The Challenges of X86 Hardware Virtualization. GCC- Virtualization: Rajeev Wankar 36

Similar documents
Virtualization. Pradipta De

Chapter 5 C. Virtual machines

Module 1: Virtualization. Types of Interfaces

Virtual Machines. Part 2: starting 19 years ago. Operating Systems In Depth IX 1 Copyright 2018 Thomas W. Doeppner. All rights reserved.

Spring 2017 :: CSE 506. Introduction to. Virtual Machines. Nima Honarmand

Virtual Machines. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

Operating Systems 4/27/2015

Lecture 5: February 3

CS370 Operating Systems

Lecture 7. Xen and the Art of Virtualization. Paul Braham, Boris Dragovic, Keir Fraser et al. 16 November, Advanced Operating Systems

The Architecture of Virtual Machines Lecture for the Embedded Systems Course CSD, University of Crete (April 29, 2014)

Distributed Systems COMP 212. Lecture 18 Othon Michail

Learning Outcomes. Extended OS. Observations Operating systems provide well defined interfaces. Virtual Machines. Interface Levels

references Virtualization services Topics Virtualization

CHAPTER 16 - VIRTUAL MACHINES

Virtualization. Operating Systems, 2016, Meni Adler, Danny Hendler & Amnon Meisels

COMPUTER ARCHITECTURE. Virtualization and Memory Hierarchy

Virtualization. ! Physical Hardware Processors, memory, chipset, I/O devices, etc. Resources often grossly underutilized

Virtualization. Starting Point: A Physical Machine. What is a Virtual Machine? Virtualization Properties. Types of Virtualization

Virtualization. Dr. Yingwu Zhu

System Virtual Machines

W11 Hyper-V security. Jesper Krogh.

CS-580K/480K Advanced Topics in Cloud Computing. VM Virtualization II


Virtual machine architecture and KVM analysis D 陳彥霖 B 郭宗倫

System Virtual Machines

CSCE 410/611: Virtualization!

CS370 Operating Systems

OS Virtualization. Why Virtualize? Introduction. Virtualization Basics 12/10/2012. Motivation. Types of Virtualization.

CSCI 8530 Advanced Operating Systems. Part 19 Virtualization

Virtualization. Virtualization

Virtualization. ...or how adding another layer of abstraction is changing the world. CIS 399: Unix Skills University of Pennsylvania.

24-vm.txt Mon Nov 21 22:13: Notes on Virtual Machines , Fall 2011 Carnegie Mellon University Randal E. Bryant.

Cloud Computing Virtualization

Virtual Machine Monitors!

Virtualization Introduction

Virtualization (II) SPD Course 17/03/2010 Massimo Coppola

CSCE 410/611: Virtualization

COS 318: Operating Systems. Virtual Machine Monitors

CS370: Operating Systems [Spring 2017] Dept. Of Computer Science, Colorado State University

Virtualization. Michael Tsai 2018/4/16

CLOUD COMPUTING IT0530. G.JEYA BHARATHI Asst.Prof.(O.G) Department of IT SRM University

Virtualization and memory hierarchy

Nested Virtualization and Server Consolidation

Virtual Machines. To do. q VM over time q Implementation methods q Hardware features supporting VM q Next time: Midterm?

LINUX Virtualization. Running other code under LINUX

Concepts. Virtualization

COLORADO, USA; 2 Usov Aleksey Yevgenyevich - Technical Architect, RUSSIAN GOVT INSURANCE, MOSCOW; 3 Kropachev Artemii Vasilyevich Manager,

Operating System Structure

Virtualization. Guillaume Urvoy-Keller UNS/I3S

Virtual Machine Security

CS370: Operating Systems [Spring 2017] Dept. Of Computer Science, Colorado State University

The only open-source type-1 hypervisor

What is KVM? KVM patch. Modern hypervisors must do many things that are already done by OSs Scheduler, Memory management, I/O stacks

CS 470 Spring Virtualization and Cloud Computing. Mike Lam, Professor. Content taken from the following:

Xen and the Art of Virtualization. Nikola Gvozdiev Georgian Mihaila

Advanced Operating Systems (CS 202) Virtualization

Lecture 5. KVM for ARM. Christoffer Dall and Jason Nieh. 5 November, Operating Systems Practical. OSP Lecture 5, KVM for ARM 1/42

CprE Virtualization. Dr. Yong Guan. Department of Electrical and Computer Engineering & Information Assurance Center Iowa State University

Linux and Xen. Andrea Sarro. andrea.sarro(at)quadrics.it. Linux Kernel Hacking Free Course IV Edition

Hypervisor security. Evgeny Yakovlev, DEFCON NN, 2017

CSE543 - Computer and Network Security Module: Virtualization

Overview of System Virtualization: The most powerful platform for program analysis and system security. Zhiqiang Lin

CHAPTER 16 - VIRTUAL MACHINES

Virtualization and Security

Lecture 4: Extensibility (and finishing virtual machines) CSC 469H1F Fall 2006 Angela Demke Brown

A Survey on Virtualization Technologies

Xen and the Art of Virtualization

Originally prepared by Lehigh graduate Greg Bosch; last modified April 2016 by B. Davison

CSE 120 Principles of Operating Systems

Björn Döbel. Microkernel-Based Operating Systems. Exercise 3: Virtualization

I/O and virtualization

VIRTUALIZATION. Dresden, 2011/12/6. Julian Stecklina

CS 550 Operating Systems Spring Introduction to Virtual Machines

EE 660: Computer Architecture Cloud Architecture: Virtualization

Introduction to Cloud Computing and Virtualization. Mayank Mishra Sujesha Sudevalayam PhD Students CSE, IIT Bombay

NON SCHOLAE, SED VITAE

CIS Operating Systems CPU Mode. Professor Qiang Zeng Spring 2018

VIRTUALIZATION: IBM VM/370 AND XEN

System Call. Preview. System Call. System Call. System Call 9/7/2018

CSE543 - Computer and Network Security Module: Virtualization


1 Virtualization Recap

An overview of virtual machine architecture

CSC 5930/9010 Cloud S & P: Virtualization

Virtual Machine Systems

SUSE Linux Enterprise Server: Supported Virtualization Technologies

Introduction to Virtual Machines

Multiprocessor Scheduling. Multiprocessor Scheduling

Virtualization, Xen and Denali

Mach External pager. IPC Costs. Why the difference? Example of IPC Performance. First generation microkernels were slow Mach, Chorus, Amoeba

CSE543 - Computer and Network Security Module: Virtualization

Introduction to Virtual Machines. Carl Waldspurger (SB SM 89 PhD 95) VMware R&D

Virtual Machines. Virtual Machines

Virtualization and Virtual Machines. CS522 Principles of Computer Systems Dr. Edouard Bugnion

Micro VMMs and Nested Virtualization

LIA. Large Installation Administration. Virtualization

DISCO and Virtualization

Server Virtualization Approaches

Virtual Leverage: Server Consolidation in Open Source Environments. Margaret Lewis Commercial Software Strategist AMD

Transcription:

The Challenges of X86 Hardware Virtualization GCC- Virtualization: Rajeev Wankar 36

The Challenges of X86 Hardware Virtualization X86 operating systems are designed to run directly on the bare-metal hardware, so they naturally assume they fully own the computer hardware X86 architecture offers four levels of privilege known as Ring 0, 1, 2 and 3 to operating systems and applications to manage access to the computer hardware GCC- Virtualization: Rajeev Wankar 37

GCC- Virtualization: Rajeev Wankar 38 The Challenges of X86 Hardware Virtualization Conti.. Figure Courtesy: Understanding Full Virtualization, Paravirtualization, and Hardware Assist, VMware

The Challenges of X86 Hardware Virtualization Conti.. Virtualizing the X86 architecture requires placing a virtualization layer under the operating system to create and manage the virtual machines that deliver shared resources. Some sensitive instructions can t effectively be virtualized as they have different semantics when they are not executed in Ring 0. GCC- Virtualization: Rajeev Wankar 39

GCC- Virtualization: Rajeev Wankar 40 The Challenges of X86 Hardware Virtualization Conti.. The difficulty in trapping and translating these sensitive and privileged instruction requests at runtime was the challenge that originally made X86 architecture virtualization look impossible.

Security Rings and Privileged Modes Ring 0 is used by the kernel of the OS and rings 1 and 2 are used by the OS level services and Ring 3 is used by the user. Recent systems support only two levels with Ring 0 for the supervisor mode and Ring 3 for user mode Ring 3 Ring 2 Ring 1 Ring 0 Least privileged mode (user mode) Privileged modes Most privileged mode (supervisor mode) GCC-Virtualization: Rajeev Wankar 41

Supervisor mode If code is running in supervisor mode all the instructions (privileged and non-privileged) can be executed without any restriction. This mode is also called master mode, or kernel mode and it is generally used by the OS (or the hypervisor) to perform sensitive operations on hardware level resources. GCC-Virtualization: Rajeev Wankar 42

GCC-Virtualization: Rajeev Wankar 43 User mode If code running in user mode invokes the privileged instructions, hardware interrupts occur and trap the potentially harmful execution of the instruction.

Five Abstraction Levels GCC-Virtualization: Rajeev Wankar 44

Five Abstraction Levels GCC-Virtualization: Rajeev Wankar 45

Five Abstraction Levels GCC-Virtualization: Rajeev Wankar 46

Five Abstraction Levels GCC-Virtualization: Rajeev Wankar 47

Five Abstraction Levels GCC-Virtualization: Rajeev Wankar 48

Five Abstraction Levels GCC-Virtualization: Rajeev Wankar 49

Instruction Set Architecture Level Virtualization is performed by emulating a given ISA by the ISA of the host machine. MIPS binary code can run on an X86-based host machine The basic emulation method is through code interpretation interprets the source instructions to target instructions one by one GCC-Virtualization: Rajeev Wankar 50

Instruction Set Architecture Level Conti.. For better performance, dynamic binary translation is used. This approach translates basic blocks of dynamic source instructions to target instructions Instruction set emulation requires binary translation and optimization. V-ISA thus requires adding a processorspecific software translation layer to the compiler. GCC-Virtualization: Rajeev Wankar 51

Five Abstraction Levels GCC-Virtualization: Rajeev Wankar 52

Hardware Level Virtualization Virtualization technique that provides an abstract execution environment in terms of computer hardware on top of which a guest operating system can run. In this model, the guest is represented by the OS, the host by the physical computer hardware, the virtual machine by its emulation, and Virtual Machine Manager by the hypervisor GCC-Virtualization: Rajeev Wankar 53

Hardware Level Virtualization Conti Hardware level virtualization is also called system virtualization, since it provides ISA to VMs, which is the representation of the hardware interface of a system. This is to differentiate from process virtual machines, which expose ABI to VMs. GCC-Virtualization: Rajeev Wankar 54

GCC-Virtualization: Rajeev Wankar 55 Hardware Virtualization Reference Model Guest In memory representation Storage Virtual Image VMM Host emulation Virtual Machine binary translation instruction mapping interpretation Host

GCC-Virtualization: Rajeev Wankar 56 How it is done? Technique Virtualization Model Emulation Application Expose ABI to VMs Execution Environment Process Level High-Level VM Programming Language Virtualization Storage Multiprogramming Operating System Network Hardware-assisted Virtualization Expose ISA to VMs System Level Full Virtualization Hardware. Paravirtualization Partial Virtualization

Hypervisors A fundamental element of hardware virtualization is the hypervisor, or Virtual Machine Manager (VMM). It recreates a hardware environment, where guest operating systems are installed. GCC-Virtualization: Rajeev Wankar 57

VMM Design Requirements 1. The VMM is responsible for allocating hardware resources for programs; 2. it is not possible for a program to access any resource not explicitly allocated to it; and 3. it is possible under certain circumstances for a VMM to regain control of resources already allocated. Not all processors satisfy these requirements for a VMM. GCC-Virtualization: Rajeev Wankar 58

There are two major types of hypervisors: Type I and Type II. GCC- Virtualization: Rajeev Wankar 59

Five Abstraction Levels GCC-Virtualization: Rajeev Wankar 60

Type I Hypervisor Type I hypervisors run directly on top of the hardware. Therefore, they take the place of the operating systems. Interact directly with the ISA interface exposed by the underlying hardware, and emulate ISA interface in order to allow the management of the guest OS. This type of hypervisors is also called native virtual machine, since it run natively on hardware. GCC-Virtualization: Rajeev Wankar 61

Type II Hypervisor Type II hypervisors require the support of an OS to provide virtualization services. Type II hypervisors are programs managed by the OS, that interacts with OS through the ABI and emulate the ISA of virtual hardware for the guest OS. This type of hypervisors is also called hosted virtual machine, since it is hosted within an operating system. GCC-Virtualization: Rajeev Wankar 62

GCC-Virtualization: Rajeev Wankar 63 Hosted (left) and Native (right) VM Emulated ISA VM VM VM VM Virtual Machine Manager VM VM VM VM ABI Emulated ISA Operative System Virtual Machine Manager ISA ISA Hardware Hardware

GCC-Virtualization: Rajeev Wankar 64 Hosted (left) and Native (right) VM VMware Workstation KVM Virtual PC & Virtual Server VMware ESX Xen Hyper-V

GCC-Virtualization: Rajeev Wankar 65 Internal Organization of VMM dispatcher, allocator, and interpreter are three main modules that coordinate activity in order to emulate the underlying hardware: ISA Virtual Machine Instance Dispatcher Allocator Instructions (ISA) Interpreter Interpreter Routines Routines Virtual Machine Manager

GCC-Virtualization: Rajeev Wankar 66 VMM Internal Dispatcher: entry point of the monitor and reroutes the instructions issued by the virtual machine instance to one of the two other modules ISA Virtual Machine Instance Dispatcher Allocator Instructions (ISA) Interpreter Interpreter Routines Routines Virtual Machine Manager

GCC-Virtualization: Rajeev Wankar 67 VMM Internal Allocator: is responsible for deciding the system resources to be provided to the VM ISA Virtual Machine Instance Dispatcher Instructions (ISA) Interpreter Interpreter Routines Routines Allocator Virtual Machine Manager

Interpreter: it consists of interpreter routines. These are executed whenever a VM executes a privileged instruction: a trap is triggered and the corresponding routine is executed. VMM Internal ISA Virtual Machine Instance Dispatcher Allocator Instructions (ISA) Interpreter Interpreter Routines Routines Virtual Machine Manager GCC-Virtualization: Rajeev Wankar 68

VM Architecture The hypervisor provides hypercalls*** for the guest OSes and applications. Depending on the functionality, a hypervisor can assume a micro-kernel hypervisor architecture Or it can assume a monolithic hypervisor architecture for server virtualization *** A hypercall is a software trap from a domain (domain is one of the virtual machines that run on the system) to the hypervisor, just as a syscall is a software trap from an application to the kernel GCC-Virtualization: Rajeev Wankar 70

Continue.. A micro-kernel hypervisor includes only the basic and unchanging functions ex. physical memory management and processor scheduling The device drivers and other changeable components are outside the hypervisor. GCC-Virtualization: Rajeev Wankar 71

Continue A monolithic hypervisor implements all the aforementioned functions, including those of the device drivers. Therefore, the size of the hypervisor code of a micro-kernel hypervisor is smaller than that of a monolithic hypervisor GCC-Virtualization: Rajeev Wankar 72

Monolithic Vs Microkernel Hypervisor VM 1 Admin VM 2 Child VM 3 Child Virtualization Stack Virtualization Stack VM 1 Parent VM 2 Child VM 3 Child Drivers Drivers Drivers Hypervisor Drivers Drivers Drivers Drivers Drivers Drivers Drivers Drivers Drivers Hypervisor Hardware Hardware More simple than a modern kernel, but still complex Implements a driver model Third party vulnerability of drivers Simple partitioning functionality Increase reliability and minimizes Trusted Computing Base (TCB) No third-party code Drivers run within guests GCC-Virtualization: Rajeev Wankar 73

V-Alternatives for X86 architecture Three alternative techniques exist for handling sensitive and privileged instructions to virtualize the CPU on the X86 architecture: Full virtualization using binary translation OS assisted virtualization or paravirtualization Hardware assisted virtualization (first generation) GCC- Virtualization: Rajeev Wankar 74

Binary Translation of Guest OS Requests Using a VMM This system puts the VMM at Ring 0 and the guest OS at Ring 1. The VMM scans the instruction stream and identifies the privileged, control and behaviorsensitive instructions. When these instructions are identified, they are trapped into the VMM, then VMM emulates the behavior of these instructions. The method used in this emulation is called binary translation. GCC-Virtualization: Rajeev Wankar 76

GCC-Virtualization: Rajeev Wankar 77 Binary Translation of Guest OS Requests Using a VMM Conti Figure Courtesy: Understanding Full Virtualization, Paravirtualization, and Hardware Assist, VMware

Binary Translation of Guest OS Requests Using a VMM Conti Therefore, full virtualization combines binary translation and direct execution. The guest OS is completely decoupled from the underlying hardware. Consequently, the guest OS is unaware that it is being virtualized. The method is known a Full Virtualization with binary translation. GCC-Virtualization: Rajeev Wankar 78

OS Assisted Virtualization or Paravirtualization Paravirtualization refers to the communication between the guest OS and the hypervisor to improve performance and efficiency It involves modifying the OS kernel to replace non-virtualizable instructions with hyper calls that communicate directly with the virtualization layer hypervisor. GCC-Virtualization: Rajeev Wankar 79

GCC- Virtualization: Rajeev Wankar 80 Syscall and Hypercall A system call, or syscall, is the mechanism used by an application program to request service from the operating system. A hypervisor call, or hypercall, referred to the paravirtualization interface, by which a guest operating system could access hypervisor services.

GCC-Virtualization: Rajeev Wankar 81 X86 processor Para-Virtualization Architecture Ex. Xen, KVM, and VMware ESX Figure Courtesy: Understanding Full Virtualization, Paravirtualization, and Hardware Assist, VMware

OS Assisted Virtualization or Paravirtualization The hypervisor also provides hypercall interfaces for other critical kernel operations such as memory management, interrupt handling and time keeping Paravirtualization is different from full virtualization, where the unmodified OS does not know it is virtualized and sensitive OS calls are trapped using binary translation. Paravirtualization cannot support unmodified operating systems (e.g. Windows 2000/XP) GCC-Virtualization: Rajeev Wankar 82

KVM KVM (Kernel-Based VM) is a Linux paravirtualization (2.6.20 kernel) Memory management and scheduling activities are carried out by the existing Linux kernel. The KVM does the rest KVM is a hardware-assisted para-virtualization tool GCC-Virtualization: Rajeev Wankar 83

Para-Virtualization with Compiler Support While full virtualization architecture intercepts and emulates privileged and sensitive instructions at runtime, para-virtualization handles these instructions at compile time. Ex. Xen assumes such a para-virtualization architecture Guest OS running in a guest domain may run at Ring 1 instead of at Ring 0. GCC-Virtualization: Rajeev Wankar 84

Hardware Assisted Virtualization Hardware vendors are rapidly accepting the virtualization and developing new features to simplify virtualization techniques. Intel Virtualization Technology (VT-x) and AMD s AMD-V are the first wave. Above both target privileged instructions with a new CPU execution mode feature that allows the VMM to run in a new root mode below ring 0. GCC- Virtualization: Rajeev Wankar 88

GCC-Virtualization: Rajeev Wankar 89 The hardware assist approach to X86 virtualization Figure Courtesy: Understanding Full Virtualization, Paravirtualization, and Hardware Assist, VMware

Hardware Assisted Virtualization Privileged and sensitive calls are set to automatically trap to the hypervisor, removing the need for either binary translation or paravirtualization The guest state is stored in Virtual Machine Control Structures (VT-x) or Virtual Machine Control Blocks (AMD-V). First appeared on the IBM System/370 in 1972 Ex. Linux KVM, VMware Workstation, VMware Fusion, Microsoft Hyper-V, Microsoft Virtual PC, Xen, Parallels Desktop for Mac, Oracle VM Server for SPARC, VirtualBox and Parallels Workstation. GCC- Virtualization: Rajeev Wankar 90

Intel Hardware-Assisted CPU Virtualization GCC-Virtualization: Rajeev Wankar 91

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback