Intel Virtualization

Technology
 Outline
• Virtualization
• Usage models and workloads
• Challenges to virtualizing Intel architectures
• Addressing virtualization challenges in software
• VT-x architecture overview
• VT-i architecture overview
• Solving virtualization challenges with VT-x and
VT-i
 Virtualization
• Make it run multiple operating systems.

VM0 App0 VM1 App1 VMn Appn

...
Guest OS0 Guest OS1 Guest OSn
Guest OSn
virtual machines
Virtual Machine Monitor (VMM)
(VMs)
Platform HW
Processor/C
Memory I/O Devices
S

• VMM is a layer of system software.

• Arbitrate accesses to the underlying physical host platform’s
resources.
 Virtualization capabilities

• Isolating multiple software stacks in their own

VMs can improve:
security－Intrusions can be confined to the VM.
reliability－Software failures in one VM do not affect
the other VMs.
•Virtualization makes it possible to consolidate
individual workloads onto a single physical
platform, reducing the total cost.

•For server and client can improve manageability.

•By encapsulating a guest’s state within a VM
virtualization can decouple the guest from the
hardware migrate to a different platform.
 Virtualization Usage Models
• Benefits of virtualization include improved
utilization, manageability, and reliability of
systems.
• Virtualization has a broad range of usages.
 Challenges to virtualizing Intel
architectures
• Intel microprocessors provide protection of a
2-bit privilege level.
• Ring 0: for most privileged software. Ex: kernel.
• Ring 3: for least privileged software. Ex: applications.

Most IA software uses only

privilege levels 0 and 3.

(a) Nonvirtualized system

• Because a VMM cannot allow a guest OS such control, a
guest OS cannot execute at privilege level 0.

• IA-based VMMs must use ring deprivileging , a technique

that runs all guest software at a privilege level greater
than 0.

Guests in 64-bit mode can’t use on IA-32 processors.

(b) the 0/1/3 model for ring deprivileging (c) the 0/3/3 model for ring deprivileging
• Ring deprivileging causes numerous virtualization
challenges:
• Ring aliasing－ Problem when software is run at a privilege
level other than the level for which it was written.

• Address-space compression－ Challenges of protecting

these portions of the virtual-address space and supporting
guest accesses.
• The VMM could run entirely within the guest’s virtual-address
space.
• The VMM must prevent guest access to those portions of the
guest’s virtual-address space that the VMM is using.
• Guest attempts to access these portions of the address space
must generate transitions to the VMM, which can emulate
support them.
• Nonfaulting access to privileged state－The IA-32
architectures include instructions that access privileged
state and do not fault when executed with insufficient
privilege.

• Example:
Software can execute the instructions that write to these
registers (LGDT, LIDT, LLDT, and LTR) only at privilege level 0.
Software can execute the instructions that read from these
registers(SGDT, SIDT, SLDT, and STR) at any privilege level.

If guest OS using the latter instructions could

determine that it does not have full control of the
CPU.
• Adverse impacts on guest transitions－
• Original, SYSENTER always effects a transition to privilege
level 0, and SYSEXIT will fault if executed outside that
privilege level.

• Executions of SYSENTER by a guest application will cause

a transition to the VMM and not to the guest OS. The VMM
must thus emulate every guest execution of SYSENTER.

• Execution of SYSEXIT by a guest OS will cause a fault to

the VMM. Thus, the VMM must emulate every guest
execution of SYSEXIT.
• Interrupt virtualization－
• IA-32 architecture provide mechanisms for masking
external interrupts, preventing their delivery when the OS is
not ready for them.

• VMM will likely manage external interrupts and deny guest

software the ability to control interrupt masking.

• The other challenges when a VMM has a “virtual interrupt”

to deliver to a guest. A virtual interrupt should be delivered
only when the guest has unmasked interrupts.
• Ring compression－
• Because segment limits do not apply in 64-bit mode,
paging must be used in this mode.

• Because IA-32 paging does not distinguish privilege

levels 0-2, the guest OS must run at privilege level 3.

• Thus, the guest OS will run at the same privilege level as

guest applications and will not be protected from them.

• Access to hidden state－ IA-32 does not provide

mechanisms for saving and restoring these hidden
components of a guest context when changing VMs.
 Addressing virtualization challenges in
software
• VMM designers have solutions that modify guest software:
• Source guest OS Modifications.
• Binary guest OS Modifications.

• They offers high performance and does not require

making changes to guest applications.

• A disadvantage is that it limits the range of supported

operating systems.

Virtualization of current IA CPUs require

complex software workarounds.
 Intel virtualization technology
• VT-x : Intel Virtualization Technology of IA-32.
• VT-i : Intel Virtualization Technology of Itanium
architecture.
• Apps run deprivileged in ring 3.
VM0 VM1 VMn
• OS runs deprivileged in ring 0.
App0 App1 Appn
• VMM runs in new mode with full
... privilege.
Guest OS0 Guest OS1 Guest OSn

Virtual Machine Monitor (VMM)

Platform HW
Processor/C
Memory I/O Devices
S
 VT-x architecture overview
• VT-x augments IA-32 with two new forms of CPU
operation:
• VMX root operation:
Fully privileged, runs for VM monitor.

• VMX non-root operation:

Not fully privileged, runs for guest
software .

Both forms of operation support

all four privilege levels. (d) system using VT-x or VT-i
 Operating Modes

• VMX root operation:

– Fully privileged, intended for VM monitor
• VMX non-root operation:
– Not fully privileged, intended for guest software
– Reduces Guest SW privilege w/o relying on rings
– Solution to Ring Aliasing and Ring Compression
 VM Entry and VM Exit
• VM Entry
• Transition from VMM to guest .
• Enters VMX non-root operation.
• Loads processor state from guest state of VMCS .

• VM Exit
• Transition from guest to VMM.
• Enters VMX root operation.
VM0 VM1
• Saves guest state in VMCS. App0 App1

• Loads host state from VMCS. ...

Guest OS0 Guest OS1

VM Exit VM Entry
Virtual Machine Monitor (VMM)

Platform HW
Processor/C
Memory 19
I/O Devices
S
virtual-machine control structure (VMCS)

• VMCS manages VM entries and VM exits and

processor behavior in VMX non-root operations.

• Only one VMCS active per virtual processor at

any given time.

• The VMCS is divided into two sections:

• The guest-state area.
• The host-state area.
 Load processor state from the guest-state area.

VT-x Operations Save processor state to the guest-state area and

then load processor state from the host-state area.
VM 1 VM 2 VM n
VMX
Ring 3 Ring 3 Ring 3
Non-root ...
Operation Ring 0 Ring 0 Ring 0

VM Exit VMCS VMCS VMCS

1 2 n

VMX Root Ring 3

Operation VMXON
VMRESUME
VMLAUNCH Ring 0
Principal Causes of VMEXIT
• State-based exits allow function virtualization
• CPUID, RDMSR, WRMSR, RDPMC, RDTSC, MOV DR

• Selective exception and I/O exiting reduce

unnecessary exits
• 32-entry exception bitmap, I/O-port access bitmap

VT-x includes VM execution control fields that

support a variety of virtualization strategies for IA-32.
Solving virtualization challenges
with VT-x and VT-i
• Address-space compression:
• With VT-x, every transition between guest software and
the VMM can change the linear-address space.
• Allowing the guest software full use of its own address
space.

• Ring aliasing and ring compression:

• They allow a VMM to run guest software at its intended
privilege level.
• Problems that a guest OS executes at the same
privilege level as guest applications is also solved.
• Nonfaulting access to privileged state:
• A VMM based on VT-x does not require control of the
guest privilege level.
• VT-x allows guest software running at privilege level 0
to use the instructions LGDT, LIDT, LLDT, LTR, SGDT,
SIDT, SLDT, and STR.

• Guest transitions :
• Guest software cannot use the IA-32 instructions
SYSENTER and SYSEXIT if the guest OS runs outside
privilege level 0.
• With VT-x, a guest OS can run at privilege level 0, allowing
use of these instructions.
• Interrupt virtualization:
• VT-x includes an external-interrupt exiting VM
execution control. When this control is set to 1, a
VMM prevents guest control of interrupt masking.

• VT-x also includes an interrupt-window exiting

VM-execution control. VMM can set this control when it
has a virtual interrupt to deliver to a guest.

• Access to hidden state:

• VT-x includes in the guest-state area of the VMCS fields
corresponding to CPU state.
• The processor loads values from these VMCS fields on
every VM entry and saves into them on every VM exit.
 Format of VMCS Region

<----------------------------------4 KB= 4096 bytes---------------------------------------------------------->

<---------------------------------------4088 bytes ---------------------> 4 bytes 4 bytes

VMX VMCS
VMCS data(implementation specific format) –abort- revision
indicator identifier

Distributed System 26
 Format of VMCS Region
• A VMCS comprises of 4 KB contiguous bytes. The
format of VMCS region is:
Byte Contents
Offset
0 VMCS revision identifier(maintains VMCS data in different formats):
-Processors that maintain VMCS data in different formats, use different VMCS
revision identifiers.
- These identifiers enable s/ws to avoid using a VMCS region formatted for one
processor on a processor that uses a different format.
4 VMX abort indicator(writes a non-zero value if abort occurs):
-Contents of these bytes do not control processor operations in any way.
-A logical processor writes a non-zero value into these bytes if a VMX abort
occurs.
-s/ws may also write into this field.
8 VMCS data(Implementation specific format: Controls VMCS non-root
operations + VMX transitions):
- Those parts of the VMCS that control VMX-non-root operation and the VMX
transitions.
Distributed System 27
 Organization of VMCS Data
VMCS is organized into 6 logical groups:
– Guest State Area: Processor state is saved into this
area on VM Exits and loaded from there on VM
entries.
– Host State Area: Processor state is loaded from
the host-state area on VM exits.
– VM Execution control fields: These fields control
processor behavior in VMX non-root mode
operation. They determine in part the causes of
VM exits.

Distributed System 28
Organization of VMCS Data contd..
• VMCS is organized into 6 logical groups….:
– VM Exit control fields: Controls VM exits.
– VM Entry control fields: Controls VM entries.
– VM Exit information fields: These fields receive
information on VM exits and describe the cause
and the nature of VM exits. They are Read-Only.

Distributed System 29
 Ways that a VMM can share resources
between VMs
• VMM applies all 3 sharing methods, as needed, to create illusion
of platform ownership to each guest OS.

• Time Multiplexing:
– VMs are allowed direct access to resource for a period of time before
being context switched to another VM(e.g., CPU resource)
• Resource Partitioning:
– VMMs allocates “ownership” of physical resources to VMs
– Typically involves some remapping and protection mechanisms. e.g.,
• Physical memory
• Disk partitions
• Graphical display
• Mediating h/w interfaces:
– VMM retains direct ownership of physical resource
– VMM hosts device drivers as well as a virtualized device interface
– Virtual interface can be same as or different than physical device
Distributed System 30
 Some VM specific instructions
• Processors with VT have an extra instruction set called VM
Extensions or VMX
• VMX virtualization-specific instructions to the CPU
– VMPTRLD
– VMPTRST
– VMCLEAR
– VMREAD
– VMWRITE
– VMCALL
– VMLAUNCH
– VMRESUME
– VMXOFF
– VMXON
• A VMCS can be manipulated by the instructions:
– VMCLEAR
– VMPTRLD
– VMREAD
– VMWRITE
Distributed System 31