Enterprise Applications Architecture

Author: Grant Wheeler
Popek and Goldberg Virtualization Requirements

Dr. John Burns

ITT Dublin


ISA Virtualization

1. As we mentioned, there are formal requirements for ISA (Instruction Set Architecture) virtualization.
2. Not all ISAs support virtualization.
3. For example, in the 1990s the Intel x86 processor did not provide a comprehensive virtualization technology (at the CPU/hardware level).
4. In this section we explore the formal requirements an ISA must meet to support virtualization.
5. Popek and Goldberg were among the first authors to formalize this.


Popek and Goldberg

Formal Requirements for Virtualizable Third Generation Architectures (Communications of the ACM, vol 17, no 7, 1974, pp. 412-421).

Some terminology:

1. Virtual Machine: capable of virtualizing all hardware resources: processors, memory, storage, and peripherals
2. Virtual Machine Monitor (VMM): provides the virtual machine abstraction. Also referred to as a hypervisor


VMM properties

In their seminal paper, Popek and Goldberg identified the following properties of a VMM:

1. Equivalence: A program running under a VMM should exhibit behavior identical to that of running on the equivalent machine
2. Resource Control: The VMM is in full control of virtualized resources
3. Efficiency: A statistically dominant fraction of machine instructions may be executed without VMM intervention


ISA Instruction Classification

1. Privileged instructions: those that trap in user mode, and only run in system mode
2. Critical [Sensitive] instructions:
   (a) Control-sensitive: those that change the resource configuration of the system
   (b) Behavior-sensitive: behavior or results depend on the configuration of resources
3. Innocuous instructions: those that can be executed without requiring system privileges, i.e., not Sensitive or Privileged


Popek and Goldberg Theorem 1

Theorem: For any conventional third generation computer, a virtual machine monitor may be constructed if the set of sensitive instructions for that computer is a subset of the set of privileged instructions.

• All control-sensitive instructions always trap and pass control to the VMM
• Guarantees resource control property
• Non-privileged instructions must be executed natively

Significance: The IA-32/x86 architecture is not virtualizable.


Theorem 2: Recursive Virtualization

A VMM can run on a copy of itself. For an architecture, this is possible if:

• The architecture is virtualizable
• A VMM without timing dependences can be built


Non-Virtualizable Machines

• VMMs (under the Popek & Goldberg definition) cannot be built on non-virtualizable machines
• Workarounds:
  • patching: critical instructions removed and replaced with a trap to the VMM
  • paravirtualization: guest OS is modified (e.g., IBM VM)
• Patching has often been considered to be too slow.
• Indeed, according to the rules of VMM construction, the x86 architecture is not virtualizable.
• However, using binary translation to replace critical instructions (that do not trap) with an instruction which does cause a trap to the VMM in fact has a negligible impact on performance.

Trap Events in VMM


Handling critical instructions

• The conditions for ISA virtualization expressed in Theorem 1 may be relaxed at the expense of the efficiency property. VMMs for non-virtualizable ISAs (in Popek and Goldberg's sense) have routinely been built.
• The virtualization of such architectures requires correct handling of critical instructions, i.e., sensitive but unprivileged instructions.
• As mentioned, patching adopts techniques commonly used in dynamic recompilation: critical instructions are discovered at run-time and replaced with a trap into the VMM.
• Paravirtualization requires guest operating systems to be modified (ported) before running in the virtual environment.
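
Added example (not part of the original slides): a toy Python model of the Theorem 1 subset condition and of the patching workaround described above. The three-instruction ISA, the mode encoding and every function name are constructed for illustration, and the VMM models only a guest kernel that expects to run in system mode.

```python
# Constructed toy ISA for illustration (not a real instruction set).
SYSTEM, USER = 0, 1
PRIVILEGED = {"SETMODE"}             # trap when executed in user mode
SENSITIVE = {"SETMODE", "RDMODE"}    # control-sensitive, behavior-sensitive
CRITICAL = SENSITIVE - PRIVILEGED    # sensitive but unprivileged

class Trap(Exception): pass          # raised by the modelled hardware

def virtualizable():
    # Theorem 1 condition: sensitive instructions are a subset of privileged ones.
    return SENSITIVE <= PRIVILEGED

def execute(instr, state):
    """Hardware semantics of one instruction on state {'mode', 'acc'}."""
    op, *args = instr
    if op == "TRAP" or (op in PRIVILEGED and state["mode"] == USER):
        raise Trap(instr)
    if op == "ADD":
        state["acc"] += args[0]
    elif op == "SETMODE":
        state["mode"] = args[0]
    elif op == "RDMODE":
        state["acc"] = state["mode"]  # result depends on the real mode, no trap

def run_native(program):
    state = {"mode": SYSTEM, "acc": 0}
    for instr in program:
        execute(instr, state)
    return state["acc"]

def patch(program):
    # Patching: replace each critical instruction with a trap into the VMM.
    return [("TRAP", i) if i[0] in CRITICAL else i for i in program]

def run_under_vmm(program):
    real = {"mode": USER, "acc": 0}   # the guest always runs deprivileged
    virt_mode = SYSTEM                # the mode the guest kernel believes it is in
    for instr in program:
        try:
            execute(instr, real)      # innocuous instructions run directly
        except Trap:                  # VMM emulates against the virtual state
            op, *args = instr[1] if instr[0] == "TRAP" else instr
            if op == "SETMODE":
                virt_mode = args[0]
            elif op == "RDMODE":
                real["acc"] = virt_mode
    return real["acc"]

GUEST = [("SETMODE", SYSTEM), ("ADD", 5), ("RDMODE",), ("ADD", 10)]  # constructed sample
```

Run unpatched under the VMM, GUEST finishes with a different accumulator value than it does natively, so the equivalence property fails; after patch() the two results match.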


x86 Virtualization

• Before 2005: the x86 processor architecture did not meet the Popek & Goldberg Theorem 1 virtualization requirements
• Note: a well-tuned caching binary translation system may achieve comparable performance, and it does in the case of x86 binary translation relative to first generation x86 hardware assist, which merely made sensitive instructions trappable. (Effectively this gives a theorem with different sufficiency conditions.)
• Intel VT (Virtual Technology) (IVT): IA-32, IA-64, Directed I/O, DMA & interrupt remapping
• AMD-V (Pacifica): AMD Athlon 64, Turion, Opteron
