QEMU 11.0.0: Test AWS Nitro Enclaves Locally
QEMU 11 brings a new "nitro" accelerator for AWS Nitro Enclaves, more protection for confidential VMs, and extended support for many architectures.
(Image: heise medien)
QEMU 11.0.0 is here. The new version primarily expands cloud support, confidential computing, and various hardware architectures. Key new features include a new “nitro” accelerator for AWS Nitro Enclaves, additional security functions for encrypted VMs, and improvements to the graphics and storage stack. QEMU is a widely used open-source hypervisor and emulator. It supports full virtualization via KVM, WHPX, or HVF, as well as pure CPU emulation via TCG.
Run Nitro Enclaves Locally
A focus of version 11.0.0 is the new “nitro” accelerator. This allows AWS Nitro Enclaves to run natively in QEMU for the first time. These enclaves are highly isolated runtime environments within EC2 instances. They have neither network access nor persistent storage and are suitable for security-critical workloads such as key management or processing sensitive data. Developers can now test such scenarios locally in QEMU without having to rely on AWS infrastructure.
More Protection for Confidential VMs
In the area of confidential computing, QEMU is expanding its support for hardware-based security mechanisms. Newly added is virtualization of Intel's Control-flow Enforcement Technology (CET), which makes return-, jump-, and call-oriented programming attacks (ROP, JOP, and COP) harder to carry out. Furthermore, KVM can now reset SEV-SNP and TDX VMs; to do so, QEMU initializes a fresh, encrypted guest context. SEV-SNP and TDX shield virtual machines from the host and encrypt their memory.
There are also advances in the hypervisor backends. QEMU is improving support for the MSHV and WHPX accelerators. On macOS, HVF now accelerates ARM workloads with the Scalable Matrix Extension 2 (SME2), provided the host CPU supports it.
Graphics and Storage
In the graphics stack, QEMU extends virtio-gpu with a “DRM native context” mode for selected Linux graphics drivers. In addition, a different resolution can now be set for each virtual display. This simplifies multi-monitor setups in VMs and improves the integration of modern graphics APIs.
In the block layer, the NFS driver now supports libnfs v6, and the developers have revised the curl- and FUSE-based block drivers. This is particularly relevant for network storage and host-side image tooling: QEMU improves access to images on NFS servers and to sources reachable via HTTP(S)/FTP, and via FUSE, disk images can be exposed to host tools as raw images.
The Tiny Code Generator (TCG), QEMU's backend for pure software emulation, now supports C++ plugins directly in the source tree. This simplifies the development of analysis and instrumentation tools, for example, for tracing or performance profiling.
Extended Architecture Support
Furthermore, QEMU 11.0.0 expands support for numerous processor architectures. On ARM, the CPU features FEAT_ASID2 and FEAT_E2H0 are added, and TCG now emulates the Scalable Matrix Extension (SME). For x86, QEMU now supports Intel's upcoming Diamond Rapids processors. RISC-V receives several new ISA extensions and an improved representation of Control and Status Registers. LoongArch, HPPA, s390, and PowerPC also receive new functions such as extended ISA emulation, snapshot support, and additional boot options.
All information about QEMU 11 can be found in the Release Notes on the project's website.
(fo)