Chapter 33. Virtual Machines

Virtual memory provides the illusion of physical memory. The abstraction allows a process to assume that its memory space both is contiguous and begins at location 0. This simplifies the process' view of memory and hides the underlying physical locations of the process' memory. The physical memory corresponding to the virtual memory need not be contiguous. Indeed, some of the locations in virtual memory may have no corresponding physical addresses until the process references them.

Like virtual memory, a virtual machine provides the illusion of a physical machine. The abstraction allows operating systems to assume that they are running directly on the hardware. This allows one to run the operating system, and allows the operating system to run processes, with no changes in either the operating system or the programs. A second, lower “virtual machine monitor” runs directly on the hardware and provides the illusion of hardware to the operating systems run above it. The physical machine may support many virtual machines, each running its own operating system.

This chapter reviews the structure of a virtual machine.

Virtual Machine Structure

A virtual machine runs on a virtual machine monitor. That monitor virtualizes the resources of the underlying system and presents to each virtual machine the illusion that it and it alone is using the hardware.

EXAMPLEIBM's VM/370 and its successors provide each user with the illusion that she has complete access to the resources of a single IBM mainframe system. Many users will use the same physical machine, but each one is isolated from the others. (See Figure 33-1.)

A virtual machine environment, with five virtual machines each running a different operating system. The control program (CP) manages their interactions with the physical resources. The middle virtual machine is running a virtual system within a virtual system. (Adapted from [294], pages 606 and 607.)

Figure 33-1. A virtual machine environment, with five virtual machines each running a different operating system. The control program (CP) manages their interactions with the physical resources. The middle virtual machine is running a virtual system within a virtual system. (Adapted from [294], pages 606 and 607.)

Virtual Machine Monitor

The virtual machine monitor runs at the highest level of privilege. It keeps track of the state of each virtual machine just as an ordinary operating system keeps track of the states of its processes. When a privileged instruction is executed, the hardware causes a trap to the virtual machine monitor. The monitor services the interrupt and restores the state of the caller.

EXAMPLESuppose the virtual machine monitor VMM is running the operating system OS. Process p running under OS makes a system call to read data from a disk. The system call causes a trap. The VMM is invoked and detects that the trap occurred from within OS. It updates the state of OS to make it appear that the hardware on which OS is running (the virtual machine) invoked OS. OS then tries to read from the disk to service the interrupt. This causes another trap, and the VMM is again invoked. It services the trap by carrying out the read and placing the results in the locations that OS indicates. It then returns control to OS, which updates the appropriate parts of process p (such as the return value of the system call). OS then performs a context switch to return control to p. This is a privileged instruction, so VMM is again invoked. It updates the virtual machine on which OS runs to make it appear that OS performed the context switch, and then performs the context switch itself. The process p now resumes execution.

Privilege and Virtual Machines

The Digital Equipment Corporation VAX/VMM project examined the issues of privilege in virtual machines [554]. Consider the requirements for a computer architecture to be virtualizable [810].

  • Definition 33–1. A sensitive instruction is an instruction that discloses or alters the state of privilege of the processor. A sensitive data structure is a data structure that contains information about the state of privilege of the system.

EXAMPLEThe VAX architecture has four levels of privilege: user, supervisor, executive, and kernel. On the VAX architecture, the CHMK instruction is privileged because it changes the privilege level (to kernel mode), and the MOVPSL instruction copies the processor status longword (PSL) to a memory location. The former instruction is a sensitive instruction because it alters the state of privilege (moving it to kernel mode). The latter is also sensitive because it reveals information about the current level of privilege (the level of privilege is encoded in two bits in the PSL).

Page table entries are sensitive data structures because they contain information about the protection state of the processor (notably, they can contain a copy of the PSL for the process).

A computer architecture is virtualizable if it meets the following requirements.

  1. All sensitive instructions cause traps when executed by processes at lower levels of privilege.

  2. All references to sensitive data structures cause traps when executed by processes at lower levels of privilege.

EXAMPLEThe CHMK instruction meets requirement 1, because it causes a trap unless it is executed in kernel mode. The MOVPSL instruction meets neither requirement, because it does not cause a trap regardless of the level of privilege of the process executing it. User level processes can alter page table entries, so references to those data structures also fail to meet the second requirement (but see Exercise 1).

If the hardware supports n levels of privilege, each virtual machine must appear to support n levels of privilege. However, only the virtual machine monitor can run at the highest level of privilege. This makes n – 1 levels of privilege available to each virtual machine. The virtual machine monitor virtualizes the levels of privilege. This technique is called ring compression.

EXAMPLERecall that the VAX system has four levels of privilege: user, supervisor, executive, and kernel. The VMM monitor must emulate all of these levels for each virtual machine that it runs. However, it cannot allow the operating system of any of those virtual machines to enter kernel mode, because then that operating system could access the physical resources directly, bypassing the virtual machine monitor. Yet to run the VAX standard operating system, VAX/VMS, the virtual machine must appear to provide all four levels.

The solution is to virtualize the executive and kernel privilege levels. The executive and kernel levels of the virtual machine (called VM executive and VM kernel levels, respectively) are mapped into the physical executive mode. The architects of VAX/VMM added three extensions to the VAX hardware to support this compression.

First, a virtual machine bit was added to the PSL. If this bit is set, the current process is running on a virtual machine. Second, a special register, the VMPSL register, records the PSL of the running virtual machine. Third, all sensitive instructions that could reveal the level of privilege either obtain their information from the VMPSL or cause a trap to the virtual machine monitor. In the latter case, the virtual machine monitor emulates the instruction.

One interesting approach to privilege is to divide users into different classes and control access to the system by limiting the access of each class.

EXAMPLEThe IBM VM/370 uses this approach to associate various CP commands with users [294]. Each CP command is associated with one or more user privilege classes. For example, class G is the “general user” class. Members of that class can start a virtual machine. Class A is the “primary system operator” class. Members of that class can control system accounting, the availability of virtual machines, and other system resources. Members of class “Any” can gain access to, or surrender access to, a virtual machine.

Physical Resources and Virtual Machines

The virtual machine monitor manages the physical resources by distributing them among the virtual machines as appropriate. Each virtual machine therefore appears to have a reduced amount of resources. For example, if the control program is to allocate space on a single disk for ten virtual machines, it will divide the disk into ten minidisks. Each virtual machine will have access to a different portion of the physical disk.The size of each minidisk is less than the size of the actual disk (although the sizes of the ten minidisks may differ). The virtual machine monitor handles the mapping from the minidisk address (presented to it by the virtual machine) and the physical disk.

EXAMPLEWhen a virtual machine's operating system tries to write to a disk, the I/O instruction is privileged and causes a trap to the virtual machine monitor. The virtual machine monitor translates the addresses to be accessed (read from or written to), verifies that the I/O references disk space allocated to that virtual machine, and services the request. It returns control to the virtual machine when the request is satisfied (completed for synchronous I/O, begun for asynchronous I/O).

Paging and Virtual Machines

On an ordinary machine, paging occurs at the highest level of privilege. When a virtual machine attempts to page, it does so from the virtual machine's level of privilege. The attempt to read from, or write to, the disk causes a trap to the virtual machine monitor. At that point, the request is handled as any other request for I/O. However, two problems unique to virtual machines arise.

First, because of the way some operating systems are designed, some pages may be accessible only to processes running at the highest level of privilege, but the virtual machine operating systems run at a lower level of privilege. The virtual machine must change the protection level of these pages to the appropriate level of privilege.

EXAMPLEOn the VAX/VMS system, only kernel level processes can read some pages. Hence, the virtual machine monitor on the VAX/VMM system must ensure that executive level processes on a virtual machine cannot read the pages for kernel level processes on that virtual machine. This is necessary because the kernel level processes on the virtual machine are actually running at the VM kernel level, which is in the physical executive level of privilege.

In theory, reducing the level of protection for these pages poses a security risk (because processes at the VM executive level could then access the pages). In practice, the VMS system allows processes in executive mode to change to kernel mode freely. Hence, there is no loss of security. But if the process running at the VM executive level should attempt to access one of these pages, the access would be allowed. Were the VAX/VMS system running directly on the hardware and not under a virtual machine, the access would be denied. Hence, there is a loss of reliability.

The second problem is performance. The virtual machine monitor paging its own data or instructions is transparent to the virtual machines. If the virtual machines attempt to page, the virtual machine monitor must handle the request as described above. If the virtual machine operating system pages heavily, this indirection may cause significant delays.

EXAMPLEIBM's VM/370 provides support for several different operating systems. OS/MFT and OS/MVT are designed to access storage on disk. If the jobs being run under those systems depend on timings, the delays caused by the virtual machine may affect the success of the jobs. With a system that supports virtual storage, such as MVS, either MVS or CP (the virtual machine monitor) may cause paging. Again, if timings are important, the delays could cause failure of a process that would not fail were there no intermediate CP.

Exercises

1:

The second example in Section 33.2.1 states that “user level processes can alter page table entries, so references to those data structures also fail to meet the second requirement.” How can an operating system prevent a user level process from altering its page table entries?

2:

Suppose a virtual machine monitor (call it VMM-1) is running another virtual machine monitor (VMM-2), which in turn is running a version of the Linux operating system. The user running the Linux system is editing a file. The user requests that the editor write the file to disk.

  1. Is the instruction RFT (Return From Trap) sensitive? Why or why not?

  2. Trace the flow of control among VMM-1, VMM-2, Linux, and the editor.

  3. How many RFT instructions will be executed? Justify your answer.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.145.103.154