
Unit 4 CC LM


UNIT – IV

Hardware Virtualization

Syllabus :

Virtualization of CPU, memory and I/O devices: Hardware support for virtualization, CPU
virtualization, memory virtualization, I/O virtualization.

VIRTUALIZATION OF CPU, MEMORY, AND I/O DEVICES :

• To support virtualization, processors such as the x86 employ a special running mode and instructions, known as hardware-assisted virtualization.
• In this way, the VMM and guest OS run in different modes and all sensitive instructions of the guest OS and its applications are trapped in the VMM.
• To save processor states, mode switching is completed by hardware. For the x86 architecture, Intel and AMD have proprietary technologies for hardware-assisted virtualization.

Hardware Support for Virtualization :

• Modern operating systems and processors permit multiple processes to run simultaneously. If there is no protection mechanism in a processor, all instructions from different processes will access the hardware directly and cause a system crash.
• Therefore, all processors have at least two modes, user mode and supervisor mode, to ensure controlled access to critical hardware.
• Instructions running in supervisor mode are called privileged instructions. Other instructions are unprivileged instructions.
• In a virtualized environment, it is more difficult to make OSes and applications run correctly because there are more layers in the machine stack.
• The VMware ESX Server architecture uses para-virtualization. VMware Workstation is a VM software suite for x86 and x86-64 computers.
• This software suite allows users to set up multiple x86 and x86-64 virtual computers and to use one or more of these VMs simultaneously with the host operating system. VMware Workstation assumes host-based virtualization.
• Xen is a hypervisor for use in IA-32, x86-64, Itanium, and PowerPC 970 hosts. Actually, Xen modifies Linux as the lowest and most privileged layer, or a hypervisor. One or more guest OSes can run on top of the hypervisor.
• KVM (Kernel-based Virtual Machine) is a Linux kernel virtualization infrastructure. KVM can support hardware-assisted virtualization and paravirtualization by using the Intel VT-x or AMD-V and the VirtIO framework, respectively.
• The VirtIO framework includes a paravirtual Ethernet card, a disk I/O controller, a balloon device for adjusting guest memory usage, and a VGA graphics interface using VMware drivers.

Intel hardware support for virtualization of processor, memory, and I/O devices.

CPU Virtualization :

• A VM is a duplicate of an existing computer system in which a majority of the VM instructions are executed on the host processor in native mode.
• Thus, unprivileged instructions of VMs run directly on the host machine for higher efficiency. Other critical instructions should be handled carefully for correctness and stability.
• The critical instructions are divided into three categories: privileged instructions, control-sensitive instructions, and behavior-sensitive instructions.
• Privileged instructions execute in a privileged mode and will be trapped if executed outside this mode.
• Control-sensitive instructions attempt to change the configuration of resources used.
• Behavior-sensitive instructions have different behaviors depending on the configuration of resources, including the load and store operations over the virtual memory.
• A CPU architecture is virtualizable if it supports the ability to run the VM's privileged and unprivileged instructions in the CPU's user mode while the VMM runs in supervisor mode.
• When the privileged instructions, including control- and behavior-sensitive instructions, of a VM are executed, they are trapped in the VMM.
• In this case, the VMM acts as a unified mediator for hardware access from different VMs to guarantee the correctness and stability of the whole system. However, not all CPU architectures are virtualizable.
• RISC CPU architectures can be naturally virtualized because all control- and behavior-sensitive instructions are privileged instructions.

Hardware-Assisted CPU Virtualization :

• This technique attempts to simplify virtualization because full virtualization or paravirtualization is complicated. Intel and AMD add an additional mode called privilege mode level (some people call it Ring -1) to x86 processors.
• Therefore, operating systems can still run at Ring 0 and the hypervisor can run at Ring -1. All the privileged and sensitive instructions are trapped in the hypervisor automatically.
• This technique removes the difficulty of implementing binary translation of full virtualization. It also lets the operating system run in VMs without modification.

Intel hardware-assisted CPU virtualization.

• Although x86 processors are not virtualizable primarily, great effort is taken to virtualize them. They are widely used compared with RISC processors, and the bulk of x86-based legacy systems cannot be discarded easily. Virtualization of x86 processors is detailed in the following sections.
• Intel's VT-x technology is an example of hardware-assisted virtualization. Intel calls the privilege level of x86 processors the VMX Root Mode. In order to control the start and stop of a VM and allocate a memory page to maintain the CPU state for VMs, a set of additional instructions is added. At the time of this writing, Xen, VMware, and the Microsoft Virtual PC all implement their hypervisors by using the VT-x technology.

Memory Virtualization :

• Virtual memory virtualization is similar to the virtual memory support provided by modern operating systems.
• In a traditional execution environment, the operating system maintains mappings of virtual memory to machine memory using page tables, which is a one-stage mapping from virtual memory to machine memory.
• All modern x86 CPUs include a memory management unit (MMU) and a translation lookaside buffer (TLB) to optimize virtual memory performance.
• However, in a virtual execution environment, virtual memory virtualization involves sharing the physical system memory in RAM and dynamically allocating it to the physical memory of the VMs.
• That means a two-stage mapping process should be maintained by the guest OS and the VMM, respectively: virtual memory to physical memory and physical memory to machine memory.
• Furthermore, MMU virtualization should be supported, which is transparent to the guest OS. The guest OS continues to control the mapping of virtual addresses to the physical memory addresses of VMs.
• But the guest OS cannot directly access the actual machine memory. The VMM is responsible for mapping the guest physical memory to the actual machine memory.

Two-level memory mapping procedure

• Since each page table of the guest OS has a separate page table in the VMM corresponding to it, the VMM page table is called the shadow page table.
• Nested page tables add another layer of indirection to virtual memory. The MMU already handles virtual-to-physical translations as defined by the OS. Then the physical memory addresses are translated to machine addresses using another set of page tables defined by the hypervisor.
• Since modern operating systems maintain a set of page tables for every process, the shadow page tables will get flooded. Consequently, the performance overhead and cost of memory will be very high.
• Processors use TLB hardware to map the virtual memory directly to the machine memory to avoid the two levels of translation on every access. When the guest OS changes the virtual-memory-to-physical-memory mapping, the VMM updates the shadow page tables to enable a direct lookup.
• It provides hardware assistance to the two-stage address translation in a virtual execution environment by using a technology called nested paging.

EXTENDED PAGE TABLE BY INTEL :

Memory virtualization using EPT by Intel

• Since the efficiency of the software shadow page table technique was too low, Intel developed a hardware-based EPT technique to improve it, as illustrated. In addition, Intel offers a Virtual Processor ID (VPID) to improve use of the TLB.
• Therefore, the performance of memory virtualization is greatly improved. The page tables of the guest OS and EPT are all four-level. When a virtual address needs to be translated, the CPU will first look for the L4 page table pointed to by Guest CR3.
• Since the address in Guest CR3 is a physical address in the guest OS (a guest physical address, GPA), the CPU needs to convert the Guest CR3 GPA to the host physical address (HPA) using EPT.
• In this procedure, the CPU will check the EPT TLB to see if the translation is there. If there is no required translation in the EPT TLB, the CPU will look for it in the EPT.
• If the CPU cannot find the translation in the EPT, an EPT violation exception will be raised.
• When the GPA of the L4 page table is obtained, the CPU will calculate the GPA of the L3 page table by using the guest virtual address (GVA) and the content of the L4 page table.
• If the entry corresponding to the GVA in the L4 page table is a page fault, the CPU will generate a page fault interrupt and will let the guest OS kernel handle the interrupt.
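
The walk described above, as an added example (not part of the original notes): a toy C model in which every level of the guest's four-level page table is itself located by a GPA, so each step needs a second-stage lookup before the entry can be read. The EPT is flattened to a single array rather than Intel's four-level structure, and the frame numbers, the PTE layout (bit 0 = present), `translate` and `build_sample` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NFRAMES 16                     /* constructed toy machine: 16 frames of 4 KiB */
enum walk { WALK_OK, GUEST_PAGE_FAULT, EPT_VIOLATION };
static uint64_t mem[NFRAMES][512];     /* machine memory, indexed by host frame number */
static int ept[NFRAMES];               /* flattened EPT: guest frame -> host frame, -1 = unmapped */
static int ept_lookups;                /* second-stage lookups done by the last walk */

static int ept_translate(uint64_t gpa) {   /* GPA -> host frame, or -1 (EPT violation) */
    ept_lookups++;
    return (gpa >> 12) < NFRAMES ? ept[gpa >> 12] : -1;
}

/* Walk the guest table for gva; each table address is a GPA that must go through the EPT. */
enum walk translate(uint64_t gva, uint64_t guest_cr3, uint64_t *hpa) {
    uint64_t gpa = guest_cr3;
    ept_lookups = 0;
    for (int level = 3; level >= 0; level--) {     /* L4, L3, L2, L1 */
        int hfn = ept_translate(gpa);
        if (hfn < 0) return EPT_VIOLATION;         /* exits to the VMM */
        uint64_t pte = mem[hfn][(gva >> (12 + 9 * level)) & 0x1ff];
        if (!(pte & 1)) return GUEST_PAGE_FAULT;   /* delivered to the guest kernel */
        gpa = pte & ~0xfffULL;
    }
    int hfn = ept_translate(gpa);                  /* the data page itself */
    if (hfn < 0) return EPT_VIOLATION;
    *hpa = ((uint64_t)hfn << 12) | (gva & 0xfff);
    return WALK_OK;
}

#define GVA(l4, l3, l2, l1, off) (((uint64_t)(l4) << 39) | ((uint64_t)(l3) << 30) | \
                                  ((uint64_t)(l2) << 21) | ((uint64_t)(l1) << 12) | (off))

/* Constructed sample: guest tables in guest frames 1..4, data page in guest frame 5. */
void build_sample(void) {
    static const int map[6] = { -1, 9, 3, 12, 6, 14 };   /* guest frame -> host frame */
    memset(mem, 0, sizeof mem);
    for (int i = 0; i < NFRAMES; i++) ept[i] = i < 6 ? map[i] : -1;
    /* entry l of the table in guest frame l points to guest frame l + 1 */
    for (int l = 1; l <= 4; l++) mem[map[l]][l] = ((uint64_t)(l + 1) << 12) | 1;
}

int main(void) {
    uint64_t hpa = 0;
    build_sample();
    int r = translate(GVA(1, 2, 3, 4, 0x123), 1 << 12, &hpa);
    printf("result=%d hpa=0x%llx ept_lookups=%d\n", r, (unsigned long long)hpa, ept_lookups);
    return 0;
}
```

A successful walk here costs five second-stage lookups for one guest access, which is the overhead the EPT TLB exists to hide.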

I/O Virtualization :

• I/O virtualization involves managing the routing of I/O requests between virtual devices and the shared physical hardware.
• At the time of this writing, there are three ways to implement I/O virtualization: full device emulation, para-virtualization, and direct I/O.
• Full device emulation is the first approach for I/O virtualization. Generally, this approach emulates well-known, real-world devices.

Device emulation for I/O virtualization implemented inside the middle layer that maps real I/O devices into the virtual devices for the guest device driver to use.

• All the functions of a device or bus infrastructure, such as device enumeration, identification, interrupts, and DMA, are replicated in software.
• This software is located in the VMM and acts as a virtual device. The I/O access requests of the guest OS are trapped in the VMM which interacts with the I/O devices.
• A single hardware device can be shared by multiple VMs that run concurrently. However, software emulation runs much slower than the hardware it emulates [10,15].
• The para-virtualization method of I/O virtualization is typically used in Xen. It is also known as the split driver model consisting of a frontend driver and a backend driver.
• The frontend driver is running in Domain U and the backend driver is running in Domain 0. They interact with each other via a block of shared memory.
• The frontend driver manages the I/O requests of the guest OSes and the backend driver is responsible for managing the real I/O devices and multiplexing the I/O data of different VMs.
• Although para-I/O-virtualization achieves better device performance than full device emulation, it comes with a higher CPU overhead.
• Direct I/O virtualization lets the VM access devices directly. It can achieve close-to-native performance without high CPU costs.
• SV-IO defines one virtual interface (VIF) for every kind of virtualized I/O device, such as virtual network interfaces, virtual block devices (disk), virtual camera devices

Figure labels (device emulation): Guest OS, guest device driver, device emulation, I/O stack, device driver.
• Virtual device
• Real device: may be different from the virtual device
• Virtualization layer: emulates the virtual device; remaps guest and real I/O addresses; multiplexes and drives the physical device; I/O features.

• VMware Workstation runs as an application. It leverages the I/O device support in guest OSes, host OSes, and VMM to implement I/O virtualization.
• The application portion (VM App) uses a driver loaded into the host operating system (VM Driver) to establish the privileged VMM, which runs directly on the hardware.
• A given physical processor is executed in either the host world or the VMM world, with the VM Driver facilitating the transfer of control between the two worlds. VMware Workstation employs full device emulation to implement I/O virtualization.

Functional blocks involved in sending and receiving network packets.
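
The split driver model described above (frontend in Domain U, backend in Domain 0, a block of shared memory between them), as an added example that is not from the original notes and is not Xen's actual ring protocol. `struct ring`, `frontend_submit`, `backend_poll`, the ring size and the per-guest disk slices are hypothetical; the backend keeps its own consumer index and checks every value it reads, because the shared block is writable by the guest.

```c
#include <stdint.h>
#include <stdio.h>
#define RING_SIZE 4u                      /* slots per ring (toy value) */
#define NDOM 2                            /* two constructed guests (Domain U) */
struct req { uint32_t id, sector; };
struct ring {                             /* the shared-memory block for one guest */
    uint32_t req_prod;                    /* requests queued so far; written by the frontend */
    uint32_t rsp_prod;                    /* requests completed so far; written by the backend */
    struct req slot[RING_SIZE];
};
struct backend {                          /* Domain 0 private state, never shared */
    struct ring *ring[NDOM];
    uint32_t req_cons[NDOM];              /* consumer index kept out of the guest's reach */
    uint32_t first[NDOM], count[NDOM];    /* each guest's slice of the real disk */
};

/* Frontend (Domain U): queue one request, or return -1 while the ring is full. */
int frontend_submit(struct ring *r, uint32_t id, uint32_t sector) {
    if (r->req_prod - r->rsp_prod >= RING_SIZE) return -1;
    r->slot[r->req_prod % RING_SIZE] = (struct req){ id, sector };
    r->req_prod++;
    return 0;
}

/* Backend (Domain 0): one pass over all rings; stores real-disk sectors in out[]. */
int backend_poll(struct backend *b, uint32_t *out, int max) {
    int n = 0;
    for (int d = 0; d < NDOM; d++) {
        struct ring *r = b->ring[d];
        uint32_t prod = r->req_prod;                      /* read the guest's index once */
        if (prod - b->req_cons[d] > RING_SIZE) continue;  /* impossible index: ignore guest */
        while (b->req_cons[d] != prod && n < max) {
            struct req q = r->slot[b->req_cons[d]++ % RING_SIZE];  /* copy before checking */
            /* translate only requests that stay inside this guest's slice */
            if (q.sector < b->count[d]) out[n++] = b->first[d] + q.sector;
            r->rsp_prod = b->req_cons[d];
        }
    }
    return n;
}

int main(void) {
    struct ring ra = {0}, rb = {0};
    struct backend be = { {&ra, &rb}, {0, 0}, {0, 100}, {100, 50} };
    uint32_t out[8];
    frontend_submit(&ra, 1, 5); frontend_submit(&rb, 1, 7);
    frontend_submit(&rb, 2, 60);          /* outside guest B's 50-sector slice: dropped */
    printf("served=%d\n", backend_poll(&be, out, 8));
    return 0;
}
```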


PART – A

1. For the x86 architecture, which companies have proprietary technology for hardware-assisted virtualization? [ C ]
A. AMD    B. Intel    C. Both a & b    D. None
2. Instructions running in supervisor mode are called [ C ]
A. Non-privileged instructions    B. Both    C. Privileged instructions    D. None
3. KVM can support hardware-assisted virtualization and para-virtualization by using what technology? [ D ]
A. VT-x    B. AMD-V    C. VirtIO framework    D. All of the above
4. Which instructions of a VM can run directly on top of the host machine hardware? [ A ]
A. Unprivileged    B. Privileged    C. Sensitive    D. Behavioural Sensitive
5. Privileged instructions can be executed by the VMM using what system call? [ A ]
A. TRAP    B. By changing configuration    C. Load    D. Store
6. Which one acts as a unified mediator for hardware access from different VMs? [ C ]
A. VM    B. Guest OS    C. VMM    D. Host OS
7. In Intel hardware-assisted CPU virtualization, the guest OS runs in which ring? [ A ]
A. Ring 0    B. Ring 1    C. Ring 2    D. Ring 3
8. In a traditional execution environment, the OS maintains a mapping between what using page tables? [ A ]
A. Virtual memory to Machine memory
B. Virtual memory to Physical memory
C. Virtual memory to Virtual memory
D. None
9. To optimize virtual memory performance, x86 CPUs include [ C ]
A. MMU    B. TLB    C. Both a & b    D. None
10. In memory virtualization, which mapping process is maintained by the guest OS? [ B ]
A. One Stage    B. Two Stage    C. Three Stage    D. Many Stage
11. The physical memory addresses are translated to machine addresses using page tables which are defined by whom? [ C ]
A. Guest OS    B. Host OS    C. Hypervisor    D. None
12. Companies that support memory virtualization [ D ]
A. VMware    B. AMD    C. Intel    D. All
13. Which I/O technique emulates well-known real-world devices? [ A ]
A. Full device emulation    B. Para-virtualization    C. Direct I/O    D. None
14. The para-virtualization method of I/O virtualization is used in [ B ]
A. KVM    B. Xen    C. VMware    D. AMD
15. The frontend and backend drivers in para-virtualization of I/O devices run on which domains? [ A ]
A. Domain U and Domain 0    B. Domain 0 and Domain U    C. Ring 0 & Ring 1    D. None
16. The frontend driver manages [ A ]
A. I/O requests of the guest OS    B. Memory requests of the guest OS    C. Real I/O devices    D. None
17. In I/O para-virtualization, multiplexing of I/O data from different VMs is managed by [ B ]
A. Frontend driver    B. Backend driver    C. Block of shared memory    D. VMM
18. Which Intel technology supports the remapping of I/O DMA transfers and device-generated interrupts? [ A ]
A. VT-d    B. VT-x    C. VT-i    D. None

Part - B

Descriptive Type Questions:

1. Explain about hardware support for virtualization.
2. Give the classification of critical instructions and explain how they can be executed by using CPU virtualization.
3. Describe Intel Hardware-Assisted CPU Virtualization.
4. Illustrate two-stage process of memory virtualization.
5. Define shadow page table and how it can be implemented by VMM in memory virtualization?
6. Illustrate the I/O virtualization.
7. Write the classification of I/O virtualization and briefly discuss them.
8. Draw and discuss how the device emulation for I/O can be implemented at middle layer.
9. Discuss the extended page table by Intel for memory virtualization.
