What Is Processor Virtualization Technology?


Author: Trey Williams
Category: Hardware


In computing, lots of things can be made virtual and there are various types of virtualization: network, desktop and application virtualization. There are some challenges involved in virtualizing modern processors (i.e. those built on the x86 architecture), which has led to the development of different types of virtualization technology.

Hardware - or processor, or platform - virtualization is usually what is meant when people refer to “virtualization”. In hardware virtualization, the hardware of the actual system - or host - is “hidden” and one or more simulated virtual environments are created in which virtual systems - or guests - can operate.

Virtual Machine Monitors (VMM) or Hypervisors

The software that makes virtualization possible is called the hypervisor. Also known as a Virtual Machine Monitor (VMM), it is the intermediary that manages the resources and requests between the host and guest systems, thereby keeping them separate. A hypervisor is either bare-metal (type 1), installed directly on the hardware in the position a host OS would normally occupy, or hosted (type 2), in which case it runs as a process, usually with a helper kernel driver, inside a conventional host OS.

A bare-metal hypervisor is generally more efficient and more robust because it has direct access to the physical resources and a much smaller trusted computing base: there is no general-purpose host OS beneath it whose bugs or drivers could compromise every guest. A hosted hypervisor is more flexible but usually performs worse, because each guest request to the hardware passes through the host OS as well as the hypervisor, and its isolation is only as strong as that host OS.

Full Virtualization

As the name suggests, full virtualization requires every single aspect of the physical hardware to be reflected in the virtual machine so that any software can run independently and unmodified in the virtual system. It also requires that the virtual computer be completely contained, as if in a bubble. Nothing done within the virtual system can be allowed to affect anything outside of that bubble, and vice versa.

In their 1974 article "Formal Requirements for Virtualizable Third Generation Architectures", Popek and Goldberg set out the conditions a VMM must meet: equivalence (a program behaves as it would on the real machine), resource control (the VMM stays in complete control of the physical resources) and efficiency (the bulk of guest instructions run directly on the hardware without VMM involvement). Their central theorem is that such a VMM can be built for an architecture if that architecture's sensitive instructions are a subset of its privileged instructions.

IBM first achieved full virtualization in the 1960s (CP-40 and CP-67 on System/360): the architecture and processors they were using had everything needed to satisfy the requirements later laid out by Popek and Goldberg. Later processors, built on what is now the industry-standard x86 architecture, violate the theorem: a number of x86 instructions are sensitive but not privileged, so they do not trap when executed by a deprivileged guest.

The fundamental difference between the IBM machines and x86 is whether every sensitive instruction can be made to "trap and emulate".

Trap and Emulate

Popek and Goldberg classify instructions by two independent properties. Privileged instructions are those that trap when executed outside the most privileged mode and run normally inside it; non-privileged instructions execute without a trap at any privilege level, so user-level applications can use them freely. Sensitive instructions are the ones that matter for virtualization: control-sensitive instructions change the configuration of system resources or the processor's privilege mode, and behavior-sensitive instructions produce results or effects that depend on that configuration (the current mode, or where in real memory the code sits). An instruction can be sensitive without being privileged, and that combination is the root of the x86 problem.

When a privileged instruction is executed in a mode that is not allowed to run it, the processor refuses to complete it and raises an exception: a trap that transfers control to the most privileged software on the machine. In a virtualized system that software is the hypervisor, which inspects the faulting instruction, emulates its effect on the guest's virtual copy of the machine state, and resumes the guest at the next instruction, so the guest sees the result it expected. Because the guest kernel runs deprivileged, every privileged instruction it issues is caught this way.

On x86, trap-and-emulate does not work on its own, because the architecture contains instructions that are sensitive but not privileged: executed from a lower ring they do not trap, and either silently do something different from what they would do in Ring 0 or reveal the real machine's state instead of the virtual machine's. Robin and Irvine's 2000 analysis of the Pentium counted 17 such instructions. Two familiar examples are POPF, which in Ring 3 silently drops any change to the interrupt flag rather than faulting, and SGDT/SIDT/SLDT/SMSW/STR, which read privileged descriptor-table and control state from Ring 3 without a trap. A hypervisor never sees these instructions execute, so it cannot keep the guest's view of the machine consistent.

This is the main reason it was long considered impossible to virtualize processors built in this way.

Challenges in Virtualizing x86 processors

The x86 architecture is organized into four rings of decreasing privilege. An operating system is designed to sit directly on the hardware, in Ring 0, where it has full control over the physical resources; Ring 0 is the only ring in which privileged instructions can be executed. User-level applications occupy Ring 3, which is furthest from the hardware and offers the lowest level of privilege. (Rings 1 and 2 exist, but mainstream operating systems leave them unused.)

Without hardware support, the guest kernel cannot be allowed to run in Ring 0, because it would then own the real hardware rather than a virtual copy of it. So the VMM takes Ring 0 (a hosted VMM gets there through a kernel driver in the host OS) and the guest kernel is deprivileged into Ring 1 or Ring 3, while the applications inside the guest stay in Ring 3.

The structure of the x86 architecture makes classical trap-and-emulate fail in the following ways:

  • If the VMM is in Ring 3, it lacks the permission to execute the privileged instructions the guest kernel needs; every one would have to be emulated in software, which is slow.
  • If the VMM is in Ring 1 (because the host OS is in Ring 0), privileged instructions trap to the host kernel, not to the VMM, so they bypass it.
  • A deprivileged guest kernel runs in Ring 1 or Ring 3, so sensitive instructions written for Ring 0 may fail or produce different results (POPF silently ignoring an interrupt-flag change is the classic case).
  • Not all sensitive instructions are privileged, so they will not automatically be trapped, whichever ring the VMM occupies; SGDT, SIDT, SLDT, STR and SMSW, for example, read privileged state from Ring 3 without faulting, which also lets guest software detect that it is virtualized.
  • Similarly, some sensitive instructions are not readily virtualized even when trapped: the processor's hidden segment-descriptor state, for instance, cannot be read back, so it cannot be saved and restored exactly. Trapping alone does not guarantee correct emulation.

These challenges were successfully overcome in 1998 by the software company VMware. They achieved full virtualization of the x86 processor through a combination of Binary Translation and direct execution.

Binary Translation

As mentioned above, some sensitive instructions in the x86 architecture cannot be trapped. VMware's answer was to rewrite the guest kernel's machine code on the fly: the VMM scans each block of guest kernel code before it runs for the first time, leaves ordinary instructions alone, and replaces each sensitive instruction with a short sequence that does the equivalent work against the VMM's virtual copy of the privileged state (or jumps into the VMM to have it emulated). The translated block is cached, so the translation cost is paid once. They called this Binary Translation.

Because the sensitive instructions are rewritten before they execute, it no longer matters whether the hardware would have trapped them: every one ends up in the VMM's hands. The VMM itself sits in Ring 0 (a hosted VMM gets there through a kernel driver) so that it can carry out the real privileged operations on the guest's behalf.

The guest OS is not modified on disk and remains unaware of being virtualized. Its kernel is run in Ring 1, which still gives it a higher privilege level than the applications inside the virtual machine, which stay in Ring 3. User-mode guest code does not need translation: any privileged instruction it contains traps exactly as it would on real hardware, so it is run natively on the processor. VMware call this direct execution.

Hardware-Assisted Virtualization

This technique was developed by Intel and AMD, and processors including the extra features (named Intel VT-x and AMD-V, respectively) have been available on the market since 2006. Rather than rewriting guest code, the processor itself is extended so that privileged and sensitive instructions can be intercepted. The CPU gains a second operating mode beneath the existing rings: Intel calls the VMM's mode VMX root operation and the guest's mode VMX non-root operation; AMD's equivalents are host mode and guest mode.

The guest OS runs in its own Ring 0 in non-root mode, and the VMM sits beneath it in root mode. Sensitive instructions executed by the guest, along with events the VMM asks to see (CPUID, certain control-register writes, I/O port access), cause a VM exit: the processor saves the guest's state into a control structure (the VMCS on Intel, the VMCB on AMD), switches to the VMM, which emulates the instruction, and then resumes the guest. This removes the need for any binary translation. Ordinary guest code, in Ring 3 or Ring 0, continues to execute natively on the processor.

Early hardware assistance did not automatically beat Binary Translation: a VM exit and resume is expensive, and the first generations of VT-x and AMD-V gave no help with memory virtualization, so a well-tuned binary translator often won (VMware's own 2006 comparison found exactly that). The programming model is also rigid, since the set of exits and what is saved on each one is fixed by the hardware. Later additions, above all second-level address translation (Intel EPT, AMD NPT) and shorter exit latency, have since made hardware assistance the default on every modern hypervisor.
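The practical first question about hardware-assisted virtualization is whether the processor in front of you exposes it, and whether you are already inside a guest. On Linux both facts are visible in `/proc/cpuinfo`. The checker below is an added example written for this article (not the article's or any vendor's code); the flag names are the real ones printed by the Linux kernel, but the two cpuinfo dumps are constructed samples trimmed to the fields the check reads.

```python
"""Read a Linux /proc/cpuinfo dump and report whether the CPU exposes
hardware-assisted virtualization, and whether we are already a guest.
Added example for this article, not the article's own code; the sample
dumps below are constructed and trimmed to the fields the check needs."""
import re

# Real /proc/cpuinfo flag names as printed by the Linux kernel.
VENDOR_FLAGS = {
    "GenuineIntel": ("vmx", "ept"),   # Intel VT-x, Extended Page Tables
    "AuthenticAMD": ("svm", "npt"),   # AMD-V, Nested Page Tables
}
GUEST_FLAG = "hypervisor"             # CPUID.1:ECX[31], set by a hypervisor


def parse_cpuinfo(text):
    """Split /proc/cpuinfo into one {field: value} dict per processor."""
    cpus = []
    for stanza in re.split(r"\n[ \t]*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "processor" in fields:
            cpus.append(fields)
    return cpus


def virt_report(text):
    """Summarise virtualization-related capabilities across all cores."""
    cpus = parse_cpuinfo(text)
    if not cpus:
        raise ValueError("no processor stanzas found")
    vendor = cpus[0].get("vendor_id", "unknown")
    flagsets = [set(c.get("flags", "").split()) for c in cpus]
    common = set.intersection(*flagsets)     # a feature must be on every core
    ext, slat = VENDOR_FLAGS.get(vendor, ("", ""))
    return {
        "vendor": vendor,
        "cpus": len(cpus),
        "hw_assist": bool(ext) and ext in common,
        "second_level_paging": bool(slat) and slat in common,
        "is_guest": GUEST_FLAG in common,
        "flags_differ_between_cores": any(f != flagsets[0] for f in flagsets),
    }


# Constructed sample: a bare-metal Intel host with VT-x and EPT (two cores).
HOST_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Intel(R) Core(TM) i7 (constructed sample)
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm vmx smx est tm2 ssse3 sse4_1 sse4_2 x2apic popcnt aes xsave avx ept vpid umip

processor\t: 1
vendor_id\t: GenuineIntel
model name\t: Intel(R) Core(TM) i7 (constructed sample)
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm vmx smx est tm2 ssse3 sse4_1 sse4_2 x2apic popcnt aes xsave avx ept vpid umip
"""

# Constructed sample: a KVM guest whose hypervisor does not expose nested VT-x.
GUEST_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Intel Xeon Processor (constructed sample)
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx lm constant_tsc rep_good nopl xtopology cpuid tsc_known_freq pni ssse3 sse4_1 sse4_2 x2apic popcnt aes xsave avx hypervisor lahf_lm
"""

if __name__ == "__main__":
    for name, dump in (("host", HOST_CPUINFO), ("guest", GUEST_CPUINFO)):
        print(name, virt_report(dump))
```

On a real machine, pass `open("/proc/cpuinfo").read()` to `virt_report`. Two caveats: older kernels could still print `vmx` when firmware had locked VT-x off in the IA32_FEATURE_CONTROL MSR, in which case loading `kvm_intel` fails with "VMX disabled by BIOS" and that failure, not the flag, is the authoritative answer; and the `hypervisor` flag is set cooperatively by the hypervisor, so its absence proves nothing about whether you are in a VM.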

Paravirtualization

In paravirtualization, also known as OS-assisted virtualization, the guest OS is modified at source level: the kernel's non-virtualizable privileged and sensitive instructions are replaced with hypercalls, explicit calls into the hypervisor, much as an application makes system calls into a kernel. The same channel lets the guest hand whole operations to the hypervisor instead of having hardware emulated step by step (a paravirtual network or disk driver passes buffers to the host rather than poking at a simulated controller), which is far cheaper than trapping on every register access.

While this improves performance and efficiency, paravirtualization cannot be considered full virtualization, because the guest OS cannot run unmodified: it is aware that it is virtualized and communicates directly with the hypervisor, and in some designs with other guests.

A fully paravirtualized kernel needs source changes, which is why the approach appeared on Linux (the Xen PV guest is the best-known example) and is not an option for a closed-source kernel such as Windows. Windows can still use paravirtual device drivers and hypervisor "enlightenments" on top of hardware-assisted virtualization, and modern Linux guests do the same, so in practice the approaches are combined rather than exclusive.
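To make the four approaches above concrete side by side, the toy model below runs one constructed guest kernel snippet under plain trap-and-emulate on an x86-like instruction set, under binary translation, under hardware assistance with a root mode, and as a paravirtualized guest issuing hypercalls. It is an added illustration written for this article, not the article's code and not any real hypervisor's. The instruction set, register names and addresses are invented for the example; POPF and SIDT are modelled on the real x86 behaviour described earlier (POPF silently ignores an interrupt-flag change in Ring 3, SIDT reads the real IDT base without trapping).

```python
"""Toy model of trap-and-emulate, binary translation, hardware assistance and
paravirtualization on an x86-like ISA.  Constructed for this article, not code
from any real hypervisor; names and addresses are invented, but POPF and SIDT
mimic the real x86 behaviour discussed in the text."""

RING0, RING3 = 0, 3
HOST_IDT, GUEST_IDT = 0xFFFF8000, 0xC0000000   # constructed addresses

# Toy ISA:  CLI     privileged: faults in Ring 3, so it can be trapped
#           POPF n  sensitive, NOT privileged: Ring 3 silently drops the IF
#                   change and nothing traps (real x86 POPF at IOPL 0)
#           SIDT    sensitive, NOT privileged: Ring 3 reads the real IDT base
#                   without trapping (real x86 SIDT before UMIP)
#           ADD n   ordinary arithmetic
#           HYPERCALL / TRANSLATED (op, arg): explicit entry into the VMM, as
#                   emitted by a paravirtual kernel / by binary translation
SENSITIVE_UNPRIVILEGED = {"POPF", "SIDT"}
VMM_CALLS = {"HYPERCALL", "TRANSLATED"}


class Trap(Exception):
    """Control transfer from guest to VMM; args == (op, arg)."""


class CPU:
    def __init__(self, hw_assist=False):
        self.IF = 1                  # physical interrupt flag
        self.hw_assist = hw_assist   # root mode present: sensitive ops trap too

    def execute(self, op, arg, regs, ring):
        if op == "ADD":
            regs["a"] += arg
        elif op in VMM_CALLS or (ring == RING3 and (
                op == "CLI" or (self.hw_assist and op in SENSITIVE_UNPRIVILEGED))):
            raise Trap(op, arg)      # hardware hands control to the VMM
        elif op == "CLI":
            self.IF = 0              # only reachable in Ring 0
        elif op == "POPF":
            if ring == RING0:        # Ring 3: silently ignored, no trap
                self.IF = arg
        elif op == "SIDT":
            regs["a"] = HOST_IDT     # Ring 3: no trap, host value leaks out


class VMM:
    """Owns the real hardware; keeps the guest's virtual privileged state."""
    def __init__(self, cpu):
        self.cpu, self.vIF = cpu, 1

    def emulate(self, op, arg, regs):
        if op in VMM_CALLS:          # unwrap the instruction the guest wanted
            op, arg = arg
        if op == "CLI":
            self.vIF = 0
        elif op == "POPF":
            self.vIF = arg
        elif op == "SIDT":
            regs["a"] = GUEST_IDT    # the guest's own table, not the host's

    def run(self, program):
        regs = {"a": 0}
        for op, arg in program:      # guest kernel runs deprivileged in Ring 3
            try:
                self.cpu.execute(op, arg, regs, RING3)
            except Trap as t:
                self.emulate(*t.args, regs)
        return {"vIF": self.vIF, "a": regs["a"], "physical_IF": self.cpu.IF}


def binary_translate(program):
    """Rewrite sensitive-but-unprivileged instructions into VMM calls and pass
    everything else through for direct execution.  A real translator does this
    at run time, one basic block at a time, and caches the result."""
    return [("TRANSLATED", (op, arg)) if op in SENSITIVE_UNPRIVILEGED else (op, arg)
            for op, arg in program]


# Constructed guest kernel snippet: disable interrupts, read its own IDT base,
# do some work, then restore the saved flags (re-enabling interrupts).
GUEST_KERNEL = [("CLI", None), ("SIDT", None), ("ADD", 1), ("POPF", 1)]
# Same snippet as a paravirtualized kernel ships it: rewritten at source level.
PARAVIRT_KERNEL = [("HYPERCALL", ("CLI", None)), ("HYPERCALL", ("SIDT", None)),
                   ("ADD", 1), ("HYPERCALL", ("POPF", 1))]


def run_native():
    """Reference: the snippet run as a real Ring 0 kernel on bare hardware."""
    cpu, regs = CPU(), {"a": 0}
    for op, arg in GUEST_KERNEL:
        cpu.execute(op, arg, regs, RING0)
    return {"IF": cpu.IF, "a": regs["a"]}


def run_guest(mode):
    program = {"trap_only": GUEST_KERNEL, "hw_assist": GUEST_KERNEL,
               "binary_translation": binary_translate(GUEST_KERNEL),
               "paravirt": PARAVIRT_KERNEL}[mode]
    return VMM(CPU(hw_assist=(mode == "hw_assist"))).run(program)


if __name__ == "__main__":
    print("native            ", run_native())
    for mode in ("trap_only", "binary_translation", "hw_assist", "paravirt"):
        print(f"{mode:18}", run_guest(mode))
```

In `trap_only` mode the privileged CLI is trapped and emulated correctly, but the two unprivileged sensitive instructions slip past the VMM: SIDT hands the guest the host's IDT address (the leak behind classic VM-detection tricks), and the final POPF is silently ignored, so the VMM still believes the guest wants interrupts masked and would never deliver another one. Binary translation, hardware assistance and paravirtualization all produce the result a native run would give, differing only in who makes the sensitive instructions reach the VMM: the translator at run time, the processor's root mode, or the guest's own developers. In every mode the physical interrupt flag is untouched, which is Popek and Goldberg's resource-control property in miniature.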

Virtualization Technology: A Recap

  • Full virtualization requires the guest OS to run unmodified and entirely separately from the host system. IBM achieved it in the 1960s, but for many years it was considered impossible on x86 because the architecture has sensitive instructions that are not privileged and so cannot be trapped.
  • Virtualization of the x86 platform was first achieved by VMware in 1998 through Binary Translation, which rewrites the sensitive instructions in guest kernel code at run time so that the VMM handles them, while the rest of the guest's code runs directly on the processor.
  • Intel and AMD added hardware extensions (Intel VT-x, AMD-V), available since 2006, that let the guest OS stay in Ring 0 by adding a new root mode beneath it for the VMM. Sensitive instructions executed by the guest cause a VM exit into that mode, so there is no need for Binary Translation.
  • Paravirtualization, or OS-assisted virtualization, is not full virtualization because the guest OS is aware that it is virtualized and communicates directly with the hypervisor, issuing hypercalls in place of sensitive and privileged instructions. It requires a guest kernel that can be modified, so it is an option for Linux and other open-source kernels rather than a general one, although paravirtual drivers are now used with almost every modern guest.