Intel® Virtualization Technology [VT]

Transcription

Intel® Virtualization
Technology [VT]
Sunil Saxena
Intel Corporation
Intel Confidential
y INFORMATION IN THIS DOCUMENT IS PROVIDED IN
CONNECTION WITH INTEL® PRODUCTS. EXCEPT AS PROVIDED
IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH
PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND
INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY
RELATING TO SALE AND/OR USE OF INTEL PRODUCTS,
INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS
FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR
INFRINGEMENT OF ANY PATENT, COPYRIGHT, OR OTHER
INTELLECTUAL PROPERTY RIGHT.
y INTEL MAY MAKE CHANGES TO SPECIFICATIONS, PRODUCT
DESCRIPTIONS, AND PLANS AT ANY TIME, WITHOUT NOTICE.
y ALL DATES PROVIDED ARE SUBJECT TO CHANGE WITHOUT
NOTICE.
Copyright Intel Corporation
*Third party marks and brands are the property of their respective owners
2
Intel Confidential
Scope of this Session
y Intel® Virtualization Technology (VT)
– Challenges of IA CPU virtualization today
– VT closes virtualization holes by design
– VT-x Technical Overview
– Intel® LaGrande Technology (LT)
– VT-i Technical Overview
– Status / Plans Xen with VT
y VT Roadmap
y Additional Resources
3
Challenges of Running a VMM
Intel Confidential
OS and Apps in a VM
don't know that the
VMM exists or that they
share CPU resources
with other VMs
VM0
App
App
...
VM1
App
App
Guest OS0
...
VM Monitor
Platform Hardware
App
Guest OS1
...
App
VMM should isolate
Guest SW stacks from
one another
VMM should run
protected from all
Guest software
VMM should present a
virtual platform
interface to Guest SW
4
Intel Confidential
SW Solution: Guest Ring Deprivileging
Run Guest OS above Ring-0 and
have privileged instructions
generate faults...
VM0
App
App
...
VM1
App
App
Guest OS0
...
VM Monitor
Platform Hardware
App
Guest OS1
Run VMM in Ring-0 as a
collection of fault handlers
...
App
Top IA Virtualization Holes :
• Ring Aliasing
• Non-trapping instructions
• Excessive Faulting
• Interrupt Virtualization Issues
• CPU state context switching
• Addr Space Compression
Sophisticated Software Techniques :
• Source guest OS Modifications
• Binary guest OS Modifications
Current IA CPUs require sophisticated software techniques
5
Intel Confidential
Intel® Virtualization Technology
VM0
App
App
...
Guest SW runs deprivileged
in a new operating mode:
VM1
App
App
Guest OS0
...
VM Monitor
Platform Hardware
App
Guest OS1
...
App
• Apps run deprivileged in ring 3
• OS runs deprivileged in ring 0
• VMM runs in new mode with full privilege
VMM preempts execution of
Guest OS via new HW-based
transition mechanism
By design, VT closes virtualization holes and
the need for complex software workarounds
6
Intel Confidential
VM Entry and VM Exit
y VM Entry
– Transition from VMM to Guest
– Enters VMX non-root operation
Loads Guest state and Exit criteria from VMCS
– VMLAUNCH instruction used on initial entry
VMRESUME instruction used on subsequent entries
y VM Exit
– VMEXIT instruction used on transition from Guest to VMM
– Enters VMX root operation
VM0
VM1
– Saves Guest state in VMCS
App
App ... App
App
App
– Loads VMM state from VMCS
...
Guest OS0
VM Exit
...
Guest OS1
VM Entry
VM Monitor
Physical Host Hardware
App
7
Intel Confidential
VT-x Operations
VM 1
VMX
Non-root
Operation
VM Exit
VMX Root
IA-32
Operation
Build Foil
VM 2
VM n
Ring 3
Ring 3
Ring 0
Ring 0
Ring 0
VMCS
1
VMCS
2
VMCS
n
...
Ring 3
Ring 3
VMRESUME
VMLAUNCH
VMXON
Ring 0
8
Intel Confidential
LaGrande Technology* (LT)
LT builds on Intel® Virtualization Technology
Protected Execution Environments
(Protected Launch, DMA Protections)
Protected Key Operations
& Sealed Storage
(Keyboard, Mouse, Graphics)
TPM v1.2
USB
Protected Data Paths
LPC
LT interoperates with an enabled OS to better defend against
software based attacks
9
Intel Confidential
Itanium® Virtualization VT-i
Processor Status
Register
Guest Software
(Virtualized)
PSR.vm=1
Host Software/
VMM
Intercepts
Non-privileged
Resources
Privileged
Resources
Host Virtual Address
PSR.vm=0
•TLB Accesses
•Privileged Registers
(PSR, Control, Debug)
•Register Stack
Engine (RSE)
Virtualization-supported CPU
Build Foil
10
Intel Confidential
Intel® Virtualization Technology and Xen
Domain 0
Domain U
Front end
Virtual
Drivers
Backend
Virtual
driver
Native
Device
Drivers
Xenolinux
…
App
App
App
FE
Virtual
Drivers
Device
Models
Control
Panel
App
App
Domain VMX
Unmodified Linux
Guest BIOS
Xenolinux
Virtual Platform
Xen Hypervisor
Platform with Intel®
Platform
Virtualization Technology
Enhanced Xen capability with Legacy Linux support
11
Intel Confidential
Status/Plans – Xen with VT
y Completed Xen 3.0 items
– 32-bit VT, UP Linux guest, UP host
– 64-bit xenolinux and 32-bit VT domain
y Additional items for Xen 3.0
– 64-bit VT domain, PCI/IOAPIC/ACPI in
domain 0, guest FW, para-virtualized drivers,
xenolinux in VT domain
y Plan for Xen 4.0
– Performance Optimization, SMP guests,
Windows guest, Security, Management
12
VT Client Roadmap
Intel Confidential
2005 Lyndon
Intel® Pentium® 4 Processor
945G Chipset
HT, XD, EM64T, EIST, Intel AMT, VT
2006 Averill
Intel Pentium 4 Processor & DC
Broadwater Chipset
2005 features plus Intel AMT2, LT
2006 Napa
Mobile Dual Core Processor code-named “Yonah”
Chipset code-named “Calistoga”
Wireless LAN solution code-named “Golan”
XD, EIST, VT, Intel AMT
13
VT Server Roadmap
2005 - 2006
Intel Confidential
2 Socket
Millington / DP Montvale
Intel® 8870, Enabled
Dual Core, MT, Foxton, Pellston, VT
≥ 4 Socket
2005 - 2006
Montecito / Montvale
Intel® 8870 / Enabled
MT, Foxton, Pellston, VT
2006 Bensley, Glidewell
2 Socket
Dempsey
Blackford & Greencreek
2005 features plus VT, IAMT, I/OAT
14
Intel Confidential
Additional Resources
y For specs / whitepapers / web resources:
WWW.INTEL.COM/TECHNOLOGY/VT
y For discussions on VT:
[email protected]
15
Intel Confidential
Thank You
16

Intel® Virtualization Technology [VT]

Transcription

Similar documents

CF-SX4 Fact Sheet

See more

2016 ASMO MGR Member Brochure_LoRes_PRINT.indd

Taming Your Indicator Consumption Pipeline

NP905-B16C

genesis 2000

MSI Z87 XPOWER Datasheet

specification

PDF Format - Brokenhaze