Posts for: #Kvm

Unintercept CPUID

Introduction

Most hypervisors intercept the CPUID instruction to present a modified feature set to the guest. This is essential for use cases such as live migration across different hardware models, and for hiding features that the hypervisor or emulator cannot handle.

However, this interception introduces a detectable side effect. Timing attacks are a common method of virtual machine (VM) detection because a VM exit is expensive relative to the instruction it replaces. On Intel CPUs that support Virtual Machine Extensions (VMX), executing CPUID in a guest unconditionally causes a VM exit; no execution control can disable it. Unless the hypervisor compensates for the transition overhead (for example by adjusting the guest's view of the timestamp counter), the extra latency of a CPUID round trip serves as a flag of hypervisor presence.
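The measurement the paragraph describes, as an added example that is not code from the original post: time CPUID with RDTSC, take the median over many runs to discard interrupt outliers, and compare against a threshold. The 500-cycle threshold and the sample count are assumed heuristics (native CPUID is on the order of 100-200 cycles; a VM exit round trip is usually well over 1000), not values from the post.

```c
/* Added example (not from the original post): detect CPUID interception by
 * timing it. On VMX, CPUID always causes a VM exit, so its round-trip cost
 * under a hypervisor is typically an order of magnitude above bare metal.
 * The 500-cycle threshold is an assumed heuristic. Build: gcc -O2 cpuid_timing.c */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

#define SAMPLES 2000                  /* assumed: enough runs for a stable median */
#define DEFAULT_THRESHOLD_CYCLES 500  /* assumed heuristic, see lead-in */

static int cmp_u64(const void *a, const void *b)
{
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n samples. The median is used instead of the mean because
 * interrupts and context switches produce huge outliers that would skew a mean. */
uint64_t median_u64(uint64_t *v, size_t n)
{
    qsort(v, n, sizeof *v, cmp_u64);
    return v[n / 2];
}

#if HAVE_X86
/* TSC ticks spent in one CPUID(leaf 0). lfence keeps rdtsc from being
 * executed early; cpuid itself is fully serializing. */
static uint64_t time_cpuid_once(void)
{
    unsigned a, b, c, d;
    _mm_lfence();
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);
    uint64_t t1 = __rdtsc();
    _mm_lfence();
    return t1 - t0;
}
#endif

/* Median TSC cost of CPUID over SAMPLES runs; 0 on non-x86 builds, where the
 * measurement does not apply. */
uint64_t measure_cpuid_cycles(void)
{
#if HAVE_X86
    static uint64_t samples[SAMPLES];
    for (int i = 0; i < SAMPLES; i++)
        samples[i] = time_cpuid_once();
    return median_u64(samples, SAMPLES);
#else
    return 0;
#endif
}

/* 1 if the median CPUID cost suggests interception, 0 if it looks native.
 * A hypervisor that hides the exit cost would have to adjust the guest's TSC
 * so that this measurement comes out low. */
int cpuid_looks_intercepted(uint64_t median_cycles, uint64_t threshold)
{
    return median_cycles > threshold;
}

int main(void)
{
    uint64_t med = measure_cpuid_cycles();
    if (med == 0) {
        puts("not x86: CPUID timing not applicable");
        return 0;
    }
    printf("median CPUID cost: %llu cycles -> %s\n",
           (unsigned long long)med,
           cpuid_looks_intercepted(med, DEFAULT_THRESHOLD_CYCLES)
               ? "likely intercepted (hypervisor?)" : "looks native");
    return 0;
}
```

Run it on bare metal and inside a KVM guest and compare the medians; the gap is the VM-exit overhead the post is about. Note that the measurement relies on RDTSC itself not being intercepted or offset, which is exactly what the KVM patching described in the next post manipulates.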

Read more →

KVM Rapid Iteration

Rebuilding the full Linux kernel every time KVM is modified to patch the RDTSC timings around VM exits is a tedious process. Thankfully, the Linux kernel is modular and can be built in pieces and upgraded incrementally.

This can be accomplished relatively safely by following the rough steps outlined below:

  1. Fully build the kernel once, and boot into this built kernel.

  2. Compile only KVM as a module.

  3. Kill all running VMs.

Read more →