LKRG _is_ compatible with virtualization, both host and guest, and with bleeding-edge kernels

Posted Feb 5, 2026 5:53 UTC (Thu) by solardiz (guest, #35993)
Parent article: Linux Kernel Runtime Guard reaches its 1.0 release

Thank you for writing this story, Daroc! We're seeing a spike of interest in LKRG due to Singularity and your story.

Unfortunately, there are some subtle errors in the story, and one that's not subtle: what it says about presumed LKRG incompatibility with virtualization is wrong. LKRG in default configuration runs on most virtualization hosts just fine. In fact, even the LKRG website is currently hosted in a VM on a host that has LKRG loaded.

I can see how you could have arrived at the wrong conclusion by skimming our documentation. We do mention two related compatibility issues. One is limited to VirtualBox hosts only (not something you'd use on a server, and we give a setting to change if you do need to run LKRG on your VirtualBox host, which then works). The other is limited to a non-default configuration of LKRG. In other words, LKRG in default configuration is fully compatible e.g. with a typical KVM and libvirt setup.

Also there's no issue with "bleeding-edge kernels". While LKRG releases are somewhat infrequent and so their documentation (and my 1.0 release announcement from September) doesn't mention the currently latest kernels, we do test with latest in our Continuous Integration setup, and when necessary update our code to be compatible. For example, currently LKRG git is compatible with up to 6.19-rc kernels inclusive (6.19 isn't officially out yet), and the 1.0 release with up to 6.18.y inclusive (these were not out at the time of our release, but we often get lucky like that).


LKRG _is_ compatible with virtualization, both host and guest, and with bleeding-edge kernels

Posted Feb 5, 2026 12:35 UTC (Thu) by daroc (editor, #160859)

Oh, I see! You're right, I thought that the documented VirtualBox problem extended to other VM setups as well. Do you happen to know what it is about VirtualBox that causes the problem if libvirt doesn't have it?

I'll go poke in corrections to the article.

LKRG _is_ compatible with virtualization, both host and guest, and with bleeding-edge kernels

Posted Feb 5, 2026 18:55 UTC (Thu) by solardiz (guest, #35993)

As I recall, the VirtualBox host kernel module triggered our pCFI, which suggests their code uses some hack resulting in unexpected kernel stack layout. It could also be that their kernel module was built in a way inconsistent with how the kernel was built, resulting in stack frames or/and unwinding data inconsistent with the kernel build's. We did not investigate this for real - our current suggestion is to relax our pCFI if running on a VirtualBox host. Also, this issue hasn't been re-reported for years, so maybe it was specific to a certain combination of kernel and VirtualBox builds (IIRC, it was only reported by the Whonix maintainer, who then included our workaround), or it's gone by now, or this combination is rare and everyone who has it and would have re-reported it reads our documentation first. Our GitHub issue is https://github.com/lkrg-org/lkrg/issues/82 with no comments added since 2022.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds