SlimVM is a Linux kernel module specifically designed for gVisor to provide hardware virtualization capabilities using Intel VT-x (VMX).
SlimVM is implemented based on DUNE.
Accelerate gVisor guest kernel sentry's system calls to the host kernel.
In a traditional gVisor + KVM setup, every guest syscall triggers a full VM exit, returns to the userspace sentry process, which then re-enters the kernel via a regular syscall — multiple expensive context switches on every operation:
gr0 (guest ring 0) -> hr0 (host ring 0, vm_exit)
-> hr3 (host ring 3, ioctl return)
-> hr0 (re-invoke syscall)
SlimVM eliminates this overhead. When the guest executes a VMCALL, the VM exits
into VMX root mode where SlimVM directly invokes the host kernel's syscall handler,
then immediately resumes the guest — no userspace round-trip:
gr0 (guest ring 0) -> hr0 (vmcall + direct function call)
This eliminates expensive context switches between user space and kernel space.
- Hardware Virtualization: Leverages Intel VT-x (VMX) and EPT (Extended Page Tables)
- System Call Interception: Intercepts and handles syscalls via
vmcallinstructions - Memory Isolation: Uses EPT for guest physical to host physical address translation
- Seccomp Integration: Supports seccomp-BPF filters for syscall filtering
- Multi-Version Support: Supports Linux kernels 5.10.y, 5.15.y, and 6.1.y
| Architecture | Status |
|---|---|
| x86_64 (Intel) | Supported |
| AMD | Planned |
| ARM | Planned |
Notice: SlimVM conflicts with the kvm module because both require exclusive
access to Intel VT-x hardware. You must remove kvm before using SlimVM:
sudo rmmod kvm_intel kvmMake sure the following dependencies are installed:
- Linux kernel headers for your target version (5.10.y, 5.15.y, or 6.1.y)
- GCC and standard build tools
- Root access for module installation
On Debian/Ubuntu:
sudo apt-get install build-essential linux-headers-$(uname -r)On RHEL/CentOS:
sudo yum install gcc kernel-devel-$(uname -r)Build for the current running kernel:
makeBuild for a specific kernel version (when headers are installed):
make BUILD_KERNEL=6.1.0Build using kernel source tree (for cross-compilation or custom kernels):
# Make sure the kernel source is prepared:
# cd /path/to/linux-6.1.y && make modules_prepare
make KSRC=/path/to/linux-6.1.y BUILD_KERNEL=6.1.yBuild with debug logging enabled (activates pr_debug output in dmesg):
make DEBUG=ysudo make installsudo insmod slimvm.ko
# or
sudo modprobe slimvmCheck if loaded successfully:
lsmod | grep slimvm
dmesg | tail -20sudo rmmod slimvmmake cleanSlimVM exposes runtime information via sysctl and procfs:
| Interface | Mode | Description |
|---|---|---|
/proc/sys/slimvm/slimvm_vcpu_num |
read-only | Total vCPU count across all instances |
/proc/sys/slimvm/slimvm_vm_num |
read-only | Total VM instance count |
/proc/sys/slimvm/slimvm_debug_enable |
read-write | Toggle runtime debug logging |
/proc/slimvm/vm_mem_stat |
read-only | Per-instance EPT memory statistics |
Example:
# Check number of active instances
cat /proc/sys/slimvm/slimvm_vm_num
# Enable runtime debug logging
echo 1 | sudo tee /proc/sys/slimvm/slimvm_debug_enable
# View per-instance EPT statistics (SID, 4K pages, 2M pages, invalidation stats)
cat /proc/slimvm/vm_mem_statsudo make uninstallIf you use SlimVM in your research, please cite our EuroSys 2026 paper:
@inproceedings{10.1145/3767295.3769332,
author = {Chai, Xiaohu and Hu, Keyang and Tan, Jianfeng and Bie, Tiwei and Tan, Guotao and Zhou, Tianyu and Shen, Anqi and Yang, Xinyao and Chen, Xin and Wang, Xu and Yu, Feng and He, Zhengyu and Du, Dong and Xia, Yubin and Chen, Kang and Chen, Yu},
title = {{SKernel}: An Elastic and Efficient Secure Container System at Scale with a Split-Kernel Architecture},
booktitle = {Proceedings of the European Conference on Computer Systems (EuroSys '26)},
year = {2026},
location = {Edinburgh, Scotland, UK},
numpages = {19},
publisher = {ACM},
address = {New York, NY, USA},
doi = {10.1145/3767295.3769332},
url = {https://doi.org/10.1145/3767295.3769332},
note = {April 27--30, 2026}
}Licensed under GPLv2, with some files dual-licensed as GPL-2.0 OR MIT (derived from DUNE). See LICENSE for details.