With a paravisor, by contrast, there is no need for special OS releases: you can use whatever supported guest OS you like. You don't have to wait for Microsoft, Canonical, Red Hat, or whoever else to build, test, and package a confidential computing-ready release. When a security update ships for a zero-day in your chosen guest OS, you roll it out through your standard OS and image update process, just as you would for a non-confidential VM.
Introducing OpenHCL
Azure's paravisor used to be closed source, built on proprietary code. That has changed with the announcement of an open source version, OpenHCL. OpenHCL is developed in the open on GitHub, where you can contribute (after signing Microsoft's standard contributor license agreement). It is written in Rust and built from the same OpenVMM code base, which runs on Linux, macOS, and Windows hosts and works with Microsoft's own hypervisors, Apple's Hypervisor framework, and KVM, on both x64 and Arm64.
Microsoft's paravisor architecture is relatively simple. It sits between the guest and your existing hypervisor, giving the guest an abstraction layer over the underlying hardware, while the host OS continues to provide the management tooling and storage. Inside an OpenHCL-enabled VM, the paravisor runs in its own higher-privilege virtual trust level, separated from the guest OS. It consists of a small Linux kernel that hosts the device drivers, with an OpenVMM environment on top that presents virtual devices to the guest OS. One caveat worth keeping in mind: because the paravisor runs inside the confidential VM's boundary, it is part of the guest's trusted computing base and has to be trusted, and attested, alongside the guest, which is exactly why having its code open to audit matters.