© 2012 VMware Inc. All rights reserved
ARM Core Virtualization
Prashanth Bungale, Sr. Member of Technical Staff, Mobile Virtualization
January 23rd 2012
Sponsored by MIT and VMware Academic Programs
VMware: www.vmware.com
VMware Labs: labs.vmware.com
Agenda
Mobile Virtualization and BYOD Use Case
Overview of ARM CPU State
ARM Instruction Set Virtualization
ARM MMU Virtualization
Comparison of x86 vs. ARM Virtualizability
MVP – Manage Corporate Phone on Employee Owned Device
One Device – Two Phones
[Figure: CORPORATE and PERSONAL phone environments on one device]
Benefits
For enterprises
• Safely support wide diversity of mobile phones accessing corporate assets
• Enforce security and compliance policies
• Reduce device expenses by supporting “bring your own device program”
• Manage Mobile and Desktop from a single interface
• Write corporate applications once and make them portable to multiple platforms
For employees
• No need to carry two devices anymore
• Have freedom of choice in terms of device they can use for work
ARM
Predominant architecture in mobile phone world
Over 15 billion chips shipped to date
Over 10 million chips shipped every day
Looking to enter the server/datacenter market in future
ARM CPU State
Coprocessor Registers
CPSR: Current Program Status Register
Fields, most significant bit first:
N | Z | C | V | Q | IT[1:0] | J | Reserved | GE[3:0] | IT[7:2] | E | A | I | F | T | M[4:0]
Condition Flags: N, Z, C, V
Execution State Registers:
• ISETSTATE: J, T
• ITSTATE: IT[7:0]
• ENDIANSTATE: E
Privileged-only Access Registers:
• Interrupt Masks: A, I, F
• Current Processor Mode: M[4:0]
Dealing with Sensitive Instructions
• Interpretation / Full Emulation
• Binary Translation
• Para-Virtualization
• Shallow Para-Virtualization: replace sensitive instructions
• Deep Para-Virtualization: replace sensitive subsystems
• Binary Patching / Pre-Virtualization
• Hardware Assisted Virtualization
Lightweight Para Virtualization: 1-1 Hypercalls
Replace sensitive instructions with 1-1 Hypercalls
• Use trap instruction to issue hypercall
• Encode hypercall type & original instruction bits in hypercall hint
• Example:
    mrs Rd, R <cpsr/spsr>
    mrs r8, cpsr  ->  swi 0x088000
Trap and Emulate Semantics
• Upon trapping into the monitor, decode the hypercall type and the original instruction bits, and emulate instruction semantics
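The 1-1 hypercall rewrite and its trap-and-emulate handling, as an added example that is not code from the talk or from MVP. The hint layout, the `HC_MRS` type code, and the `vcpu` structure are assumptions, chosen so that `mrs r8, cpsr` yields the slide's `swi 0x088000`.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical hint layout (an assumption, chosen so the slide's example value
 * comes out): [23:16] hypercall type, [15:12] Rd, [11] R (0 = cpsr, 1 = spsr). */
#define HC_MRS 0x08u                 /* hypothetical type code */

struct vcpu {                        /* constructed guest state kept by the monitor */
    uint32_t regs[16];
    uint32_t cpsr, spsr;             /* virtual status registers */
};

/* ARM encoding of MRS: cond 0001 0R00 1111 Rd 0000 0000 0000 */
static int is_mrs(uint32_t insn)
{
    return (insn & 0x0FBF0FFFu) == 0x010F0000u;
}

/* Guest-image side: rewrite MRS in place as SWI, keeping the condition field. */
static uint32_t patch_mrs(uint32_t insn)
{
    uint32_t rd = (insn >> 12) & 0xFu, r = (insn >> 22) & 1u;
    return (insn & 0xF0000000u) | 0x0F000000u | (HC_MRS << 16) | (rd << 12) | (r << 11);
}

/* Monitor side: decode a trapped SWI and emulate the original MRS against the
 * virtual registers. Returns 0 if handled, -1 if it is not a valid MRS hypercall. */
static int emulate_hypercall(struct vcpu *v, uint32_t swi)
{
    uint32_t hint = swi & 0x00FFFFFFu, rd = (hint >> 12) & 0xFu;
    if ((swi & 0x0F000000u) != 0x0F000000u || (hint >> 16) != HC_MRS)
        return -1;
    if (rd == 15 || (hint & 0x7FFu))  /* reject PC destination, nonzero spare bits */
        return -1;
    v->regs[rd] = (hint & 0x800u) ? v->spsr : v->cpsr;
    return 0;
}

int main(void)
{
    /* Virtual CPSR reports SVC mode (0x13) although the machine runs the guest in User mode. */
    struct vcpu v = { .cpsr = 0x600000D3u, .spsr = 0x00000010u };
    uint32_t insn = 0xE10F8000u;                       /* mrs r8, cpsr */
    uint32_t swi = is_mrs(insn) ? patch_mrs(insn) : insn;
    int rc = emulate_hypercall(&v, swi);
    printf("swi=%08x rc=%d r8=%08x\n", (unsigned)swi, rc, (unsigned)v.regs[8]);
    return 0;
}
```

The monitor validates the hint before acting on it because any guest code, including guest user code, can issue a `swi` with arbitrary bits.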
MMU Virtualization
Shadow PT
• Intercept guest MMU events of interest
• Data/Prefetch Aborts, TTBR deltas, PT deltas, TLB ops
• Maintain (lazily) VMM-controlled, trusted shadow PT
Para-Virtualized trusted guest PT
• Highly intrusive to guest MMU software
Hardware virtualization support
• Nested / 2-stage Page Tables: VA->PA; PA->MA
Privilege Levels & Access Permissions
Guest always executes in machine User mode
• Protect monitor/host from guest
• Avoid virtualization holes
How to protect guest privileged from guest user?
6 distinct guest access permissions
{PNA-UNA, PRW-UNA, PRW-URO, PRW-URW, PRO-UNA, PRO-URO}
Only 3 shadow access permission equivalence classes
{{PNA-UNA, PRW-UNA, PRO-UNA}, {PRW-URO, PRO-URO}, {PRW-URW}}
{{P**-UNA}, {P**-URO}, {P**-URW}}
No injective mapping possible!
Dual Shadow Page Tables
Use two shadow page tables for each guest page table
• Privileged/User shadow PTs
• Switch on privilege mode switches
| Guest AP | Priv. Shadow AP | User Shadow AP |
| PNA-UNA  | P**-UNA         | P**-UNA        |
| PRW-UNA  | P**-URW         | P**-UNA        |
| PRW-URO  | P**-URW         | P**-URO        |
| PRW-URW  | P**-URW         | P**-URW        |
| PRO-UNA  | P**-URO         | P**-UNA        |
| PRO-URO  | P**-URO         | P**-URO        |
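The rule behind this table, as an added example that is not code from the talk: because the guest only ever runs in machine User mode, each shadow exposes one half of the guest permission through its user bits. The type and function names are assumptions made for illustration; the check confirms that a single shadow collapses the six guest permissions to three classes while the dual shadows keep all six apart.

```c
#include <stdio.h>

enum acc { NA, RO, RW };                    /* no access, read-only, read/write */
struct guest_ap { enum acc priv, user; };   /* e.g. PRW-URO = {RW, RO} */

/* The six guest access permissions listed on the slide. */
static const struct guest_ap GUEST_APS[6] = {
    {NA, NA}, {RW, NA}, {RW, RO}, {RW, RW}, {RO, NA}, {RO, RO},
};

/* The guest always runs in machine User mode, so hardware only ever checks the
 * user half of a shadow entry (the privileged half is the "P**" don't-care).
 * The privileged shadow PT exposes the guest's privileged permission there;
 * the user shadow PT exposes the guest's user permission. */
static enum acc shadow_user_ap(struct guest_ap g, int guest_privileged)
{
    return guest_privileged ? g.priv : g.user;
}

/* Number of guest APs that remain distinguishable: with one shadow PT only the
 * user-mode view exists; with dual shadows the (priv, user) pair is kept. */
static int distinct_classes(int dual)
{
    int seen[9] = {0}, n = 0;
    for (int i = 0; i < 6; i++) {
        int key = shadow_user_ap(GUEST_APS[i], 0);
        if (dual)
            key += 3 * shadow_user_ap(GUEST_APS[i], 1);
        if (!seen[key]++)
            n++;
    }
    return n;
}

int main(void)
{
    static const char *name[] = { "NA", "RO", "RW" };
    for (int i = 0; i < 6; i++)
        printf("P%s-U%s -> priv shadow P**-U%s, user shadow P**-U%s\n",
               name[GUEST_APS[i].priv], name[GUEST_APS[i].user],
               name[shadow_user_ap(GUEST_APS[i], 1)],
               name[shadow_user_ap(GUEST_APS[i], 0)]);
    printf("single shadow: %d classes, dual shadow: %d\n",
           distinct_classes(0), distinct_classes(1));
    return 0;
}
```

If the monitor leaves the privileged shadow active after the guest drops to user mode, a PRW-UNA page is reachable by guest user code as URW, so the shadow switch has to accompany every virtual privilege change.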
{User, Priv} Shadows
Guest page table
Shadow User page table
Shadow Priv. page table
Comparison of ARM vs. x86 Virtualizability
Sensitive Instructions
| Type of Sensitive Instructions | Violating Goldberg’s Requirement # | x86 [3] | ARM |
| Sensitive Register Access | 3B | SGDT, SIDT, SLDT, SMSW, PUSHF/POPF | - |
| Protection System References | 3C | LAR, LSL, VERR, VERW, PUSH/POP, CALL, JMP, INT n, RET, STR, MOVE | LDM/STM (user regs), LDRT/STRT (“As User”) |
|  | Both 3B & 3C | - | MRS, MSR, CPS, SRS, RFE, DPSPC, LDM (exc. return) |
[3] John Scott Robin and Cynthia Irvine, Analysis of the Intel Pentium’s Ability to Support a Secure Virtual Machine Monitor, USENIX Security Symposium, 2000.
Comparison of ARM vs. x86 Virtualizability
Ring compression – protection mechanisms
• x86: Segmentation + Paging
• ARM: Paging (+ domains?)
Instruction execution vs. Data Read/Write protection
• x86: CS for instruction fetch vs. DS/other for data access
• ARM: No explicit distinction b/w execute and read protection
Cache architecture
• x86: Largely transparent; PIPT across all versions
• ARM: Exposes a lot of the cache architecture; VIVT/VIPT/PIPT
Comparison of ARM vs. x86 Virtualizability
Instruction size
• x86: Variable
• ARM: Fixed -> enables in-place patching mechanisms
I/O
• x86: I/O instructions + memory-mapped I/O
• ARM: Only memory-mapped I/O
Thank You!
Next in IAP VMware Mobile Virtualization series…
Mobile I/O virtualization
• Mobile VMs interact with virtual I/O devices
• E.g. touchscreen, display, storage, GPS, Bluetooth, WiFi, GSM, GPU, cameras, accelerometers, audio, keyboard, etc.
• Explore I/O virtualization techniques with a mobile focus
Application-level virtualization
• Deprivileged hypervisor design and implementation
• Distribute a hypervisor via a mobile app store
Programming exercise
• Based on today’s talk and the concepts from application-level virt.
• Complete the exercise, enter a draw for an exciting prize (iPad!)