270 likes | 454 Views
Intel Virtualization Technology. Rich Uhlig Gil Neiger Dion Rodgers Amy L. Santoni Fernando C.M. Martins Andrew V. Anderson Steven M. Bennett Alain Kägi Felix H. Leung Larry Smith. 碩一 朱君平. Outline. Virtualization Usage models and workloads
E N D
Intel VirtualizationTechnology Rich Uhlig Gil Neiger Dion Rodgers Amy L. Santoni Fernando C.M. Martins Andrew V. Anderson Steven M. Bennett Alain Kägi Felix H. Leung Larry Smith 碩一 朱君平 Distributed System
Outline • Virtualization • Usage models and workloads • Challenges to virtualizing Intel architectures • Addressing virtualization challenges in software • VT-x architecture overview • VT-i architecture overview • Solving virtualization challenges with VT-x and VT-i Distributed System
Virtualization • Make it run multiple operating systems. virtual machines (VMs) • VMM is a layer of system software. • Arbitrate accesses to the underlying physical host platform’s resources. VM0 VM1 VMn App0 App0 App1 App1 Appn Appn ... ... Guest OS0 Guest OS1 Guest OSn Guest OSn Virtual Machine Monitor (VMM) Virtual Machine Monitor (VMM) Platform HW Platform HW Memory Memory Processor/CS Processor/CS I/O Devices I/O Devices Distributed System
Virtualizationcapabilities Isolating multiple softwarestacks in their own VMscan improve: security-Intrusions can be confined to the VM. reliability-Software failures in one VM do not affect the other VMs. Distributed System
Virtualization makes it possible to consolidateindividual workloads onto asingle physicalplatform, reducing the total cost. For server and clint can imporvemanageability. Distributed System
By encapsulating a guest’s state within a VM virtualization can decouple the guest from the hardware migrate to a different platform. Distributed System
Virtualization Usage Models • Benefits of virtualization include improved utilization, manageability, and reliability of systems. • Virtualization has a broad range of usages. Distributed System
Challenges to virtualizing Intel architectures • Intel microprocessors provide protection of a 2-bit privilege level. • Ring 0: for most privileged software. Ex: kernel. • Ring 3: for least privileged software. Ex: applications. Most IA software uses only privilege levels 0 and 3. Nonvirtualized system Distributed System
Because a VMM cannot allow a guest OS such control, a guest OS cannot execute at privilege level 0. • IA-based VMMs must use ring deprivileging, a technique that runs all guest software at a privilege level greater than 0. Guests in 64-bitmode can’t use on IA-32 processors. (b) the 0/1/3 model for ring deprivileging (c) the 0/3/3 model for ring deprivileging Distributed System
Ring deprivileging causes numerousvirtualization challenges: • Ring aliasing-Problem when software is run at a privilege level otherthan the level for which it waswritten. • Address-space compression- Challenges of protecting these portions of the virtual-address space and supporting guest accesses. • The VMM could run entirely within the guest’s virtual-addressspace. • The VMM must prevent guest access to those portions of the guest’s virtual-address space that the VMM is using. • Guestattempts to access these portions of the address spacemustgenerate transitions to the VMM, which canemulate support them. Distributed System
Nonfaulting access to privileged state-The IA-32 architectures include instructions that access privileged state and do not fault when executed with insufficient privilege. • Example: Software can execute the instructions that write to these registers (LGDT, LIDT, LLDT, and LTR) only at privilege level 0. Software can execute the instructions that read from these registers(SGDT, SIDT, SLDT, and STR) at any privilege level. If guest OS using the latter instructions could determine that it does not have full control of the CPU. Distributed System
Adverse impacts on guest transitions- • Original, SYSENTER always effects a transition to privilege level 0, and SYSEXIT will fault if executed outside that privilege level. • Executions of SYSENTER by a guest application will cause a transition to the VMM and not to the guest OS. The VMM must thus emulate every guest execution of SYSENTER. • Execution of SYSEXIT by a guest OS will cause a fault to the VMM. Thus, the VMM must emulate every guest execution of SYSEXIT. Distributed System
Interrupt virtualization- • IA-32 architecture provide mechanisms for masking external interrupts, preventing their delivery when the OS is not ready for them. • VMM will likely manage external interrupts and deny guest software the ability to control interrupt masking. • The other challenges when a VMM has a “virtual interrupt” to deliver to a guest. A virtual interrupt should be delivered only when the guest has unmasked interrupts. Distributed System
Ring compression- • Because segment limits do not apply in 64-bit mode, paging must be used in this mode. • Because IA-32 paging does not distinguish privilege levels 0-2, the guest OS must run at privilege level 3. • Thus, the guest OS will run at the same privilege level as guest applications and will not be protected from them. • Access to hidden state-IA-32 does not provide mechanisms for saving and restoring these hidden components of a guest context when changing VMs. Distributed System
Addressing virtualization challenges in software • VMM designers have solutions that modify guest software: • Source guest OS Modifications. • Binary guest OS Modifications. • They offers high performance and does not require making changes to guest applications. • A disadvantage is that it limits the range of supported operating systems. Virtualization of current IA CPUs require complex software workarounds. Distributed System
Intel virtualization technology • VT-x : Intel Virtualization Technology of IA-32. • VT-i : Intel Virtualization Technology of Itanium architecture. • Apps run deprivileged in ring 3. • OS runs deprivileged in ring 0. • VMM runs in new mode with full privilege. VM0 VM1 VMn App0 App1 Appn ... Guest OS0 Guest OS1 Guest OSn Virtual Machine Monitor (VMM) Platform HW Memory Processor/CS I/O Devices Distributed System
VT-x architecture overview • VT-x augments IA-32 with two new forms of CPU operation: • VMX root operation: Fully privileged, runs for VM monitor. • VMX non-root operation: Not fully privileged, runs for guest software . Both forms of operation support all four privilege levels. (d) system using VT-x or VT-i Distributed System
VM Entry and VM Exit • VM Entry • Transition from VMM to guest . • Enters VMX non-root operation. • Loads processor state from guest state of VMCS . • VM Exit • Transition from guest to VMM. • Enters VMX root operation. • Saves guest state in VMCS. • Loads host state from VMCS. VM0 VM1 App0 App1 ... Guest OS0 Guest OS1 VM Exit VM Entry Virtual Machine Monitor (VMM) Platform HW Distributed System Processor/CS I/O Devices Memory
virtual-machine control structure (VMCS) • VMCS manages VM entriesand VM exits and processor behavior in VMX non-rootoperations. • Only one VMCS active per virtual processor at any given time. • The VMCS is divided into two sections: • The guest-state area. • The host-state area. Distributed System
VM 1 VM 2 VM n Ring 3 Ring 3 Ring 3 Ring 0 Ring 0 Ring 0 VMCS 1 VMCS n VMCS 2 Ring 3 Ring 0 Load processor state from the guest-state area. VT-x Operations Save processor state tothe guest-state area and then load processor statefrom the host-state area. VMX Non-root Operation . . . VM Exit VMX Root Operation VMXON VMRESUME VMLAUNCH Distributed System
Principal Causes of VMEXIT • State-based exits allow function virtualization • CPUID, RDMSR, WRMSR, RDPMC, RDTSC, MOV DR • Selective exception and I/O exiting reduce unnecessaryexits • 32-entry exception bitmap, I/O-port access bitmap VT-x includesVM executioncontrol fields thatsupport a varietyof virtualizationstrategies for IA-32. Distributed System
Solving virtualization challenges with VT-x and VT-i • Address-space compression: • With VT-x, every transition between guest softwareand the VMM can change the linear-address space. • Allowing the guest software full use of its own address space. • Ring aliasing and ring compression: • They allow a VMM to run guest software at its intended privilege level. • Problems that a guest OS executes at the same privilege level as guest applications is also solved. Distributed System
Nonfaulting access to privileged state: • A VMM based on VT-x does not require control of the guest privilege level. • VT-x allows guest software running at privilege level 0 to use the instructions LGDT, LIDT, LLDT, LTR, SGDT, SIDT, SLDT, and STR. • Guest transitions : • Guest software cannot use the IA-32 instructions SYSENTER and SYSEXIT if the guest OS runs outside privilege level 0. • With VT-x, a guest OS can run at privilege level 0, allowing use of these instructions. Distributed System
Interrupt virtualization: • VT-x includes an external-interrupt exiting VM execution control. When this control is set to 1, a VMM prevents guest control of interrupt masking. • VT-x also includes an interrupt-window exiting VM-execution control. VMM can set this control when it has a virtual interrupt to deliver to a guest. • Access to hidden state: • VT-x includes in the guest-state area of the VMCS fields corresponding to CPU state. • The processor loads values from these VMCS fields on every VM entry and saves into them on every VM exit. Distributed System