Kernel-based Virtual Machine (KVM)
KVM is a popular open-source hypervisor shipped with Linux distributions that allows VMs to be created on a Linux host. It has characteristics of both Type 1 and Type 2 hypervisors. Because KVM is a Linux kernel module, loading it turns the host OS itself into a bare-metal Type 1 hypervisor. At the same time, it is kernel code that coexists with ordinary applications and competes with other kernel modules for resources, which gives the installation some Type 2 characteristics.
KVM offers all the hardware, compute, and storage support of Type 1 hypervisors, including live migration of VMs, scalability, scheduling, and low latency. In practice, VMs created with KVM have a strong security track record.
Many manufacturers tweak their devices to provide extra support for hypervisors by building in hardware acceleration technology, which speeds up tasks related to virtualization. Intel and AMD, for example, add support for nested virtualization and extensions that enable second-level address translation.
These extensions perform the processor-intensive tasks that are central to creating and managing virtual resources. Without this hardware assistance, the hypervisor would have to handle these tasks in software, which would limit both performance and the number of VMs the system can run.
Since Type 1 hypervisors are more common in the enterprise, where hardware and software are typically bought and managed as a combined solution for specific workloads, they are built to rely on hardware acceleration, which is usually enabled through the system's BIOS. Type 2 hypervisors can also take advantage of native hardware acceleration, but fall back to software emulation for these tasks if the necessary features or support aren't available.
Hypervisor Capability Expansion
Today there are many subcategories under the umbrella of virtualization: hardware virtualization, server virtualization, desktop virtualization, OS virtualization, network virtualization, storage virtualization, data virtualization, application virtualization, datacenter virtualization, CPU virtualization, GPU virtualization, and cloud virtualization, to name a few.
Different variations of hypervisors enable one or more of the types of virtualization listed above. They can run on specific, proprietary hardware or independently of the hardware, depending on the environment or architecture. Storage hypervisors, for instance, act as a management interface for storage devices or networks, just as if they were servers. They can run inside an OS hypervisor, or even as a separate VM of their own.
VM-based systems are isolated from the hardware, the host OS, and each other, so a compromised VM should not normally affect the whole system. If the hypervisor itself is compromised, however, the data and applications in every VM are exposed. That makes the hypervisor a prime target: an attacker who breaks into it gains control of all VMs and the underlying hardware.
Hypervisors are vulnerable to malicious code coming from rogue VMs. Such incidents have been reported but rarely publicized. In theory, it is possible to create rootkits that install themselves as a hypervisor beneath the OS. This technique is called "hyperjacking" and is difficult to detect or prevent, because the malware can intercept low-level machine operations below the OS kernel.
It is best for IT security teams to know the workings of their hypervisor inside out, or at least to use an established vendor that provides generic protection.
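The two passages above, on hardware acceleration that must be enabled in the BIOS and on the risk of an unexpected hypervisor sitting beneath the OS, both come down to checks an administrator can run on a Linux host. The script below is an added example, not code from the original article or from the KVM project. It classifies the `flags` line of `/proc/cpuinfo` (the samples are constructed; `vmx`/`svm` are the Intel VT-x and AMD-V bits, `ept`/`npt` the second-level address translation bits, and `hypervisor` the CPUID bit a guest sees when it runs under a hypervisor) and, when run with `--live`, reports on the real machine: whether KVM can run, who may open `/dev/kvm`, and whether nested virtualization is enabled for the loaded `kvm_intel` or `kvm_amd` module. The assumption that Intel lists `ept` on the main `flags` line holds on older kernels; newer kernels move it to a separate `vmx flags` line, which can be passed to the same function.

```shell
#!/bin/sh
# Added example (not from the original article): classify CPU virtualization
# support from /proc/cpuinfo-style text and run a few host sanity checks.

# Constructed "flags" lines in the format /proc/cpuinfo uses: an Intel host
# with VT-x and EPT, an AMD host with AMD-V and NPT, and a guest that shows
# the CPUID "hypervisor" bit instead of any virtualization extension.
SAMPLE_INTEL_HOST='flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx lm vmx smx ept vpid ssse3 sse4_1 sse4_2 x2apic popcnt aes xsave avx'
SAMPLE_AMD_HOST='flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext lm svm npt nrip_save'
SAMPLE_GUEST='flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx lm hypervisor'

# has_flag FLAGS_LINE FLAG -> exit 0 when FLAG appears as a whole word.
has_flag() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx "$2"
}

# virt_extension FLAGS_LINE -> prints "vmx" (Intel VT-x), "svm" (AMD-V) or "none".
virt_extension() {
    if has_flag "$1" vmx; then echo vmx
    elif has_flag "$1" svm; then echo svm
    else echo none
    fi
}

# slat_support FLAGS_LINE -> prints "yes" when second-level address translation
# (Intel EPT or AMD NPT) is advertised, "no" otherwise.
slat_support() {
    if has_flag "$1" ept || has_flag "$1" npt; then echo yes; else echo no; fi
}

# under_hypervisor FLAGS_LINE -> exit 0 when the CPUID "hypervisor" bit is set,
# i.e. this OS is itself a guest. On a machine you believe is bare metal, a set
# bit is worth investigating; a clear bit proves little, since a rootkit
# hypervisor can choose not to advertise itself.
under_hypervisor() {
    has_flag "$1" hypervisor
}

# host_report -> summarise the live machine from /proc and /sys.
# Returns 0 when KVM looks usable, 1 otherwise. Not exercised by the samples.
host_report() {
    flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null)
    ext=$(virt_extension "$flags")
    echo "virtualization extension: $ext"
    echo "second-level address translation: $(slat_support "$flags")"
    if under_hypervisor "$flags"; then
        echo "CPUID hypervisor bit: set (this OS is running as a guest)"
    else
        echo "CPUID hypervisor bit: clear"
    fi
    case $ext in
        vmx) mod=kvm_intel ;;
        svm) mod=kvm_amd ;;
        *)   echo "no hardware virtualization extension: KVM cannot run (check BIOS)"; return 1 ;;
    esac
    # Anyone who can open /dev/kvm can create VMs, so its owner, group and mode
    # are part of the host's security posture.
    if [ -c /dev/kvm ]; then
        echo "/dev/kvm: present, owner/group/mode $(stat -c '%U:%G %a' /dev/kvm)"
    else
        echo "/dev/kvm: absent (module not loaded, or VT-x/AMD-V disabled in BIOS)"
    fi
    if [ -r "/sys/module/$mod/parameters/nested" ]; then
        echo "$mod loaded, nested virtualization: $(cat "/sys/module/$mod/parameters/nested")"
    else
        echo "$mod not loaded"
    fi
    [ -c /dev/kvm ]
}

# Run the live report only when asked, so the functions can be sourced safely.
if [ "${1:-}" = "--live" ]; then
    host_report
fi
```

On a host that should be bare metal, a set `hypervisor` bit or a missing `/dev/kvm` despite `vmx`/`svm` being present are the findings to follow up; the former points at an unexpected virtualization layer, the latter usually at the BIOS setting the article mentions.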
How to Choose the Right Hypervisor?
Choosing a hypervisor for a particular function depends on the size of the company, the criticality of the operations or workload, the capital and operational costs, the existing IT infrastructure, and the IT expertise and skills available in-house.
Typically, SMBs or organizations that are just starting out with virtualization and hybrid clouds can make do with a Type 2 hypervisor, which is easier to set up. If latency is not critical and the number of dynamic virtual machines needed isn't very high, a Type 2 hypervisor is a good option.
On the other hand, when performance is an absolute must for the workload, and big data or business-critical transactions are processed, a Type 1 hypervisor is best suited. Enterprise admins can configure the hypervisors to dynamically allocate resources according to application priorities or peak usage times, as well as securely isolate VMs performing different functions from each other.
Some other considerations for choosing the appropriate hypervisor are:
Complexity: Is the hypervisor easy to deploy, manage, and troubleshoot? What does the console look like? Is it just software or a combination of hardware and software? Does it require a specialist to operate or will an IT generalist be able to get the hang of it?
For IT organizations that like to be in control of their virtualization and converged deployments, there are virtualization management tools available that show comprehensive views of multiple hypervisors and virtualization assets. Admins can monitor their connections to applications, servers, and storage devices, and act on the capacity planning and optimization recommendations. They can also identify and troubleshoot performance or security issues without logging in to separate hypervisor terminals.