
https://docs.openstack.org/security-guide/_images/sVirt_Diagram_1.png

https://people.redhat.com/duffy/selinux/selinux-coloring-book_A4-Stapled.pdf

Every KVM virtual machine is a separate Linux process: it is confined by SELinux/sVirt, and its resources are allocated through cgroups.

sVirt

Each KVM-based virtual machine is a process which is labeled by SELinux, effectively establishing a security boundary around each virtual machine. This security boundary is monitored and enforced by the Linux kernel, restricting the virtual machine’s access to resources outside of its boundary, such as host machine data files or other VMs.

sVirt isolation is provided regardless of the guest operating system running inside the virtual machine. Linux or Windows VMs can be used. Additionally, many Linux distributions provide SELinux within the operating system, allowing the virtual machine to protect internal virtual resources from threats.

KVM-based virtual machine instances are labelled with their own SELinux data type, known as svirt_image_t. Kernel-level protections prevent unauthorized system processes, such as malware, from manipulating the virtual machine image files on disk. When virtual machines are powered off, images are stored as svirt_image_t.

The svirt_image_t label uniquely identifies image files on disk, allowing the SELinux policy to restrict access. When a KVM-based compute image is powered on, sVirt appends a random numerical identifier to the image. sVirt is capable of assigning numeric identifiers to a maximum of 524,288 virtual machines per hypervisor node; however, most OpenStack deployments are highly unlikely to encounter this limitation.

SELinux manages user roles. These can be viewed with the -Z flag (for example, ls -Z or ps -Z) or with the semanage command. On the hypervisor, only administrators should be able to access the system, and both the administrative users and any other users on the system should have an appropriate SELinux context.

To ease the administrative burden of managing SELinux, many enterprise Linux platforms utilize SELinux Booleans to quickly change the security posture of sVirt.

https://linux.die.net/man/8/virt_selinux

Ex.
SELinux Boolean     Description
virt_use_comm       Allow virt to use serial/parallel communication ports.
virt_use_fusefs     Allow virt to read FUSE mounted files.
virt_use_nfs        Allow virt to manage NFS mounted files.
virt_use_samba      Allow virt to manage CIFS mounted files.
virt_use_sanlock    Allow sanlock to manage virt lib files.
virt_use_sysfs      Allow virt to manage device configuration (PCI).
virt_use_usb        Allow virt to use USB devices.
virt_use_xserver    Allow virtual machine to interact with the X Window System.

KVM is a Linux kernel module, so check whether it is already loaded and, if not, load it.

Hardware virtualization may be disabled in the BIOS; if the kvm_intel or kvm_amd module fails to load, check the BIOS settings.

Although KVM relies on hardware virtualization, it can use paravirtualized drivers for some I/O devices, which improves performance for certain use cases.

KVM can do nested virtualization: a VM inside of a VM.