x86 virtualization

In computing, x86 virtualization refers to hardware virtualization for the x86 architecture. It allows multiple operating systems to simultaneously share x86 processor resources in a safe and efficient manner.

In the late 1990s x86 virtualization was achieved by complex software techniques, necessary to compensate for the processor's lack of virtualization support while attaining reasonable performance. In 2006, both Intel (VT-x) and AMD (AMD-V) introduced limited hardware virtualization support that allowed simpler virtualization software but offered very little speed benefits.[1] Greater hardware support, which allowed substantial speed improvements, came with later processor models.

Software-based virtualization

The following discussion focuses only on virtualization of the x86 architecture protected mode.

In protected mode the operating system kernel runs at a higher privilege such as ring 0, and applications at a lower privilege such as ring 3. In software-based virtualization, a host OS has direct access to hardware while the guest OSs have limited access to hardware, just like any other application of the host OS. One approach used in x86 software-based virtualization to overcome this limitation is called ring deprivileging, which involves running the guest OS at a ring higher than 0.[2]

Three techniques made virtualization of protected mode possible:

These techniques incur some performance overhead due to lack of MMU virtualization support, as compared to a VM running on a natively virtualizable architecture such as the IBM System/370.[4]:10[9]:17 and 21

On traditional mainframes, the classic type 1 hypervisor was self-standing and did not depend on any operating system or run any user applications itself. In contrast, the first x86 virtualization products were aimed at workstation computers, and ran a guest OS inside a host OS by embedding the hypervisor in a kernel module that ran under the host OS (type 2 hypervisor).[8]

There has been some controversy whether the x86 architecture with no hardware assistance is virtualizable as described by Popek and Goldberg. VMware researchers pointed out in a 2006 ASPLOS paper that the above techniques made the x86 platform virtualizable in the sense of meeting the three criteria of Popek and Goldberg, albeit not by the classic trap-and-emulate technique.[4]:2–3

A different route was taken by other systems like Denali, L4, and Xen, known as paravirtualization, which involves porting operating systems to run on the resulting virtual machine, which does not implement the parts of the actual x86 instruction set that are hard to virtualize. The paravirtualized I/O has significant performance benefits as demonstrated in the original SOSP'03 Xen paper.[10]

The initial version of x86-64 (AMD64) did not allow for a software-only full virtualization due to the lack of segmentation support in long mode, which made the protection of the hypervisor's memory impossible, in particular, the protection of the trap handler that runs in the guest kernel address space.[11][12]:11 and 20 Revision D and later 64-bit AMD processors (as a rule of thumb, those manufactured in 90 nm or less) added basic support for segmentation in long mode, making it possible to run 64-bit guests in 64-bit hosts via binary translation. Intel did not add segmentation support to its x86-64 implementation (Intel 64), making 64-bit software-only virtualization impossible on Intel CPUs, but Intel VT-x support makes 64-bit hardware assisted virtualization possible on the Intel platform.[13][14]:4

On some platforms, it is possible to run a 64-bit guest on a 32-bit host OS if the underlying processor is 64-bit and supports the necessary virtualization extensions.

Hardware-assisted virtualization

In 2005 and 2006, Intel and AMD (working independently) created new processor extensions to the x86 architecture. The first generation of x86 hardware virtualization addressed the issue of privileged instructions. The issue of low performance of virtualized system memory was addressed with MMU virtualization that was added to the chipset later.

Central processing unit

Virtual 8086 mode

Main article: Virtual 8086 mode

Based on painful experiences with the 80286 protected mode, which by itself was not suitable enough to run concurrent MS-DOS applications well, Intel introduced the virtual 8086 mode in their 80386 chip, which offered virtualized 8086 processors on the 386 and later chips. Hardware support for virtualizing the protected mode itself, however, became available 20 years later.[15]

AMD virtualization (AMD-V)

AMD Phenom CPU

AMD developed its first generation virtualization extensions under the code name "Pacifica", and initially published them as AMD Secure Virtual Machine (SVM),[16] but later marketed them under the trademark AMD Virtualization, abbreviated AMD-V.

On May 23, 2006, AMD released the Athlon 64 ("Orleans"), the Athlon 64 X2 ("Windsor") and the Athlon 64 FX ("Windsor") as the first AMD processors to support this technology.

AMD-V capability also features on the Athlon 64 and Athlon 64 X2 family of processors with revisions "F" or "G" on socket AM2, Turion 64 X2, and Opteron 2nd generation[17] and third-generation,[18] Phenom and Phenom II processors. The APU Fusion processors support AMD-V. AMD-V is not supported by any Socket 939 processors. The only Sempron processors which support it are Huron and Sargas.

AMD Opteron CPUs beginning with the Family 0x10 Barcelona line, and Phenom II CPUs, support a second generation hardware virtualization technology called Rapid Virtualization Indexing (formerly known as Nested Page Tables during its development), later adopted by Intel as Extended Page Tables (EPT).

The CPU flag for AMD-V is "svm". This may be checked in BSD derivatives via dmesg or sysctl and in Linux via /proc/cpuinfo.[19]

Intel virtualization (VT-x)

"Intel VT-x" redirects here. It is not to be confused with Intel VT-i.
Intel Core i7 (Bloomfield) CPU

Previously codenamed "Vanderpool", VT-x represents Intel's technology for virtualization on the x86 platform. On November 13, 2005, Intel released two models of Pentium 4 (Model 662 and 672) as the first Intel processors to support VT-x. The CPU flag for VT-x capability is "vmx"; in Linux, this can be checked via /proc/cpuinfo, or in Mac OS X via sysctl machdep.cpu.features.[19]

As of 2015, almost all newer server, desktop and mobile Intel processors support VT-x, with some of the Intel Atom processors as the primary exception.[20] With some motherboards, users must enable Intel's VT-x feature in the BIOS setup before applications can make use of it.[21]

Intel started to include Extended Page Tables (EPT),[22] a technology for page-table virtualization,[23] since the Nehalem architecture,[24][25] released in 2008. In 2010, Westmere added support for launching the logical processor directly in real mode  a feature called "unrestricted guest", which requires EPT to work.[26][27]

Since the Haswell microarchitecture (announced in 2013), Intel started to include VMCS shadowing as a technology that accelerates nested virtualization of VMMs.[28] The virtual machine control structure (VMCS) is a data structure in memory that exists exactly once per VM, while it is managed by the VMM. With every change of the execution context between different VMs, the VMCS is restored for the current VM, defining the state of the VM's virtual processor.[29] As soon as more than one VMM or nested VMMs are used, a problem appears in a way similar to what required shadow page table management to be invented, as described above. In such cases, VMCS needs to be shadowed multiple times (in case of nesting) and partially implemented in software in case there is no hardware support by the processor. To make shadow VMCS handling more efficient, Intel implemented hardware support for VMCS shadowing.[30]

VIA virtualization (VIA VT)

VIA Nano 3000 Series Processors[31] and higher support a so-called VIA VT virtualization technology compatible with Intel VT.

Interrupt virtualization (AMD AVIC and Intel APICv)

In 2012, AMD announced their Advanced Virtual Interrupt Controller (AVIC) targeting interrupt overhead reduction in virtualization environments.[32] This technology has materialize in hardware and (as announced) does not support x2APIC.[33] In 2016, AVIC is available on the AMD family 15h models 6Xh (Carrizo) processors and newer.

Also in 2012, Intel announced a similar technology for interrupt and APIC virtualization, which did not have a brand name at its announcement time.[34] Later, it was branded as APIC virtualization (APICv)[35] and it became commercially available in the Ivy Bridge EP series of Intel CPUs, which is sold as Xeon E5-26xx v2 (launched in late 2013) and as Xeon E5-46xx v2 (launched in early 2014).[36]

Graphics processing unit

Graphics Virtualization Technology (Intel GVT-d, GVT-g and GVT-s)

Graphics Virtualization Technology was introduced with Intel Iris Pro. Intel's integrated GPU can be either dedicatedly assigned to a virtual machine (GVT-d), shared between multiple virtual machines on a time-sharing basis while using native graphics driver (GVT-g), or shared between multiple virtual machines by using a virtual graphics driver (GVT-s).[37]

Chipset

Main article: I/O virtualization

Memory and I/O virtualization is performed by the chipset.[38] Typically these features must be enabled by the BIOS, which must be able to support them and also be set to use them.

I/O MMU virtualization (AMD-Vi and Intel VT-d)

An input/output memory management unit (IOMMU) allows guest virtual machines to directly use peripheral devices, such as Ethernet, accelerated graphics cards, and hard-drive controllers, through DMA and interrupt remapping. This is sometimes called PCI passthrough.[39]

An IOMMU also allows operating systems to eliminate bounce buffers needed to allow themselves to communicate with peripheral devices whose memory address spaces are smaller than the operating system's memory address space, by using memory address translation. At the same time, an IOMMU also allows operating systems and hypervisors to prevent buggy or malicious hardware from compromising memory security.

Both AMD and Intel have released their IOMMU specifications:

In addition to the CPU support, both motherboard chipset and system firmware (BIOS or UEFI) need to fully support the IOMMU I/O virtualization functionality in order for it to be actually usable. Only the PCI or PCI Express devices supporting function level reset (FLR) can be virtualized this way, as it is required for reassigning various device functions between virtual machines.[43][44] If a device to be assigned does not support Message Signaled Interrupts (MSI), it must not share interrupt lines with other devices for the assignment to be possible.[45] All conventional PCI devices routed behind a PCI/PCI-X-to-PCI Express bridge can be assigned to a guest virtual machine only all at once; PCI Express devices have no such restriction.

Network virtualization (VT-c)

PCI-SIG Single Root I/O Virtualization (SR-IOV)

PCI-SIG Single Root I/O Virtualization (SR-IOV) provides a set of general (non-x86 specific) I/O virtualization methods based on PCI Express (PCIe) native hardware, as standardized by PCI-SIG:[47]

In SR-IOV, the most common of these, a host VMM configures supported devices to create and allocate virtual "shadows" of their configuration spaces so that virtual machine guests can directly configure and access such "shadow" device resources.[49] With SR-IOV enabled, virtualized network interfaces are directly accessible to the guests,[50] avoiding involvement of the VMM and resulting in high overall performance;[48] for example, SR-IOV achieves over 95% of the bare metal network bandwidth in NASA's virtualized datacenter[51] and in the Amazon Public Cloud.[52][53]

See also

References

  1. A Comparison of Software and Hardware Techniques for x86 Virtualization, Keith Adams and Ole Agesen, VMware, ASPLOS’06 October 21–25, 2006, San Jose, California, USA"Surprisingly, we find that the first-generation hardware support rarely offers performance advantages over existing software techniques. We ascribe this situation to high VMM/guest transition costs and a rigid programming model that leaves little room for software flexibility in managing either the frequency or cost of these transitions.
  2. "Intel Virtualization Technology: Hardware Support for Efficient Processor Virtualization". Intel.com. 2006-08-10. Retrieved 2010-05-02.
  3. "USENIX Technical Program - Abstract - Security Symposium - 2000". Usenix.org. 2002-01-29. Retrieved 2010-05-02.
  4. 1 2 3 4 5 "A Comparison of Software and Hardware Techniques for x86 Virtualization" (PDF). VMware. Retrieved 8 September 2010.
  5. 1 2 U.S. Patent 6,397,242
  6. U.S. Patent 6,704,925
  7. "Virtualization: architectural considerations and other evaluation criteria" (PDF). VMware. Retrieved 8 September 2010.
  8. 1 2 U.S. Patent 6,496,847
  9. "VMware and Hardware Assist Technology" (PDF). Retrieved 2010-09-08.
  10. "Xen and the Art of Virtualization" (PDF).
  11. "How retiring segmentation in AMD64 long mode broke VMware". Pagetable.com. 2006-11-09. Retrieved 2010-05-02.
  12. "VMware and CPU Virtualization Technology" (PDF). VMware. Retrieved 2010-09-08.
  13. "VMware KB: Hardware and firmware requirements for 64bit guest operating systems". Kb.vmware.com. Retrieved 2010-05-02.
  14. "Software and Hardware Techniques for x86 Virtualization" (PDF). Retrieved 2010-05-02.
  15. Yager, Tom (2004-11-05). "Sending software to do hardware's job | Hardware - InfoWorld". Images.infoworld.com. Retrieved 2014-01-08.
  16. "33047_SecureVirtualMachineManual_3-0.book" (PDF). Retrieved 2010-05-02.
  17. "What are the main differences between Second-Generation AMD Opteron processors and first-generation AMD Opteron processors?". amd.com. Archived from the original on April 15, 2009. Retrieved 2012-02-04.
  18. "What virtualization enhancements do Quad-Core AMD Opteron processors feature?". amd.com. Archived from the original on April 16, 2009. Retrieved 2012-02-04.
  19. 1 2 To see if your processor supports hardware virtualization Intel 2012.
  20. "Intel Virtualization Technology List". Ark.intel.com. Retrieved 2010-05-02.
  21. "Windows Virtual PC: Configure BIOS". Microsoft. Retrieved 2010-09-08.
  22. Neiger, Gil; A. Santoni; F. Leung; D. Rodgers; R. Uhlig. "Intel Virtualization Technology: Hardware Support for Efficient Processor Virtualization" (PDF). Intel Technology Journal. Intel. 10 (3): 167–178. doi:10.1535/itj.1003.01. Retrieved 2008-07-06.
  23. Gillespie, Matt (2007-11-12). "Best Practices for Paravirtualization Enhancements from Intel Virtualization Technology: EPT and VT-d". Intel Software Network. Intel. Retrieved 2008-07-06.
  24. "First the Tick, Now the Tock: Next Generation Intel Microarchitecture (Nehalem)" (PDF) (Press release). Intel. Retrieved 2008-07-06.
  25. "Technology Brief: Intel Microarchitecture Nehalem Virtualization Technology" (PDF). Intel. 2009-03-25. Retrieved 2009-11-03.
  26. http://2013.asiabsdcon.org/papers/abc2013-P5A-paper.pdf:[] "Intel added unrestricted guest mode on Westmere micro-architecture and later Intel CPUs, it uses EPT to translate guest physical address access to host physical address. With this mode, VMEnter without enable paging is allowed."
  27. http://download.intel.com/products/processor/manual/326019.pdf:[] "If the “unrestricted guest” VM-execution control is 1, the “enable EPT” VM-execution control must also be 1"
  28. "4th-Gen Intel Core vPro Processors with Intel VMCS Shadowing" (PDF). Intel. 2013. Retrieved 2014-12-16.
  29. Understanding Intel Virtualization Technology (VT). Archived September 8, 2014, at the Wayback Machine. Retrieved 2014-09-01
  30. The 'what, where and why' of VMCS shadowing. Retrieved 2014-09-01
  31. VIA Introduces New VIA Nano 3000 Series Processors Archived January 22, 2013, at the Wayback Machine.
  32. Wei Huang, Introduction of AMD Advanced Virtual Interrupt Controller, XenSummit 2012
  33. Jörg Rödel (August 2012). "Next-generation Interrupt Virtualization for KVM" (PDF). AMD. Retrieved 2014-07-12.
  34. Jun Nakajimaa (2012-12-13). "Reviewing Unused and New Features for Interrupt/APIC Virtualization" (PDF). Intel. Retrieved 2014-07-12.
  35. Khang Nguyen (2013-12-17). "APIC Virtualization Performance Testing and Iozone". software.intel.com. Retrieved 2014-07-12.
  36. "Product Brief Intel Xeon Processor E5-4600 v2 Product Family" (PDF). Intel. 2014-03-14. Retrieved 2014-07-12.
  37. Sunil Jain (May 2014). "Intel Graphics Virtualization Update". Intel. Retrieved 2014-05-11.
  38. "Intel platform hardware support for I/O virtualization". Intel.com. 2006-08-10. Retrieved 2012-02-04.
  39. "Linux virtualization and PCI passthrough". IBM. Retrieved 10 November 2010.
  40. "AMD I/O Virtualization Technology (IOMMU) Specification Revision 1.26" (PDF). Retrieved 2011-05-24.
  41. "Intel Virtualization Technology for Directed I/O (VT-d) Architecture Specification" (PDF). Retrieved 2012-02-04.
  42. "Intel Virtualization Technology for Directed I/O (VT-d) Supported CPU List". Ark.intel.com. Retrieved 2012-02-04.
  43. "PCI-SIG Engineering Change Notice: Function Level Reset (FLR)" (PDF). pcisig.com. 2006-06-27. Retrieved 2014-01-10.
  44. "Xen VT-d". xen.org. 2013-06-06. Retrieved 2014-01-10.
  45. "How to assign devices with VT-d in KVM". linux-kvm.org. 2014-04-23. Retrieved 2015-03-05.
  46. "Intel Virtualization Technology for Connectivity (VT-c)". Intel.com. Retrieved 2014-05-27.
  47. "PCI-SIG I/O Virtualization (IOV) Specifications". Pcisig.com. 2011-03-31. Retrieved 2012-02-04.
  48. 1 2 "Intel Look Inside: Intel Ethernet" (PDF). Intel. November 27, 2014. p. 104. Retrieved March 26, 2015.
  49. Yaozu Dong, Zhao Yu, Greg Rose (2008). "SR-IOV Networking in Xen: Architecture, Design and Implementation". usenix.org. USENIX. Retrieved 2014-01-10.
  50. Patrick Kutch; Brian Johnson; Greg Rose (September 2011). "An Introduction to Intel Flexible Port Partitioning Using SR-IOV Technology" (PDF). Intel. Retrieved September 24, 2015.
  51. "NASA's Flexible Cloud Fabric: Moving Cluster Applications to the Cloud" (PDF). Intel. Retrieved 2014-01-08.
  52. "Enhanced Networking in the AWS Cloud". Scalable Logic. 2013-12-31. Retrieved 2014-01-08.
  53. "Enhanced Networking in the AWS Cloud - Part 2". Scalable Logic. 2013-12-31. Retrieved 2014-01-08.
This article is issued from Wikipedia - version of the 11/14/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.