 Hello everyone, my name is Andrea and I'm one of the RASVMM maintainers. Today I will be talking about RASVMM and what we've been doing in 2020 giving you an overview of what's in the past, in the present, and also what we are looking at in the future. So, for those of you who don't know RASVMM, I will just quickly go through what RASVMM is. RASVMM, it's an open source project that provides virtualization components that are written in Rust. So these components correspond to Rust packages which are also called crates. You can find more details about it in the GitHub page in RASVMM community. RASVMM has been used in production since 2019, and it was mostly used by VMMs, virtual machine monitors. So, as examples, we have Firecracker, Cloud Hypervisor, Alibaba Cloud Sandbox, and also Enix. An interesting shift that we've seen in 2020 is that besides VMMs, there are other applications that are using RASVMM in production, such as Lipkey Run and Dragonfly container image service. Now, before I can actually talk about what is the state of RASVMM now, let me just quickly go over how we are defining several stages of these components in RASVMM. So, first of all, we have the empty crates, so empty components. These are the components that we agreed to have as part of RASVMM, and it all started from one idea that was submitted as a GitHub issue into the RASVMM community repository. In this GitHub issue, people are supposed to talk about the component and pretty much describing why is this component useful for the project and a short design overview. After the empty crate is created, we start the design discussions and we do not expect things to be perfect while the crate is in development. So, people actually can submit incomplete components that they are not feature complete or maybe don't have the full documentation or test just to get things started. So, we do have requirements for in terms of quality and documentation is before we are publishing these components on Crates.io. So, in order to publish a component to Crates.io from RASVMM, we are expecting to see a few things. So, the most important thing is that we want all the crates to have the same quality bar. So, all of the crates need to be tested using the RASVMM CI. So, in terms of testing, we are expecting a line coverage of between 80 and 90%, at least this is what we've been having in the past in the case that we already published. In terms of documentation, one thing that is important and maybe special about the RASVMM project is that RASVMM is not providing an application, it's just providing essentially virtualization libraries. So, you will need to write the documentation for the public interface as well as high level design overview. Once all of these things are done, we are publishing the crate on Crates.io and we are declaring it essentially production already. So, now we can look at the component status from this point of view. So, last year at KVM Forum I presented this slide and I talked a bit of what are the components that we published already and what are the components that are in development. For the published ones, there were mostly bindings so that these auto-generated code and things have changed a bit since last year. First of all, we have crates that have been moving from empty crates to actually being crates in development. One of them is V-host where the effort was mostly done by people from IBM, Intel and Alibaba. And then we also had crates that became stale and we had a few PRs there open but nothing really happened and we have to go and go back and figure out what is with this component and how we can make it useful in the future. Then we also published a few components so we published the Linux loader and VM memory so essentially these components are now ready to be used in production. In terms of new development, we started working on a few new crates. One of them is V-host user backend which again this main effort is coming from IBM and Intel Alibaba. And also VFIO iOctos which is the same group of people that are developing these components. The interesting thing is the VMM reference, we've been talking about it quite a lot and now it's finally in development. The VMM reference implementation has two purposes. So one of them is to be able to test the integration of RASVMM components directly in RASVMM so as part of RASVMM instead of the products that are using RASVMM. And the second purpose is to give people an overview or an example of how to glue together these RASVMM components. In 2020 we've also looked at adding event manager, the event manager which is providing abstractions for event-based applications and also the SuperIo which is actually the first crate that we have that provides emulation. So this is the first crate published on Crate.io with emulation. So even though it's just legacy devices, we're pretty excited that we have the first code there. We also invested some time in security and testing. One of the things that we looked at is adding performance test because previously we were only doing integration test and unit test. So for the performance test we added a pipeline for running the test and also we added benchmarks in a few repositories. Now there is a catch because some of these benchmarks are actually taking a really long time to run. So for some of them we can run them as part of the continuous integration and on each pull request, like for example the event manager. But for others it actually takes quite a lot of time to run them, like for example via memory where the benchmarks take more than one hour. So for the via memory use case we need to find some infrastructure and set up the infrastructure essentially to be able to do nightly runs and report the results somehow. We also started investing more in the security aspect. So the first thing that we did was to essentially do a code audit for the code that is already published on Crate.io. And we were looking mostly at things like what is the input, what is the output, who is, what are the trusted actors and what are the untrusted actors. And based on this we will also work on a threat model, which is expected to come in the following weeks. In the code audit we were actually able to find a few security vulnerabilities. So they're both fixed and new versions are released. One of them is in via memory, and the vulnerability might lead to a null of service. So essentially the bug in the memory was that reads and writes were not atomic when we were expecting them to be. In VMs where I owe the bug was in the serial console emulation, and it could again lead to a denial of service, because we were allowing unbounded memory to be allocated for this one. Now the embargo just ended so we have a CD ID allocation in progress. And but if you want to know more about the details, you can also see this on the on a public GitHub issue. In the community, we were trying to see how is the resume community doing. For this we use the GitHub API is because it was the most accessible thing. And unfortunately, GitHub only does code contributions, and from like the the general assumption is that contributions code contributions are not all contributions but also looking at issues and discussions because we had people finding bugs in resume and and participating at discussions and this should count as contributions as well but we, we didn't manage to capture them in any way. But looking at the graph on the right side, we captured all the resume components and it looks like the contributions pretty much stay the same throughout the year. So we have a few spikes where that correspond to the time when we added new components to RASVMM. For contributing, we also worked on making it easier to start contributing on RASVMM so we started adding the good first issue label. And actually, if you click on that link it will take you to the GitHub page with all the issues in RASVMM that are good first issues. And we also added the label help wanted for people that want to contribute and maybe it's not their first request. And then, if these two searches are still not good enough and you don't find something that is interesting. There is also a search for issues that do not have an owner, and you can search through those to see issues that are not actively worked on. So encouraging people to start contributing and to ask us any question on RASVMM channel, the SEC channel, and also using our email address. In terms of future investments, we are currently in a process of gathering feedback. We want to understand if there are areas of improvement that we should be looking at. We are basically asking contributors to RASVMM but also consumers of RASVMM to provide feedback. So if you have any feedback on these areas you can either send me an email or just reach to us on Slack that would be really, really helpful. We're also working on establishing a process for reporting security vulnerabilities. In terms of utilization components, we are mostly working now on the host user backend. For VertiO we are starting with VertiO over MMIO and again in the following weeks we are expecting to see a few PRs here related to block network and if time allows also VSOC. We are also working on VCO abstractions, PCI, VFIO, and on the security side of things fuzzing for emulation code. That was all I had. Thank you and please reach out to me if you have any questions.