Copyright Notice These slides are distributed under the Creative Commons Attribution 3.0 License ! You are free: • to share — to copy, distribute and transmit the work Virtual Machines • to remix — to adapt the work ! Under the following conditions: • Attribution. You must attribute the work (but not in any way that suggests that the author endorses you or your use of the work) as follows: • “Courtesy of Gernot Heiser, UNSW” COMP9242 2009/S2 Week 6 ! The complete license text can be found at http:// creativecommons.org/licenses/by/3.0/legalcode ©2009 Gernot Heiser UNSW/NICTA. Distributed under Creative Commons Attribution License ©2009 Gernot Heiser UNSW/NICTA. Distributed under Creative Commons Attribution License 2 Virtual Machines Virtual Machines, Simulators and Emulators ! “A virtual machine (VM) is an efficient, isolated duplicate of a real machine” Simulator ! Duplicate: VM should behave identically to the real machine !" Provides a functionally accurate software model of a machine • Programs cannot distinguish between execution on real or virtual hardware " "# ""May run on any hardware • Except for: !" Is typically slow (order of 1000 slowdown) ! Fewer resources available (and potentially different between executions) Emulator ! Some timing differences (when dealing with devices) ! Isolated: Several VMs execute without interfering with each other !" Provides a behavioural model of hardware (and possibly S/W) ! Efficient: VM should execute at a speed close to that of real hardware " !" Not fully accurate • Requires that most instruction are executed directly by real hardware "" " Reasonably fast (order of 10 slowdown) Virtual machine !" Models a machine exactly and efficiently "" " Minimal showdown " !" Needs to be run on the physical machine it virtualizes (more or less) ©2009 Gernot Heiser UNSW/NICTA. Distributed under Creative Commons Attribution License 3 ©2009 Gernot Heiser UNSW/NICTA. Distributed under Creative Commons Attribution License 4 Types of Virtual Machines Virtual Machine Monitor (VMM), aka Hypervisor ! Contemporary use of the term VM is more general ! Program that runs on real hardware to implement the virtual machine ! Call virtual machines even if there is nor correspondence to an existing real ! Controls resources machine • Partitions hardware Guest OS • E.g: Java virtual machine • Schedules guests • Can be viewed as virtualizing at the ABI level • Mediates access to shared resources Hypervisor • Also called process VM ! e.g. console OS ! We only concern ourselves with virtualizing at the ISA level • Performs world switch • ISA = instruction-set architecture (hardware-software interface) ! Implications: Hardware Hardware • Also called system VM • Hypervisor executes in privileged mode • Will later see subclasses of this • Guest software executes in unprivileged mode • Privileged instructions in guest cause a trap into hypervisor • Hypervisor interprets/emulates them • Can have extra instructions for hypercalls ©2009 Gernot Heiser UNSW/NICTA. Distributed under Creative Commons Attribution License 5 ©2009 Gernot Heiser UNSW/NICTA. Distributed under Creative Commons Attribution License 6 Why Virtual Machines? Why Virtual Machines? ! Historically used for easier sharing of expensive mainframes ! Renaissance in recent years for improved isolation • Run several (even different) OSes on same machine ! Server/desktop virtual machines • Each on a subset of physical resources • Improved QoS and security • Can run single-user single-tasked OS in time-sharing system • Uniform view of hardware ! legacy support • Complete encapsulation • “world switch” between VMs VM1 Apps VM2 Apps ! replication VM1 Apps VM2 Apps ! Gone out of fashion in 80’s ! migration • Time-sharing OSes common-place ! • Hardware too cheap to worry... Guest Guest checkpointing Guest Guest OS OS ! debugging OS OS • Different concurrent OSes ! e.g.: Linux and Windows Virt RAM Virt RAM • Total mediation Virt RAM Virt RAM ! Would be mostly unnecessary Hypervisor • if OSes were doing their job... Hypervisor Mem. region Mem. region Mem. region Mem. region RAM RAM ©2009 Gernot Heiser UNSW/NICTA. Distributed under Creative Commons Attribution License 7 ©2009 Gernot Heiser UNSW/NICTA. Distributed under Creative Commons Attribution License 8 Native vs. Hosted VMM VMM Types Native/Classic/Bare-metal/Type-I Hosted/Type-II Classic: as above Guest OS Guest OS Hosted: run on top of another operating system • e.g. VMware Player/Fusion Hypervisor Hypervisor Whole-system: Virtual hardware and operating system • Really an emulation • E.g. Virtual PC (for Macintosh) Host OS Hardware Physically partitioned: allocate actual processors to each VM Logically partitioned: time-share processors between VMs Hardware Co-designed: hardware specifically designed for VMM ! Hosted VMM can run besides native apps • E.g. Transmeta Crusoe, IBM i-Series • Sandbox untrusted apps • Run second OS Pseudo: no enforcement of partitioning • Less efficient: • Guests at same privilege level as hypervisor ! Guest privileged instruction traps into OS, forwarded to hypervisor • Really abuse of term “virtualization” ! Return to guest requires a native OS system call • e.g. products with “optional isolation” • Convenient for running alternative OS environment on desktop ©2009 Gernot Heiser UNSW/NICTA. Distributed under Creative Commons Attribution License 9 ©2009 Gernot Heiser UNSW/NICTA. Distributed under Creative Commons Attribution License 10 Virtualization Mechanics Virtualization Mechanics: Address Translation ! Traditional “trap and emulate” approach: Application (Virtual) guest • guest attempts to access physical resource page table ld r0, adr Guest • hardware raises exception (trap), invoking hypervisor's exception handler virtual address • hypervisor emulates result, based on access to virtual resource Shadow page table Hypervisor mirrors guest's ! Most instructions do not trap Virt PT ptr page table updates • makes efficient virtualization possible • requires that VM ISA is (almost) same as physical processor ISA Hypervisor's Guest guest memory Guest OS physical map address PT ptr Guest VMM ld r0, curr_thrd Exception Hypervisor ld r1, (r0,ASID)! lda r1, vm_reg_ctxt Physical mv CPU_ASID, r1 ld r2, (r1,ofs_r0)! address l s d sp, (r1,kern_stk)! to r2, (r1,ofs_ASID)! dat a ©2009 Gernot Heiser UNSW/NICTA. Distributed under Creative Commons Attribution License 11 ©2009 Gernot Heiser UNSW/NICTA. Distributed under Creative Commons Attribution License 12 Requirements for Virtualization Trap-and-Emulate Requirements Definitions: ! ! Privileged instruction: executes in privileged mode, traps in user mode An architecture is virtualizable if all sensitive instructions are privileged • Note: trap is required, NO-OP is insufficient! ! Can then achieve accurate, efficient guest execution ! Privileged state: determines resource allocation • by simply running guest binary on hypervisor • Includes privilege mode, addressing context, exception vectors, … ! VMM controls resources ! Sensitive instruction: control-sensitive or behaviour-sensitive ! Virtualized execution is indistinguishable from native, except: • control sensitive: changes privileged state • Resources more limited (running on smaller machine) • behaviour sensitive: exposes privileged state • Timing is different (if there is an observable time source) ! includes instructions which are NO-OPs in user but not privileged mode ! Recursively virtualizable machine: ! Innocuous instruction: not sensitive • VMM can be built without any timing dependence Note: Guest VMM • Some instructions are inherently sensitive ld r0, curr_thrd Exception ! e.g. TLB load ld r1, (r0,ASID)! lda r1, vm_reg_ctxt • Others are sensitive in some context mv CPU_ASID, r1 ld r2, (r1,ofs_r0)! l s ! e.g. store to page table d sp, (r1,kern_stk)! to r2, (r1,ofs_ASID)! ©2009 Gernot Heiser UNSW/NICTA. Distributed under Creative Commons Attribution License 13 ©2009 Gernot Heiser UNSW/NICTA. Distributed under Creative Commons Attribution License 14 Virtualization Overheads Unvirtualizable Architectures ! VMM needs to maintain virtualized privileged machine state ! x86: lots of unvirtualizable features • processor status • e.g. sensitive PUSH of PSW is not privileged • addressing context • segment and interrupt descriptor tables in virtual memory • device state... • segment description expose privileged level ! Itanium: mostly virtualizable, but ! VMM needs to emulate privileged instructions • • translate between virtual and real privileged state interrupt vector table in virtual memory • THASH instruction exposes hardware page tables address • e.g. guest ! real page tables ! MIPS: mostly virtualizable, but ! Virtualization traps are be expensive on modern hardware • kernel registers k0, k1 (needed to save/restore state) user-accessible • can be 100s of cycles (x86) • performance issue with virtualizing KSEG addresses ! Some OS operations involve frequent traps ! ARM: mostly virtualizable, but • STI/CLI for mutual exclusion • some instructions undefined in user mode (banked registers, CPSR) • frequent page table updates during fork()... • PC is a GPR, exception return in MOVS to PC, doesn’t trap • MIPS KSEG address used for physical addressing in kernel ! Most others have problems too ! Recent architecture extensions provide virtualization support hacks ©2009 Gernot Heiser UNSW/NICTA. Distributed under Creative Commons Attribution License 15 ©2009 Gernot Heiser UNSW/NICTA. Distributed under Creative Commons Attribution License 16 Impure Virtualization Binary Translation ! Used