Skip to main content

Overview

Xloud enforces virtual machine security at the hypervisor layer — below the guest OS — through a combination of isolation controls, hardware security features, and network policy enforcement. This agentless model means security policies apply regardless of what runs inside the VM, making it suitable for regulated environments, multi-tenant deployments, and zero-trust architectures.
Prerequisites
  • Xloud Cloud Platform with XAVS or XPCI
  • Administrator or project-member role in Xloud Identity
  • For vTPM: XPCI license with Barbican key management enabled
  • For Secure Boot: UEFI-compatible image with the appropriate properties set

Hypervisor Isolation

Each virtual machine runs in a fully isolated compute process. The hypervisor enforces the following isolation primitives:
ControlDescription
Process isolationEach VM runs as a separate process owned by a dedicated service account
Namespace separationVirtual network and storage namespaces are per-tenant
seccomp filteringRestricts system calls available to the hypervisor process
AppArmor confinementMandatory access control profile limits hypervisor file and network access
Resource limitsCPU pinning and memory hard limits prevent noisy-neighbor interference
Xloud uses dedicated service users for the compute hypervisor process. These accounts have no login shell and no home directory. The AppArmor profile is enforced in complain mode by default and can be switched to enforce mode via the hardening guide.

Security Groups

Security groups provide stateful L3/L4 firewalling for virtual machine network interfaces. Rules are enforced at the hypervisor’s virtual switch layer — traffic that does not match an allow rule is silently dropped before reaching the VM.

Open Security Groups

Navigate to Project → Network → Security Groups in the Xloud Dashboard.

Create a new security group

Click Create Security Group. Provide a name (e.g., web-servers) and an optional description.

Add inbound rules

Click Manage Rules on the new group, then Add Rule:
FieldExample ValueNotes
RuleCustom TCP RuleOr use presets: SSH, HTTP, HTTPS
DirectionIngressInbound to the VM
Port Range443Single port or range (e.g., 8000-8080)
RemoteCIDRRestrict by IP range
CIDR10.0.0.0/8Limit to internal network only
The default security group permits all outbound traffic and blocks all inbound traffic. Always create explicit inbound rules for required ports.

Attach to an instance

Navigate to Project → Compute → Instances, open the instance, and select Edit Security Groups from the Actions menu. Add the new group and remove the default group if not needed.
The security group is listed in the instance details. Test connectivity using nc or curl from an allowed source.

vTPM (Virtual Trusted Platform Module)

Enterprise Virtual TPM provides a hardware-backed cryptographic identity to virtual machines. vTPM state is encrypted using a key stored in Xloud Key Management (Barbican) and is portable across live migrations.

Use Cases

  • Full-disk encryption (BitLocker, LUKS with TPM unsealing)
  • Measured boot and attestation
  • Certificate and secret sealing to the platform

Enable vTPM on an Instance

Create a vTPM-enabled flavor

Navigate to Admin → Compute → Flavors. Create or edit a flavor and set the extra specification:
KeyValue
hw:tpm_modeltpm-crb
hw:tpm_version2.0

Launch instance with vTPM flavor

Launch the instance using the vTPM-enabled flavor. The hypervisor provisions a software TPM process backed by the platform key management service.
Inside the VM, verify TPM presence: ls /dev/tpm0 or tpm2_getcap properties-fixed.

Encrypted Volumes

Block storage volumes can be encrypted using LUKS (Linux Unified Key Setup). Encryption keys are managed by Xloud Key Management and are never stored on the compute node.

Create an encrypted volume type

Navigate to Admin → Volume → Volume Types. Create a new type (e.g., encrypted-ssd) and configure the encryption provider:
FieldValue
Providernova.volume.encryptors.luks.LuksEncryptor
Cipheraes-xts-plain64
Key Size256
Control Locationfront-end

Create an encrypted volume

Navigate to Project → Volumes → Create Volume. Select the encrypted volume type. The system generates and stores the encryption key in Xloud Key Management automatically.
The volume details page shows Encryption as Yes.

Secure Boot (UEFI)

Secure Boot prevents unsigned bootloaders and kernels from loading on virtual machines. It is supported for images that include UEFI firmware.
Enable Secure Boot on an image
openstack image set --property hw_firmware_type=uefi \
  --property hw_machine_type=q35 \
  --property os_secure_boot=required \
  ubuntu-24.04-secure
Verify Secure Boot properties
openstack image show ubuntu-24.04-secure \
  -c properties -f json | python3 -m json.tool
Use os_secure_boot=optional to allow instances to boot with or without Secure Boot. Use required to enforce it — instances will fail to boot if the image does not support UEFI Secure Boot.

Anti-Affinity for Workload Isolation

Server groups with anti-affinity rules ensure that critical workloads are distributed across separate physical hosts, preventing a single hypervisor failure from taking down multiple replicas simultaneously.
Create anti-affinity server group
openstack server group create \
  --policy anti-affinity \
  production-web-tier
Launch instances in the group
openstack server create \
  --flavor m1.large \
  --image ubuntu-24.04 \
  --network private-net \
  --hint group=<server-group-id> \
  web-node-01
Anti-affinity placement may fail if there are insufficient compute hosts. Xloud returns a scheduling error rather than placing instances on the same host when the policy cannot be satisfied.

Live Migration Security

Live migrations transmit VM memory state across the network. Xloud encrypts migration streams using TLS to prevent eavesdropping on in-transit memory contents.
/etc/xavs/globals.d/_60_migration_security.yml
nova_live_migration_tunnelled: "yes"
nova_console_allowed_origins: "https://<dashboard-hostname>"
When nova_live_migration_tunnelled is enabled, migration traffic is routed through the compute service’s encrypted channel rather than directly between hypervisors. This adds a small latency overhead but ensures the migration stream is protected end-to-end.

Next Steps

Network Security

Security groups, FWaaS micro-segmentation, and VLAN/VXLAN isolation

Data Security

Volume encryption, key management, and encrypted backups

Hardening Guide

AppArmor enforcement, SSH hardening, and hypervisor node hardening

Security Groups (Compute)

Detailed security group management for compute instances