NOVA microhypervisor brings AMD DMA isolation to shared AI infrastructure

BlueRock has issued the latest open-source release of its NOVA Microhypervisor with DMA remapping support for AMD platforms that have IOMMU hardware virtualization. The capability is enabled by default and extends hardware-level isolation across virtual machines, devices, and memory in shared execution environments.


Background on NOVA

NOVA combines microkernel and hypervisor functions in a small trusted computing base. It uses a capability-based authorization model and provides mechanisms for virtualization, spatial and temporal separation, scheduling, communication, and platform resource management. Multiple unmodified guest operating systems can run concurrently on machines with hardware virtualization features.

The codebase is written almost entirely in C++, with roughly 3.7% assembly, and supports ARMv8-A (aarch64) and x86_64 processors, including Intel VT-x with VMX and EPT, and AMD-V with SVM and NPT. The aarch64 builds target boards from Allwinner, Amlogic, Broadcom, HiSilicon, NVIDIA, NXP, Qualcomm, Renesas, Rockchip, Texas Instruments, and Xilinx.

New DMA protections on AMD

The AMD IOMMU integration is a core enforcement mechanism within the platform. NOVA can prevent hardware devices assigned to one virtual machine from accessing the memory of neighboring workloads, enforce memory access controls at per-device and per-memory-page granularity, abort unauthorized memory transactions in the IOMMU before they reach memory, and optionally record DMA remapping faults for diagnostic analysis. The feature is on by default in NOVA, but it can only take effect where the platform actually exposes an IOMMU and firmware has left it enabled; on a platform without one, DMA from an assigned device is unrestricted regardless of hypervisor configuration.

“While many security bugs are exploited from the CPU, there is an equally large attack surface on the chipset side that can be exploited from a faulty device driver. Without IOMMU protections, a compromised device driver can DMA-read arbitrary regions of memory compromising confidentiality or DMA-write arbitrary regions of memory compromising integrity. Device drivers make up a significant portion of every operating system and are usually the lowest-quality software parts,” Harold Byun, CEO of BlueRock, told Help Net Security.

Scale and predictability for AI workloads

NOVA supports virtual machines with up to 256 TB of physical memory and 128 PB of virtual address space per workload. According to Byun, “Maintaining such large address spaces requires deep 5-level radix trees for the page tables. NOVA can maintain its page tables completely lockless; there are no locking primitives that would limit the scalability of concurrent updates to disjoint memory regions.”
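To make the two mechanisms above concrete, the per-device I/O page tables behind the DMA remapping section and the lock-free, five-level radix tree behind Byun's scalability remark, here is a small model of both. It is an added illustration, not NOVA's or AMD's code: the entry layout, the 4 KiB page size, 512-entry tables, the flag bits, the domain/fault structures and the NIC/GPU scenario are all assumptions chosen for the example. Each assigned device gets its own radix tree; missing intermediate tables are installed with a compare-and-swap rather than under a lock, so concurrent mappings of disjoint regions never serialize; and a DMA request that hits no translation or the wrong permission is aborted and logged instead of reaching memory.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed geometry (not NOVA's real layout): 4 KiB pages, 512 entries per
 * table, five levels: 9*5 + 12 = 57 address bits, i.e. 128 PiB per domain. */
#define PAGE_SHIFT  12
#define PAGE_MASK   ((uintptr_t)(1u << PAGE_SHIFT) - 1)
#define ENTRIES     512
#define LEVELS      5
#define PTE_PRESENT 1u   /* low bits of an entry are flags, the rest an address */
#define PTE_READ    2u
#define PTE_WRITE   4u
#define FAULT_LOG   8

typedef struct { _Atomic(uintptr_t) slot[ENTRIES]; } table_t;
typedef struct { uint64_t dva; unsigned access; const char *why; } fault_t;

/* One protection domain per assigned device, with its own I/O page-table root
 * and an optional fault log (assumed structure, for illustration). */
typedef struct {
    const char *dev;
    table_t *root;
    unsigned faults;
    fault_t log[FAULT_LOG];
} domain_t;

static table_t *new_table(void) { return calloc(1, sizeof(table_t)); } /* all non-present */

static domain_t domain_new(const char *dev) {
    domain_t d = { .dev = dev, .root = new_table() };
    return d;
}

static unsigned idx(uint64_t dva, int level) {
    return (unsigned)((dva >> (PAGE_SHIFT + 9 * level)) & (ENTRIES - 1));
}

/* Lockless descent: publish a fresh table with compare-and-swap; if another
 * CPU published one first, discard ours and continue into theirs. */
static table_t *next_level(table_t *t, uint64_t dva, int level) {
    _Atomic(uintptr_t) *slot = &t->slot[idx(dva, level)];
    uintptr_t cur = atomic_load(slot);
    if (!(cur & PTE_PRESENT)) {
        table_t *fresh = new_table();
        uintptr_t want = (uintptr_t)fresh | PTE_PRESENT;
        if (atomic_compare_exchange_strong(slot, &cur, want))
            return fresh;
        free(fresh);                     /* lost the race; cur now holds the winner */
    }
    return (table_t *)(cur & ~(uintptr_t)PTE_PRESENT);
}

/* Grant one device access to one physical page at device-virtual address dva. */
static void domain_map(domain_t *d, uint64_t dva, uint64_t pa, unsigned perms) {
    table_t *t = d->root;
    for (int lvl = LEVELS - 1; lvl > 0; lvl--)
        t = next_level(t, dva, lvl);
    atomic_store(&t->slot[idx(dva, 0)], (uintptr_t)(pa & ~PAGE_MASK) | perms | PTE_PRESENT);
}

static int iommu_fault(domain_t *d, uint64_t dva, unsigned access, const char *why) {
    if (d->faults < FAULT_LOG)
        d->log[d->faults] = (fault_t){ dva, access, why };
    d->faults++;
    return -1;                           /* transaction aborted; memory untouched */
}

/* Translate a DMA request: 0 and the physical address on success, -1 on fault. */
static int iommu_translate(domain_t *d, uint64_t dva, unsigned access, uint64_t *pa) {
    if (dva >> (PAGE_SHIFT + 9 * LEVELS))
        return iommu_fault(d, dva, access, "beyond 57-bit space");
    table_t *t = d->root;
    for (int lvl = LEVELS - 1; lvl > 0; lvl--) {
        uintptr_t e = atomic_load(&t->slot[idx(dva, lvl)]);
        if (!(e & PTE_PRESENT))
            return iommu_fault(d, dva, access, "no translation");
        t = (table_t *)(e & ~(uintptr_t)PTE_PRESENT);
    }
    uintptr_t leaf = atomic_load(&t->slot[idx(dva, 0)]);
    if (!(leaf & PTE_PRESENT))
        return iommu_fault(d, dva, access, "no translation");
    if ((leaf & access) != access)
        return iommu_fault(d, dva, access, "permission denied");
    *pa = (uint64_t)(leaf & ~PAGE_MASK) | (dva & PAGE_MASK);
    return 0;
}

uint64_t address_space_bytes(void) { return (uint64_t)1 << (PAGE_SHIFT + 9 * LEVELS); }

/* Constructed scenario: a NIC assigned to VM A, a GPU assigned to VM B.
 * Returns the NIC domain's fault count (2) if every permitted access
 * translated correctly, or -1 otherwise. */
int scenario(void) {
    domain_t nic = domain_new("nic/VM-A"), gpu = domain_new("gpu/VM-B");
    uint64_t pa = 0;
    domain_map(&nic, 0x1000, 0x100000, PTE_READ | PTE_WRITE); /* VM A rx buffer  */
    domain_map(&nic, 0x2000, 0x101000, PTE_READ);             /* VM A ring, RO   */
    domain_map(&nic, 1ULL << 56, 0x102000, PTE_READ);         /* top-level index */
    domain_map(&gpu, 0x1000, 0x200000, PTE_READ | PTE_WRITE); /* VM B, GPU only  */
    if (iommu_translate(&nic, 0x1234, PTE_WRITE, &pa) != 0 || pa != 0x100234) return -1;
    if (iommu_translate(&nic, 1ULL << 56, PTE_READ, &pa) != 0 || pa != 0x102000) return -1;
    if (iommu_translate(&gpu, 0x1000, PTE_READ, &pa) != 0 || pa != 0x200000) return -1;
    iommu_translate(&nic, 0x2000, PTE_WRITE, &pa);   /* write to RO page: fault  */
    iommu_translate(&nic, 0x3000, PTE_READ, &pa);    /* nothing mapped: fault     */
    /* VM B's page 0x200000 is absent from the NIC's tree, so no NIC address reaches it. */
    for (unsigned i = 0; i < nic.faults && i < FAULT_LOG; i++)
        printf("[%s] DMA fault dva=%#llx access=%u: %s\n", nic.dev,
               (unsigned long long)nic.log[i].dva, nic.log[i].access, nic.log[i].why);
    return (int)nic.faults;
}

int main(void) { return scenario() == 2 ? 0 : 1; }
```

The isolation property is structural: VM B's memory is never reachable from the NIC's domain because no entry in the NIC's tree points at it, so a compromised driver in VM A cannot target it no matter which device-virtual address it emits. The compare-and-swap in `next_level` is what makes the tree lockless: two CPUs mapping different regions either touch different slots or race on one slot, and the loser simply adopts the winner's table.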

On execution predictability across AI workloads, Byun said Protection Domains can be confined to configurable sets of cores, so the configuration effectively functions as a CPU allocation. NOVA can operate alongside a virtual machine manager to coordinate those allocations based on performance requirements. CPU caches can also be partitioned among quality-of-service classes for additional optimization and prioritization.

Other hardware features

On x86 platforms, NOVA can be built with optional Control-Flow Enforcement Technology support, including Indirect Branch Tracking and Supervisor Shadow Stacks. The default build omits control-flow protection due to CPU requirements and runtime overhead. On TXT-enabled platforms, NOVA performs a measured launch to establish a Dynamic Root of Trust for Measurement when a matching SINIT Authenticated Code Module is present in TXT memory.

Verification, licensing, and history

Formal specification and proofs for NOVA are maintained on a separate GitLab branch under the BlueRock Security group. The source code is licensed under GPL v2, with copyrights spanning 2009 through 2026 across Technische Universitaet Dresden, Intel, FireEye, and BlueRock Security. The project remains experimental.

Context for AI infrastructure

AI systems are moving from experimental workloads into continuously running production infrastructure, BlueRock said, with rising inference costs and growing operational pressure on operators. The company said future AI infrastructure architectures will require isolation, predictability, reduced trusted complexity, and streamlined execution at scale. The DMA remapping feature enforces protections beneath guest operating systems and aims to preserve isolation if workloads are compromised.

The source code for the NOVA microhypervisor is available for free on GitHub.
