What Is Processor Virtualization Technology?
In computing, many things can be made virtual, and there are various types of virtualization: network, desktop, and application virtualization. There are some challenges involved in the virtualization of modern processors (i.e., those built on x86 architecture), which has led to the development of different types of virtualization technology.
Hardware - or processor, or platform - virtualization is usually meant when people refer to “virtualization.” In hardware virtualization, the hardware of the actual system - or host - is “hidden,” and one or more simulated virtual environments are created in which virtual systems - or guests - can operate.
Virtual Machine Monitors (VMM) or Hypervisors
The software that makes virtualization possible is called the hypervisor. Also known as a Virtual Machine Monitor (VMM), the intermediary manages the resources and requests between the host and guest systems, thereby keeping them separate. A hypervisor is either bare-metal, where it's installed directly on the hardware (i.e., where the host OS usually sits), or it's hosted, in which case it runs from inside the OS.
A bare-metal hypervisor is considered more efficient and robust because it has direct access to physical resources. On the other hand, a hosted hypervisor provides greater flexibility but can reflect lower performance levels because requests to the hardware have a much longer return journey.
Full Virtualization
As the name suggests, full virtualization requires every single aspect of the physical hardware to be reflected in the virtual machine so that any software can run independently and unmodified in the virtual system. It also requires that the virtual computer be completely contained, as if in a bubble. Nothing done within the virtual system can affect anything outside of that bubble and vice versa.
In their 1974 article "Formal Requirements for Virtualizable Third Generation Architectures," Popek and Goldberg outline the conditions required for full virtualization to be considered successful.
IBM first achieved full virtualization in the 1960s: the computer architecture and processors they were using had everything needed to fulfill the requirements laid out by Popek and Goldberg. However, later processors, built using (what is now deemed) industry-standard x86 architecture, have some limitations, which mean they do not fulfill those requirements.
The fundamental difference between those IBM systems and x86 is the ability to “trap and emulate” privileged instructions.
Trap and Emulate
Privileged instructions are those that have the potential to affect the proper functioning of the OS. Non-privileged instructions require no specific permissions and can be successfully executed by user-level applications. Control-sensitive instructions change the processor privilege level, and behavior-sensitive instructions are those whose behavior depends on the privilege level in which they are executed.
When a program or application executes a privileged instruction without the correct privilege level, the processor traps it, stopping it from going any further and raising a flag. In a virtualized system, the hypervisor sees this flag and emulates the instruction so that the process completes and the guest system keeps running smoothly.
In x86 architecture, the trap and emulate process does not work, for several reasons. This is the main reason it was long considered impossible to virtualize processors built in this way.
Challenges in Virtualizing x86 processors
x86 architecture is organized into 4 rings of decreasing privilege, and the Operating System is designed to sit directly on the hardware, where it has full control over the physical resources. This is within Ring 0, the highest privilege level: it is the only ring in which privileged instructions can be executed. User-level applications occupy Ring 3, which is furthest away from the hardware and offers the lowest privilege level.
Remember, the VMM can either be bare-metal (i.e., occupying Ring 0) or hosted within the software (Ring 3). The virtual system itself is a user application and, therefore, will always be in Ring 3.
The structure of x86 architecture makes virtualization difficult in the following ways:
- If the VMM is in Ring 3, it won't have the necessary permission to execute any privileged instructions needed by the virtual system.
- If the VMM is in Ring 1 (because the host OS is in Ring 0), any privileged instruction will bypass it.
- Sensitive instructions can be privileged or non-privileged but, in a virtual system, can only be executed from Ring 3. This can cause instructions to fail and/or produce different results than if they were executed from Ring 0.
- Not all sensitive instructions are privileged, which means they will not automatically be trapped or intercepted by the VMM, regardless of which Ring it occupies.
- Similarly, not all sensitive instructions can be virtualized properly, so even if they could be trapped, it might not be possible to emulate them.
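The following is an added example, not code from the original article: a toy model of the trap-and-emulate rule from the section above and of the challenge list just given. The instruction table is constructed for illustration (the mnemonics are real x86 ones; CLI and HLT trap outside Ring 0, while POPF and SMSW are sensitive but do not), and the CPU state and helper names are assumptions made for the model.

```python
# Toy model of trap-and-emulate on a ring-based CPU (constructed example).
from dataclasses import dataclass, field

# privileged: the CPU traps when the instruction runs outside Ring 0.
# sensitive: the instruction reads or changes machine state a guest must not
# touch directly. POPF and SMSW are the classic x86 offenders: sensitive, but
# they execute in Ring 3 without trapping.
ISA = {
    "cli":  dict(privileged=True,  sensitive=True),
    "hlt":  dict(privileged=True,  sensitive=True),
    "popf": dict(privileged=False, sensitive=True),
    "smsw": dict(privileged=False, sensitive=True),
    "add":  dict(privileged=False, sensitive=False),
}

def popek_goldberg_violations(isa):
    """Popek & Goldberg's condition: every sensitive instruction must also be
    privileged, so that a VMM in Ring 0 sees it trap. Returns the offenders."""
    return sorted(n for n, f in isa.items() if f["sensitive"] and not f["privileged"])

@dataclass
class CPU:
    ring: int                    # ring the guest code runs in (3 on classic x86)
    host_if: int = 1             # real interrupt flag, owned by the host
    shadow_if: int = 1           # VMM's copy of the guest's interrupt flag
    guest_believes_if: int = 1   # what the guest thinks its interrupt flag is
    emulated: list = field(default_factory=list)   # instructions the VMM handled

    def execute(self, instr):
        f = ISA[instr]
        if f["privileged"] and self.ring != 0:
            # Trap: the VMM emulates on shadow state; host state stays untouched.
            self.emulated.append(instr)
            if instr == "cli":
                self.shadow_if = self.guest_believes_if = 0
            return "trapped and emulated"
        if instr == "popf" and self.ring != 0:
            # Real x86: Ring 3 POPF silently ignores the IF bit. No trap occurs,
            # so the VMM never learns the guest meant to disable interrupts.
            self.guest_believes_if = 0
            return "silently ignored (no trap)"
        if instr == "smsw" and self.ring != 0:
            return "leaks host CR0 (no trap)"   # guest reads the real host state
        if instr == "cli":
            self.host_if = 0                    # only reachable in Ring 0
        return "executed directly"

def run_guest(program, ring=3):
    """Run a guest program; report per-instruction outcomes and whether the
    guest's view of IF still agrees with the VMM's shadow copy."""
    cpu = CPU(ring=ring)
    log = [(i, cpu.execute(i)) for i in program]
    return log, cpu.shadow_if == cpu.guest_believes_if
```

Running `run_guest(["popf"])` shows the divergence that binary translation and hardware assistance were invented to close: the guest believes interrupts are off, but no trap reached the VMM.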
These challenges were successfully overcome in 1998 by the software company VMware. They achieved full virtualization of the x86 processor through a combination of Binary Translation and direct execution.
Binary Translation
As mentioned above, some sensitive instructions within the x86 architecture cannot be effectively virtualized. This is because all instructions are written in binary code. So VMware developed a way of translating all the instructions from the guest OS from binary code into a different computer “language.” They called this Binary Translation.
Because the instructions have been translated, it doesn't matter whether they were previously classified as privileged, non-privileged, or sensitive. Instead, all instructions from the guest OS go directly to the VMM. Therefore, the VMM has to sit in Ring 0 to execute all instructions from the guest OS.
The guest OS is not itself modified and remains unaware of being virtualized. Instead, it occupies Ring 1, which allows it a higher privilege level than user applications running within the virtual OS. All other user applications remain in Ring 3 and can send their non-privileged instructions directly to the host system. VMware calls this direct execution.
Hardware-Assisted Virtualization
Intel and AMD developed this technique, and processors including the extra features (named Intel VT and AMD-V, respectively) have been available on the market since 2006. In this method, the difficulties involved with successfully executing privileged and sensitive instructions are overcome by adding extra features built into the actual hardware of the host system. For example, in hardware-assisted virtualization, the CPU is designed with an additional execution layer below Ring 0.
The guest OS sits within Ring 0, and the VMM sits below this in Root Mode Privilege Level. All privileged and sensitive instructions now go directly to the VMM. They are automatically trapped and, where necessary, emulated in this new layer, which removes the need for any binary translation. Requests and instructions from user applications in Ring 3 still go directly to the host system hardware.
Hardware-Assisted Virtualization can match performance levels of Binary Translation for the most part, but it does include a very rigid programming model that is not easily amended. Thus, any instances where performance does fall behind can only improve with time and advances in technology.
Paravirtualization
In paravirtualization, also known as OS-assisted virtualization, the guest OS is modified in a way that replaces its non-virtualizable privileged instructions with hypercalls that go directly to the hypervisor. Communication between guest OS and hypervisor also allows for the relocation of complex tasks to the host system, where they can be completed more quickly than in the virtual system.
While this improves performance and efficiency, paravirtualization cannot be considered full virtualization because the guest OS cannot run unmodified, is aware that it is virtualized, and can communicate with both the hypervisor and other guest systems.
Paravirtualization is available on Linux but is not compatible with Windows.
Virtualization Technology: A Recap
- Full virtualization requires the guest OS to run unmodified and entirely separate from the host system. This was achieved in the 1960s by IBM in various ways but was considered impossible to recreate on modern x86 processors for many years.
- VMware first achieved virtualization of the x86 platform in 1998 through Binary Translation, which completely re-codes all privileged and sensitive instructions from the guest OS.
- Intel and AMD developed hardware enhancements for their processors, available since 2006, which allow the guest OS to stay in the highest privilege level, Ring 0, by adding an extra level below this for the VMM. All sensitive and privileged instructions are automatically directed here, so there is no need for Binary Translation.
- Paravirtualization, or OS-assisted virtualization, is not the same as full virtualization. The guest OS is aware that it's virtualized and communicates directly with the hypervisor, receiving sensitive and privileged instructions as hypercalls. Therefore, this type of virtualization is not compatible with most operating systems.