Overcome the limitations of software-based virtualization. Those limitations are introduced in a separate Knowledge Base item, “How to Identify the Limitations of Software-Based Virtualization.” By understanding both the limitations of software-only solutions and the ways in which hardware solutions address those limitations, you can begin to create a business case for the adoption of hardware-based virtualization technology.
Intel® Virtualization Technology provides much needed support to virtual machine monitors (VMMs) vendors in upcoming IA processors and chipsets. It enables VMMs to run off-the-shelf operating systems and applications without recourse to binary translation or paravirtualization. This greatly facilitates the deployment of VMMs and provides greater reliability and manageability of guest operating systems and applications.
VMMs must do two things well: they must completely emulate the hardware environment to the point that the hosted OS cannot tell it does not own the entire hardware platform, and they must handle all unusual circumstances that can arise either in the OS (such as hardware malfunctions) or the application (software errors). Both tasks must be performed with high levels of reliability and low performance overhead.
Previous processor architectures have not made it easy for VMMs to meet these goals, because they were designed primarily to run a single instance of the operating system. As a result, traditional processors currently pose several key challenges to VMMs, all of which are addressed by Intel® Virtualization Technology.
All modern processors and operating systems implement the concept of privilege levels, which define what actions can be performed by specific processes. Intel® architecture provides four levels of privilege, called rings, that are numbered 0-3. The highest level, 0, is used by the operating system; the lowest level, 3, is employed by the applications. For various reasons, levels 1 and 2 are rarely, if ever, used. Only OSs running in ring 0 have unrestricted access to the hardware. By limiting this ring to use by a single OS, Intel architecture enables the OS to have complete knowledge of the state of the hardware.
For the VMM to work properly, it (the VMM) needs to run at ring 0 and create the illusion to the guest OS that it (the Guest OS) is running in ring 0. However, since the VMM is itself running in ring 0, none of the guest OSs can run at this privilege level. In fact, today they typically run at ring 1, a technique known as ring deprivileging. This creates enormous difficulties for the VMM, which must constantly monitor the activities of the VMs to trap hardware accesses and certain system calls, and execute them itself and emulate the results.
Intel Virtualization Technology solves this problem by creating two classes of rings: the privileged “root” ring – referred to as ring 0P – for use by the VMM, and the deprivileged “non-root” ring – ring 0D – for the operating systems. In this way, the VMM can function as the fundamental layer and all OSs can run above it with the necessary benefits of ring 0. By use of this approach, hosted OSs and applications run within their expected ring levels and are unaware of the VMM; each hosted OS thinks it owns the entire machine.
This item is part of a series of related pieces that together address the issues associated with software-based virtualization and how they are addressed using hardware-based virtualization:
- How to Identify the Limitations of Software-Based Virtualization
- How to Obtain the Benefits of Hardware-Based Virtualization