QingTian Hypervisor
QingTian Hypervisor provides strong isolation and security for tenant ECSs through its lightweight design, minimum attack surface, anti-tamper design, and hot upgrade capability.
Lightweight Design
Unlike a traditional Type-1 hypervisor, QingTian Hypervisor is designed to be lightweight.
- Full offloading architecture: The traditional management plane and I/O data plane are offloaded to QingTian Cards. QingTian Hypervisor retains only basic virtualization and device passthrough capabilities and provisions 100% of the server's resources to tenant VMs. The management plane on the QingTian Cards manages the lifecycle of VMs running on QingTian Hypervisor through a vsock secure channel. All virtual disks and virtual network interfaces are presented by the QingTian Cards as standard virtio-PCI devices, which deliver performance and support flexible hot swap and live migration.
- Huawei Cloud EulerOS 2.0: An in-house lightweight, stateless virtualization OS. It removes every kernel module and software package that is irrelevant to virtualization and retains only the components needed to run the hypervisor. The resulting system is compact, easy to distribute, and allows kernel vulnerabilities to be fixed quickly.
- VRAM: An in-house pageless, lightweight memory management system that discards traditional page-based memory management. It reduces management overhead by dozens of times while preserving the memory compatibility of VMs.
Minimum Attack Surface
Compared with a traditional hypervisor, the lightweight QingTian Hypervisor also accounts for the impact of external attack sources on the virtualization data plane. QingTian Hypervisor minimizes its attack surface using the following technologies:
- Minimal TCB: The trusted computing base has been streamlined so that only the code needed for virtualization remains.
- No network: Network functions are removed from the hypervisor. QingTian Hypervisor interacts with the QingTian Cards only through the vsock secure channel, which further reduces the attack surface of the management plane.
- No storage: The server has no local disks, disk file systems, or configuration files. Logs and monitoring data are periodically recorded to the cloud through APIs, and no state data can be edited or modified externally.
- CPU pinning: VMs are bound to dedicated CPUs, so QingTian Hypervisor does not need to schedule CPUs. This avoids context-switching overhead and, because no other tenant runs on those cores, mitigates side-channel attacks that depend on sharing a core's caches and execution units.
- Strong isolation: Hardware-assisted virtualization and the Huawei-developed VRAM memory manager ensure that VMs cannot access each other's memory or I/O resources.
Anti-tamper Design
With its streamlined, lightweight software package, QingTian Hypervisor is verified as trusted during the host's secure boot. QingTian Controller uses an authenticated encryption with associated data (AEAD) algorithm to protect the confidentiality and integrity of sensitive configuration data during boot; the data is decrypted only when the encryption and decryption context matches the expected trusted environment, so a modified boot environment cannot recover it. At runtime, the hypervisor's memory file system is mounted read-only and trusted audit is enabled to prevent VM escape or tampering by external software. Upgrade packages for QingTian Hypervisor are also verified with both a CRC and certificate checks before installation: the CRC detects corruption in transit, while the certificate-based signature check is what establishes that the package was not tampered with and comes from the expected publisher.
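The two anti-tamper mechanisms described above, sealing configuration to the boot environment with an AEAD and checking an upgrade package with a CRC plus a signature, are illustrated by the following added Go example. It is not QingTian code: the measurement format (SHA-256 of the image), the AES-256-GCM choice, the Ed25519 signature standing in for the certificate check, and all keys and payloads are assumptions made for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"hash/crc32"
)

// Measurement stands in for the boot-time measurement of the trusted environment.
// Assumed here to be SHA-256 of the verified hypervisor image (QingTian's real format is not public).
type Measurement [32]byte

func measure(image []byte) Measurement { return sha256.Sum256(image) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealConfig encrypts config with AES-256-GCM and binds it to the expected boot measurement
// by passing the measurement as associated data. The AAD is not stored in the blob.
func sealConfig(key []byte, expected Measurement, config []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, config, expected[:]), nil // nonce || ciphertext || tag
}

// unsealConfig supplies the current measurement as AAD: a different environment fails the tag check.
func unsealConfig(key []byte, current Measurement, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], current[:])
}

// Package is a constructed stand-in for an upgrade package (certificate chain omitted).
type Package struct {
	Payload []byte
	CRC     uint32
	Sig     []byte
}

func newSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

func buildPackage(priv ed25519.PrivateKey, payload []byte) Package {
	return Package{Payload: payload, CRC: crc32.ChecksumIEEE(payload), Sig: ed25519.Sign(priv, payload)}
}

// tamperPackage models an on-path attacker: swaps the payload, recomputes the keyless CRC, cannot re-sign.
func tamperPackage(p Package, payload []byte) Package {
	p.Payload = payload
	p.CRC = crc32.ChecksumIEEE(payload)
	return p
}

func crcOK(p Package) bool { return crc32.ChecksumIEEE(p.Payload) == p.CRC }
func sigOK(pub ed25519.PublicKey, p Package) bool { return ed25519.Verify(pub, p.Payload, p.Sig) }

// verifyPackage: the CRC catches accidental corruption; only the signature is evidence against tampering.
func verifyPackage(pub ed25519.PublicKey, p Package) error {
	if !crcOK(p) {
		return errors.New("CRC mismatch: package corrupted in transit")
	}
	if !sigOK(pub, p) {
		return errors.New("signature invalid: package tampered with or not signed by the release key")
	}
	return nil
}

func main() {
	key := make([]byte, 32) // demo key only; derive it inside the trusted environment in practice
	good := measure([]byte("hypervisor-image-v1"))
	blob, _ := sealConfig(key, good, []byte("tenant_isolation=strict"))
	_, err := unsealConfig(key, measure([]byte("hypervisor-image-modified")), blob)
	fmt.Println("unseal under modified boot environment:", err)

	pub, priv := newSigningKey()
	evil := tamperPackage(buildPackage(priv, []byte("upgrade-v2")), []byte("upgrade-v2+backdoor"))
	fmt.Println("tampered package passes CRC:", crcOK(evil), "; verify:", verifyPackage(pub, evil))
}
```

Binding the measurement as associated data rather than encrypting it means the measurement never travels with the blob; a host whose boot state differs cannot even tell which measurement it is missing, it simply gets an authentication failure. The second half shows why the CRC cannot substitute for the signature: an attacker who changes the payload recomputes the keyless CRC in one call, and only the signature verification fails.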
System Hot Upgrade
Traditional hypervisor software upgrades require a shutdown or service migration before deployment, which can interrupt customer services and makes upgrades slow. QingTian Hypervisor is updated periodically, and to cover different upgrade scenarios it provides secure hot upgrade at three granularities: function-level hot patches, component-level hot replacement, and in-place hot upgrade of the entire hypervisor system. Customer services are almost unaffected by an upgrade. Because the hypervisor can be upgraded in place, large-scale parallel upgrades can be performed quickly across a cluster without service migration or host reboots, so new software versions can be released quickly. Throughout the upgrade, the system continues to enforce its full security policies and defenses.