What is a problem with trap-and-emulate virtualization?
Some privileged operations silently fail -> do not cause a trap.
Guest VM or OS thinks all worked fine though Hypervisor never received any trap, thus did not emulate jack shit.
Name the classic definition of a VM
A virtual machine is an efficient, isolated, duplicate of the real machine
Name goals of the VMM
- fidelty (trust): the hardware (CPU, I/O devices) matches the real hardware
- Performance similar to native
- Safety & Isolation
Characteristics of a VMM
- Provides an environment essentially identical to the original machine
- VMM is in complete control of system resources
- VMM determines whether a VM gets direct hardware access
- VMM provides Isolation between VMs
Advantage of VMS
- consolidation ==> decrease cost
- Migration between physical hosts
- increased reliability - can migrate my VM away from failing host
- Availability (Spin up clones)
- Security (Isolation)
- Support for legacy OS
Describe the two models for Virtualisation
- VMM (hypervizor) based / Hypervisor Type 1
- Not a software application that is installed on an operating system
- Kommunizieren über eigene Hardwaretreiber direkt mit dem Hostsystem und benötigen kein anderes Betriebssystem zwischen Hardware und Hypervisor
- Hypervisor could have a privileged VM with a common OS that includes the necessary standard device driver - Hypervisor Type 2 / Hosted Model
- Ein Hypervisor vom Typ 2 ist oberhalb eines Betriebssystems installiert und greift über die Treiber des Betriebssystems auf die Hardware des Hosts z
Name a downside of the Hypervisor type 1
Hardware providers need to create device drivers not only for a certain OS but also for different hypervisors.
Solution
- Privileged service VM with common OS
- This service OS runs all the device drivers (privileged)
- Common OS: No need to write extra device drivers
How do you separate privilege levels in a host with a hypervisor of type 1?
4 Rings = protection levels
Some also additional distinction between root & non-root
non-root: Guest VMS
- ring 3: apps
- ring 0: OSroot: Hypervisor
What is trap-and-emulate
The technique used in mainframes for efficient virtualization. All non-privileged instructions from guest VMS run WITHOUT interference of the hypervisor (native speed).
Only priv. instructions trap to the hypervisor and need to be evaluated.
What is full virtualization and how is it achieved?
Guest OS does not need to be modified. Achieved using binary translation! At VM runtime, Translate 17 silently failing priv. operations to other non-failing statements.
What is paravirtualization and how does it differ from full virtualisation?
paravirtualization gives up on goal of full virtualisation to increase performance.
- Guest knows it runs virtualized.
- Guest makes explicit calls to hypervisor to perform hardware manipulations (hypercalls)
Memory virtualization - what is the difference between the virtual vs physical vs machine addresses?
Application on VM -> virtual addresses -> pysical addresses (PoV VM)
VMs address space is then mapped to the machines real address space.
What is a shadow page table and why is it required?
Why is the Shadow page table required?
- Because GuestOS does not know it is virtualised and will create it’s own page table.
- However this page table only maps to memory addresses that the VMM artificially mapped to start from 0 => expected by OS which thinks it runs on native hardware!
What is special about paravirtualisation for memory?
- Guest OS does NOT expect physical address space starting from address 0
- No Need for a duplicate shadow page table!!
- > Guest OS can just explicitly register its virtual page table with the hypervisor => REMEMBER: it knows it virtualised, therefore can just make a call to VMM to use its special features.
Another nice feature: Guest OS Hypercall to VMM to batch update new page table entries
What is a Hypercall / VM Exit
Only exist in paravirtualization!
A direct message from a Guest OS to the VMM to take advantage of Hypervisor special functionality.
Can be expensive.
What are the three modes of Virtualisation of Hardware?
- Passthrough
- Hypervisor Direct
- Split Device Driver Model
What is the advantage & disadvantage of the Passthrough Hardware virtualisation mode?
A:
- VM has excusive acces
- Bypass the VMM (Speed!)
D:
- Device sharing not possible often
- VMM must have EXACT device type that VM expects (e.g SSD device driver type)
- VM migration tricky (no abstraction layer in between, dependent on specific hardware, state in the hardware itself)
What is the advantage & disadvantage of the Hypervisor Direct - Hardware virtualisation mode?
A:
- VM decoupled from hardware (easy migration!, no hardware device specifics)
D:
- Emulation overhead: SLOW / Latency due to all device operations intercepted
- Hypervisor needs to include device drivers (often custom to VMM)
- Adds complexity to Hypervisor itself
What is the advantage & disadvantage of the Split Device Driver Model - Hardware virtualisation mode?
A:
- Eliminate Emulation overhead
- Allow for better management of shared devices
Detailed:
Vs Direct access: Centrals decision for device requests (policy, device sharing amongst VMS) within the service VM => better decision compared to having to rely on physical device capabilities to manage sharing it amongst VMs
