Protected Execution Facility

Guerney Hunt
IBM Research

Security remains a key concern for both traditional and cloud computing workloads. One objective is keeping applications (or containers) secure in the presence of attacks or compromised components, including the underlying systems. This talk presents how these challenges are addressed on the Power Architecture.

We present the Protected Execution Facility, an architecture modification for IBM Linux and OpenPower Linux servers, along with the associated firmware, the Protected Execution Ultravisor, which provides additional security to virtual machines; the protected VMs are called secure virtual machines (SVMs). The Protected Execution Facility concurrently supports both normal VMs and SVMs.

We review the main components of the architectural modifications and how they are exploited by the Protected Execution Ultravisor. We also describe the tooling required to build an SVM. Finally, we discuss the protections provided to SVMs and the current set of restrictions.