X86 virtualization
Encyclopedia
In computing
, x86 virtualization is the facility that allows multiple operating system
s to simultaneously share x86 processor resources in a safe and efficient manner, a facility generically known as hardware virtualization
. In the late 1990s x86 virtualization was achieved by complex software techniques which overcame the processor's lack of virtualization support and attained reasonable performance. In the mid 2000s, both Intel and AMD added hardware support to their processors making virtualization software simpler, and later hardware changes provided substantial speed improvements.
of the x86 architecture.
In protected mode the operating system runs at a higher privilege such as ring
0, and applications at a lower privilege such as ring 3. Similarly, a host OS must control the processor while the guest OS' are prevented from direct access to the hardware. One approach used in x86 software-based virtualization is called ring deprivileging, which involves running the guest OS at a ring higher than 0.
Three techniques made virtualization of protected mode possible:
These techniques incur some performance overhead due to lack of MMU virtualization support, as compared to a VM running on a natively virtualizable architecture such as the IBM System/370
.
On traditional mainframes, the classic type 1 hypervisor was self-standing and did not depend on any operating system or run any user applications itself. In contrast, the first x86 virtualization products were aimed at workstation computers, and ran a guest OS inside a host OS by embedding the hypervisor in a kernel module that ran under the host OS (type 2 hypervisor).
There has been some controversy whether the x86 architecture with no hardware assistance is virtualizable as described by Popek and Goldberg
. VMware
researchers pointed out in a 2006 ASPLOS paper that the above techniques made the x86 platform virtualizable in the sense of meeting the three criteria of Popek and Goldberg, albeit not by the classic trap-and-emulate technique. However, as of 2009 some academics claimed that it is not.
A different route was taken by other systems like Denali
, L4
, and Xen, known as paravirtualization
, which involves porting operating systems to run on the resulting virtual machine, which does not implement the parts of the actual x86 instruction set that are hard to virtualize. The paravirtualized I/O has significant performance benefits as demonstrated in the original SOSP'03 Xen paper.
(AMD64) did not allow for a software-only full virtualization due to the lack of segmentation support in long mode
, which made the protection of the hypervisor's memory impossible, in particular, the protection of the trap handler that runs in the guest kernel address space. Revision D and later 64-bit AMD processors (as a rule of thumb, those manufactured in 90 nm or less) added basic support for segmentation in long mode, making it possible to run 64-bit guests in 64-bit hosts via binary translation. Intel did not add segmentation support to its x86-64 implementation (Intel 64), making 64-bit software-only virtualization impossible on Intel CPUs, but Intel VT-x support makes 64-bit hardware assisted virtualization possible on the Intel platform.
On some platforms, it is possible to run a 64-bit guest on a 32-bit host OS if the underlying processor is 64-bit and supports the necessary virtualization extensions.
AMD developed its first generation virtualization extensions under the code name "Pacifica", and initially published them as AMD Secure Virtual Machine (SVM), but later marketed them under the trademark AMD Virtualization, abbreviated AMD-V.
On May 23, 2006, AMD released the Athlon 64 ("Orleans"), the Athlon 64 X2 ("Windsor") and the Athlon 64 FX ("Windsor") as the first AMD processors to support this technology.
AMD-V capability also features on the Athlon 64
and Athlon 64 X2
family of processors with revisions "F" or "G" on socket AM2
, Turion 64 X2, and Opteron
2nd generation
and 3rd-generation,
Phenom
and Phenom II
processors. The APU
Fusion
processors support AMD-V. AMD-V is not supported by any Socket 939 processors. The only Sempron processors
which support it are Huron and Sargas.
AMD Opteron CPUs beginning with the Family 0x10 Barcelona line, and Phenom II CPUs, support a second generation hardware virtualization technology called Rapid Virtualization Indexing
(formerly known as Nested Page Tables during its development), later adopted by Intel as Extended Page Table
s (EPT).
(The CPU flag for AMD-V is "svm". This may be checked in Linux
via
Previously codenamed "Vanderpool", VT-x represents Intel's technology for virtualization on the x86 platform.
On November 13, 2005, Intel released two models of Pentium 4 (Model 662 and 672) as the first Intel processors to support VT-x
not all Intel processors supported VT-x, which Intel uses to segment its market
. Support for VT-x may even vary between different versions (as identified by Intel's sSpec Number) of the same model number.
For a complete and up-to-date list see the Intel website.
Even in May, 2011, the Intel CPU P6100 which is in laptops does not support hardware virtualization http://ark.intel.com/Product.aspx?id=50175.
With some motherboards, Intel's VT-x feature must be enabled in the BIOS
before applications can make use of it.
Intel started to include Extended Page Table
s (EPT),
a technology for page-table virtualization,
since the Nehalem architecture.
(The CPU flag for VT-x is "vmx". This may be checked in Linux
via
. Typically these features must be enabled by the BIOS, which must be able to support them and also be set to use them.
s to directly use peripheral
devices, such as Ethernet, accelerated graphics cards, and hard-drive controllers, through DMA
and interrupt
remapping. This is sometimes called PCI passthrough.
Both AMD and Intel have released specifications:
Address Translation Services (ATS): this supports native IOV across PCI-E via address translation. It requires support for new transactions to configure such translations.
Single Root IOV
(SR-IOV): this supports native IOV in existing single root complex PCI-E topologies. It requires support for new device capabilities to configure multiple virtualized configuration spaces.
Multi-Root IOV (MR-IOV): this supports native IOV in new topologies (e.g., blade servers) by building on SR-IOV to provide multiple root complexes which share a common PCI-E hierarchy.
In SR-IOV, the most common of these, a host VMM configures supported devices to create and allocate virtual "shadows" of their configuration spaces so that virtual machine guests can directly configure and access such "shadow" device resources.
Computing
Computing is usually defined as the activity of using and improving computer hardware and software. It is the computer-specific part of information technology...
, x86 virtualization is the facility that allows multiple operating system
Operating system
An operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...
s to simultaneously share x86 processor resources in a safe and efficient manner, a facility generically known as hardware virtualization
Hardware virtualization
Computer hardware virtualization is the virtualization of computers or operating systems. It hides the physical characteristics of a computing platform from users, instead showing another abstract computing platform...
. In the late 1990s x86 virtualization was achieved by complex software techniques which overcame the processor's lack of virtualization support and attained reasonable performance. In the mid 2000s, both Intel and AMD added hardware support to their processors making virtualization software simpler, and later hardware changes provided substantial speed improvements.
Software-based virtualization
The following discussion focuses only on virtualization of protected modeProtected mode
In computing, protected mode, also called protected virtual address mode, is an operational mode of x86-compatible central processing units...
of the x86 architecture.
In protected mode the operating system runs at a higher privilege such as ring
Ring (computer security)
In computer science, hierarchical protection domains, often called protection rings, are a mechanism to protect data and functionality from faults and malicious behaviour . This approach is diametrically opposite to that of capability-based security.Computer operating systems provide different...
0, and applications at a lower privilege such as ring 3. Similarly, a host OS must control the processor while the guest OS' are prevented from direct access to the hardware. One approach used in x86 software-based virtualization is called ring deprivileging, which involves running the guest OS at a ring higher than 0.
Three techniques made virtualization of protected mode possible:
- Binary translationBinary translationIn computing, binary translation is the emulation of one instruction set by another through translation of code. Sequences of instructions are translated from the source to the target instruction set...
is used to rewrite in terms of ring 3 instructions certain ring 0 instructions, such as POPF, that would otherwise fail silently or behave differently when executed above ring 0, making the classic trap-and-emulate virtualization impossible. To improve performance, the translated basic blockBasic blockIn computing, a basic block is a portion of the code within a program with certain desirable properties that make it highly amenable to analysis. Compilers usually decompose programs into their basic blocks as a first step in the analysis process...
s need to be cached in a coherent way that detects code patching (used in VxDVxDVxD is the device driver model used in Microsoft Windows/386, the 386 enhanced mode of Windows 3.x, Windows 9x, and to some extend also by the Novell DOS 7, OpenDOS 7.01, and DR-DOS 7.02 multitasker...
s for instance), the reuse of pages by the guest OS, or even self-modifying code. - A number of key data structures used by a processor need to be shadowedShadow memoryShadow memory describes a computer science technique in which potentially every byte used by a program during its execution has a shadow byte or bytes. These shadow bytes are typically invisible to the original program and are used to record information about the original piece of data...
. Because most operating systems use paged virtual memory, and granting the guest OS direct access to the MMUMemory management unitA memory management unit , sometimes called paged memory management unit , is a computer hardware component responsible for handling accesses to memory requested by the CPU...
would mean loss of control by the virtualization managerHypervisorIn computing, a hypervisor, also called virtual machine manager , is one of many hardware virtualization techniques that allow multiple operating systems, termed guests, to run concurrently on a host computer. It is so named because it is conceptually one level higher than a supervisory program...
, some of the work of the x86 MMU needs to be duplicated in software for the guest OS using a technique known as shadow page tables. This involves denying the guest OS any access to the actual page table entries by trapping access attempts and emulating them instead in software. The x86 architecture uses hidden state to store segment descriptors in the processor, so once the segment descriptors have been loaded into the processor, the memory from which they have been loaded may be overwritten and there is no way to get the descriptors back from the processor. Shadow descriptor tables must therefore be used to track changes made to the descriptor tables by the guest OS. - I/O device emulation: Unsupported devices on the guest OS must be emulated by a device emulatorEmulatorIn computing, an emulator is hardware or software or both that duplicates the functions of a first computer system in a different second computer system, so that the behavior of the second system closely resembles the behavior of the first system...
that runs in the host OS.
These techniques incur some performance overhead due to lack of MMU virtualization support, as compared to a VM running on a natively virtualizable architecture such as the IBM System/370
System/370
The IBM System/370 was a model range of IBM mainframes announced on June 30, 1970 as the successors to the System/360 family. The series maintained backward compatibility with the S/360, allowing an easy migration path for customers; this, plus improved performance, were the dominant themes of the...
.
On traditional mainframes, the classic type 1 hypervisor was self-standing and did not depend on any operating system or run any user applications itself. In contrast, the first x86 virtualization products were aimed at workstation computers, and ran a guest OS inside a host OS by embedding the hypervisor in a kernel module that ran under the host OS (type 2 hypervisor).
There has been some controversy whether the x86 architecture with no hardware assistance is virtualizable as described by Popek and Goldberg
Popek and Goldberg virtualization requirements
The Popek and Goldberg virtualization requirements are a set of conditions sufficient for a computer architecture to support system virtualization efficiently. They were introduced by Gerald J. Popek and Robert P. Goldberg in their 1974 article "Formal Requirements for Virtualizable Third...
. VMware
VMware
VMware, Inc. is a company providing virtualization software founded in 1998 and based in Palo Alto, California, USA. The company was acquired by EMC Corporation in 2004, and operates as a separate software subsidiary ....
researchers pointed out in a 2006 ASPLOS paper that the above techniques made the x86 platform virtualizable in the sense of meeting the three criteria of Popek and Goldberg, albeit not by the classic trap-and-emulate technique. However, as of 2009 some academics claimed that it is not.
A different route was taken by other systems like Denali
Denali (operating system)
The Denali operating system is "an IA-32 virtual machine monitor, that allows for untrusted services to be run in isolated domains."...
, L4
L4 microkernel family
L4 is a family of second-generation microkernels, generally used to implement Unix-like operating systems, but also used in a variety of other systems.L4 was a response to the poor performance of earlier microkernel-base operating systems...
, and Xen, known as paravirtualization
Paravirtualization
In computing, paravirtualization is a virtualization technique that presents a software interface to virtual machines that is similar but not identical to that of the underlying hardware....
, which involves porting operating systems to run on the resulting virtual machine, which does not implement the parts of the actual x86 instruction set that are hard to virtualize. The paravirtualized I/O has significant performance benefits as demonstrated in the original SOSP'03 Xen paper.
64-bit
To protect the memory of the hypervisor (ring 0) from a guest OS running at ring 1, segmentation must be used. The initial version of x86-64X86-64
x86-64 is an extension of the x86 instruction set. It supports vastly larger virtual and physical address spaces than are possible on x86, thereby allowing programmers to conveniently work with much larger data sets. x86-64 also provides 64-bit general purpose registers and numerous other...
(AMD64) did not allow for a software-only full virtualization due to the lack of segmentation support in long mode
Long mode
In the x86-64 computer architecture, long mode is the mode where a 64-bit application can access 64-bit instructions and registers...
, which made the protection of the hypervisor's memory impossible, in particular, the protection of the trap handler that runs in the guest kernel address space. Revision D and later 64-bit AMD processors (as a rule of thumb, those manufactured in 90 nm or less) added basic support for segmentation in long mode, making it possible to run 64-bit guests in 64-bit hosts via binary translation. Intel did not add segmentation support to its x86-64 implementation (Intel 64), making 64-bit software-only virtualization impossible on Intel CPUs, but Intel VT-x support makes 64-bit hardware assisted virtualization possible on the Intel platform.
On some platforms, it is possible to run a 64-bit guest on a 32-bit host OS if the underlying processor is 64-bit and supports the necessary virtualization extensions.
Hardware assist
In 2005 and 2006, Intel and AMD (working independently) created new processor extensions to the x86 architecture. The first generation of x86 hardware support for virtualization addressed the issue of privileged instructions, with support for MMU virtualization added to the Chipset later.AMD virtualization (AMD-V)
On May 23, 2006, AMD released the Athlon 64 ("Orleans"), the Athlon 64 X2 ("Windsor") and the Athlon 64 FX ("Windsor") as the first AMD processors to support this technology.
AMD-V capability also features on the Athlon 64
Athlon 64
The Athlon 64 is an eighth-generation, AMD64-architecture microprocessor produced by AMD, released on September 23, 2003. It is the third processor to bear the name Athlon, and the immediate successor to the Athlon XP...
and Athlon 64 X2
Athlon 64 X2
The Athlon 64 X2 is the first dual-core desktop CPU designed by AMD. It was designed from scratch as native dual-core by using an already multi-CPU enabled Athlon 64, joining it with another functional core on one die, and connecting both via a shared dual-channel memory controller/north bridge and...
family of processors with revisions "F" or "G" on socket AM2
Socket AM2
The Socket AM2, renamed from Socket M2 , is a CPU socket designed by AMD for desktop processors, including the performance, mainstream and value segments...
, Turion 64 X2, and Opteron
Opteron
Opteron is AMD's x86 server and workstation processor line, and was the first processor which supported the AMD64 instruction set architecture . It was released on April 22, 2003 with the SledgeHammer core and was intended to compete in the server and workstation markets, particularly in the same...
2nd generation
and 3rd-generation,
Phenom
Phenom (processor)
Phenom is the 64-bit AMD desktop processor line based on the K10 microarchitecture, in what AMD calls family 10h processors, sometimes incorrectly called "K10h". Triple-core versions belong to the Phenom 8000 series and quad cores to the AMD Phenom X4 9000 series...
and Phenom II
Phenom II
Phenom II is a family of AMD's multi-core 45 nm processors using the AMD K10 microarchitecture, succeeding the original Phenom. Advanced Micro Devices released the Socket AM2+ version of Phenom II in December 2008, while Socket AM3 versions with DDR3 support, along with an initial batch of...
processors. The APU
Accelerated processing unit
An accelerated processing unit is a processing system that includes additional processing capability designed to accelerate one or more types of computations outside of a CPU. This may include a graphics processing unit used for general-purpose computing , a field-programmable gate array , or...
Fusion
AMD Fusion
AMD Fusion is the marketing name for a series of APUs by AMD. There are two flavors of Fusion currently available, one with its CPU logic based on the Bobcat core and the other its CPU logic based on the 10h core. In both cases the GPU logic is HD6xxx, which itself is based on the mobile variant of...
processors support AMD-V. AMD-V is not supported by any Socket 939 processors. The only Sempron processors
Sempron
Sempron has been the marketing name used by AMD for several different budget desktop CPUs, using several different technologies and CPU socket formats. The Sempron replaced the AMD Duron processor and competes against Intel's Celeron series of processors...
which support it are Huron and Sargas.
AMD Opteron CPUs beginning with the Family 0x10 Barcelona line, and Phenom II CPUs, support a second generation hardware virtualization technology called Rapid Virtualization Indexing
Rapid Virtualization Indexing
Rapid Virtualization Indexing is an AMD second generation hardware-assisted virtualization technology for the processor memory management unit ....
(formerly known as Nested Page Tables during its development), later adopted by Intel as Extended Page Table
Extended Page Table
Extended Page Tables is an Intel second generation x86 virtualization technology for the memory management unit . When this feature is active, the ordinary IA-32 page tables translate from linear addresses to guest-physical addresses...
s (EPT).
(The CPU flag for AMD-V is "svm". This may be checked in Linux
Linux
Linux is a Unix-like computer operating system assembled under the model of free and open source software development and distribution. The defining component of any Linux system is the Linux kernel, an operating system kernel first released October 5, 1991 by Linus Torvalds...
via
/proc/cpuinfo.)Intel virtualization (VT-x)
On November 13, 2005, Intel released two models of Pentium 4 (Model 662 and 672) as the first Intel processors to support VT-x
not all Intel processors supported VT-x, which Intel uses to segment its market
Market segment
Market segmentation is a concept in economics and marketing. A market segment is a sub-set of a market made up of people or organizations with one or more characteristics that cause them to demand similar product and/or services based on qualities of those products such as price or function...
. Support for VT-x may even vary between different versions (as identified by Intel's sSpec Number) of the same model number.
For a complete and up-to-date list see the Intel website.
Even in May, 2011, the Intel CPU P6100 which is in laptops does not support hardware virtualization http://ark.intel.com/Product.aspx?id=50175.
With some motherboards, Intel's VT-x feature must be enabled in the BIOS
BIOS
In IBM PC compatible computers, the basic input/output system , also known as the System BIOS or ROM BIOS , is a de facto standard defining a firmware interface....
before applications can make use of it.
Intel started to include Extended Page Table
Extended Page Table
Extended Page Tables is an Intel second generation x86 virtualization technology for the memory management unit . When this feature is active, the ordinary IA-32 page tables translate from linear addresses to guest-physical addresses...
s (EPT),
a technology for page-table virtualization,
since the Nehalem architecture.
(The CPU flag for VT-x is "vmx". This may be checked in Linux
Linux
Linux is a Unix-like computer operating system assembled under the model of free and open source software development and distribution. The defining component of any Linux system is the Linux kernel, an operating system kernel first released October 5, 1991 by Linus Torvalds...
via
/proc/cpuinfo.)Chipset
Memory and I/O virtualization is performed by the chipsetChipset
A chipset, PC chipset, or chip set refers to a group of integrated circuits, or chips, that are designed to work together. They are usually marketed as a single product.- Computers :...
. Typically these features must be enabled by the BIOS, which must be able to support them and also be set to use them.
I/O MMU virtualization (AMD-Vi and VT-d)
An input/output memory management unit (IOMMU) enables guest virtual machineVirtual machine
A virtual machine is a "completely isolated guest operating system installation within a normal host operating system". Modern virtual machines are implemented with either software emulation or hardware virtualization or both together.-VM Definitions:A virtual machine is a software...
s to directly use peripheral
Peripheral
A peripheral is a device attached to a host computer, but not part of it, and is more or less dependent on the host. It expands the host's capabilities, but does not form part of the core computer architecture....
devices, such as Ethernet, accelerated graphics cards, and hard-drive controllers, through DMA
Direct memory access
Direct memory access is a feature of modern computers that allows certain hardware subsystems within the computer to access system memory independently of the central processing unit ....
and interrupt
Interrupt
In computing, an interrupt is an asynchronous signal indicating the need for attention or a synchronous event in software indicating the need for a change in execution....
remapping. This is sometimes called PCI passthrough.
Both AMD and Intel have released specifications:
- AMD's I/O Virtualization Technology, "AMD-Vi", originally called "IOMMU".
- Intel's "Virtualization Technology for Directed I/O" (VT-d).
PCI-SIG I/O Virtualization (IOV)
PCI-SIG I/O Virtualization (IOV) are a set of general (non-x86 specific) PCI Express (PCI-E) based native hardware I/O virtualization methods standardized by PCI-SIG:Address Translation Services (ATS): this supports native IOV across PCI-E via address translation. It requires support for new transactions to configure such translations.
Single Root IOV
Single Root IOV
Single Root IOV is a virtualization technology defined and developed by PCI-SIG. Some of the contributors to the specification are Intel, IBM, HP, DELL. The industry recognized the problems of earlier to SR-IOV virutalization architectures and developing new devices that are natively shareable...
(SR-IOV): this supports native IOV in existing single root complex PCI-E topologies. It requires support for new device capabilities to configure multiple virtualized configuration spaces.
Multi-Root IOV (MR-IOV): this supports native IOV in new topologies (e.g., blade servers) by building on SR-IOV to provide multiple root complexes which share a common PCI-E hierarchy.
In SR-IOV, the most common of these, a host VMM configures supported devices to create and allocate virtual "shadows" of their configuration spaces so that virtual machine guests can directly configure and access such "shadow" device resources.
See also
- Timeline of virtualization development
- Virtual machineVirtual machineA virtual machine is a "completely isolated guest operating system installation within a normal host operating system". Modern virtual machines are implemented with either software emulation or hardware virtualization or both together.-VM Definitions:A virtual machine is a software...
- Comparison of platform virtual machines
- Comparison of application virtual machinesComparison of Application Virtual MachinesThis article lists some software virtual machines that are typically used for allowing application bytecode to be portably run on many different computer architectures and operating systems. The application is usually run on the computer using an interpreter or just-in-time compilation...
- Hardware-assisted virtualization
- Network virtualizationNetwork virtualizationIn computing, Network Virtualization is the process of combining hardware and software network resources and network functionality into a single, software-based administrative entity, a virtual network...
- I/O virtualizationI/O virtualizationInput/output virtualization is a methodology to simplify management, lower costs and improve performance of servers in enterprise environments...
- Single Root IOVSingle Root IOVSingle Root IOV is a virtualization technology defined and developed by PCI-SIG. Some of the contributors to the specification are Intel, IBM, HP, DELL. The industry recognized the problems of earlier to SR-IOV virutalization architectures and developing new devices that are natively shareable...
- Operating system-level virtualizationOperating system-level virtualizationOperating system-level virtualization is a server virtualization method where the kernel of an operating system allows for multiple isolated user-space instances, instead of just one. Such instances may look and feel like a real server, from the point of view of its owner...