The VMware Hypercall API is heading into Linux 6.11 to support confidential computing.

In the virtualization area, the Linux 6.11 cycle brings a notable change: a unified VMware Hypercall API. It gives VMware guest drivers and the guest interface a single, CPU-architecture-independent way to issue hypercalls, and it clears the way for confidential-computing platforms such as Intel Trust Domain Extensions (TDX) and AMD Secure Encrypted Virtualization (SEV), where a guest cannot simply execute the conventional hypercall instruction and must route the call through the platform's own guest-to-host mechanism.

Innovations in virtualization with VMware Hypercall API
The VMware Hypercall API, posted and picked up last week ahead of Linux 6.11, is summarized by its authors as:

“Adding a unified layer of VMware Hypercall API that should be used by all callers instead of homemade solutions. This will enable the addition of support for confidential computing solutions like TDX.”

Previously, VMware hypercall invocations were scattered throughout the kernel, each driver re-implementing the same ABI in inline assembly. The new VMware Hypercall API layer gives every caller one entry point, so the arch-specific details, including the different paths needed under memory encryption and confidential computing, live in one place instead of in each driver.

Improvements in virtualization infrastructure
The primary goal of the VMware Hypercall API is to support VMware virtual devices and the VMware guest interface in a way that is less dependent on the CPU architecture. This matters for running VMware guests under hardware confidential-computing features such as Intel TDX and AMD SEV-ES, where the hypercall path differs from that of a conventional guest.

The latest patch series describes the effort as follows:

“The invocations of VMware hypercalls were scattered throughout the kernel, implementing the same ABI in asm-inline. With encrypted memory and confidential computing, it became more challenging to maintain all changes in these hypercall implementations.

The intent of this patch set is to introduce an architecture-independent VMware hypercall API layer that other subsystems, such as device drivers, can call, while hiding the architecture-specific implementation behind it.

The first patch introduces low and high-capacity function families of vmware_hypercall, with some minor improvements there. And the last patch adds support for TDX hypercalls.”
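To make the design in the quoted description concrete, here is an added example written for this page (not code from the kernel or from the patch series): a user-space model of a unified hypercall layer in which callers use one entry point and the platform-specific ABI (legacy port I/O, VMCALL/VMMCALL, or a TDX TDVMCALL-style call) is chosen once at init and hidden behind it. No real hypercall instruction is executed; a mock hypervisor stands in for the VMM and for the TDX module. The magic value and I/O port are VMware's published backdoor constants; the command numbers, the TDVMCALL register layout, the vendor leaf value, the mock replies and the function names are assumptions made for the demo, not the kernel's API.

```c
/*
 * Added example, not kernel or patch-series code: a user-space model of a
 * unified VMware hypercall layer with the platform ABI hidden behind it.
 * Magic/port are VMware's published backdoor constants; everything else
 * (command numbers, TDX argument layout, vendor leaf, mock replies) is assumed.
 */
#include <stdint.h>
#include <stdio.h>

#define VMWARE_HYPERVISOR_MAGIC 0x564D5868u /* "VMXh", expected in EAX */
#define VMWARE_HYPERVISOR_PORT  0x5658u     /* legacy backdoor I/O port, in EDX */
#define DEMO_CMD_GETVERSION     10u         /* assumed command number */
#define DEMO_CMD_GETHZ          45u         /* assumed command number */
#define DEMO_TDX_VENDOR_LEAF    0xDEADBEEFu /* assumed vendor-specific TDVMCALL leaf */

enum vmware_mode { VMWARE_MODE_IOPORT, VMWARE_MODE_VMCALL, VMWARE_MODE_VMMCALL, VMWARE_MODE_TDX };

struct x86_regs { uint32_t eax, ebx, ecx, edx; };      /* legacy register contract */
struct tdvmcall { uint64_t r10, r11, r12, r13, r14; }; /* assumed TDVMCALL argument image */

/* ---- mock hypervisor side (constructed behaviour) ---- */
static void demo_vmm_handle(uint32_t cmd, uint32_t in1, uint32_t *eax, uint32_t *ebx, uint32_t *ecx)
{
    (void)in1;
    switch (cmd) {
    case DEMO_CMD_GETVERSION: *eax = 6; *ebx = VMWARE_HYPERVISOR_MAGIC; *ecx = 0; break;
    case DEMO_CMD_GETHZ:      *eax = 2400000000u; *ebx = 0; *ecx = 0; break; /* constructed: 2.4 GHz */
    default:                  *eax = UINT32_MAX; break;                         /* unknown command */
    }
}

/* What the VMM does when a guest executes IN/VMCALL/VMMCALL with the backdoor contract. */
static void demo_vmm_backdoor(struct x86_regs *r)
{
    if (r->eax != VMWARE_HYPERVISOR_MAGIC || r->edx != VMWARE_HYPERVISOR_PORT) {
        r->eax = UINT32_MAX;                  /* malformed request: VMM ignores it */
        return;
    }
    demo_vmm_handle(r->ecx, r->ebx, &r->eax, &r->ebx, &r->ecx);
}

/* Under TDX a raw hypercall instruction is intercepted and never reaches the VMM (modelled as a failed call). */
static void demo_tdx_intercept_raw_call(struct x86_regs *r)
{
    r->eax = UINT32_MAX; r->ebx = 0; r->ecx = 0;
}

/* Under TDX the call must go through the TDX module with the vendor leaf in R10 (assumed layout). */
static void demo_tdx_module(struct tdvmcall *a)
{
    uint32_t eax = 0, ebx = 0, ecx = 0;
    if (a->r10 != DEMO_TDX_VENDOR_LEAF) { a->r12 = UINT32_MAX; return; }
    demo_vmm_handle((uint32_t)a->r12, (uint32_t)a->r13, &eax, &ebx, &ecx);
    a->r12 = eax; a->r13 = ebx; a->r14 = ecx;
}

/* ---- unified guest-side layer ---- */
static enum vmware_mode vmware_hcall_mode;

static void vmware_hypercall_init(enum vmware_mode m) { vmware_hcall_mode = m; }

/* Single entry point: command and one input in, EAX returned, EBX/ECX via out pointers. */
static uint32_t vmware_hypercall3(uint32_t cmd, uint32_t in1, uint32_t *out1, uint32_t *out2)
{
    if (vmware_hcall_mode == VMWARE_MODE_TDX) {
        struct tdvmcall a = { .r10 = DEMO_TDX_VENDOR_LEAF, .r11 = 1, .r12 = cmd, .r13 = in1, .r14 = 0 };
        demo_tdx_module(&a);
        *out1 = (uint32_t)a.r13; *out2 = (uint32_t)a.r14;
        return (uint32_t)a.r12;
    }
    /* IOPORT, VMCALL and VMMCALL share one register contract; only the instruction differs. */
    struct x86_regs r = { .eax = VMWARE_HYPERVISOR_MAGIC, .ebx = in1, .ecx = cmd, .edx = VMWARE_HYPERVISOR_PORT };
    demo_vmm_backdoor(&r);
    *out1 = r.ebx; *out2 = r.ecx;
    return r.eax;
}

/* The "homemade" style the series replaces: each caller inlines the legacy ABI itself. */
static int homemade_vmware_platform(void)
{
    struct x86_regs r = { .eax = VMWARE_HYPERVISOR_MAGIC, .ebx = 0, .ecx = DEMO_CMD_GETVERSION, .edx = VMWARE_HYPERVISOR_PORT };
    if (vmware_hcall_mode == VMWARE_MODE_TDX)
        demo_tdx_intercept_raw_call(&r);      /* knows nothing about TDX, so the call is lost */
    else
        demo_vmm_backdoor(&r);
    return r.ebx == VMWARE_HYPERVISOR_MAGIC;  /* platform detected if the magic comes back in EBX */
}

/* The same check through the unified layer: no ABI knowledge in the caller. */
static int vmware_platform(void)
{
    uint32_t ebx, ecx;
    vmware_hypercall3(DEMO_CMD_GETVERSION, 0, &ebx, &ecx);
    return ebx == VMWARE_HYPERVISOR_MAGIC;
}

int main(void)
{
    enum vmware_mode modes[] = { VMWARE_MODE_IOPORT, VMWARE_MODE_VMCALL, VMWARE_MODE_TDX };
    for (size_t i = 0; i < sizeof modes / sizeof modes[0]; i++) {
        vmware_hypercall_init(modes[i]);
        printf("mode %d: homemade=%d unified=%d\n", (int)modes[i], homemade_vmware_platform(), vmware_platform());
    }
    return 0;
}
```

The point the model makes is the one in the quoted text: once a caller embeds the register contract itself, every new platform (here, the TDX mode) silently breaks it, whereas a caller that goes through the single entry point keeps working because the platform dispatch lives in exactly one place.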

Impact and future perspectives
This work was briefly included in the "x86/vmware" branch of the tip/tip.git repository, but it seems the branch was subsequently reset. Despite this, the VMware Hypercall API support is expected to be ready for mainline and to reappear in the x86/vmware branch of TIP before the Linux 6.11 merge window opens in July.

The integration of the VMware Hypercall API in Linux 6.11 is a meaningful step for virtualization and confidential computing. By unifying how hypercalls are issued, the API removes per-driver inline assembly, gives developers one interface across CPU architectures, and provides a single place where confidential-computing paths such as TDX can be added once rather than in every caller.
