The Talk

“Architecting the Confidential-VM Guest OS in Rust: Runtime, Kernel Standard Library, and Kernel Services”

In this talk, Zehuan will introduce how to architect and design an operating system that runs within a confidential virtual machine (CVM). The design is divided into three main modules: the kernel runtime, the kernel standard library, and kernel services.

The kernel runtime sits closest to the platform and implements the platform abstraction layer, the kernel boot module, and the host-side backend server. Built on top of it, the kernel standard library, whose API is inspired by Rust's std, provides a set of standard library functionality. Developers can use this kernel standard library to build unikernels that run in the guest VM at ring 0. By changing only compilation options, the same unikernel can be built to run on a confidential VM such as Intel TDX or AMD SEV, or on a regular VM.
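The layering in the paragraph above, sketched as an added Rust example that is not code from the project discussed in the talk: a platform-abstraction trait with two backends selected by a compile-time feature, and a kernel-std-style call on top that does not know which backend it was built against. The trait, type and function names, the `cvm` feature, and the shared-buffer header format are all assumptions made for this illustration. The security point it carries is the one that makes the confidential backend different from the regular-VM one: under TDX or SEV the hypervisor sits outside the guest's trusted computing base, so anything it writes into shared memory is untrusted input that has to be snapshotted and bounds-checked before the guest acts on it.

```rust
// Added illustration for the layering described in the abstract; it is not code
// from the project presented in the talk. Every name here (Platform, PlainVm,
// ConfidentialVm, the `cvm` feature, host_recv) is an assumption made for the
// example. It shows the compile-time backend switch and why the confidential
// backend of a platform abstraction layer must treat host-supplied data as
// untrusted: under TDX/SEV the hypervisor is outside the guest's TCB.

/// Header the host-side backend writes at the start of the shared buffer:
/// payload offset and length, both little-endian u32 (assumed format).
const HEADER_LEN: usize = 8;

/// Cap on one message so a hostile length cannot drive a huge allocation.
pub const MAX_MSG: usize = 4096;

#[derive(Debug, PartialEq, Eq)]
pub enum HostError {
    ShortHeader,
    OutOfBounds,
    TooLarge,
    OverlapsHeader,
}

/// The contract the kernel standard library relies on; each platform backend
/// implements it, and nothing above this trait knows which one was compiled in.
pub trait Platform {
    const NAME: &'static str;
    /// Copy the message the host advertised in `shared` into guest memory.
    fn recv(shared: &[u8]) -> Result<Vec<u8>, HostError>;
}

fn parse_header(shared: &[u8]) -> Result<(usize, usize), HostError> {
    let hdr = shared.get(..HEADER_LEN).ok_or(HostError::ShortHeader)?;
    let off = u32::from_le_bytes(hdr[0..4].try_into().unwrap()) as usize;
    let len = u32::from_le_bytes(hdr[4..8].try_into().unwrap()) as usize;
    Ok((off, len))
}

/// Regular VM backend: the hypervisor can already read and write all guest
/// memory, so it is inside the TCB and its descriptor is taken at face value
/// (bounds are still checked so the kernel cannot panic on a buggy host).
pub struct PlainVm;

impl Platform for PlainVm {
    const NAME: &'static str = "plain-vm";
    fn recv(shared: &[u8]) -> Result<Vec<u8>, HostError> {
        let (off, len) = parse_header(shared)?;
        let end = off.checked_add(len).ok_or(HostError::OutOfBounds)?;
        Ok(shared.get(off..end).ok_or(HostError::OutOfBounds)?.to_vec())
    }
}

/// Confidential VM backend: the hypervisor is untrusted, and the shared buffer
/// is the one region it may write, so every field in it is attacker-controlled.
pub struct ConfidentialVm;

impl Platform for ConfidentialVm {
    const NAME: &'static str = "confidential-vm";
    fn recv(shared: &[u8]) -> Result<Vec<u8>, HostError> {
        // 1. Snapshot the header into private memory before validating it, so a
        //    host racing on the shared page cannot change it after the check.
        //    (In a real kernel this is a volatile copy out of shared pages.)
        let mut hdr = [0u8; HEADER_LEN];
        hdr.copy_from_slice(shared.get(..HEADER_LEN).ok_or(HostError::ShortHeader)?);
        let (off, len) = parse_header(&hdr)?;
        // 2. Reject sizes the guest is not prepared to allocate.
        if len > MAX_MSG {
            return Err(HostError::TooLarge);
        }
        // 3. The payload must lie after the header and inside the shared region.
        if off < HEADER_LEN {
            return Err(HostError::OverlapsHeader);
        }
        let end = off.checked_add(len).ok_or(HostError::OutOfBounds)?;
        let payload = shared.get(off..end).ok_or(HostError::OutOfBounds)?;
        // 4. Copy into private memory; the kernel never parses data in place
        //    while the host can still modify it.
        Ok(payload.to_vec())
    }
}

/// The compile-time switch the abstract mentions: the same kernel-std API is
/// built against either backend depending on a (hypothetical) `cvm` feature.
#[cfg(feature = "cvm")]
pub type Selected = ConfidentialVm;
#[cfg(not(feature = "cvm"))]
pub type Selected = PlainVm;

/// Kernel-std-style entry point; callers never see which backend is active.
pub fn host_recv(shared: &[u8]) -> Result<Vec<u8>, HostError> {
    Selected::recv(shared)
}

/// Constructed shared buffer: header (offset, len) followed by a payload.
pub fn shared_buffer(off: u32, len: u32, payload: &[u8]) -> Vec<u8> {
    let mut buf = Vec::with_capacity(HEADER_LEN + payload.len());
    buf.extend_from_slice(&off.to_le_bytes());
    buf.extend_from_slice(&len.to_le_bytes());
    buf.extend_from_slice(payload);
    buf
}

fn main() {
    let ok = shared_buffer(8, 5, b"hello");
    println!("{}: {:?}", Selected::NAME, host_recv(&ok));
    // A hostile header claiming a 4 GiB payload: the plain backend merely
    // fails the slice lookup, the confidential backend rejects it up front.
    let hostile = shared_buffer(8, u32::MAX, b"hello");
    println!("plain: {:?}", PlainVm::recv(&hostile));
    println!("cvm:   {:?}", ConfidentialVm::recv(&hostile));
}
```

Built as-is, the regular-VM backend is selected; declaring a `cvm` feature in the crate manifest and enabling it swaps the `Selected` alias without touching `host_recv` or any code above it, which is the property the abstract attributes to its compilation-option switch.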

Leveraging the aforementioned standard library and runtime, we have developed a Unix-like operating system kernel that is compatible with the Linux ABI. This allows conventional applications to run, without any modifications, on a CVM kernel with a smaller trusted computing base (TCB).

We hope that after attending this presentation, the audience will gain a deeper understanding of system kernel architecture and will be equipped to use the provided development libraries to create their own Unix-like kernels or compile application services into unikernels.

The Speaker

Zehuan Li

Zehuan Li is a Senior Software Engineer at Ant Group. His expertise lies in developing Trusted Execution Environment (TEE) infrastructure and operating system kernels, including library operating systems and VM-based operating systems. He is a core contributor to projects such as the LibraryOS Occlum, VM-based Occlum, and apache/incubator-teaclave-sgx-sdk. He is passionate about using Rust to build robust and reliable low-level systems.

© RUSTAsia 2025