying the guest VM image - through a new virtualization layer, the guest gets access to faster IO and security features directly, rather than through the host. It also lets existing operating systems run in hardware-backed Confidential VMs, and supports Trusted Launch VMs.

At some point in the future, OpenVMM may get enough polish to use without too much pain. ®

Oct 17
Microsoft crafts Rust hypervisor to power Azure workloads

OpenVMM touts stronger security, but not ready for prime time just yet
