A Secure and Formally Verified Linux KVM Hypervisor


Here we include the proofs for KCore splitting into 34 layers, for our verified KVM implementation, SeKVM.


34 Security-preserving layers

# Layer Specification Code Verification Source Code Refinement
34 TrapHandler TrapHandlerSpec TrapHandlerProofCode TrapHandlerCode TrapHandlerRefine
33 TrapHandlerRaw TrapHandlerRawSpec TrapHandlerRawProofCode TrapHandlerRawCode TrapHandlerRawRefine
32 TrapDispatcher TrapDispatcherSpec TrapDispatcherProofCode TrapDispatcherCode TrapDispatcherRefine
31 FaultHandler FaultHandlerSpec FaultHandlerProofCode FaultHandlerCode FaultHandlerRefine
30 MemHandler MemHandlerSpec MemHandlerProofCode MemHandlerCode MemHandlerRefine
  VCPU Context        
29 CtxtSwitch CtxtSwitchSpec CtxtSwitchProofCode CtxtSwitchCode CtxtSwitchRefine
28 VCPUOps VCPUOpsSpec VCPUOpsProofCode VCPUOpsCode VCPUOpsRefine
27 VCPUOpsAux VCPUOpsAuxSpec VCPUOpsAuxProofCode VCPUOpsAuxCode VCPUOpsAuxRefine
26 SmmuOps SmmuOpsSpec SmmuOpsProofCode SmmuOpsCode SmmuOpsRefine
25 SmmuAux SmmuAuxSpec SmmuAuxProofCode SmmuAuxCode SmmuAuxRefine
24 SmmuCore SmmuCoreSpec SmmuCoreProofCode SmmuCoreCode SmmuCoreRefine
23 SmmuCoreAux SmmuCoreAuxSpec SmmuCoreAuxProofCode SmmuCoreAuxCode SmmuCoreAuxRefine
22 SmmuRaw SmmuRawSpec SmmuRawProofCode SmmuRawCode SmmuRawRefine
21 BootOps BootOpsSpec BootOpsProofCode BootOpsCode BootOpsRefine
20 BootAux BootAuxSpec BootAuxProofCode BootAuxCode BootAuxRefine
19 BootCore BootCoreSpec BootCoreProofCode BootCoreCode BootCoreRefine
18 VMPower VMPowerSpec VMPowerProofCode VMPowerCode VMPowerRefine
17 MemOps MemOpsSpec MemOpsProofCode MemOpsCode MemOpsRefine
16 MemAux MemAuxSpec MemAuxProofCode MemAuxCode MemAuxRefine
15 PageMgmt PageMgmtSpec PageMgmtProofCode PageMgmtCode PageMgmtRefine
14 PageIndex PageIndexSpec PageIndexProofCode PageIndexCode PageIndexRefine
13 MemBlock MemBlockSpec MemBlockProofCode MemBlockCode MemBlockRefine
  SMMU Page Table        
12 MmioSPTOps MmioSPTOpsSpec MmioSPTOpsProofCode MmioSPTOpsCode MmioSPTOpsRefine
11 MmioSPTWalk MmioSPTWalkSpec MmioSPTWalkProofCode MmioSPTWalkCode MmioSPTWalkRefine
10 MmioPTWalk MmioPTWalkSpec MmioPTWalkProofCode MmioPTWalkCode MmioPTWalkRefine
9 MmioPTAlloc MmioPTAllocSpec MmioPTAllocProofCode MmioPTAllocCode MmioPTAllocRefine
  Page Table        
8 NPTOps NPTOpsSpec NPTOpsProofCode NPTOpsCode NPTOpsRefine
7 NPTWalk NPTWalkSpec NPTWalkProofCode NPTWalkCode NPTWalkRefine
6 PTWalk PTWalkSpec PTWalkProofCode PTWalkCode PTWalkRefine
5 PTAlloc PTAllocSpec PTAllocProofCode PTAllocCode PTAllocRefine
4 Locks LocksSpec LocksProofCode LocksCode LocksRefine
3 LockOpsH LockOpsHSpec LockOpsHProofCode LockOpsHCode LockOpsHRefine
2 LockOpsQ LockOpsQSpec LockOpsQProofCode LockOpsQCode LockOpsQRefine
1 LockOps LockOpsSpec LockOpsProofCode LockOpsCode LockOpsRefine

Bottom layer machine definition

These following definitions comprise the base layer of SeKVM’s refinement proofs. Note that AbsMachineState defines the machine state, and is used throughout the layer refinement proofs.

Top-layer invariants

These invariants are proven over only the top-level specification, TrapHandlerSpec. They are used in the top-level security proofs.

Top-layer Security


We demonstrate booting an Ubuntu 16.04 VM on our verified KVM implementation, SeKVM, running on an AMD Seattle Arm server. The server hardware has 8 CPUs and 16GB RAM. The demo VM is configured with 4 virtual CPUs, 12 GB RAM, and standard virtio network/block devices. We show the VM supports full Ubuntu Linux functionality, including disk encryption and networking. We first boot the VM from a LUKS-encrypted virtual disk, and login to its shell. We then run a script to download the Linux kernel source from kernel.org, over a virtual network interface backed by virtio.

SeKVM Demo