View
7
Download
0
Category
Preview:
Citation preview
IntelIntel®® Virtualization Virtualization Technology [VT]Technology [VT]
Sunil SaxenaIntel Corporation
2*Third party marks and brands are the property of their respective owners
Intel Confidential
Copyright Intel Corporation
INFORMATION IN THIS DOCUMENT IS PROVIDED IN INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTELCONNECTION WITH INTEL®® PRODUCTS.PRODUCTS. EXCEPT AS PROVIDED EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY RELATING TO SALE AND/OR USE OF INTEL PRODUCTS, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS, INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT, OR OTHER INFRINGEMENT OF ANY PATENT, COPYRIGHT, OR OTHER INTELLECTUAL PROPERTY RIGHT.INTELLECTUAL PROPERTY RIGHT.
INTEL MAY MAKE CHANGES TO SPECIFICATIONS, PRODUCT INTEL MAY MAKE CHANGES TO SPECIFICATIONS, PRODUCT DESCRIPTIONS, AND PLANS AT ANY TIME, WITHOUT NOTICE.DESCRIPTIONS, AND PLANS AT ANY TIME, WITHOUT NOTICE.
ALL DATES PROVIDED ARE SUBJECT TO CHANGE WITHOUT ALL DATES PROVIDED ARE SUBJECT TO CHANGE WITHOUT NOTICE.NOTICE.
3*Third party marks and brands are the property of their respective owners
Intel Confidential
Copyright Intel Corporation
Scope of this SessionScope of this Session
IntelIntel®® Virtualization Technology (VT)Virtualization Technology (VT)––Challenges of IA CPU virtualization todayChallenges of IA CPU virtualization today––VT closes virtualization holes by designVT closes virtualization holes by design––VTVT--x Technical Overview x Technical Overview –– IntelIntel®® LaGrandeLaGrande Technology (LT)Technology (LT)––VTVT--i Technical Overviewi Technical Overview––Status / Plans Xen with VTStatus / Plans Xen with VT
VT Roadmap VT Roadmap Additional ResourcesAdditional Resources
4*Third party marks and brands are the property of their respective owners
Intel Confidential
Copyright Intel Corporation
Platform Hardware
VM1
VM Monitor
VM0
Guest OS0
App AppApp ...
... Guest OS1
App AppApp ...
OS and Apps in a VM don't know that the
VMM exists or that they share CPU resources
with other VMs
VMM should run protected from all
Guest software
Challenges of Running a VMMChallenges of Running a VMM
VMM should isolate Guest SW stacks from
one another
VMM should present a virtual platform
interface to Guest SW
5*Third party marks and brands are the property of their respective owners
Intel Confidential
Copyright Intel Corporation
Platform Hardware
VM1
VM Monitor
VM0
Guest OS0
App AppApp ...
... Guest OS1
App AppApp ...
Run Guest OS above Ring-0 and have privileged instructions
generate faults...
Run VMM in Ring-0 as a collection of fault handlers
Current IA CPUs require sophisticated software techniquesCurrent IA CPUs require sophisticated software techniques
SW Solution: Guest Ring SW Solution: Guest Ring DeprivilegingDeprivileging
Top IA Virtualization Holes :• Ring Aliasing• Non-trapping instructions• Excessive Faulting• Interrupt Virtualization Issues• CPU state context switching• Addr Space Compression
Sophisticated Software Techniques :• Source guest OS Modifications• Binary guest OS Modifications
6*Third party marks and brands are the property of their respective owners
Intel Confidential
Copyright Intel Corporation
Platform Hardware
VM1
VM Monitor
VM0
Guest OS0
App AppApp ...
... Guest OS1
App AppApp ...
VMM preempts execution of Guest OS via new HW-based
transition mechanism
By designBy design, VT closes virtualization holes and , VT closes virtualization holes and the need for complex software workarounds the need for complex software workarounds
IntelIntel®® Virtualization TechnologyVirtualization Technology
Guest SW runs deprivileged in a new operating mode:
• Apps run deprivileged in ring 3• OS runs deprivileged in ring 0• VMM runs in new mode with full privilege
7*Third party marks and brands are the property of their respective owners
Intel Confidential
Copyright Intel Corporation
VM Entry and VM ExitVM Entry and VM ExitVM EntryVM Entry–– Transition from VMM to Guest Transition from VMM to Guest –– Enters VMX nonEnters VMX non--root operationroot operation
Loads Guest state and Exit criteria from VMCSLoads Guest state and Exit criteria from VMCS–– VMLAUNCHVMLAUNCH instruction used on initial entryinstruction used on initial entry
VMRESUMEVMRESUME instruction used on subsequent entriesinstruction used on subsequent entries
VM ExitVM Exit–– VMEXITVMEXIT instruction used on transition from Guest to VMMinstruction used on transition from Guest to VMM–– Enters VMX root operationEnters VMX root operation–– Saves Guest state in VMCSSaves Guest state in VMCS–– Loads VMM state from VMCSLoads VMM state from VMCS
Physical Host Hardware
VM1
VM Monitor
VM0
Guest OS0
App AppApp ......
Guest OS1
App AppApp ...
VM Exit VM Entry
8*Third party marks and brands are the property of their respective owners
Intel Confidential
Copyright Intel Corporation
IA-32Operation
VTVT--x Operationsx Operations Build Foil Build Foil
Ring 0
Ring 3VMX RootOperation
VMX Non-rootOperation
. . .Ring 0
Ring 3
VM 1
Ring 0
Ring 3
VM 2
Ring 0
Ring 3
VM n
VMXONVMLAUNCHVMRESUME
VM Exit VMCS2
VMCSn
VMCS1
9*Third party marks and brands are the property of their respective owners
Intel Confidential
Copyright Intel Corporation
Protected Key Operations Protected Key Operations & Sealed Storage& Sealed Storage
Protected Data Paths Protected Data Paths (Keyboard, Mouse, Graphics)(Keyboard, Mouse, Graphics)
Protected Execution Environments Protected Execution Environments (Protected Launch, DMA Protections)(Protected Launch, DMA Protections)
LPCLPCTPM v1.2TPM v1.2
USB
USB
LT builds on IntelLT builds on Intel®® Virtualization TechnologyVirtualization Technology
LT interoperates with an enabled OS to better defend against LT interoperates with an enabled OS to better defend against software based attackssoftware based attacks
LaGrande Technology* (LT)LaGrande Technology* (LT)
10*Third party marks and brands are the property of their respective owners
Intel Confidential
Copyright Intel Corporation
ItaniumItanium®® Virtualization VTVirtualization VT--ii
Virtualization-supported CPU
Guest Software(Virtualized)
Host Software/VMM
Host Virtual Address
Non-privilegedResources
Intercepts
PrivilegedResources
Build Foil
PSR.vm=1
PSR.vm=0
Processor Status Processor Status RegisterRegister
••TLB AccessesTLB Accesses
••Privileged Registers Privileged Registers (PSR, Control, Debug)(PSR, Control, Debug)
••Register Stack Register Stack Engine (RSE)Engine (RSE)
11*Third party marks and brands are the property of their respective owners
Intel Confidential
Copyright Intel Corporation
IntelIntel®® Virtualization Technology and XenVirtualization Technology and Xen
Xen Hypervisor
Domain UDomain 0
Platform
Native
Device
Drivers
BackendVirtual driver
AppApp
Front end Virtual D
rivers
AppApp AppApp
Enhanced Xen capability with Legacy Linux supportEnhanced Xen capability with Legacy Linux support
Control
Panel
Virtual PlatformVirtual Platform
Domain VMX
Unmodified Linux
Guest BIOSGuest BIOS
FE Virtual D
rivers
AppApp AppApp
Device
Models
Control
Platform with Intel® Virtualization Technology
Xenolinux Xenolinux
…
12*Third party marks and brands are the property of their respective owners
Intel Confidential
Copyright Intel Corporation
Status/Plans Status/Plans –– Xen with VTXen with VT
Completed Xen 3.0 itemsCompleted Xen 3.0 items––3232--bit VT, UP Linux guest, UP hostbit VT, UP Linux guest, UP host––6464--bit bit xenolinuxxenolinux and 32and 32--bit VT domainbit VT domain
Additional items for Xen 3.0Additional items for Xen 3.0––6464--bit VT domain, PCI/IOAPIC/ACPI in bit VT domain, PCI/IOAPIC/ACPI in
domain 0, guest FW, domain 0, guest FW, parapara--virtualized drivers, virtualized drivers, xenolinuxxenolinux in VT domainin VT domain
Plan for Xen 4.0Plan for Xen 4.0––Performance Optimization, SMP guests, Performance Optimization, SMP guests,
Windows guest, Security, ManagementWindows guest, Security, Management
13*Third party marks and brands are the property of their respective owners
Intel Confidential
Copyright Intel Corporation
VT Client RoadmapVT Client Roadmap2005 Lyndon2005 LyndonIntelIntel®® PentiumPentium®® 4 Processor4 Processor945G Chipset945G ChipsetHT, XD, EM64T, EIST, Intel AMT, HT, XD, EM64T, EIST, Intel AMT, VTVT
2006 Averill2006 AverillIntel Pentium 4 Processor & DCIntel Pentium 4 Processor & DCBroadwater Chipset Broadwater Chipset 2005 features plus Intel AMT2, 2005 features plus Intel AMT2, LTLT
2006 Napa2006 NapaMobile Dual Core Processor codeMobile Dual Core Processor code--named named ““YonahYonah””Chipset codeChipset code--named named ““CalistogaCalistoga””Wireless LAN solution codeWireless LAN solution code--named named ““GolanGolan””XD, EIST, XD, EIST, VTVT, Intel AMT, Intel AMT
14*Third party marks and brands are the property of their respective owners
Intel Confidential
Copyright Intel Corporation
2006 2006 BensleyBensley, , GlidewellGlidewellDempsey Dempsey Blackford & Blackford & GreencreekGreencreek2005 features plus 2005 features plus VTVT, IAMT, I/OAT, IAMT, I/OAT
2 Socket2 Socket
2 Socket2 Socket
≥≥ 4 Socket4 Socket
2005 2005 -- 2006 2006 Millington / DP MontvaleMillington / DP MontvaleIntelIntel®® 8870, Enabled8870, EnabledDual Core, MT, Foxton, Pellston, Dual Core, MT, Foxton, Pellston, VTVT
2005 2005 -- 2006 2006 Montecito / MontvaleMontecito / MontvaleIntelIntel®® 8870 / Enabled8870 / EnabledMT, Foxton, Pellston, MT, Foxton, Pellston, VTVT
VT Server RoadmapVT Server Roadmap
15*Third party marks and brands are the property of their respective owners
Intel Confidential
Copyright Intel Corporation
Additional ResourcesAdditional Resources
For specs / whitepapers / web resources:For specs / whitepapers / web resources:WWW.INTEL.COM/TECHNOLOGY/VTWWW.INTEL.COM/TECHNOLOGY/VT
For discussions on VT: For discussions on VT: Sunil.Saxena@Intel.ComSunil.Saxena@Intel.Com
16*Third party marks and brands are the property of their respective owners
Intel Confidential
Copyright Intel Corporation
Thank YouThank You
Recommended