Virtualization demands from Popek and Goldberg

from Wikipedia, the free encyclopedia

The virtualization requirements of Popek and Goldberg are a set of requirements for a processor architecture , the fulfillment of which enables efficient virtualization based on this architecture. They were formulated by Gerald J. Popek and Robert P. Goldberg in their 1974 article Formal Requirements for Virtualizable Third Generation Architectures . Although the requirements were derived under simplifying assumptions, they nevertheless represent an excellent basis for determining whether a processor architecture can support efficient virtualization and offer approaches for the design of such architectures.

VMM definition

A Popek and Goldberg virtual machine is an efficient duplicate of a real processor; H. Everything that is possible on the real processor should also be possible in the same and more efficient manner on the virtual machine - in particular access to the processor, memory, but also peripheral devices.

A Virtual Machine Monitor (VMM, also known as a hypervisor ) is the implementation of the abstraction layer between the real processor and the virtual machine. Three factors play a special role in the analysis of the virtual environment provided by the VMM:

Equivalence / fidelity
A program that runs in the virtual environment should behave identically as it would if it were run on the equivalent real machine.
Resource control / security
The VMM must have complete control over the virtual resources .
Efficiency / performance
A statistically relevant proportion of processor instructions must be executed without the intervention of the VMM.

In Popek and Goldberg's terminology, a VMM must have all three properties in order to be considered such. In the terminology of the Smith and Nair (2005) book, VMMs are defined as those that meet the first two criteria (equivalence and resource control). Those VMMs that also meet the efficiency criterion are referred to there as efficient VMMs.

Popek and Goldberg describe the properties that the instruction set architecture of a physical processor must have in order to be able to support VMMs with the above properties. Your analysis derives the properties from a "third generation processor architecture" model, which is based on the systems currently in use at the time (e.g. IBM System / 360 , Honeywell 6000, DEC PDP-10 ), but is nevertheless generic enough to to be extended to modern processor architectures.

The model describes, among other things, a processor that has two modes ( privileged mode and user mode ) and has access to linear and uniformly addressable memory. It is assumed that part of the processor instruction set can only be executed in privileged mode and that memory is addressed relative to a base register called a relocation register . I / O operations and interrupts were not modeled in the model described.

Virtualization theorems

To derive their virtualization theorems that formulate sufficient (but not necessary) conditions for virtualization, Popek and Goldberg introduced a classification of the instruction set architecture into three non-disjoint classes:

Privileged instructions
Those instructions that are caught when the processor is executing in user mode and not caught when the processor is executing in privileged mode.
Control critical instructions
Those instructions that try to change the configuration of resources in the system.
Behavioral instructions
Those instructions, the result of which depends on the configuration of the system's resources.

The main results of Popek and Goldberg's analysis can then be summarized as follows:

Theorem 1 . An effective VMM can be set up for any third generation processor architectures if the set of control-critical instructions for a processor architecture represents a subset of the set of privileged instructions.

In principle, the theorem says that, in order to build a VMM, it is sufficient if all instructions that can influence the correct functioning of the VMM (control-critical instructions) are always captured and passed on to the VMM for control and processed (emulated) . This ensures the fulfillment of the resource control / security property of the VMM. Non-privileged instructions, on the other hand, must be executed natively on the processor in order to meet the efficiency characteristics of the VMM. The fulfillment of the equivalence property follows from what has just been described.

The theorem also gives an indication of a simple technique to implement a VMM, the so-called trap-and-emulate virtualization sometimes classical virtualization called: Since all control critical instructions can be caught, everything is what do the VMM must now emulating each individual prisoner instruction.

A related problem is to infer sufficient conditions for recursive virtualization (also called nested virtualization ); H. Conditions under which VMMs can run a copy of themselves. Popek and Goldberg present the following (sufficient) conditions:

Theorem 2 . Any third generation processor architecture can be recursively virtualized if

  1. it is itself virtualizable
  2. for them a VMM can be constructed without time dependencies.

Some architectures, such as the x86 architecture without hardware-supported virtualization functions, do not meet these conditions, which is why they cannot be virtualized in the classic way.

Nevertheless, such architectures can be fully virtualized using other techniques , such as binary translation. The additional effort required to implement these techniques (based on software instead of hardware) theoretically makes such VMMs less efficient, but the implementation of hardware traps naturally also implies a certain loss of performance. A well-optimized VMM based on binary translation can definitely achieve comparable performance and, in the case of x86 binary translation, does this in comparison to VMMs, based on the x86 hardware-supported virtualization of the first generation. Indeed, from this fact follows a theorem with other sufficient conditions.

Handling critical instructions

As critical instructions are those referred to the control critical and in terms of the three categories of instructions unprivileged instructions are d. H. these instructions cannot be caught, but they change relevant structures for processor control. Processors that have such critical instructions in the instruction set cannot be virtualized according to Popek and Goldberg's criteria, since they violate Theorem 1.

Nonetheless, VMMs have been implemented that work very well in practice on such processor architectures. However, the virtualization of such architectures requires mechanisms for handling the critical instructions described above. One approach, known as patching or binary translation , uses elements of dynamic recompilation: critical instructions are recognized at runtime and replaced with a trap in the VMM. Various mechanisms, e.g. B. Caching has been suggested to make patching more efficient. Another approach is paravirtualization , in which the guest operating systems are adapted (ported) in such a way that critical instructions are replaced by traps in the VMM.

Examination results for instruction sets of some processor architectures

In this section the results of the investigation with regard to the conditions formulated above are shown for some processor architectures.

PDP-10

The PDP-10 architecture has some instructions that are control-critical but not privileged. These instructions save or restore conditions codes for USER or IOT bits:

  • JSR: jump to subroutine
  • JSP: jump and save program counter
  • PUSHJ: push down and jump
  • JRST: jump and restore

System / 370

All control-critical instructions of the System / 370 are also privileged instructions: The architecture fulfills the above. Virtualization Conditions.

Motorola MC68000

The Motorola MC68000 has a control-critical, non-privileged instruction:

  • MOVE from SR

This instruction is control-critical because it allows (read) access to the entire status register, which also contains the control bit for privileged and user modes, interrupt levels and trace control. In most of the later models of the Motorola 68000 family, starting with the MC68010 , this instruction had become the privileged instruction, and another instruction was provided in order to be able to read out the non-critical part of the status register in user mode.

IA-32 (x86)

The IA-32 instruction set of the Intel Pentium processor contains 17 control-critical, unprivileged instructions. They can be divided into the following groups:

  • Control-critical register instructions: Reading or changing control-critical registers above memory areas, e.g. B. Clock register or interrupt register:
    • SGDT, SIDT, SLDT
    • SMSW
    • PUSHF, POPF
  • Protection system instructions: You address the memory protection system or the address relocation system:
    • LAR, LSL, VERR, VERW
    • POP
    • PUSH
    • CALL, JMP, INT n, RET
    • STR
    • MOV

The introduction of the instruction set extension AMD-V and Intel VT-x means that x86 processors with these extensions meet the virtualization requirements of Popek and Goldberg.

IA-64 (Itanium)

The effort to implement virtualization on the Itanium architecture is described in the essay by Magenheimer and Christian from 2000.

Performance measurement in practice

The efficiency requirement in Popek and Goldberg's definition of the VMM only affects the execution of non-privileged instructions that are to be executed natively on the processor. This distinguishes a VMM from the more general class of hardware emulator software. Unfortunately, it turned out that even “efficient” VMMs based on processor architectures that fully met Theorem 1 showed significantly lower performance than the same non-virtualized system. Experiments carried out on the System / 370 architecture showed that the virtual machine only achieved 21% of the performance of the non-virtualized system. This was attributed to the effort required to implement the trap-and-emulate method in hardware. As a result, IBM introduced a number of hardware-assisted virtualization functions for the System / 370 architecture, which doubled the performance of the VMM.

Another major reason for developing hardware-assisted virtualization functions for the System / 370 architecture was memory management. If the guest system implemented virtual memory itself, the performance of the overall system was severely impaired by the multiple address translation (first in the virtual machine, then again by the memory management unit of the processor). A mechanism comparable to the second level address translation of modern architectures was implemented on the hardware side in System / 370 in order to accelerate this access.

literature

Individual evidence

  1. Gerald J. Popek, Robert P. Goldberg: Formal Requirements for Virtualizable Third Generation Architectures . In: Communications of the ACM . 17, No. 7, 1974, pp. 414-417. doi : 10.1145 / 361011.361073 .
  2. Gerald J. Popek, Robert P. Goldberg: Formal Requirements for Virtualizable Third Generation Architectures . In: Communications of the ACM . 17, No. 7, 1974, p. 417. doi : 10.1145 / 361011.361073 .
  3. J. Smith and R. Nair. Virtual Machines: Versatile Platforms for Systems and Processes (The Morgan Kaufmann Series in Computer Architecture and Design). Morgan Kaufmann Publishers Inc., 2005, p. 205.
  4. Gerald J. Popek, Robert P. Goldberg: Formal Requirements for Virtualizable Third Generation Architectures . In: Communications of the ACM . 17, No. 7, 1974, p. 414. doi : 10.1145 / 361011.361073 .
  5. a b A Comparison of Software and Hardware Techniques for x86 Virtualization (PDF) VMware. Retrieved September 8, 2010.
  6. a b J. Smith, R. Nair: Virtual Machines: Versatile Platforms for Systems and Processes . The Morgan Kaufmann Series in Computer Architecture and Design. Morgan Kaufmann Publishers (2005), 391.
  7. SW Galley: PDP-10 Virtual machines . In: Proc. ACM SIGARCH-SIGOPS Workshop on Virtual Computer Systems ., Pp. 30–34.
  8. ^ J. Smith, R. Nair: Virtual Machines: Versatile Platforms for Systems and Processes . The Morgan Kaufmann Series in Computer Architecture and Design. Morgan Kaufmann Publishers, 2005, p. 395.
  9. M68000 8- / 16-32-Bit Microprocessor User's Manual, Ninth Edition . Motorola, Inc., Phoenix AZ 1993.
  10. Motorola M68000 Family Programmer's Reference Manual . Motorola, Inc., Phoenix AZ 1992.
  11. ^ John Scott Robin, Cynthia E. Irvine: Analysis of the Intel Pentium's Ability to Support a Secure Virtual Machine Monitor . In: Proc. 9th USENIX Security Symposium ..
  12. ^ Daniel J. Magenheimer, Thomas W. Christian: vBlades: Optimized Paravirtualization for the Itanium Processor Family . In: Proc. 3rd Virtual Machine Research & Technology Symposium . USENIX, 2000, pp. 73-82.
  13. Smith and Nair, pp. 415-416 and 426
  14. ^ PH Gum: System / 370 Extended Architecture: Facilities for Virtual Machines. (PDF) In: IBM J. Res. Develop. , Vol. 27, No. 6, Nov 1983, p. 533