| 1 | <?xml version='1.0' encoding='UTF-8'?>
|
|---|
| 2 | <!DOCTYPE topic PUBLIC "-//OASIS//DTD DITA Topic//EN" "topic.dtd">
|
|---|
| 3 | <topic xml:lang="en-us" id="hwvirt-details">
|
|---|
| 4 | <title>Details About Hardware Virtualization</title>
|
|---|
| 5 |
|
|---|
| 6 | <body>
|
|---|
| 7 | <p>
|
|---|
| 8 | With Intel VT-x, there are two distinct modes of CPU operation:
|
|---|
| 9 | VMX root mode and non-root mode.
|
|---|
| 10 | </p>
|
|---|
| 11 | <ul>
|
|---|
| 12 | <li>
|
|---|
| 13 | <p>
|
|---|
| 14 | In root mode, the CPU operates much like older generations of
|
|---|
| 15 | processors without VT-x support. There are four privilege
|
|---|
| 16 | levels, called rings, and the same instruction set is
|
|---|
| 17 | supported, with the addition of several virtualization
|
|---|
| 18 | specific instruction. Root mode is what a host operating
|
|---|
| 19 | system without virtualization uses, and it is also used by a
|
|---|
| 20 | hypervisor when virtualization is active.
|
|---|
| 21 | </p>
|
|---|
| 22 | </li>
|
|---|
| 23 | <li>
|
|---|
| 24 | <p>
|
|---|
| 25 | In non-root mode, CPU operation is significantly different.
|
|---|
| 26 | There are still four privilege rings and the same instruction
|
|---|
| 27 | set, but a new structure called VMCS (Virtual Machine Control
|
|---|
| 28 | Structure) now controls the CPU operation and determines how
|
|---|
| 29 | certain instructions behave. Non-root mode is where guest
|
|---|
| 30 | systems run.
|
|---|
| 31 | </p>
|
|---|
| 32 | </li>
|
|---|
| 33 | </ul>
|
|---|
| 34 | <p>
|
|---|
| 35 | Switching from root mode to non-root mode is called "VM entry",
|
|---|
| 36 | the switch back is "VM exit". The VMCS includes a guest and host
|
|---|
| 37 | state area which is saved/restored at VM entry and exit. Most
|
|---|
| 38 | importantly, the VMCS controls which guest operations will cause
|
|---|
| 39 | VM exits.
|
|---|
| 40 | </p>
|
|---|
| 41 | <p>
|
|---|
| 42 | The VMCS provides fairly fine-grained control over what the guests
|
|---|
| 43 | can and cannot do. For example, a hypervisor can allow a guest to
|
|---|
| 44 | write certain bits in shadowed control registers, but not others.
|
|---|
| 45 | This enables efficient virtualization in cases where guests can be
|
|---|
| 46 | allowed to write control bits without disrupting the hypervisor,
|
|---|
| 47 | while preventing them from altering control bits over which the
|
|---|
| 48 | hypervisor needs to retain full control. The VMCS also provides
|
|---|
| 49 | control over interrupt delivery and exceptions.
|
|---|
| 50 | </p>
|
|---|
| 51 | <p>
|
|---|
| 52 | Whenever an instruction or event causes a VM exit, the VMCS
|
|---|
| 53 | contains information about the exit reason, often with
|
|---|
| 54 | accompanying detail. For example, if a write to the CR0 register
|
|---|
| 55 | causes an exit, the offending instruction is recorded, along with
|
|---|
| 56 | the fact that a write access to a control register caused the
|
|---|
| 57 | exit, and information about source and destination register. Thus
|
|---|
| 58 | the hypervisor can efficiently handle the condition without
|
|---|
| 59 | needing advanced techniques such as CSAM and PATM described above.
|
|---|
| 60 | </p>
|
|---|
| 61 | <p>
|
|---|
| 62 | VT-x inherently avoids several of the problems which software
|
|---|
| 63 | virtualization faces. The guest has its own completely separate
|
|---|
| 64 | address space not shared with the hypervisor, which eliminates
|
|---|
| 65 | potential clashes. Additionally, guest OS kernel code runs at
|
|---|
| 66 | privilege ring 0 in VMX non-root mode, obviating the problems by
|
|---|
| 67 | running ring 0 code at less privileged levels. For example the
|
|---|
| 68 | SYSENTER instruction can transition to ring 0 without causing
|
|---|
| 69 | problems. Naturally, even at ring 0 in VMX non-root mode, any I/O
|
|---|
| 70 | access by guest code still causes a VM exit, allowing for device
|
|---|
| 71 | emulation.
|
|---|
| 72 | </p>
|
|---|
| 73 | <p>
|
|---|
| 74 | The biggest difference between VT-x and AMD-V is that AMD-V
|
|---|
| 75 | provides a more complete virtualization environment. VT-x requires
|
|---|
| 76 | the VMX non-root code to run with paging enabled, which precludes
|
|---|
| 77 | hardware virtualization of real-mode code and non-paged
|
|---|
| 78 | protected-mode software. This typically only includes firmware and
|
|---|
| 79 | OS loaders, but nevertheless complicates VT-x hypervisor
|
|---|
| 80 | implementation. AMD-V does not have this restriction.
|
|---|
| 81 | </p>
|
|---|
| 82 | <p>
|
|---|
| 83 | Of course hardware virtualization is not perfect. Compared to
|
|---|
| 84 | software virtualization, the overhead of VM exits is relatively
|
|---|
| 85 | high. This causes problems for devices whose emulation requires
|
|---|
| 86 | high number of traps. One example is a VGA device in 16-color
|
|---|
| 87 | mode, where not only every I/O port access but also every access
|
|---|
| 88 | to the framebuffer memory must be trapped.
|
|---|
| 89 | </p>
|
|---|
| 90 | </body>
|
|---|
| 91 |
|
|---|
| 92 | </topic>
|
|---|
