
UNIT 2-VIRTUALIZATION BASICS - 2.4

The document discusses the principles and technologies behind the virtualization of CPU, memory, and I/O devices, highlighting hardware-assisted virtualization methods used in modern processors. It explains the roles of the Virtual Machine Monitor (VMM) and the importance of privileged and unprivileged instructions in ensuring system stability. Additionally, it covers memory and I/O virtualization techniques, including full device emulation, para-virtualization, and direct I/O virtualization, emphasizing their performance implications.

Uploaded by

sivu1990

Virtualization of CPU, Memory, And I/O Devices

• To support virtualization, processors such as the x86 employ a special running mode and instructions,
known as hardware-assisted virtualization.
• In this way, the VMM and guest OS run in different modes and all sensitive instructions of the guest OS and
its applications are trapped in the VMM.
• To save processor states, mode switching is completed by hardware.

Hardware Support for Virtualization


• Modern operating systems and processors permit multiple processes to run simultaneously.
• If there is no protection mechanism in a processor, all instructions from different processes will access the
hardware directly and cause a system crash.
• Therefore, all processors have at least two modes, user mode and supervisor mode, to ensure controlled
access of critical hardware.
• Instructions running in supervisor mode are called privileged instructions. Other instructions are
unprivileged instructions.
• In a virtualized environment, it is more difficult to make OSes and applications run correctly because there
are more layers in the machine stack.
CPU Virtualization
• Unprivileged instructions of VMs run directly on the host machine for higher efficiency.
Other critical instructions should be handled carefully for correctness and stability.
• The critical instructions are divided into three categories: privileged instructions, control-
sensitive instructions, and behavior-sensitive instructions.
• Privileged instructions execute in a privileged mode and will be trapped if executed
outside this mode.
• Control-sensitive instructions attempt to change the configuration of resources used.
Behavior-sensitive instructions have different behaviors depending on the configuration of
resources, including the load and store operations over the virtual memory.
• A CPU architecture is virtualizable if it supports the ability to run the VM’s privileged and
unprivileged instructions in the CPU’s user mode while the VMM runs in supervisor mode.
When the privileged instructions including control- and behavior-sensitive instructions of a
VM are executed, they are trapped in the VMM.
Hardware-Assisted CPU Virtualization
• Intel's virtualization technology is available in two versions: VT-x, for x86 processors;
and VT-i, for Itanium (i.e., IA-64) processors.
• Intel and AMD add an additional privilege mode level (some people call it
Ring -1) to x86 processors. Therefore, operating systems can still run at Ring 0 and the
hypervisor can run at Ring -1. All the privileged and sensitive instructions are trapped in
the hypervisor automatically.
• If there is software such as VMware that enables virtualization, why implement Virtualization
Technology inside the CPU? The advantage is that CPUs with Virtualization Technology have some
new instructions to control virtualization.
• With them, controlling software (called VMM, Virtual Machine Monitor) can be simpler, thus
improving performance compared to software-based solutions.
• When the CPU supports Virtualization Technology, the virtualization is said to be hardware-
based or hardware-assisted.
• Processors with Virtualization Technology have an extra instruction set called Virtual Machine
Extensions or VMX.
• VMX brings 10 new virtualization-specific instructions to the CPU: VMPTRLD, VMPTRST,
VMCLEAR, VMREAD, VMWRITE, VMCALL, VMLAUNCH, VMRESUME, VMXOFF, and
VMXON.
• There are two modes to run under virtualization: VMX root operation and VMX non-root operation.
• Usually, only the virtualization controlling software, called Virtual Machine Monitor (VMM), runs
under root operation, while operating systems running on top of the virtual machines run under non-
root operation. Software running on top of virtual machines is also called “guest software.”
• To enter virtualization mode, the software should execute the VMXON instruction and then call the
VMM software. The VMM software can enter each virtual machine using the VMLAUNCH
instruction, and exit it by using the VMRESUME instruction. If the VMM wants to shut down and
exit the virtualization mode, it executes the VMXOFF instruction.
• More recent processors have an extension called EPT (Extended Page Tables), which allows each guest
to have its own page table to keep track of memory addresses. Without this extension, the VMM has to
exit the virtual machine to perform address translations. This exiting-and-returning task reduces
performance. Therefore, the EPT increases virtualization performance.
• Even though the Intel Virtualization Technology was released in 2005, not all current
processors from Intel support this technology. The easiest way to verify if your CPU
supports this technology is to run the Intel Processor Identification Utility.
• After you download and install this program, run it and go to the “CPU Technologies”
tab. There you will see, next to “Intel (R) Virtualization Technology,” whether your CPU
supports it or not. You can also see whether your CPU supports Extended Page
Tables (EPT), next to “Intel VT-x with Extended Page Tables.”
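The same check can be made on a Linux host by reading the CPU feature flags. The following is an added example, not part of the original slides: it assumes the Linux /proc/cpuinfo format, in which VT-x appears as the vmx flag, AMD's equivalent as svm, and EPT as ept (on newer kernels also under a separate "vmx flags" line). The function name and sample text are constructed for illustration.

```python
# Added example: parse Linux /proc/cpuinfo text for the features discussed above.
# The sample text below is constructed, not captured from a real machine.

def virt_support(cpuinfo_text):
    """Report VT-x / AMD-V / EPT for the first CPU block in /proc/cpuinfo text."""
    flags, vmx_flags = set(), set()
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            if flags:          # blank line: the first processor block is complete
                break
            continue
        key = key.strip()
        if key == "flags":
            flags = set(value.split())
        elif key == "vmx flags":   # newer kernels list VMX sub-features here
            vmx_flags = set(value.split())
    return {
        "vt_x": "vmx" in flags,
        "amd_v": "svm" in flags,
        "ept": "ept" in flags or "ept" in vmx_flags,
    }

SAMPLE_WITH_EPT = (
    "processor\t: 0\n"
    "model name\t: Example CPU @ 2.00GHz\n"
    "flags\t\t: fpu vme de pse msr pae vmx sse2\n"
    "vmx flags\t: vnmi flexpriority ept vpid\n"
    "\n"
    "processor\t: 1\n"
    "flags\t\t: fpu vme de pse msr pae sse2\n"
)
SAMPLE_OLD_KERNEL = "processor\t: 0\nflags\t\t: fpu vme pae vmx ept vpid\n"
SAMPLE_NO_VT = "processor\t: 0\nflags\t\t: fpu vme de pse msr pae sse2\n"

if __name__ == "__main__":
    import pathlib
    path = pathlib.Path("/proc/cpuinfo")
    text = path.read_text() if path.exists() else SAMPLE_WITH_EPT
    print(virt_support(text))
```

Inside a guest VM the flags describe the virtual CPU, so a missing vmx flag there says nothing about the underlying host hardware.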
Memory Virtualization
• Virtual memory virtualization is similar to the virtual memory support provided by modern operating systems.
• In a traditional environment, the OS maintains a page table for mappings of virtual memory to machine memory, which
is a one-stage mapping.
• All modern x86 CPUs include a memory management unit (MMU) and a translation lookaside buffer (TLB) to
optimize virtual memory performance.
• However, in a virtual execution environment, virtual memory virtualization involves sharing the physical system
memory in RAM and dynamically allocating it to the physical memory of the VMs.
• A two-stage mapping process should be maintained by the guest OS and the VMM, respectively: virtual memory to
physical memory and physical memory to machine memory.
• The VMM is responsible for mapping the guest physical memory to the actual machine memory in guest OS.
• Since each page table of the guest OSes has a separate page table in the VMM corresponding to it, the VMM page
table is called the shadow page table.
• VMware uses shadow page tables to perform virtual-memory-to-machine-memory address translation.
• Processors use TLB hardware to map the virtual memory directly to the machine memory to avoid the two levels of
translation on every access.
• When the guest OS changes the virtual memory to a physical memory mapping, the VMM updates the shadow page
tables to enable a direct lookup.
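The two-stage mapping and the shadow page table described above can be modelled in a few lines. This is an added example, not code from the original slides: the class and function names, the single-level tables, and the frame numbers are all constructed, and the ownership check on guest frames is an assumption about how a VMM keeps VMs isolated from each other's memory.

```python
PAGE = 4096

class ToyVMM:
    """Hypothetical model of a VMM that keeps a shadow page table for one VM."""
    def __init__(self, p2m):
        self.p2m = dict(p2m)   # stage 2: guest-physical frame -> machine frame
        self.shadow = {}       # shadow table: guest-virtual page -> machine frame

    def guest_pt_update(self, guest_pt, vpn, gpfn):
        """Called when a guest page-table write traps into the VMM."""
        if gpfn not in self.p2m:
            # Isolation: never shadow a frame that was not given to this VM.
            self.shadow.pop(vpn, None)
            raise PermissionError(f"guest frame {gpfn:#x} not owned by this VM")
        guest_pt[vpn] = gpfn                # stage 1, as the guest OS sees it
        self.shadow[vpn] = self.p2m[gpfn]   # composed mapping for direct lookup

    def translate(self, vaddr):
        """Single lookup through the shadow table (what the MMU/TLB uses)."""
        vpn, offset = divmod(vaddr, PAGE)
        return self.shadow[vpn] * PAGE + offset

def two_stage(guest_pt, p2m, vaddr):
    """Reference result: walk both mappings explicitly."""
    vpn, offset = divmod(vaddr, PAGE)
    return p2m[guest_pt[vpn]] * PAGE + offset

def demo():
    vmm = ToyVMM({0x0: 0x80, 0x1: 0x81, 0x2: 0x95})   # constructed frame numbers
    guest_pt = {}
    vaddr = 0x10 * PAGE + 0x123
    vmm.guest_pt_update(guest_pt, 0x10, 0x1)
    first = vmm.translate(vaddr)
    vmm.guest_pt_update(guest_pt, 0x10, 0x2)          # guest remaps the page
    second = vmm.translate(vaddr)
    try:
        vmm.guest_pt_update(guest_pt, 0x11, 0x7)      # frame the VM does not own
        rejected = False
    except PermissionError:
        rejected = True
    return first, second, rejected, second == two_stage(guest_pt, vmm.p2m, vaddr)

if __name__ == "__main__":
    print([hex(x) if isinstance(x, int) and not isinstance(x, bool) else x
           for x in demo()])
```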
I/O Virtualization
• It involves managing the routing of I/O requests between virtual devices and the shared physical
hardware.
• There are three ways to implement I/O virtualization: full device emulation, para-virtualization,
and direct I/O.
Full device emulation:
• All the functions of a device, such as device enumeration, identification, interrupts, and DMA,
are replicated in software, which is located in the VMM and acts as a virtual device.
• The I/O access requests of the guest OS are trapped in the VMM, which interacts with the I/O
devices.
Para-virtualization
• It is a split driver model consisting of a frontend driver and a backend driver.
• The frontend driver is running in Domain U and the backend driver is running in Domain 0.
• They interact with each other via a block of shared memory.
• The frontend driver manages the I/O requests of the guest OS and the backend driver is responsible
for managing the real I/O devices and multiplexing the I/O data of different VMs.
• Although para-I/O-virtualization achieves better device performance than full device emulation,
it comes with a higher CPU overhead.
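The split driver model above, as an added example that is not part of the original slides: a frontend in Domain U posts block requests into a shared ring, and a backend in Domain 0 multiplexes two VMs onto one disk. All class names, the request tuple layout, and the per-VM disk slices are hypothetical; the bounds check reflects the assumption that the backend must treat anything read from shared memory as guest-controlled.

```python
from collections import deque
# Hypothetical names throughout; the disk contents and VM ids are constructed.
class SharedRing:
    """Stand-in for the block of shared memory between the two driver halves."""
    def __init__(self, slots=4):
        self.slots, self.requests, self.responses = slots, deque(), deque()

class Frontend:
    """Runs in Domain U: turns guest I/O into ring requests."""
    def __init__(self, ring):
        self.ring = ring
    def submit(self, op, sector, data=b""):
        if len(self.ring.requests) >= self.ring.slots:
            return False                      # ring full, caller retries later
        self.ring.requests.append((op, sector, data))
        return True
    def poll(self):
        return self.ring.responses.popleft() if self.ring.responses else None

class Backend:
    """Runs in Domain 0: owns the real disk and multiplexes all VMs onto it."""
    def __init__(self, sectors):
        self.disk, self.vms = [b""] * sectors, {}
    def attach(self, vm_id, ring, base, count):
        self.vms[vm_id] = (ring, base, count)  # this VM's slice of the disk
    def service(self):
        for ring, base, count in self.vms.values():
            while ring.requests:
                op, sector, data = ring.requests.popleft()
                # Ring contents are guest-controlled: validate before use.
                if not isinstance(sector, int) or not 0 <= sector < count:
                    ring.responses.append(("error", b""))
                elif op == "write":
                    self.disk[base + sector] = bytes(data)
                    ring.responses.append(("ok", b""))
                elif op == "read":
                    ring.responses.append(("ok", self.disk[base + sector]))
                else:
                    ring.responses.append(("error", b""))

def demo():
    backend = Backend(sectors=16)
    a, b = Frontend(SharedRing()), Frontend(SharedRing())
    backend.attach("vm-a", a.ring, base=0, count=8)
    backend.attach("vm-b", b.ring, base=8, count=8)
    a.submit("write", 0, b"A-data"); b.submit("write", 0, b"B-data")
    a.submit("read", 0); b.submit("read", 0); a.submit("read", 8)  # 8 is outside vm-a's slice
    backend.service()
    return [a.poll() for _ in range(3)], [b.poll() for _ in range(2)]
```

Both VMs address their own sector 0, and the backend maps each to a different place on the real disk; the request for sector 8 from vm-a is refused rather than being allowed to land in vm-b's slice.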
Direct I/O virtualization
• It lets the VM access devices directly.
• It can achieve close-to-native performance without high CPU costs.
• Another way to help I/O virtualization is via self-virtualized I/O (SV-IO).
• The key idea is to control and make use of the rich resources of a multicore processor.
• All tasks associated with virtualizing an I/O device are encapsulated in SV-IO.
• SV-IO defines one virtual interface (VIF) for every kind of virtualized I/O device, such as
virtual network interfaces, virtual block devices (disk), virtual camera devices, and others.
• The guest OS interacts with the VIFs via VIF device drivers.
• Each VIF consists of two message queues.
• One is for outgoing messages to the devices and the other is for incoming messages from
the devices.
• In addition, each VIF has a unique ID for identifying it in SV-IO.
