intel® virtualization technology [vt]

IntelIntel®® Virtualization Virtualization Technology [VT]Technology [VT]

Sunil SaxenaIntel Corporation

2*Third party marks and brands are the property of their respective owners

Intel Confidential

Copyright Intel Corporation

INFORMATION IN THIS DOCUMENT IS PROVIDED IN INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTELCONNECTION WITH INTEL®® PRODUCTS.PRODUCTS. EXCEPT AS PROVIDED EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY RELATING TO SALE AND/OR USE OF INTEL PRODUCTS, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS, INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT, OR OTHER INFRINGEMENT OF ANY PATENT, COPYRIGHT, OR OTHER INTELLECTUAL PROPERTY RIGHT.INTELLECTUAL PROPERTY RIGHT.

INTEL MAY MAKE CHANGES TO SPECIFICATIONS, PRODUCT INTEL MAY MAKE CHANGES TO SPECIFICATIONS, PRODUCT DESCRIPTIONS, AND PLANS AT ANY TIME, WITHOUT NOTICE.DESCRIPTIONS, AND PLANS AT ANY TIME, WITHOUT NOTICE.

ALL DATES PROVIDED ARE SUBJECT TO CHANGE WITHOUT ALL DATES PROVIDED ARE SUBJECT TO CHANGE WITHOUT NOTICE.NOTICE.


Intel Confidential


Scope of this SessionScope of this Session

IntelIntel®® Virtualization Technology (VT)Virtualization Technology (VT)––Challenges of IA CPU virtualization todayChallenges of IA CPU virtualization today––VT closes virtualization holes by designVT closes virtualization holes by design––VTVT--x Technical Overview x Technical Overview –– IntelIntel®® LaGrandeLaGrande Technology (LT)Technology (LT)––VTVT--i Technical Overviewi Technical Overview––Status / Plans Xen with VTStatus / Plans Xen with VT

VT Roadmap VT Roadmap Additional ResourcesAdditional Resources


Intel Confidential


Platform Hardware

VM1

VM Monitor

VM0

Guest OS0

App AppApp ...

... Guest OS1

App AppApp ...

OS and Apps in a VM don't know that the

VMM exists or that they share CPU resources

with other VMs

VMM should run protected from all

Guest software

Challenges of Running a VMMChallenges of Running a VMM

VMM should isolate Guest SW stacks from

one another

VMM should present a virtual platform

interface to Guest SW


Intel Confidential


Platform Hardware

VM1

VM Monitor

VM0

Guest OS0

App AppApp ...

... Guest OS1

App AppApp ...

Run Guest OS above Ring-0 and have privileged instructions

generate faults...

Run VMM in Ring-0 as a collection of fault handlers

Current IA CPUs require sophisticated software techniquesCurrent IA CPUs require sophisticated software techniques

SW Solution: Guest Ring SW Solution: Guest Ring DeprivilegingDeprivileging

Top IA Virtualization Holes :• Ring Aliasing• Non-trapping instructions• Excessive Faulting• Interrupt Virtualization Issues• CPU state context switching• Addr Space Compression

Sophisticated Software Techniques :• Source guest OS Modifications• Binary guest OS Modifications


Intel Confidential


Platform Hardware

VM1

VM Monitor

VM0

Guest OS0

App AppApp ...

... Guest OS1

App AppApp ...

VMM preempts execution of Guest OS via new HW-based

transition mechanism

By designBy design, VT closes virtualization holes and , VT closes virtualization holes and the need for complex software workarounds the need for complex software workarounds

IntelIntel®® Virtualization TechnologyVirtualization Technology

Guest SW runs deprivileged in a new operating mode:

• Apps run deprivileged in ring 3• OS runs deprivileged in ring 0• VMM runs in new mode with full privilege


Intel Confidential


VM Entry and VM ExitVM Entry and VM ExitVM EntryVM Entry–– Transition from VMM to Guest Transition from VMM to Guest –– Enters VMX nonEnters VMX non--root operationroot operation

Loads Guest state and Exit criteria from VMCSLoads Guest state and Exit criteria from VMCS–– VMLAUNCHVMLAUNCH instruction used on initial entryinstruction used on initial entry

VMRESUMEVMRESUME instruction used on subsequent entriesinstruction used on subsequent entries

VM ExitVM Exit–– VMEXITVMEXIT instruction used on transition from Guest to VMMinstruction used on transition from Guest to VMM–– Enters VMX root operationEnters VMX root operation–– Saves Guest state in VMCSSaves Guest state in VMCS–– Loads VMM state from VMCSLoads VMM state from VMCS

Physical Host Hardware

VM1

VM Monitor

VM0

Guest OS0

App AppApp ......

Guest OS1

App AppApp ...

VM Exit VM Entry


Intel Confidential


IA-32Operation

VTVT--x Operationsx Operations Build Foil Build Foil

Ring 0

Ring 3VMX RootOperation

VMX Non-rootOperation

. . .Ring 0

Ring 3

VM 1

Ring 0

Ring 3

VM 2

Ring 0

Ring 3

VM n

VMXONVMLAUNCHVMRESUME

VM Exit VMCS2

VMCSn

VMCS1


Intel Confidential


Protected Key Operations Protected Key Operations & Sealed Storage& Sealed Storage

Protected Data Paths Protected Data Paths (Keyboard, Mouse, Graphics)(Keyboard, Mouse, Graphics)

Protected Execution Environments Protected Execution Environments (Protected Launch, DMA Protections)(Protected Launch, DMA Protections)

LPCLPCTPM v1.2TPM v1.2

USB

USB

LT builds on IntelLT builds on Intel®® Virtualization TechnologyVirtualization Technology

LT interoperates with an enabled OS to better defend against LT interoperates with an enabled OS to better defend against software based attackssoftware based attacks

LaGrande Technology* (LT)LaGrande Technology* (LT)


Intel Confidential


ItaniumItanium®® Virtualization VTVirtualization VT--ii

Virtualization-supported CPU

Guest Software(Virtualized)

Host Software/VMM

Host Virtual Address

Non-privilegedResources

Intercepts

PrivilegedResources

Build Foil

PSR.vm=1

PSR.vm=0

Processor Status Processor Status RegisterRegister

••TLB AccessesTLB Accesses

••Privileged Registers Privileged Registers (PSR, Control, Debug)(PSR, Control, Debug)

••Register Stack Register Stack Engine (RSE)Engine (RSE)


Intel Confidential


IntelIntel®® Virtualization Technology and XenVirtualization Technology and Xen

Xen Hypervisor

Domain UDomain 0

Platform

Native

Device

Drivers

BackendVirtual driver

AppApp

Front end Virtual D

rivers

AppApp AppApp

Enhanced Xen capability with Legacy Linux supportEnhanced Xen capability with Legacy Linux support

Control

Panel

Virtual PlatformVirtual Platform

Domain VMX

Unmodified Linux

Guest BIOSGuest BIOS

FE Virtual D

rivers

AppApp AppApp

Device

Models

Control

Platform with Intel® Virtualization Technology

Xenolinux Xenolinux

…


Intel Confidential


Status/Plans Status/Plans –– Xen with VTXen with VT

Completed Xen 3.0 itemsCompleted Xen 3.0 items––3232--bit VT, UP Linux guest, UP hostbit VT, UP Linux guest, UP host––6464--bit bit xenolinuxxenolinux and 32and 32--bit VT domainbit VT domain

Additional items for Xen 3.0Additional items for Xen 3.0––6464--bit VT domain, PCI/IOAPIC/ACPI in bit VT domain, PCI/IOAPIC/ACPI in

domain 0, guest FW, domain 0, guest FW, parapara--virtualized drivers, virtualized drivers, xenolinuxxenolinux in VT domainin VT domain

Plan for Xen 4.0Plan for Xen 4.0––Performance Optimization, SMP guests, Performance Optimization, SMP guests,

Windows guest, Security, ManagementWindows guest, Security, Management


Intel Confidential


VT Client RoadmapVT Client Roadmap2005 Lyndon2005 LyndonIntelIntel®® PentiumPentium®® 4 Processor4 Processor945G Chipset945G ChipsetHT, XD, EM64T, EIST, Intel AMT, HT, XD, EM64T, EIST, Intel AMT, VTVT

2006 Averill2006 AverillIntel Pentium 4 Processor & DCIntel Pentium 4 Processor & DCBroadwater Chipset Broadwater Chipset 2005 features plus Intel AMT2, 2005 features plus Intel AMT2, LTLT

2006 Napa2006 NapaMobile Dual Core Processor codeMobile Dual Core Processor code--named named ““YonahYonah””Chipset codeChipset code--named named ““CalistogaCalistoga””Wireless LAN solution codeWireless LAN solution code--named named ““GolanGolan””XD, EIST, XD, EIST, VTVT, Intel AMT, Intel AMT


Intel Confidential


2006 2006 BensleyBensley, , GlidewellGlidewellDempsey Dempsey Blackford & Blackford & GreencreekGreencreek2005 features plus 2005 features plus VTVT, IAMT, I/OAT, IAMT, I/OAT

2 Socket2 Socket

2 Socket2 Socket

≥≥ 4 Socket4 Socket

2005 2005 -- 2006 2006 Millington / DP MontvaleMillington / DP MontvaleIntelIntel®® 8870, Enabled8870, EnabledDual Core, MT, Foxton, Pellston, Dual Core, MT, Foxton, Pellston, VTVT

2005 2005 -- 2006 2006 Montecito / MontvaleMontecito / MontvaleIntelIntel®® 8870 / Enabled8870 / EnabledMT, Foxton, Pellston, MT, Foxton, Pellston, VTVT

VT Server RoadmapVT Server Roadmap


Intel Confidential


Additional ResourcesAdditional Resources

For specs / whitepapers / web resources:For specs / whitepapers / web resources:WWW.INTEL.COM/TECHNOLOGY/VTWWW.INTEL.COM/TECHNOLOGY/VT

For discussions on VT: For discussions on VT: [email protected]@Intel.Com


Intel Confidential


Thank YouThank You

intel® virtualization technology [vt]

Documents