€•ÜKŒsphinx.addnodes”Œdocument”“”)”}”(Œ rawsource”Œ”Œchildren”]”(Œ translations”Œ LanguagesNode”“”)”}”(hhh]”(hŒ pending_xref”“”)”}”(hhh]”Œdocutils.nodes”ŒText”“”ŒChinese (Simplified)”…””}”Œparent”hsbaŒ attributes”}”(Œids”]”Œclasses”]”Œnames”]”Œdupnames”]”Œbackrefs”]”Œ refdomain”Œstd”Œreftype”Œdoc”Œ reftarget”Œ%/translations/zh_CN/virt/kvm/arm/pkvm”Œmodname”NŒ classname”NŒ refexplicit”ˆuŒtagname”hhh ubh)”}”(hhh]”hŒChinese (Traditional)”…””}”hh2sbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ%/translations/zh_TW/virt/kvm/arm/pkvm”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒItalian”…””}”hhFsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ%/translations/it_IT/virt/kvm/arm/pkvm”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒJapanese”…””}”hhZsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ%/translations/ja_JP/virt/kvm/arm/pkvm”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒKorean”…””}”hhnsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ%/translations/ko_KR/virt/kvm/arm/pkvm”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒPortuguese (Brazilian)”…””}”hh‚sbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ%/translations/pt_BR/virt/kvm/arm/pkvm”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒSpanish”…””}”hh–sbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ%/translations/sp_SP/virt/kvm/arm/pkvm”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubeh}”(h]”h ]”h"]”h$]”h&]”Œcurrent_language”ŒEnglish”uh1h hhŒ _document”hŒsource”NŒline”NubhŒcomment”“”)”}”(hŒ SPDX-License-Identifier: GPL-2.0”h]”hŒ SPDX-License-Identifier: GPL-2.0”…””}”hh·sbah}”(h]”h ]”h"]”h$]”h&]”Œ xml:space”Œpreserve”uh1hµhhh²hh³Œ?/var/lib/git/docbuild/linux/Documentation/virt/kvm/arm/pkvm.rst”h´KubhŒsection”“”)”}”(hhh]”(hŒtitle”“”)”}”(hŒProtected KVM (pKVM)”h]”hŒProtected KVM (pKVM)”…””}”(hhÏh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhhÊh²hh³hÇh´KubhŒ paragraph”“”)”}”(hŒã**NOTE**: pKVM is currently an experimental, development feature and subject to breaking changes as new isolation features are implemented. Please reach out to the developers at kvmarm@lists.linux.dev if you have any questions.”h]”(hŒstrong”“”)”}”(hŒ**NOTE**”h]”hŒNOTE”…””}”(hhåh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhhßubhŒª: pKVM is currently an experimental, development feature and subject to breaking changes as new isolation features are implemented. Please reach out to the developers at ”…””}”(hhßh²hh³Nh´NubhŒ reference”“”)”}”(hŒkvmarm@lists.linux.dev”h]”hŒkvmarm@lists.linux.dev”…””}”(hhùh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”Œrefuri”Œmailto:kvmarm@lists.linux.dev”uh1h÷hhßubhŒ if you have any questions.”…””}”(hhßh²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KhhÊh²hubhÉ)”}”(hhh]”(hÎ)”}”(hŒOverview”h]”hŒOverview”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhjh²hh³hÇh´K ubhÞ)”}”(hXBooting a host kernel with '``kvm-arm.mode=protected``' enables "Protected KVM" (pKVM). During boot, pKVM installs a stage-2 identity map page-table for the host and uses it to isolate the hypervisor running at EL2 from the rest of the host running at EL1/0.”h]”(hŒBooting a host kernel with ‘”…””}”(hj$h²hh³Nh´NubhŒliteral”“”)”}”(hŒ``kvm-arm.mode=protected``”h]”hŒkvm-arm.mode=protected”…””}”(hj.h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j,hj$ubhŒÒ’ enables “Protected KVM†(pKVM). During boot, pKVM installs a stage-2 identity map page-table for the host and uses it to isolate the hypervisor running at EL2 from the rest of the host running at EL1/0.”…””}”(hj$h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´Khjh²hubhÞ)”}”(hX pKVM permits creation of protected virtual machines (pVMs) by passing the ``KVM_VM_TYPE_ARM_PROTECTED`` machine type identifier to the ``KVM_CREATE_VM`` ioctl(). The hypervisor isolates pVMs from the host by unmapping pages from the stage-2 identity map as they are accessed by a pVM. Hypercalls are provided for a pVM to share specific regions of its IPA space back with the host, allowing for communication with the VMM. A Linux guest must be configured with ``CONFIG_ARM_PKVM_GUEST=y`` in order to issue these hypercalls.”h]”(hŒJpKVM permits creation of protected virtual machines (pVMs) by passing the ”…””}”(hjFh²hh³Nh´Nubj-)”}”(hŒ``KVM_VM_TYPE_ARM_PROTECTED``”h]”hŒKVM_VM_TYPE_ARM_PROTECTED”…””}”(hjNh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j,hjFubhŒ machine type identifier to the ”…””}”(hjFh²hh³Nh´Nubj-)”}”(hŒ``KVM_CREATE_VM``”h]”hŒ KVM_CREATE_VM”…””}”(hj`h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j,hjFubhX5 ioctl(). The hypervisor isolates pVMs from the host by unmapping pages from the stage-2 identity map as they are accessed by a pVM. Hypercalls are provided for a pVM to share specific regions of its IPA space back with the host, allowing for communication with the VMM. A Linux guest must be configured with ”…””}”(hjFh²hh³Nh´Nubj-)”}”(hŒ``CONFIG_ARM_PKVM_GUEST=y``”h]”hŒCONFIG_ARM_PKVM_GUEST=y”…””}”(hjrh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j,hjFubhŒ$ in order to issue these hypercalls.”…””}”(hjFh²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´Khjh²hubhÞ)”}”(hŒ$See hypercalls.rst for more details.”h]”hŒ$See hypercalls.rst for more details.”…””}”(hjŠh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´Khjh²hubeh}”(h]”Œoverview”ah ]”h"]”Œoverview”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´K ubhÉ)”}”(hhh]”(hÎ)”}”(hŒIsolation mechanisms”h]”hŒIsolation mechanisms”…””}”(hj£h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhj h²hh³hÇh´K ubhÞ)”}”(hŒDpKVM relies on a number of mechanisms to isolate PVMs from the host:”h]”hŒDpKVM relies on a number of mechanisms to isolate PVMs from the host:”…””}”(hj±h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K"hj h²hubhÉ)”}”(hhh]”(hÎ)”}”(hŒCPU memory isolation”h]”hŒCPU memory isolation”…””}”(hjÂh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhj¿h²hh³hÇh´K%ubhÞ)”}”(hŒ9Status: Isolation of anonymous memory and metadata pages.”h]”hŒ9Status: Isolation of anonymous memory and metadata pages.”…””}”(hjÐh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K'hj¿h²hubhÞ)”}”(hŒÞMetadata pages (e.g. page-table pages and '``struct kvm_vcpu``' pages) are donated from the host to the hypervisor during pVM creation and are consequently unmapped from the stage-2 identity map until the pVM is destroyed.”h]”(hŒ-Metadata pages (e.g. page-table pages and ‘”…””}”(hjÞh²hh³Nh´Nubj-)”}”(hŒ``struct kvm_vcpu``”h]”hŒstruct kvm_vcpu”…””}”(hjæh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j,hjÞubhŒ¢â€™ pages) are donated from the host to the hypervisor during pVM creation and are consequently unmapped from the stage-2 identity map until the pVM is destroyed.”…””}”(hjÞh²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K)hj¿h²hubhÞ)”}”(hX„Similarly to regular KVM, pages are lazily mapped into the guest in response to stage-2 page faults handled by the host. However, when running a pVM, these pages are first pinned and then unmapped from the stage-2 identity map as part of the donation procedure. This gives rise to some user-visible differences when compared to non-protected VMs, largely due to the lack of MMU notifiers:”h]”hX„Similarly to regular KVM, pages are lazily mapped into the guest in response to stage-2 page faults handled by the host. However, when running a pVM, these pages are first pinned and then unmapped from the stage-2 identity map as part of the donation procedure. This gives rise to some user-visible differences when compared to non-protected VMs, largely due to the lack of MMU notifiers:”…””}”(hjþh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K.hj¿h²hubhŒ bullet_list”“”)”}”(hhh]”(hŒ list_item”“”)”}”(hŒEMemslots cannot be moved or deleted once the pVM has started running.”h]”hÞ)”}”(hjh]”hŒEMemslots cannot be moved or deleted once the pVM has started running.”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K5hjubah}”(h]”h ]”h"]”h$]”h&]”uh1jhjh²hh³hÇh´Nubj)”}”(hŒ7Read-only memslots and dirty logging are not supported.”h]”hÞ)”}”(hj,h]”hŒ7Read-only memslots and dirty logging are not supported.”…””}”(hj.h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K6hj*ubah}”(h]”h ]”h"]”h$]”h&]”uh1jhjh²hh³hÇh´Nubj)”}”(hŒJWith the exception of swap, file-backed pages cannot be mapped into a pVM.”h]”hÞ)”}”(hŒJWith the exception of swap, file-backed pages cannot be mapped into a pVM.”h]”hŒJWith the exception of swap, file-backed pages cannot be mapped into a pVM.”…””}”(hjEh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K7hjAubah}”(h]”h ]”h"]”h$]”h&]”uh1jhjh²hh³hÇh´Nubj)”}”(hXDonated pages are accounted against ``RLIMIT_MLOCK`` and so the VMM must have a sufficient resource limit or be granted ``CAP_IPC_LOCK``. The lack of a runtime reclaim mechanism means that memory locked for a pVM will remain locked until the pVM is destroyed.”h]”hÞ)”}”(hXDonated pages are accounted against ``RLIMIT_MLOCK`` and so the VMM must have a sufficient resource limit or be granted ``CAP_IPC_LOCK``. The lack of a runtime reclaim mechanism means that memory locked for a pVM will remain locked until the pVM is destroyed.”h]”(hŒ$Donated pages are accounted against ”…””}”(hj]h²hh³Nh´Nubj-)”}”(hŒ``RLIMIT_MLOCK``”h]”hŒ RLIMIT_MLOCK”…””}”(hjeh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j,hj]ubhŒD and so the VMM must have a sufficient resource limit or be granted ”…””}”(hj]h²hh³Nh´Nubj-)”}”(hŒ``CAP_IPC_LOCK``”h]”hŒ CAP_IPC_LOCK”…””}”(hjwh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j,hj]ubhŒ{. The lack of a runtime reclaim mechanism means that memory locked for a pVM will remain locked until the pVM is destroyed.”…””}”(hj]h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K9hjYubah}”(h]”h ]”h"]”h$]”h&]”uh1jhjh²hh³hÇh´Nubj)”}”(hŒ©Changes to the VMM address space (e.g. a ``MAP_FIXED`` mmap() over a mapping associated with a memslot) are not reflected in the guest and may lead to loss of coherency.”h]”hÞ)”}”(hŒ©Changes to the VMM address space (e.g. a ``MAP_FIXED`` mmap() over a mapping associated with a memslot) are not reflected in the guest and may lead to loss of coherency.”h]”(hŒ)Changes to the VMM address space (e.g. a ”…””}”(hj™h²hh³Nh´Nubj-)”}”(hŒ ``MAP_FIXED``”h]”hŒ MAP_FIXED”…””}”(hj¡h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j,hj™ubhŒs mmap() over a mapping associated with a memslot) are not reflected in the guest and may lead to loss of coherency.”…””}”(hj™h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K=hj•ubah}”(h]”h ]”h"]”h$]”h&]”uh1jhjh²hh³hÇh´Nubj)”}”(hŒ\Accessing pVM memory that has not been shared back will result in the delivery of a SIGSEGV.”h]”hÞ)”}”(hŒ\Accessing pVM memory that has not been shared back will result in the delivery of a SIGSEGV.”h]”hŒ\Accessing pVM memory that has not been shared back will result in the delivery of a SIGSEGV.”…””}”(hjÃh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K@hj¿ubah}”(h]”h ]”h"]”h$]”h&]”uh1jhjh²hh³hÇh´Nubj)”}”(hX'If a system call accesses pVM memory that has not been shared back then it will either return ``-EFAULT`` or forcefully reclaim the memory pages. Reclaimed memory is zeroed by the hypervisor and a subsequent attempt to access it in the pVM will return ``-EFAULT`` from the ``VCPU_RUN`` ioctl(). ”h]”hÞ)”}”(hX&If a system call accesses pVM memory that has not been shared back then it will either return ``-EFAULT`` or forcefully reclaim the memory pages. Reclaimed memory is zeroed by the hypervisor and a subsequent attempt to access it in the pVM will return ``-EFAULT`` from the ``VCPU_RUN`` ioctl().”h]”(hŒ^If a system call accesses pVM memory that has not been shared back then it will either return ”…””}”(hjÛh²hh³Nh´Nubj-)”}”(hŒ ``-EFAULT``”h]”hŒ-EFAULT”…””}”(hjãh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j,hjÛubhŒ“ or forcefully reclaim the memory pages. Reclaimed memory is zeroed by the hypervisor and a subsequent attempt to access it in the pVM will return ”…””}”(hjÛh²hh³Nh´Nubj-)”}”(hŒ ``-EFAULT``”h]”hŒ-EFAULT”…””}”(hjõh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j,hjÛubhŒ from the ”…””}”(hjÛh²hh³Nh´Nubj-)”}”(hŒ ``VCPU_RUN``”h]”hŒVCPU_RUN”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j,hjÛubhŒ ioctl().”…””}”(hjÛh²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KBhj×ubah}”(h]”h ]”h"]”h$]”h&]”uh1jhjh²hh³hÇh´Nubeh}”(h]”h ]”h"]”h$]”h&]”Œbullet”Œ*”uh1j h³hÇh´K5hj¿h²hubeh}”(h]”Œcpu-memory-isolation”ah ]”h"]”Œcpu memory isolation”ah$]”h&]”uh1hÈhj h²hh³hÇh´K%ubhÉ)”}”(hhh]”(hÎ)”}”(hŒCPU state isolation”h]”hŒCPU state isolation”…””}”(hj8h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhj5h²hh³hÇh´KIubhÞ)”}”(hŒStatus: **Unimplemented.**”h]”(hŒStatus: ”…””}”(hjFh²hh³Nh´Nubhä)”}”(hŒ**Unimplemented.**”h]”hŒUnimplemented.”…””}”(hjNh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhjFubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KKhj5h²hubeh}”(h]”Œcpu-state-isolation”ah ]”h"]”Œcpu state isolation”ah$]”h&]”uh1hÈhj h²hh³hÇh´KIubhÉ)”}”(hhh]”(hÎ)”}”(hŒDMA isolation using an IOMMU”h]”hŒDMA isolation using an IOMMU”…””}”(hjmh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhjjh²hh³hÇh´KNubhÞ)”}”(hŒStatus: **Unimplemented.**”h]”(hŒStatus: ”…””}”(hj{h²hh³Nh´Nubhä)”}”(hŒ**Unimplemented.**”h]”hŒUnimplemented.”…””}”(hjƒh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhj{ubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KPhjjh²hubeh}”(h]”Œdma-isolation-using-an-iommu”ah ]”h"]”Œdma isolation using an iommu”ah$]”h&]”uh1hÈhj h²hh³hÇh´KNubhÉ)”}”(hhh]”(hÎ)”}”(hŒProxying of Trustzone services”h]”hŒProxying of Trustzone services”…””}”(hj¢h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhjŸh²hh³hÇh´KSubhÞ)”}”(hŒMStatus: FF-A and PSCI calls from the host are proxied by the pKVM hypervisor.”h]”hŒMStatus: FF-A and PSCI calls from the host are proxied by the pKVM hypervisor.”…””}”(hj°h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KUhjŸh²hubhÞ)”}”(hŒ€The FF-A proxy ensures that the host cannot share pVM or hypervisor memory with Trustzone as part of a "confused deputy" attack.”h]”hŒ„The FF-A proxy ensures that the host cannot share pVM or hypervisor memory with Trustzone as part of a “confused deputy†attack.”…””}”(hj¾h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´KXhjŸh²hubhÞ)”}”(hŒtThe PSCI proxy ensures that CPUs always have the stage-2 identity map installed when they are executing in the host.”h]”hŒtThe PSCI proxy ensures that CPUs always have the stage-2 identity map installed when they are executing in the host.”…””}”(hjÌh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´K[hjŸh²hubeh}”(h]”Œproxying-of-trustzone-services”ah ]”h"]”Œproxying of trustzone services”ah$]”h&]”uh1hÈhj h²hh³hÇh´KSubhÉ)”}”(hhh]”(hÎ)”}”(hŒProtected VM firmware (pvmfw)”h]”hŒProtected VM firmware (pvmfw)”…””}”(hjåh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhjâh²hh³hÇh´K_ubhÞ)”}”(hŒStatus: **Unimplemented.**”h]”(hŒStatus: ”…””}”(hjóh²hh³Nh´Nubhä)”}”(hŒ**Unimplemented.**”h]”hŒUnimplemented.”…””}”(hjûh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hãhjóubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´Kahjâh²hubeh}”(h]”Œprotected-vm-firmware-pvmfw”ah ]”h"]”Œprotected vm firmware (pvmfw)”ah$]”h&]”uh1hÈhj h²hh³hÇh´K_ubeh}”(h]”Œisolation-mechanisms”ah ]”h"]”Œisolation mechanisms”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´K ubhÉ)”}”(hhh]”(hÎ)”}”(hŒ Resources”h]”hŒ Resources”…””}”(hj"h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhjh²hh³hÇh´KdubhÞ)”}”(hŒÏQuentin Perret's KVM Forum 2022 talk entitled "Protected KVM on arm64: A technical deep dive" remains a good resource for learning more about pKVM, despite some of the details having changed in the meantime:”h]”hŒÕQuentin Perret’s KVM Forum 2022 talk entitled “Protected KVM on arm64: A technical deep dive†remains a good resource for learning more about pKVM, despite some of the details having changed in the meantime:”…””}”(hj0h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´Kfhjh²hubhÞ)”}”(hŒ+https://www.youtube.com/watch?v=9npebeVFbFw”h]”hø)”}”(hj@h]”hŒ+https://www.youtube.com/watch?v=9npebeVFbFw”…””}”(hjBh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”Œrefuri”j@uh1h÷hj>ubah}”(h]”h ]”h"]”h$]”h&]”uh1hÝh³hÇh´Kjhjh²hubeh}”(h]”Œ resources”ah ]”h"]”Œ resources”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´Kdubeh}”(h]”Œprotected-kvm-pkvm”ah ]”h"]”Œprotected kvm (pkvm)”ah$]”h&]”uh1hÈhhh²hh³hÇh´Kubeh}”(h]”h ]”h"]”h$]”h&]”Œsource”hÇuh1hŒcurrent_source”NŒ current_line”NŒsettings”Œdocutils.frontend”ŒValues”“”)”}”(hÍNŒ generator”NŒ datestamp”NŒ source_link”NŒ source_url”NŒ toc_backlinks”Œentry”Œfootnote_backlinks”KŒ sectnum_xform”KŒstrip_comments”NŒstrip_elements_with_classes”NŒ strip_classes”NŒ report_level”KŒ halt_level”KŒexit_status_level”KŒdebug”NŒwarning_stream”NŒ traceback”ˆŒinput_encoding”Œ utf-8-sig”Œinput_encoding_error_handler”Œstrict”Œoutput_encoding”Œutf-8”Œoutput_encoding_error_handler”j‰Œerror_encoding”Œutf-8”Œerror_encoding_error_handler”Œbackslashreplace”Œ language_code”Œen”Œrecord_dependencies”NŒconfig”NŒ id_prefix”hŒauto_id_prefix”Œid”Œ dump_settings”NŒdump_internals”NŒdump_transforms”NŒdump_pseudo_xml”NŒexpose_internals”NŒstrict_visitor”NŒ_disable_config”NŒ_source”hÇŒ _destination”NŒ _config_files”]”Œ7/var/lib/git/docbuild/linux/Documentation/docutils.conf”aŒfile_insertion_enabled”ˆŒ raw_enabled”KŒline_length_limit”M'Œpep_references”NŒ pep_base_url”Œhttps://peps.python.org/”Œpep_file_url_template”Œpep-%04d”Œrfc_references”NŒ rfc_base_url”Œ&https://datatracker.ietf.org/doc/html/”Œ tab_width”KŒtrim_footnote_reference_space”‰Œsyntax_highlight”Œlong”Œ smart_quotes”ˆŒsmartquotes_locales”]”Œcharacter_level_inline_markup”‰Œdoctitle_xform”‰Œ docinfo_xform”KŒsectsubtitle_xform”‰Œ image_loading”Œlink”Œembed_stylesheet”‰Œcloak_email_addresses”ˆŒsection_self_link”‰Œenv”NubŒreporter”NŒindirect_targets”]”Œsubstitution_defs”}”Œsubstitution_names”}”Œrefnames”}”Œrefids”}”Œnameids”}”(jcj`jjšjjj2j/jgjdjœj™jßjÜjjj[jXuŒ nametypes”}”(jc‰j‰j‰j2‰jg‰jœ‰j߉j‰j[‰uh}”(j`hÊjšjjj j/j¿jdj5j™jjjÜjŸjjâjXjuŒ footnote_refs”}”Œ citation_refs”}”Œ autofootnotes”]”Œautofootnote_refs”]”Œsymbol_footnotes”]”Œsymbol_footnote_refs”]”Œ footnotes”]”Œ citations”]”Œautofootnote_start”KŒsymbol_footnote_start”KŒ id_counter”Œ collections”ŒCounter”“”}”…”R”Œparse_messages”]”Œtransform_messages”]”Œ transformer”NŒ include_log”]”Œ decoration”Nh²hub.