module3virtualization

The document provides an overview of virtualization, including key terms such as Virtual Machine (VM) and hypervisor, and outlines the requirements and benefits of virtualization. It discusses different virtualization architectures, including process and system virtualization, and the roles of hypervisors in managing resources. Additionally, it covers various hypervisor implementation approaches, challenges in virtualization, and techniques for memory and I/O virtualization.

Uploaded by

Yash Rahane
Copyright
© All Rights Reserved

Some Important Terms

• Virtual Machine (VM): An instance of an operating system running on a virtualized system. Also known as a virtual or guest OS.
• Hypervisor: The underlying virtualization system sitting between the guest OSes and the hardware. Also known as a Virtual Machine Monitor (VMM).
Requirements of a VMM
Developed by Popek & Goldberg in 1974:
1. Provides environment identical to underlying hardware.
2. Most of the instructions coming from the guest OS are executed by the hardware without being modified by the VMM.
3. Resource management is handled by the VMM (this covers all non-CPU hardware such as memory and peripherals).
Introduction
• Virtualization: Providing an interface to software that maps to some underlying system.
• A one-to-one mapping between a guest and the host on which it runs
• Virtualized system should be an “efficient, isolated duplicate” of the real one.
• Process virtual machine just supports a process; system virtual machine supports an entire system.
Why Virtualize?
• Reasons for Virtualization
  • Hardware Economy
  • Versatility
  • Environment Specialization
  • Security
  • Safe Kernel Development
  • OS Research
Benefits of Virtualization
• Sharing of resources helps cost reduction
• Isolation: Virtual machines are isolated from each other as if they are physically separated
• Encapsulation: Virtual machines encapsulate a complete computing environment
• Hardware Independence: Virtual machines run independently of underlying hardware
• Portability: Virtual machines can be migrated between different hosts.
Virtualization Architecture
• A Virtual machine (VM) is an isolated runtime environment (guest OS and applications)
• Multiple virtual systems (VMs) can run on a single physical system
[Figure: Virtual Server 1 and Virtual Server 2, each with an operating system and multiple software applications, on top of the hypervisor, on top of the hardware (CPU, memory, NIC, disk).]
• Can run multiple OS simultaneously.
• Each OS can have different hardware configuration.
• Efficient utilization of hardware resources.
• Each virtual machine is independent.
• Save electricity, initial cost to buy servers, space etc.
• Easy to manage and monitor virtual machines centrally.
Process Virtualization
• VM interfaces with single process
• Application sees “virtual machine” as address space, registers, and instruction set.
• Examples:
  • Multiprogramming
  • Emulation for binaries
  • High-level language VMMs (e.g., JVM)
[Figure: layers from top to bottom: Application, Virtualization Layer, OS, Hardware.]
System Virtualization
[Figure: two layer stacks. Classical Virtualization/Native Bare Metal: Application, OS, Virtualization Layer, Hardware. Hosted Virtualization/Emulation: Application, OS, Virtualization Layer, OS, Hardware.]
UNF University of NORTH FLORIDA
Hypervisor implementation approaches
Bare metal Approach
• Type I Hypervisor.
• Runs directly on the system hardware.
• May require hardware assisted virtualization technology support by the CPU.
• Limited set of hardware drivers provided by the hypervisor vendor.
• E.g.: Xen, VMWare ESXi
[Figure: layers from top to bottom: VMs, Hypervisor (with kernel driver), Hardware.]
Type 2
Hypervisor implementation approaches
Hosted Approach
• Type II Hypervisor.
• Runs virtual machines on top of a host OS (Windows, Unix etc.)
• Relies on host OS for physical resource management.
• Host operating system provides drivers for communicating with the server hardware.
• E.g.: VirtualBox
[Figure: layers from top to bottom: VMs and Applications, Hypervisor, Host Operating System, Hardware.]
System Virtualization
• Interfaces with operating system
• OS sees VM as an actual machine: memory, I/O, CPU, etc.
• Classic virtualization: virtualization layer runs atop the hardware.
  • Usually found on servers (Xen, VMWare ESX)
• Hosted or whole-system virtualization: virtualization runs on an operating system
  • Popular for desktops (VMWare Workstation, Virtual PC)
Roles of the Hypervisor
Isolating/Emulating resources
• CPU: Scheduling virtual machines
• Memory: Managing memory
• I/O: Emulating I/O devices
• Networking
Managing virtual machines
[Slide annotations beside the resource list: “Push to HW / Pre-allocation” (CPU, memory), “Remove” (I/O), “Push to side” (networking).]
Emulation
• Providing an interface to a system so that it can run on a system with a different interface
• Lets compiled binaries, OSes run on architectures with different ISA (binary translation)
• Performance usually worse than classic virtualization.
• Example: QEMU
  • Breaks CPU instructions into small ops, coded in C.
  • C code is compiled into small objects on native ISA.
  • dyngen utility runs code by dynamically stitching objects together (dynamic code generation).
Full virtualization
• Enables hypervisors to run an unmodified guest operating system (e.g. Windows 2003 or XP).
• Guest OS is not aware that it is being virtualized.
• E.g.: VMware uses a combination of direct execution and binary translation techniques to achieve full virtualization of server systems.
[Figure: Virtual Server 1 and Virtual Server 2, each with an operating system and multiple software applications, on top of the hypervisor, on top of the hardware (CPU, memory, NIC, disk).]
Binary Translation with Full Virtualization
• “Hardware is functionally identical to underlying architecture.”
• Typically accomplished through interpretation or binary translation.
• Advantage: Guest OS will run without any changes to source code.
• Disadvantage: Complex, usually slower than paravirtualization.
Para virtualization
• Involves explicitly modifying guest operating system (e.g. SUSE Linux Enterprise Server 11) so that it is aware of being virtualized to allow near native performance.
• Improves performance.
• Lower overhead.
• E.g.: Xen supports both Hardware Assisted Virtualization (HVM) and Para-Virtualization (PV).
[Figure: Virtual Server 1 and Virtual Server 2, each with a para virtualized guest operating system and multiple software applications, on top of the Hypervisor / VMM, on top of the hardware (CPU, memory, NIC, disk).]
Paravirtualization
• Replace certain unvirtualized sections of OS code with virtualization-friendly code.
• Virtual architecture “similar but not identical to the underlying architecture.”
• Advantages:
  • easier, lower virtualization overhead
• Disadvantages:
  • requires modifications to guest OS
Performance
• Modern VMMs based around trap-and-emulate.
• When a guest OS executes a privileged instruction, control is passed to VMM (VMM “traps” on Guest OS instruction), which decides how to handle instruction.
• VMM generates instructions to handle trapped instruction (emulation).
• Non-privileged instructions do not trap (system stays in guest context).
[Figure: trap-and-emulate flow with the labels CPU_INST, TRAP, VMM, CPU_INST1, EXEC, CPU_INST.]
Trap-and-Emulate Problems
• Trap-and-emulate is expensive
  • Requires context-switch from guest OS mode to VMM.
• x86 is not trap-friendly
  • Guest’s CPL privilege level is visible in hardware registers; cannot change it in a way that the guest OS cannot detect.
  • Some instructions are not privileged, but access privileged systems (page tables, for example).
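
The two x86 problems above, modelled as an added example (not from the original slides): a privileged instruction traps and is emulated, while a sensitive but unprivileged read of the privilege level runs directly and exposes the real ring. The three-opcode instruction set and the names `vcpu`, `guest_exec` and `OP_READ_CPL` are constructed for illustration.

```c
#include <stdio.h>

/* Constructed toy ISA for illustration; these are not real x86 encodings. */
typedef enum { OP_ADD, OP_WRITE_PTBASE, OP_READ_CPL } opcode;

typedef struct {
    int real_cpl;         /* ring the guest kernel really runs in (deprivileged) */
    int virt_cpl;         /* ring the guest kernel believes it runs in */
    unsigned virt_ptbase; /* VMM's virtual copy of the page-table base register */
    unsigned acc;         /* ordinary guest register */
    int traps;            /* count of guest -> VMM transitions */
} vcpu;

/* Hardware rule in this model: only privileged opcodes fault outside ring 0. */
static int is_privileged(opcode op) { return op == OP_WRITE_PTBASE; }

/* VMM handler: apply the effect to the virtual state, not the real register. */
static void vmm_emulate(vcpu *c, opcode op, unsigned arg) {
    c->traps++;
    if (op == OP_WRITE_PTBASE) c->virt_ptbase = arg;
}

/* Run one guest instruction; returns the value the guest observes. */
unsigned guest_exec(vcpu *c, opcode op, unsigned arg) {
    if (is_privileged(op) && c->real_cpl != 0) {
        vmm_emulate(c, op, arg);   /* trap, then emulate */
        return 0;
    }
    switch (op) {                  /* executes directly, VMM never sees it */
    case OP_ADD:      c->acc += arg; return c->acc;
    case OP_READ_CPL: return (unsigned)c->real_cpl; /* sensitive, yet no trap */
    default:          return 0;    /* privileged op in real ring 0: not modelled */
    }
}

/* Returns 1 when the guest kernel can see it is not in the ring it expects. */
int guest_detects_deprivileging(vcpu *c) {
    return guest_exec(c, OP_READ_CPL, 0) != (unsigned)c->virt_cpl;
}

int main(void) {
    vcpu c = { .real_cpl = 1, .virt_cpl = 0 };
    guest_exec(&c, OP_WRITE_PTBASE, 0x1000);
    printf("traps=%d detected=%d\n", c.traps, guest_detects_deprivileging(&c));
    return 0;
}
```

The trap counter stays at 1 after the privilege-level read, which is the gap binary translation, paravirtualization and hardware assist each close in a different way.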
Hardware-Assisted Virtualization
• Hardware virtualization-assist released in 2006.
• Intel, AMD both have technologies of this type.
• Introduces new VMX runtime mode.
• Two modes: guest (for OS) and root (for VMM).
• Privileged instructions are trapped in HVM and handled by hardware without binary translation.
• Each mode has all four CPL privilege levels available.
• Switching from guest to VMM does not require changes in privilege level.
• Root mode supports special VMX instructions.
Virtualization Challenges
• Privileged Instructions
  • Handling architecture-imposed instruction privilege levels.
• Performance Requirements
  • Holding down the cost of VMM activities.
• Memory Management
  • Managing multiple address spaces efficiently.
• I/O Virtualization
  • Handling I/O requests from multiple operating systems.
Memory Virtualization
• Virtualization software must find a way to handle paging requests of operating systems, keeping each set of pages separate.
• Memory virtualization must not impose too much overhead, or performance and scalability will be impaired.
• Each guest OS must have an address space and be convinced that it has access to the entire address space.
• SOLUTION: most modern VMMs add an additional layer of abstraction in address space.
  • Machine Address: bare hardware address.
  • Physical Address: VMM abstraction of machine address, used by guest OS.
  • Guest maintains virtual-to-physical page tables.
  • VMM maintains p-map structure containing physical-to-machine page mappings.
[Figure: the page table for program m on VM n maps virtual address a to physical address b; the pmap structure in the VMM maps physical address b to machine frame c.]

VM to MM using PT (PM)
TLB & MMU for high performance

That’s a lot of lookups!

Shadow Page Tables
• Shadow page tables map virtual memory to machine memory.
• One page table maintained per guest OS.
• TLB (Translation Lookaside Buffer) caches results from shadow page tables.
• Shadow page tables must be kept consistent with guest pages.
• VMM updates shadow page tables when pmap (physical-to-machine) records are updated.
• VMM now has access to virtual addresses, eliminating two page table lookups.
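
How the shadow table collapses the two lookups and stays consistent, as an added example (not from the original slides). The structure `vm_mem`, the function names and the 8-page toy address space are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NPAGES  8      /* constructed toy size: page numbers only */
#define INVALID 0xFFu  /* "not mapped" marker */

typedef struct {
    uint8_t guest_pt[NPAGES]; /* guest-maintained: virtual page -> physical page */
    uint8_t pmap[NPAGES];     /* VMM-maintained: physical page -> machine frame */
    uint8_t shadow[NPAGES];   /* VMM-maintained: virtual page -> machine frame */
} vm_mem;

void vm_init(vm_mem *m) { memset(m, INVALID, sizeof *m); }

/* Slow path: two lookups, guest page table then pmap. */
uint8_t walk_two_level(const vm_mem *m, uint8_t vpage) {
    if (vpage >= NPAGES) return INVALID;
    uint8_t ppage = m->guest_pt[vpage];
    if (ppage >= NPAGES) return INVALID; /* unmapped or outside the guest's range */
    return m->pmap[ppage];
}

/* VMM intercepts a guest page-table write and refreshes that shadow entry. */
void guest_pt_write(vm_mem *m, uint8_t vpage, uint8_t ppage) {
    if (vpage >= NPAGES) return;
    m->guest_pt[vpage] = ppage;
    m->shadow[vpage] = walk_two_level(m, vpage);
}

/* VMM changes a pmap record; every shadow entry that depends on it follows. */
void pmap_update(vm_mem *m, uint8_t ppage, uint8_t mframe) {
    if (ppage >= NPAGES) return;
    m->pmap[ppage] = mframe;
    for (uint8_t v = 0; v < NPAGES; v++)
        if (m->guest_pt[v] == ppage) m->shadow[v] = mframe;
}

/* Fast path: a single lookup, the result a TLB would cache. */
uint8_t shadow_lookup(const vm_mem *m, uint8_t vpage) {
    return vpage < NPAGES ? m->shadow[vpage] : INVALID;
}

int main(void) {
    vm_mem m; vm_init(&m);
    pmap_update(&m, 1, 5);    /* physical page 1 is backed by machine frame 5 */
    guest_pt_write(&m, 0, 1); /* guest maps virtual page 0 to physical page 1 */
    printf("virtual 0 -> machine %u\n", (unsigned)shadow_lookup(&m, 0));
    return 0;
}
```

Because the shadow entry is always derived through the pmap, a guest that writes a physical page number the VMM never backed ends up with an invalid shadow entry rather than access to another guest's frame.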
Direct Access
• Direct access to hardware is not permitted by the Popek and Goldberg model.
• VMWare and Xen both bend this rule, allow guests to access hardware directly in certain cases.
• Xen uses validated access model.
• Fine-grained control over direct access.
• VMWare allows user-mode instructions to bypass BT, go straight to CPU.
• Memory accesses are sometimes batched to minimize context switches.
CPU Virtualization

* Intel and AMD add an additional mode called privilege mode level (some people call it Ring -1) to x86 processors
* Hypervisor can run at Ring -1
* Privileged and sensitive instructions are trapped in the hypervisor automatically
[Figure: layers from top to bottom: Guest OS, Guest Driver, Virtual Device, VMM, Virtual Driver, Physical Device.]

• Many I/O devices are time-sensitive or require low latency.
• Device emulation
  • VMM presents guest OS with a virtual device
  • Preserves security, handles concurrency, but imposes more overhead.
I/O Virtualization Problems
• Multiplexing
  • How to share hardware access among multiple OSes.
• Switching Expense
  • Low-level I/O functionality happens at the VMM level, requiring a context switch.
Xen Virtualization
• Xen occupies privilege level 0; guest OS occupies privilege level 1.
• OS code is modified so that high-privilege calls (hypercalls) are made to and trapped by Xen.
• Xen traps guest OS instructions using table of exception handlers.
• Frequently used handlers (e.g., system calls) have special handlers that allow guest OS to bypass privilege level 0.
• Approach does not work with page faults.


[Figure labels: Device Manager and Controller; Unmodified user software.]
Network flow in Xen
