From VT-X to VT-D intel virtualization technology development blueprint

Source: Internet
Author: User
[IT168 Evaluation Center] Virtualization technology, now very popular, has existed for decades. In the early days it was mainly used on servers; as PC performance continued to grow, virtualization became increasingly popular on the x86 architecture.

Virtualization technology virtualizes the various resources of multiple hosts to improve the sharing rate and utilization of those resources.

Virtualization can transform the IT environment into a more powerful, elastic, and dynamic architecture. By consolidating operating systems onto a high-performance server, all resources of the hardware platform can be used to the full, more applications can be delivered with less investment, the IT architecture is simplified, resource management becomes easier, and unnecessary growth of the IT architecture is avoided. Because the guest virtual machines are truly independent of the hardware, a virtual machine can also be migrated while it is running, which gives genuinely uninterrupted operation and maximizes business continuity without paying a high price for a dedicated high-availability platform.

Compared with the virtualization technology (CPU partitioning) on Sun systems, virtualization on x86 lags far behind, but it is steadily improving. A few years ago there was no hardware support on x86; even the instruction set was not designed for virtualization, so virtualization relied almost entirely on software. The representative products of that time were VMware's products and Virtual PC, developed by Connectix before it was acquired by Microsoft. VMware's products were mainly used in the server market, including GSX Server and, later, ESX Server. These software virtualization products used binary emulation/translation for critical instructions, which carried high overhead. Later, para-virtualization technologies were introduced, which avoided some of the binary translation and improved performance, but they still had isolation problems.

Today, every aspect of virtualization technology has improved, and virtualization has moved from pure software to processor-level virtualization, to platform-level virtualization, and even to input/output-level virtualization. The representative technology is Intel Virtualization Technology for Directed I/O, abbreviated Intel VT-d. Before introducing Intel VT-d, let's look at the first step of x86 hardware virtualization: processor-assisted virtualization, that is, Intel Virtualization Technology. It comes in two versions: VT-i for the Itanium platform and VT-x for the x86 platform. AMD has the corresponding AMD-V technology for the x86 platform. We will introduce VT-x on the x86 platform; VT-i is broadly similar in principle.

Pure software virtualization mainly suffers from performance and isolation problems. Full virtualization can give the guest operating systems good independence, but its performance is not high: depending on the workload, it can consume 10% to 30% of the host's resources. Other software approaches, on the other hand, leave the guest operating systems less independent of each other. Whichever software method is used, isolation is provided by the hypervisor software, and stronger isolation inevitably leads to performance degradation.

These problems stem mainly from the fact that virtualization was not considered when x86 was designed. Let's look at the privilege-level design of the x86 processor.

The x86 architecture provides four privilege levels, called rings, to protect instruction execution: Ring 0 through Ring 3. Ring 0 has the highest privilege and Ring 3 the lowest. Each level limits which instructions can run; for example, instructions that operate on the GDT, IDT, LDT, and TSS can only run at privilege level 0, that is, Ring 0. Note that the ring/privilege level is different from the process priority we usually talk about in an operating system.

The operating system must run some privilege-level-0 instructions, so Ring 0 is used to run the operating system kernel, Ring 1 and Ring 2 were intended for operating system services, and Ring 3 is used for applications. In practice, however, there is no need to use all four levels; operating systems generally use only two, namely Ring 0 and Ring 3.

In other words, in a conventional x86 operating system the kernel must run in Ring 0. However, the VMM software and the guest OSes it manages cannot all run in Ring 0, because the VMM could then not effectively manage all virtual machines, just as traditional cooperative multitasking operating systems (such as Windows 3.1) could not guarantee stable operation. Without processor-assisted virtualization, the challenge is to run the VMM (Virtual Machine Monitor, or hypervisor) and the guest OS at rings other than Ring 0.

The most common solution is ring deprivileging, which has two variants: the guest OS runs at privilege level 1 (the 0/1/3 model) or at privilege level 3 (the 0/3/3 model).

In either model, the guest OS cannot run at privilege level 0, so privileged instructions such as those for the GDT, IDT, LDT, and TSS must be emulated. This causes obvious performance problems, especially under heavy load when these instructions are executed frequently.

At the same time, these privileged instructions are real "privileges": improper isolation can seriously threaten the other guest OSes, or even the host OS. The ring deprivileging technique uses the segment limits and paging of the IA-32 architecture to isolate the VMM from the guest OS. Unfortunately, the 64-bit mode of EM64T does not support segment limits, so to run a 64-bit operating system the paging mode must be used.

For virtualization, a fatal aspect of using paging is that it does not distinguish privilege levels 0, 1, and 2, so the guest has to run at privilege level 3 (the 0/3/3 model); paging can then isolate the host OS from the guest OS. However, different applications (such as different virtual machines) running at the same privilege level cannot be protected from each other by the privilege mechanism. This is the isolation problem brought about by IA-32, known as ring compression.

IA-32 without VT support cannot virtualize a 64-bit guest operating system.

The practical consequence: on IA-32 CPUs that do not support Intel VT, VMware cannot virtualize a 64-bit guest operating system, because it cannot guarantee security (isolation) between the guest OSes.

 

As a chip-assisted virtualization technology, VT improves both the efficiency and the security of virtualization. Next, let's look at the architectural changes brought by Intel VT. Here we are talking about VT on IA-32, generally called VT-x; VT on the Itanium platform is called VT-i.

VT-x extends IA-32 CPU operation into two modes: VMX root operation and VMX non-root operation. VMX root operation is intended for the VMM/hypervisor, and its behavior is not very different from traditional IA-32, while VMX non-root operation is another IA-32 environment under VMM control. Both modes support all four privilege levels, so a virtual machine running in VMX non-root operation can make full use of privilege level 0.

Two worlds: VMX non-root operation and VMX root operation

Contrary to what some articles say, VT gives both the VMM and the guest OS all privilege levels, rather than assigning each of them a single level, because the VMM and the guest OS run in different modes.

Therefore, instructions such as those for the GDT, IDT, LDT, and TSS can run normally inside the virtual machine, whereas previously they had to be emulated. The VMM is freed from emulating privileged instructions, which solves the ring aliasing problem (software running at a ring different from the one it was designed for) and the ring compression problem, and greatly improves efficiency. Solving the ring compression problem also makes 64-bit guest operating systems possible.

To build the architecture of these two modes, VT-x defines a data structure called the virtual-machine control structure (VMCS). It contains a guest-state area and a host-state area, used to save the state of the virtual machine and of the host, and provides VM entry and VM exit operations to switch between the virtual machine and the VMM. The VM-execution control fields specify which instructions and which events cause a VM in VMX non-root operation to perform a VM exit and hand control to the VMM. In this way VT-x solves both the isolation and the performance problems of virtual machines.
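The following is an added illustration, not code from the article or from Intel: a small model of the VMCS flow described above, in which the VM-execution controls decide which guest instructions cause a VM exit, guest state is saved to the guest-state area and host state loaded on exit, and VM entry resumes the guest. The instruction names, state fields, and guest program are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed model: CPUID always exits under VT-x; HLT and port I/O exit
# only when the corresponding VM-execution controls select them.
ALWAYS_EXIT = {"CPUID", "VMCALL"}


@dataclass
class Vmcs:
    guest_state: dict = field(default_factory=lambda: {"rip": 0x1000, "cpl": 0})
    host_state: dict = field(default_factory=lambda: {"rip": 0xFFFF0000})
    exec_controls: dict = field(
        default_factory=lambda: {"hlt_exiting": True, "io_bitmap": set()})
    exit_reason: str = ""


def needs_exit(vmcs, insn, operand):
    """VM-execution control fields decide which guest instructions trap to the VMM."""
    if insn in ALWAYS_EXIT:
        return True
    if insn == "HLT":
        return vmcs.exec_controls["hlt_exiting"]
    if insn in ("IN", "OUT"):
        return operand in vmcs.exec_controls["io_bitmap"]
    # LGDT, LIDT etc. run natively at guest ring 0: no emulation needed.
    return False


def run_guest(vmcs, program):
    """Run a guest instruction list in VMX non-root operation.

    Returns the list of (exit reason, guest rip saved at the exit) pairs
    the VMM observed; each instruction is modelled as one byte long."""
    exits = []
    cpu_rip = vmcs.guest_state["rip"]           # VM entry loads guest state
    for insn, operand in program:
        if needs_exit(vmcs, insn, operand):
            vmcs.guest_state["rip"] = cpu_rip   # VM exit: save guest state
            vmcs.exit_reason = insn
            cpu_rip = vmcs.host_state["rip"]    # ... and run the VMM in root mode
            exits.append((insn, vmcs.guest_state["rip"]))
            # VMM handled the exit; VM entry resumes after the trapped instruction.
            cpu_rip = vmcs.guest_state["rip"] + 1
        else:
            cpu_rip += 1                        # ran natively, no VMM involvement
    vmcs.guest_state["rip"] = cpu_rip
    return exits


def sample_run():
    """Constructed guest: serial port 0x3F8 is trapped, port 0x80 is not."""
    vmcs = Vmcs()
    vmcs.exec_controls["io_bitmap"].add(0x3F8)
    program = [("LGDT", None), ("CPUID", None), ("OUT", 0x80),
               ("OUT", 0x3F8), ("HLT", None)]
    return run_guest(vmcs, program), vmcs
```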

 

As we can see, the arrival of Intel VT solves the important processor-architecture problems of virtualization and greatly relieves the performance penalty of pure software virtualization. However, much remains to be done.

We know that I/O is an important part of a server. Although CPU computing power can be increased to process data faster, this presupposes that the data can reach the CPU smoothly. Storage, network, graphics, and memory I/O capabilities are all important parts of an enterprise architecture. To this end, people invest not only in transmission bandwidth (for example, moving from one Ethernet speed to the next), but also heavily in various systems and architectures (such as higher-throughput RAID arrays and multi-tier data centers).

As virtualization raises the overall utilization of processor resources, it also places higher demands on data I/O.

The VMM (virtual machine manager) must provide I/O virtualization to serve I/O requests from multiple guests. Current virtualization technology handles I/O virtualization in the following ways.

Emulated I/O device: The VMM emulates an I/O device for the guest. By fully emulating the device's functions, the guest can use the corresponding real driver. This method gives perfect compatibility (regardless of whether the device actually exists), but the emulation obviously hurts performance. Examples of this method are the virtual floppy drives that various virtual machines provide from a floppy image, the real S3 ViRGE 3D graphics card emulated by Virtual PC, and the Sound Blaster 16 sound card emulated by VMware.

 

Additional software interface: This model is similar to the I/O emulation model, but the VMM provides a series of direct device interfaces to the virtual machine, which improves virtualization efficiency. Like the DirectX technology in an operating system, it offers better performance than the I/O emulation model, at the cost of reduced compatibility. For example, the graphics card emulated by VMware delivers a good display speed, but DirectDraw is not fully supported and Direct3D is not supported. The Gigabit NIC emulated by VMware is similar. These fully virtual devices (such as the VMware graphics card and the VMware NIC) need specially crafted drivers, which partly communicate directly with the host and the hardware, and provide higher throughput than the previously emulated 10 Mbit/s NIC, which was accessed through the driver inside the VM.

Current I/O device virtualization mainly uses the emulation or software-interface methods, so performance becomes a bottleneck; after all, even on traditional machines I/O devices easily become the bottleneck. For this reason Intel proposed Intel Virtualization Technology for Directed I/O, Intel VT-d for short.

 

The key to I/O virtualization is the exchange of data between I/O devices and virtual machines. This mainly involves DMA (direct memory access) and IRQs (interrupt requests); once their isolation, protection, and performance problems are solved, I/O virtualization succeeds.

Like Intel VT-i and VT-x on the processor, Intel VT-d is a hardware-assisted virtualization technology, based in the north bridge chip (or, more recently, the MCH). By building DMA virtualization and IRQ virtualization hardware into the north bridge, it enables new I/O virtualization models, and Intel VT-d can greatly improve the reliability, flexibility, and performance of I/O in virtual environments.

Traditional IOMMUs (I/O memory management units) provide a centralized way to manage all DMA resources: besides ordinary internal DMA, this includes special kinds of DMA such as AGP GART, TPT, and RDMA over TCP/IP. An IOMMU distinguishes devices by memory address range, which is easy to implement but makes DMA isolation hard. VT-d therefore updates the IOMMU architecture to support multiple DMA protection domains, and so achieves DMA virtualization. This technology is also called DMA remapping.

I/O devices generate many interrupt requests, and I/O virtualization must correctly separate these requests and route them to the different virtual machines. Traditionally a device's interrupt request is routed either through an I/O interrupt controller or as an MSI (Message Signaled Interrupt). Because an MSI embeds the target memory address in a DMA write request, this architecture requires full access to all memory addresses and cannot provide interrupt isolation.

The interrupt-remapping architecture implemented by VT-d solves this problem by redefining the MSI format. The new MSI is still a DMA write request, but instead of embedding the target memory address it carries a message ID. By maintaining a table structure, the hardware can map different message IDs to different virtual machine domains. The interrupt remapping implemented by VT-d supports all I/O sources, including IOAPICs, and all interrupt types, such as ordinary MSI and the extended MSI-X.
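The two mechanisms just described, DMA remapping with per-domain protection and interrupt remapping by message ID, are modelled below as an added example; it is not code from the article or from Intel. The source IDs, domain names, addresses, and message IDs are constructed sample values, and a denied access is reported as a fault rather than silently reaching another domain's memory.

```python
class DmaFault(Exception):
    """Raised when a device's DMA or MSI is not permitted for its domain."""


class Iommu:
    """Constructed model of VT-d remapping: devices are keyed by source ID,
    each domain has its own I/O page table, and MSIs carry only a message ID."""

    def __init__(self):
        self.domain_of = {}     # source ID (bus:dev.fn) -> protection domain
        self.page_tables = {}   # domain -> {device address page -> host physical page}
        self.irte = {}          # message ID -> (owning domain, interrupt vector)

    def assign(self, source_id, domain, mappings):
        """Place a device in a domain and install that domain's page mappings."""
        self.domain_of[source_id] = domain
        self.page_tables.setdefault(domain, {}).update(mappings)

    def translate_dma(self, source_id, device_addr):
        """DMA remapping: find the device's domain, then translate one 4 KiB page."""
        domain = self.domain_of.get(source_id)
        if domain is None:
            raise DmaFault(f"{source_id}: device not assigned to any domain")
        page, offset = device_addr & ~0xFFF, device_addr & 0xFFF
        host_page = self.page_tables[domain].get(page)
        if host_page is None:   # address outside the domain: blocked, not delivered
            raise DmaFault(f"{source_id}: {device_addr:#x} not mapped in {domain}")
        return host_page | offset

    def remap_interrupt(self, source_id, message_id):
        """Interrupt remapping: the MSI names a table entry, never a memory address,
        and the entry must belong to the sending device's domain."""
        entry = self.irte.get(message_id)
        if entry is None or entry[0] != self.domain_of.get(source_id):
            raise DmaFault(f"{source_id}: message ID {message_id} not owned by sender")
        return entry


def faults(fn, *args):
    """True if the IOMMU blocks the access (raises DmaFault)."""
    try:
        fn(*args)
    except DmaFault:
        return True
    return False


def build_sample():
    """Constructed setup: a NIC assigned to vm1, a disk controller to vm2."""
    iommu = Iommu()
    iommu.assign("02:00.0", "vm1", {0x10000: 0x7F000000})
    iommu.assign("03:00.0", "vm2", {0x10000: 0x80000000})
    iommu.irte[7] = ("vm1", 0x41)   # message ID 7 delivers vector 0x41 to vm1
    return iommu
```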

VT-d makes many other changes as well, such as hardware buffering and address translation. Through these measures, VT-d achieves I/O device virtualization at the north bridge chip level. In the virtualization model, VT-d shows up as two new device virtualization methods:

Left: traditional I/O emulation virtualization; right: direct I/O device assignment.

Direct I/O device assignment: The VMM assigns a physical I/O device directly to a virtual machine. In this model the driver inside the virtual machine communicates directly with the hardware device. To keep the system robust, hardware virtualization is needed so that the hardware resources are isolated and protected for the assigned virtual machine only, and the hardware must also provide multiple I/O partitions to serve several virtual machines at the same time. This model almost completely removes the need to run the driver in the VMM. As an analogy, although the CPU is not an ordinary I/O device, it is assigned to virtual machines in this way, while CPU resources remain under VMM management.

I/O device sharing: This model extends the direct assignment model. It places high demands on the hardware, requiring a device to expose multiple functional interfaces, each of which can be assigned to a separate virtual machine. This model undoubtedly delivers very high virtualization performance.

With VT-d, virtual machines can use direct I/O device assignment or I/O device sharing instead of the traditional device emulation or additional device interface methods, which greatly improves the I/O performance of virtualization.

 

The mainstream two-socket Xeon Stoakley platform will support Intel VT-d

The high-end four-socket Caneland platform also supports VT-d

According to the available information, the previously announced Stoakley and Caneland platforms will include VT-d. Stoakley is the next generation of Bensley for two-socket Xeon processors; Caneland, the successor of Truland for four-socket Xeon processors, supports the latest 45nm Penryn processors.

Looking at Intel's virtualization technology roadmap, virtualization is clearly being extended step by step from the processor to other devices, and the progression from VT-i/VT-x to VT-d reflects this well. For enterprise applications that depend on I/O performance, with both processor and I/O virtualization complete, virtualization of the entire platform is nearing completion. Intel will therefore keep developing VT-d and bring more I/O devices under hardware virtualization, providing a powerful virtualization infrastructure.

 
