Linux 7.1 KVM Adds "Very Experimental" Support For pKVM Protected Guests

The introduction of pKVM protected‑guest support on ARM marks a pivotal step toward true hardware isolation in Linux virtualization. By unmapping guest pages from the host and re‑sharing them via dedicated hypercalls, the feature reduces the attack surface for multi‑tenant cloud and edge environments. Although still labeled "very experimental" and requiring a kernel taint, it lays groundwork for future compliance‑driven workloads that demand strict separation between host and guest memory.

Beyond ARM, Linux 7.1 expands KVM’s cross‑platform capabilities. The s390 addition of ESA 31‑bit guest support inside nested hypervisors enables mainframe customers to run legacy workloads alongside modern containers, preserving investment in existing software stacks. On x86, the ability to advertise AVX‑512 Bit Matrix Multiply (BMM) instructions aligns KVM with AMD’s Zen 6 roadmap, promising substantial performance gains for AI and scientific computing tasks that rely on matrix operations. Minor tweaks to AMD SEV‑SNP and broader hardening measures further reinforce the security posture of the virtualization stack.

Collectively, these updates reinforce Linux’s position as the premier open‑source hypervisor for diverse data‑center architectures. Enterprises evaluating cloud‑native strategies can now consider Linux KVM for a broader set of workloads, from secure ARM edge nodes to high‑throughput AI inference on x86. As the ecosystem continues to converge on unified security standards, the experimental features in Linux 7.1 are likely to mature quickly, shaping the next generation of isolated, high‑performance virtual environments.