Virtualization Technology For AMD Architecture
Steve McDowell, Division Marketing Manager, Computation Products Group, AMD, steven.mcdowell @ amd.com
Geoffrey Strongin, Platform Security Architect, Computation Products Group, AMD, geoffrey.strongin @ amd.com

Session Outline
- Driving Towards Virtualization
  - Solving the IT Department’s Utilization Dilemma
  - Virtual Machine Approaches
  - System Architecture Matters
  - x86 Needs Help
- “Pacifica” Architecture
  - Core Architecture
  - Access Control
  - Interrupts
  - Secure System Management Mode
  - Device Protection

Session Goals
Attendees should leave this session with the following:
- A better understanding of virtualization use cases
- Understanding of hardware assist for virtualization and AMD’s virtualization technology, codenamed “Pacifica”
- Knowledge of where to find resources for learning more about AMD and virtualization

Virtualization
Virtualization is the pooling and abstraction of resources in a way that masks the physical nature and boundaries of those resources from the resource users.

Problems With “Physical Boundaries”
- Today, IT Departments often have lots of pools of excess capacity and no way to share them
- Most applications are small
  - 93% of x86 servers are 1 or 2-way
  - Small applications don’t consume servers
- Applications typically have dynamic workloads
  - Currently, x86 servers run at 10-20% utilization
  - Mainframes typically run at 75-85% utilization
- The costs add up for running lots of under-utilized servers

Virtualization In Servers
Benefits over non-virtualized environments:
- Reduced Hardware Cost
  - Higher physical resource utilization
  - Smaller footprint (power, space, cooling, etc.)
- Improved flexibility and responsiveness
  - Resources can be adjusted dynamically
  - Enables On-Demand and Adaptive Enterprise operating environments

Virtualization In Clients
- Used for legacy support for enterprises who need to support applications on older Operating Systems (OS) side-by-side with new technology
- Test and Development
  - Isolate development environments from production work
- Emerging use cases for management partitions, which may reduce IT support costs
- Heart of next generation security – allow trusted and untrusted partitions to co-exist
  - Have partitions with different levels of security; the environment is designed to allow security policies to be reinforced
Virtual Machine Approaches
- Hosted Virtualization
  - Virtualization software manages resources between Host and Guest Operating Systems
  - Application can suffer decreased performance due to added overhead
- Hypervisor-based Virtualization
  - Virtualization Software (Hypervisor) is the host environment
  - Designed to enable better software performance by eliminating some of the associated overhead
  - If hardware is available, the Hypervisor can be designed to take advantage of it
[Diagram: “Carve a Server into Many Virtual Machines”. Hosted Virtualization: Guest OS + App stacks on Virtualization Software, over a Host Operating System, over x86 Hardware. Hypervisor-based Virtualization: a Mgmt Partition and Guest OS + App stacks on a Hypervisor, over AMD64 w/“Pacifica”.]

System Architecture Makes A Difference
- Legacy Architectures based around front-side bus aren’t scalable for today’s virtualization needs
- AMD’s Direct Connect Architecture reduces the bottlenecks, enabling efficient partitioning
[Diagram: Examples: Today’s Server Architectures]

Efficiencies Needed On x86 For Virtualization
- Virtualization on the existing x86 architecture requires “unnatural acts” to achieve objectives
  - This level of emulation and code rewriting is not required on other architectures
- Existing approaches add performance overhead and undue complexity, and leave security holes at the most physical levels
- AMD’s Pacifica technology is designed to take the complexity out of the hypervisor, putting it into the CPU for higher performance, higher security, and lower complexity (compared to traditional software-based approaches)
- Pacifica brings the x86 into the 21st century
On to the Pacifica architecture…

Core “Pacifica” Architecture
Core “Pacifica” Architecture: Virtual Machine Run (VMRUN) instruction
- Virtualization based on VMRUN instruction
  - VMRUN executed by host causes the guest to run
  - Guest runs until it exits back to the host
  - World-switch: host → guest → host
  - Host resumes at the instruction following VMRUN
[Diagram: the host instruction stream executes VMRUN [rAX], with rAX pointing at the VMCB data structure; control passes to the guest instruction stream and returns to the host on exit]

Core “Pacifica” Architecture: Intercepts
- Guest runs until
  - It performs an action that causes an exit to the host
  - It explicitly executes the VMMCALL instruction
- The VMCB for a guest has settings that determine what actions cause the guest to exit to host
  - These intercepts can vary from guest to guest
- Two kinds of intercepts
  - Exception and Interrupt Intercepts
  - Instruction Intercepts
- Rich set of intercepts allow the host to customize each guest’s privileges
- Information about the intercepted event is put into the VMCB on exit

Core “Pacifica” Architecture: Virtual Machine Control Block
- All CPU state for a guest is located in the Virtual Machine Control Block (VMCB) data structure
- VMRUN: Entry
  - Host state is saved to memory
  - Guest state loaded from VMCB
  - Guest runs
- VMRUN: Exit
  - Guest state is saved back to VMCB
  - Host state loaded from memory
- Host state saved using Model Specific Register (MSR): vm_hsave_pa
Core “Pacifica” Architecture: Address translation: Page Tables
[Diagram: an input Linear/Virtual Address (LA, VA) is walked through Page Tables or Directories starting at CR3 (Physical Address); each entry gives the Guest or Host Physical Address of the next table, ending in the final Host or Guest Physical Address. If this is a “Guest Physical” it must be translated to “Host Physical” via the host page tables when nested paging is enabled.]

Core “Pacifica” Architecture: Address translation: Modes with virtualization
[Diagram only]

Core “Pacifica” Architecture: Shadow Page Tables
- Memory Protection – Central Processing Unit (CPU) accesses
  - Shadow Page Tables (SPT)
  - Nested Page Tables
- SPT constraints on host design
  - Host intercepts guest CR3 reads/writes
  - Host monitors guest edits to guest page tables
    - Guest page tables are marked “read only”
  - Host constructs and manages SPT in software
    - Software strategies for this are mature
  - Guest never sees the “real” page tables or the real content of Control Register 3 (CR3)
- Address Space IDs (ASID) implemented to improve Translation Look-aside Buffer (TLB) performance
  - VMRUN sets guest ASID
Core “Pacifica” Architecture: CPU Access protection
- SPT sets guest access rights to physical address space
  - No guest access is possible unless a mapping is present in the SPT
  - Covers DRAM and Memory Mapped Input/Output (MMIO)
  - Minimum granularity 4k-bytes
- VMCB contains a pointer to an IO Permission Map (IOPM) that controls guest access rights to IO Ports
  - Granularity is to 1-byte port
- VMCB contains a pointer to a Model Specific Register (MSR) permission map that controls guest access to MSRs

Core “Pacifica” Architecture: Interrupts
- Processor response to hardware interrupts is set up in the VMCB
- Two options
  - Hardware interrupts while guest is running are intercepted, causing exit to host
    - Host manages physical APIC
    - Host determines interrupt routing and distribution
    - Host injects virtual interrupts into guests as needed
    - Hardware support for virtual interrupts: v_irq, v_vector, v_prio, v_tpr, PHYS_IF
  - Interrupts serviced directly in the guest
    - Guest manages physical APIC
    - Host can still inject virtual interrupts
- Global Interrupt Flag (GIF)
  - Protects host code critical-regions

Core “Pacifica” Architecture: System Management mode
- “Pacifica” implements a flexible architecture for System Management Interrupt (SMI)/SMM
- Full legacy support for SMI from within host or guest
- SMI Intercepts
  - Allow host to scrub state if needed, followed by native SMI from host
- Support for “containerized” SMM
  - SMM mode control via SMM_CTL_MSR
  - Allow host to scrub state and dispatch the SMM handler from a VMCB
Core “Pacifica” Architecture: Containerized SMM flow
[Diagram: Host loop: Top: … VMRUN [rAX] … (Examine Exit Code) … If external SMM: (Setup SMM save state), VMRUN [rAX] … Loop Top. Guest stream: Inst 1, Inst 2, SMI → SMI Intercept (exit to host). SMM container: SMM Entry Point, SMM Code, SMM Save State, RSM → RSM Intercept (exit to host).]

Core “Pacifica” Architecture: Paged Real mode (New)
- SMM code is designed to start in real mode
- Memory protections rely on paging, so guests must run with paging enabled
- Pacifica solution: Paged Real Mode
  - Only available for guests
  - cr0.pg=1, cr0.pe=0
  - Host must intercept page faults
  - Real-mode address translation (segment+offset) = Linear address → translation via SPT → physical address
  - Correct composition of SPTs is host responsibility
    - Guest is assuming linear, 0-based mapping
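The nested (two-dimensional) walk, the host-composed SPT and the Paged Real Mode translation from the Shadow Page Tables and Paged Real mode slides above, modelled in C as an added example (not AMD's or the deck's code); the single-level 4 KiB toy page tables, the page numbers and the two constructed scenarios are assumptions:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of three guest-address paths: the nested walk, the host-built
 * Shadow Page Table (SPT), and Paged Real Mode on top of the SPT. Added
 * example, not AMD's code; single-level tables and sizes are assumptions. */

#define PAGE_SHIFT   12
#define PAGE_SIZE    (1u << PAGE_SHIFT)
#define LINEAR_PAGES 0x110u   /* enough for real mode's 0x00000..0x10FFEF */
#define GUEST_PAGES  0x110u   /* guest-physical pages */
#define HOST_PAGES   0x220u   /* host-physical pages */
#define NOT_PRESENT  UINT32_MAX

static uint32_t host_pt[GUEST_PAGES];   /* guest-physical page -> host page */
static uint32_t host_mem[HOST_PAGES][PAGE_SIZE / sizeof(uint32_t)];
static uint32_t guest_cr3;              /* guest-physical address of guest PT */
static uint32_t spt[LINEAR_PAGES];      /* linear page -> host page, host-built */

/* Guest PT entry i = guest-physical page backing linear page i. Even reading
 * it needs the host table, since CR3 is itself a guest-physical address. */
static uint32_t read_guest_pte(uint32_t linear_page)
{
    uint32_t cr3_page = guest_cr3 >> PAGE_SHIFT;
    if (linear_page >= LINEAR_PAGES || cr3_page >= GUEST_PAGES) return NOT_PRESENT;
    uint32_t pt_hpage = host_pt[cr3_page];
    if (pt_hpage == NOT_PRESENT) return NOT_PRESENT;
    return host_mem[pt_hpage][linear_page];
}

/* Nested paging: linear -> guest-physical (guest PT) -> host-physical (host PT). */
uint32_t nested_translate(uint32_t linear)
{
    uint32_t gpage = read_guest_pte(linear >> PAGE_SHIFT);
    if (gpage == NOT_PRESENT || gpage >= GUEST_PAGES) return NOT_PRESENT;
    uint32_t hpage = host_pt[gpage];
    if (hpage == NOT_PRESENT) return NOT_PRESENT;
    return (hpage << PAGE_SHIFT) | (linear & (PAGE_SIZE - 1));
}

/* Shadow paging: the host composes guest PT o host PT once, so the CPU does a
 * single-level lookup. A linear page is present only if the guest mapped it
 * AND the host backs that guest page: the SPT is the guest's access map. */
void host_build_spt(void)
{
    for (uint32_t i = 0; i < LINEAR_PAGES; i++) {
        uint32_t gpage = read_guest_pte(i);
        spt[i] = (gpage == NOT_PRESENT || gpage >= GUEST_PAGES) ? NOT_PRESENT
                                                                 : host_pt[gpage];
    }
}

/* NOT_PRESENT here is the page fault the host must intercept. */
uint32_t spt_translate(uint32_t linear)
{
    uint32_t page = linear >> PAGE_SHIFT;
    if (page >= LINEAR_PAGES || spt[page] == NOT_PRESENT) return NOT_PRESENT;
    return (spt[page] << PAGE_SHIFT) | (linear & (PAGE_SIZE - 1));
}

/* Paged Real Mode: the guest forms segment:offset -> linear as real mode does
 * and assumes a 0-based identity mapping, so the host composes an SPT in
 * which linear page i is backed by guest-physical page i. */
void host_build_real_mode_spt(void)
{
    for (uint32_t i = 0; i < LINEAR_PAGES; i++) spt[i] = host_pt[i];
}

uint32_t real_mode_translate(uint16_t seg, uint16_t off)
{
    return spt_translate(((uint32_t)seg << 4) + off);   /* at most 0x10FFEF */
}

/* Constructed scenario 1: guest PT at guest page 2; linear page 5 -> guest
 * page 7, linear page 6 -> guest page 9. Host backs guest pages 2 and 7 with
 * host pages 40 and 41 and leaves guest page 9 unbacked. */
int setup_paged_guest(void)
{
    memset(host_mem, 0, sizeof host_mem);
    for (uint32_t i = 0; i < GUEST_PAGES; i++) host_pt[i] = NOT_PRESENT;
    host_pt[2] = 40;
    host_pt[7] = 41;
    guest_cr3 = 2u << PAGE_SHIFT;
    for (uint32_t i = 0; i < LINEAR_PAGES; i++) host_mem[40][i] = NOT_PRESENT;
    host_mem[40][5] = 7;
    host_mem[40][6] = 9;
    host_build_spt();
    return 0;
}

/* Constructed scenario 2: host backs guest-physical page i with host page
 * 0x100 + i across the whole real-mode range. */
int setup_real_mode_guest(void)
{
    for (uint32_t i = 0; i < GUEST_PAGES; i++) host_pt[i] = 0x100u + i;
    host_build_real_mode_spt();
    return 0;
}

int main(void)
{
    setup_paged_guest();
    printf("nested 0x5ABC -> 0x%X, shadow -> 0x%X\n",
           nested_translate(0x5ABC), spt_translate(0x5ABC));
    printf("shadow 0x6000 -> 0x%X (#PF, host intercepts)\n", spt_translate(0x6000));
    setup_real_mode_guest();
    printf("real mode F000:FFF0 -> 0x%X\n", real_mode_translate(0xF000, 0xFFF0));
    return 0;
}
```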
Core “Pacifica” Architecture: DMA protection
- Protection Domains
  - Mapping from bus/device ID to protection domain
- Device Exclusion Vector (DEV)
  - One DEV per protection domain
  - Permission-checks all upstream accesses
  - 1 bit per physical 4K page (0.003% tax; 128K/4G) of the system address space
  - Protection for both DRAM and Memory Mapped IO space
  - Contiguous table in physical memory
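The byte-granular IOPM port check from the CPU Access protection slide and the page-granular DEV check from the DMA protection slide, as an added example in C (not AMD's code); the bit polarity (1 = intercepted/blocked), the treatment of accesses that run off the end of the map, and the sample policy are assumptions:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of two bitmap permission maps: the IO Permission Map (IOPM, one
 * bit per byte-wide port) and the Device Exclusion Vector (DEV, one bit per
 * 4 KiB page). Added example, not AMD's code; polarity and policy are assumed. */

#define PORT_COUNT   65536u
#define PAGE_SHIFT   12
#define SYSTEM_PAGES (1u << (32 - PAGE_SHIFT))  /* 4 GiB / 4 KiB = 1 Mi pages */

static uint8_t iopm[PORT_COUNT / 8];    /* 8 KiB */
static uint8_t dev[SYSTEM_PAGES / 8];   /* 128 KiB: the "128K/4G" on the slide */

static void bit_set(uint8_t *map, uint32_t i) { map[i >> 3] |= (uint8_t)(1u << (i & 7)); }
static bool bit_get(const uint8_t *map, uint32_t i) { return (map[i >> 3] >> (i & 7)) & 1u; }

/* Size of one DEV covering a 4 GiB system address space. */
uint32_t dev_bytes(void) { return (uint32_t)sizeof dev; }

/* Host policy: mark a port range as intercepted for this guest. */
void iopm_block_ports(uint16_t first, uint16_t last)
{
    for (uint32_t p = first; p <= last; p++) bit_set(iopm, p);
}

/* Host policy: mark a page range as off limits to devices in this domain. */
void dev_block_pages(uint32_t first, uint32_t last)
{
    for (uint32_t pg = first; pg <= last && pg < SYSTEM_PAGES; pg++) bit_set(dev, pg);
}

/* Port granularity is one byte, so a 2- or 4-byte IN/OUT touches several
 * consecutive ports and is intercepted if ANY of them is marked. An access
 * running past port 0xFFFF is treated as intercepted (assumption). */
bool iopm_intercepts(uint16_t port, unsigned width)
{
    for (unsigned i = 0; i < width; i++) {
        uint32_t p = (uint32_t)port + i;
        if (p >= PORT_COUNT || bit_get(iopm, p)) return true;
    }
    return false;
}

/* DEV check for an upstream (device-initiated) transfer of len bytes at
 * physical address addr: every 4 KiB page it touches must be permitted.
 * DRAM and MMIO share the same address space, so one check covers both. */
bool dev_blocks(uint64_t addr, uint64_t len)
{
    if (len == 0) return false;
    uint64_t first = addr >> PAGE_SHIFT, last = (addr + len - 1) >> PAGE_SHIFT;
    for (uint64_t pg = first; pg <= last; pg++)
        if (pg >= SYSTEM_PAGES || bit_get(dev, (uint32_t)pg)) return true;
    return false;
}

/* Constructed policy: intercept the guest's accesses to the COM1 port range
 * 0x3F8-0x3FF and keep devices out of the 64 KiB the host reserves at
 * physical 0x01000000 (pages 0x1000-0x100F). */
int setup_policy(void)
{
    memset(iopm, 0, sizeof iopm);
    memset(dev, 0, sizeof dev);
    iopm_block_ports(0x3F8, 0x3FF);
    dev_block_pages(0x1000, 0x100F);
    return 0;
}

int main(void)
{
    setup_policy();
    printf("DEV size for 4 GiB: %u bytes\n", dev_bytes());
    printf("IN dword at 0x3F6 intercepted: %d\n", iopm_intercepts(0x3F6, 4));
    printf("IN dword at 0x3F4 intercepted: %d\n", iopm_intercepts(0x3F4, 4));
    printf("DMA 8 KiB at 0x00FFF000 blocked: %d\n", dev_blocks(0x00FFF000, 0x2000));
    return 0;
}
```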
Summary
- Virtualization is being used in several server scenarios today
- AMD expects that virtualization will prove valuable for PC clients too
- There are ways to modify the x86 architecture so that virtualization is easier to accomplish, performs better, and provides more security
- AMD’s “Pacifica” technology is being developed for future AMD64 CPUs for servers and clients
- Key technologies include adding new instructions, supporting different methods of handling page tables, handling host and guest interrupts (including SMI/SMM), and providing DMA protection

Call To Action
- Read the “Pacifica” specification to understand hardware assisted virtualization, available at www.amd.com
- Continue to ensure that your device and driver works with AMD64 on ALL 64-bit enabled Windows Operating Systems
  - Pacifica Technology is for AMD64 CPUs
- Sign up for AMD’s development center at http://devcenter.amd.com

Additional Resources
- Web Resources
  - Main Page: http://www.amd.com
  - Developer Center: http://devcenter.amd.com
- Related Sessions
  - TWSE05008 Microsoft Virtual Server-Overview and Roadmap
  - TWAR05013 Windows Virtualization Architecture

Community Resources
- Windows Hardware and Driver Central (WHDC): www.microsoft.com/whdc/default.mspx
- Technical Communities: www.microsoft.com/communities/products/default.mspx
- Non-Microsoft Community Sites: www.microsoft.com/communities/related/default.mspx
- Microsoft Public Newsgroups: www.microsoft.com/communities/newsgroups
- Technical Chats and Webcasts: www.microsoft.com/communities/chats/default.mspx, www.microsoft.com/webcasts
- Microsoft Blogs: www.microsoft.com/communities/blogs
 

More Related Content

What's hot

Efficient Data Protection – Backup in VMware environments
Efficient Data Protection – Backup in VMware environmentsEfficient Data Protection – Backup in VMware environments
Efficient Data Protection – Backup in VMware environments
Kingfin Enterprises Limited
 
Hardware VDI vs. Software VDI
Hardware VDI vs. Software VDIHardware VDI vs. Software VDI
Hardware VDI vs. Software VDI
citrixgurl
 
Virtualization securityv2
Virtualization securityv2Virtualization securityv2
Virtualization securityv2
vivekbhat
 
Virtualization
VirtualizationVirtualization
Virtualization
satchipatra
 
Security in a Virtualised Environment
Security in a Virtualised EnvironmentSecurity in a Virtualised Environment
Security in a Virtualised Environment
Peter Wood
 
System Center Virtual Machine Manager 2012 - Whats New
System Center  Virtual Machine Manager 2012 - Whats NewSystem Center  Virtual Machine Manager 2012 - Whats New
System Center Virtual Machine Manager 2012 - Whats New
Amit Gatenyo
 
PHDVirtual Backups for VMware
PHDVirtual Backups for VMwarePHDVirtual Backups for VMware
PHDVirtual Backups for VMware
Devansh Chowdhary
 
Vmware Certified Professional 6 2V0-621 Dumps
Vmware Certified Professional 6 2V0-621 DumpsVmware Certified Professional 6 2V0-621 Dumps
Vmware Certified Professional 6 2V0-621 Dumps
Shamar41
 
XS Boston 2008 OVF
XS Boston 2008 OVFXS Boston 2008 OVF
XS Boston 2008 OVF
The Linux Foundation
 
XS Boston 2008 Malware & Training
XS Boston 2008 Malware & TrainingXS Boston 2008 Malware & Training
XS Boston 2008 Malware & Training
The Linux Foundation
 
Vsicm51 m01 course_intro_
Vsicm51 m01 course_intro_Vsicm51 m01 course_intro_
Vsicm51 m01 course_intro_
Luan Truong Duc
 
VMware Tutorial For Beginners | VMware Workstation | VMware Virtualization | ...
VMware Tutorial For Beginners | VMware Workstation | VMware Virtualization | ...VMware Tutorial For Beginners | VMware Workstation | VMware Virtualization | ...
VMware Tutorial For Beginners | VMware Workstation | VMware Virtualization | ...
Edureka!
 
XS Japan 2008 Project Status English
XS Japan 2008 Project Status EnglishXS Japan 2008 Project Status English
XS Japan 2008 Project Status English
The Linux Foundation
 
VMworld 2013: Virtualization 101
VMworld 2013: Virtualization 101 VMworld 2013: Virtualization 101
VMworld 2013: Virtualization 101
VMworld
 
vCenter Operations 5: Level 300 training
vCenter Operations 5: Level 300 trainingvCenter Operations 5: Level 300 training
vCenter Operations 5: Level 300 training
Eric Sloof
 
Availability Considerations for SQL Server
Availability Considerations for SQL ServerAvailability Considerations for SQL Server
Availability Considerations for SQL Server
Bob Roudebush
 
White Paper: Understanding EMC Avamar with EMC Data Protection Advisor — Appl...
White Paper: Understanding EMC Avamar with EMC Data Protection Advisor — Appl...White Paper: Understanding EMC Avamar with EMC Data Protection Advisor — Appl...
White Paper: Understanding EMC Avamar with EMC Data Protection Advisor — Appl...
EMC
 
Improving Application Availability on Virtual Machines
Improving Application Availability on Virtual MachinesImproving Application Availability on Virtual Machines
Improving Application Availability on Virtual Machines
Neverfail Group
 
Sna lab prj (1)
Sna lab prj (1)Sna lab prj (1)
Sna lab prj (1)
alihaider922341
 
VMware Presentation
VMware PresentationVMware Presentation
VMware Presentation
Emirates Computers
 

What's hot (20)

Efficient Data Protection – Backup in VMware environments
Efficient Data Protection – Backup in VMware environmentsEfficient Data Protection – Backup in VMware environments
Efficient Data Protection – Backup in VMware environments
 
Hardware VDI vs. Software VDI
Hardware VDI vs. Software VDIHardware VDI vs. Software VDI
Hardware VDI vs. Software VDI
 
Virtualization securityv2
Virtualization securityv2Virtualization securityv2
Virtualization securityv2
 
Virtualization
VirtualizationVirtualization
Virtualization
 
Security in a Virtualised Environment
Security in a Virtualised EnvironmentSecurity in a Virtualised Environment
Security in a Virtualised Environment
 
System Center Virtual Machine Manager 2012 - Whats New
System Center  Virtual Machine Manager 2012 - Whats NewSystem Center  Virtual Machine Manager 2012 - Whats New
System Center Virtual Machine Manager 2012 - Whats New
 
PHDVirtual Backups for VMware
PHDVirtual Backups for VMwarePHDVirtual Backups for VMware
PHDVirtual Backups for VMware
 
Vmware Certified Professional 6 2V0-621 Dumps
Vmware Certified Professional 6 2V0-621 DumpsVmware Certified Professional 6 2V0-621 Dumps
Vmware Certified Professional 6 2V0-621 Dumps
 
XS Boston 2008 OVF
XS Boston 2008 OVFXS Boston 2008 OVF
XS Boston 2008 OVF
 
XS Boston 2008 Malware & Training
XS Boston 2008 Malware & TrainingXS Boston 2008 Malware & Training
XS Boston 2008 Malware & Training
 
Vsicm51 m01 course_intro_
Vsicm51 m01 course_intro_Vsicm51 m01 course_intro_
Vsicm51 m01 course_intro_
 
VMware Tutorial For Beginners | VMware Workstation | VMware Virtualization | ...
VMware Tutorial For Beginners | VMware Workstation | VMware Virtualization | ...VMware Tutorial For Beginners | VMware Workstation | VMware Virtualization | ...
VMware Tutorial For Beginners | VMware Workstation | VMware Virtualization | ...
 
XS Japan 2008 Project Status English
XS Japan 2008 Project Status EnglishXS Japan 2008 Project Status English
XS Japan 2008 Project Status English
 
VMworld 2013: Virtualization 101
VMworld 2013: Virtualization 101 VMworld 2013: Virtualization 101
VMworld 2013: Virtualization 101
 
vCenter Operations 5: Level 300 training
vCenter Operations 5: Level 300 trainingvCenter Operations 5: Level 300 training
vCenter Operations 5: Level 300 training
 
Availability Considerations for SQL Server
Availability Considerations for SQL ServerAvailability Considerations for SQL Server
Availability Considerations for SQL Server
 
White Paper: Understanding EMC Avamar with EMC Data Protection Advisor — Appl...
White Paper: Understanding EMC Avamar with EMC Data Protection Advisor — Appl...White Paper: Understanding EMC Avamar with EMC Data Protection Advisor — Appl...
White Paper: Understanding EMC Avamar with EMC Data Protection Advisor — Appl...
 
Improving Application Availability on Virtual Machines
Improving Application Availability on Virtual MachinesImproving Application Availability on Virtual Machines
Improving Application Availability on Virtual Machines
 
Sna lab prj (1)
Sna lab prj (1)Sna lab prj (1)
Sna lab prj (1)
 
VMware Presentation
VMware PresentationVMware Presentation
VMware Presentation
 

Viewers also liked

Esposa 2.0
Esposa 2.0Esposa 2.0
Esposa 2.0
guest19f720
 
Cellular Trust
Cellular TrustCellular Trust
Cellular Trust
lilalia
 
Stress
StressStress
Stress
jthornbury
 
LA 4.5 Lillo
LA 4.5 LilloLA 4.5 Lillo
LA 4.5 Lillo
guestbda83
 
NuevoPeriodismo'08: cómo prosperar en la sociedad de la conversación
NuevoPeriodismo'08: cómo prosperar en la sociedad de la conversaciónNuevoPeriodismo'08: cómo prosperar en la sociedad de la conversación
NuevoPeriodismo'08: cómo prosperar en la sociedad de la conversación
Alberto Ortiz de Zarate
 
Why E-mail marketing
Why E-mail marketingWhy E-mail marketing
Why E-mail marketing
guest4d2f35
 
Chaouen
ChaouenChaouen
Chaouen
adilia
 
Ka Gallery 2 009
Ka Gallery 2 009Ka Gallery 2 009
Ka Gallery 2 009
shellkidzart
 
El ciego
El ciegoEl ciego
El ciego
aleegb
 
Miss E Mister
Miss E MisterMiss E Mister
Miss E Mister
guest160d3c
 
Frightful Deeds and Scary Reads
Frightful Deeds and Scary ReadsFrightful Deeds and Scary Reads
Frightful Deeds and Scary Reads
teresakatsulos
 
Respeto Yésica_H
Respeto Yésica_HRespeto Yésica_H
Respeto Yésica_H
crisbarreiro
 
¿Están las tecnologías de la información cambiando nuestras escuelas (I Parte)?
¿Están las tecnologías de la información cambiando nuestras escuelas (I Parte)?¿Están las tecnologías de la información cambiando nuestras escuelas (I Parte)?
¿Están las tecnologías de la información cambiando nuestras escuelas (I Parte)?
Hugo Martínez Alvarado
 
Addventure Investorday
Addventure InvestordayAddventure Investorday
Addventure Investorday
heckfly
 
Arte na Cozinha!
Arte na Cozinha!Arte na Cozinha!
Arte na Cozinha!
Andre de Castro Zorzo
 
Company Profile
Company ProfileCompany Profile
Company Profile
guestf198cd
 
Inseguridad En La Ciudad
Inseguridad En La CiudadInseguridad En La Ciudad
Inseguridad En La Ciudad
danielguz25
 
Miedo a la puerta
Miedo a la puertaMiedo a la puerta
Miedo a la puerta
aleegb
 

Viewers also liked (20)

Esposa 2.0
Esposa 2.0Esposa 2.0
Esposa 2.0
 
Cellular Trust
Cellular TrustCellular Trust
Cellular Trust
 
Power Point Porti
Power Point PortiPower Point Porti
Power Point Porti
 
Stress
StressStress
Stress
 
LA 4.5 Lillo
LA 4.5 LilloLA 4.5 Lillo
LA 4.5 Lillo
 
NuevoPeriodismo'08: cómo prosperar en la sociedad de la conversación
NuevoPeriodismo'08: cómo prosperar en la sociedad de la conversaciónNuevoPeriodismo'08: cómo prosperar en la sociedad de la conversación
NuevoPeriodismo'08: cómo prosperar en la sociedad de la conversación
 
Why E-mail marketing
Why E-mail marketingWhy E-mail marketing
Why E-mail marketing
 
Chaouen
ChaouenChaouen
Chaouen
 
Avgust
AvgustAvgust
Avgust
 
Ka Gallery 2 009
Ka Gallery 2 009Ka Gallery 2 009
Ka Gallery 2 009
 
El ciego
El ciegoEl ciego
El ciego
 
Miss E Mister
Miss E MisterMiss E Mister
Miss E Mister
 
Frightful Deeds and Scary Reads
Frightful Deeds and Scary ReadsFrightful Deeds and Scary Reads
Frightful Deeds and Scary Reads
 
Respeto Yésica_H
Respeto Yésica_HRespeto Yésica_H
Respeto Yésica_H
 
¿Están las tecnologías de la información cambiando nuestras escuelas (I Parte)?
¿Están las tecnologías de la información cambiando nuestras escuelas (I Parte)?¿Están las tecnologías de la información cambiando nuestras escuelas (I Parte)?
¿Están las tecnologías de la información cambiando nuestras escuelas (I Parte)?
 
Addventure Investorday
Addventure InvestordayAddventure Investorday
Addventure Investorday
 
Arte na Cozinha!
Arte na Cozinha!Arte na Cozinha!
Arte na Cozinha!
 
Company Profile
Company ProfileCompany Profile
Company Profile
 
Inseguridad En La Ciudad
Inseguridad En La CiudadInseguridad En La Ciudad
Inseguridad En La Ciudad
 
Miedo a la puerta
Miedo a la puertaMiedo a la puerta
Miedo a la puerta
 

Similar to Virtualization

An Introduction To Server Virtualisation
An Introduction To Server VirtualisationAn Introduction To Server Virtualisation
An Introduction To Server Virtualisation
Alan McSweeney
 
Virtualization
VirtualizationVirtualization
Virtualization
karimalinani
 
Server Virtualization Seminar Presentation
Server Virtualization Seminar PresentationServer Virtualization Seminar Presentation
Server Virtualization Seminar Presentation
shabi_hassan
 
Security best practices for hyper v and server virtualisation [svr307]
Security best practices for hyper v and server virtualisation [svr307]Security best practices for hyper v and server virtualisation [svr307]
Security best practices for hyper v and server virtualisation [svr307]
Louis Göhl
 
Cs seminar 20061207
Cs seminar 20061207Cs seminar 20061207
Cs seminar 20061207
Todd Deshane
 
Capito Ardoe House VMWare Presentation
Capito Ardoe House VMWare PresentationCapito Ardoe House VMWare Presentation
Capito Ardoe House VMWare Presentation
Capito Livingstone
 
Virtual Pc Seminar
Virtual Pc SeminarVirtual Pc Seminar
Virtual Pc Seminar
guest5b5549
 
Server Virtualization
Server VirtualizationServer Virtualization
Server Virtualization
Sanjiv Pradhan
 
Virtualization presentation
Virtualization presentationVirtualization presentation
Virtualization presentation
Mangesh Gunjal
 
VMware 2009
VMware 2009VMware 2009
VMware 2009
hyldgaard
 
cloud basics.
cloud basics.cloud basics.
cloud basics.
Mercy joy
 
10 zig combined presentation deck v3
10 zig combined presentation deck v310 zig combined presentation deck v3
10 zig combined presentation deck v3
Jennifer Phillips
 
Cio Breakfast Roundtable 05142009 Final Virtualization
Cio Breakfast Roundtable 05142009 Final VirtualizationCio Breakfast Roundtable 05142009 Final Virtualization
Cio Breakfast Roundtable 05142009 Final Virtualization
guestc900809
 
Virtualization meisen 042811
Virtualization meisen 042811Virtualization meisen 042811
Virtualization meisen 042811
Morty Eisen
 
Why Security Teams should care about VMware
Why Security Teams should care about VMwareWhy Security Teams should care about VMware
Why Security Teams should care about VMware
JJDiGeronimo
 
040711 webcast securing vmachine
040711 webcast securing vmachine 040711 webcast securing vmachine
040711 webcast securing vmachine
Erin Banks
 
Usenix Invited Talk
Usenix Invited TalkUsenix Invited Talk
Usenix Invited Talk
webhostingguy
 
APznzaamT18LaGRvfDd3vc6XGHHoq2hlFqHYsO9vYeEQXTa-sAm9oMvLFaeBQkqdEEa1z4UJVAboW...
APznzaamT18LaGRvfDd3vc6XGHHoq2hlFqHYsO9vYeEQXTa-sAm9oMvLFaeBQkqdEEa1z4UJVAboW...APznzaamT18LaGRvfDd3vc6XGHHoq2hlFqHYsO9vYeEQXTa-sAm9oMvLFaeBQkqdEEa1z4UJVAboW...
APznzaamT18LaGRvfDd3vc6XGHHoq2hlFqHYsO9vYeEQXTa-sAm9oMvLFaeBQkqdEEa1z4UJVAboW...
Neha417639
 
virtualization.pptx
virtualization.pptxvirtualization.pptx
virtualization.pptx
ssuser6e6eec
 
www.doubletake.com Data Protection Strategies for Virtualization
www.doubletake.com Data Protection Strategies for Virtualizationwww.doubletake.com Data Protection Strategies for Virtualization
www.doubletake.com Data Protection Strategies for Virtualization
webhostingguy
 

Similar to Virtualization (20)

An Introduction To Server Virtualisation
An Introduction To Server VirtualisationAn Introduction To Server Virtualisation
An Introduction To Server Virtualisation
 
Virtualization
VirtualizationVirtualization
Virtualization
 
Server Virtualization Seminar Presentation
Server Virtualization Seminar PresentationServer Virtualization Seminar Presentation
Server Virtualization Seminar Presentation
 
Security best practices for hyper v and server virtualisation [svr307]
Security best practices for hyper v and server virtualisation [svr307]Security best practices for hyper v and server virtualisation [svr307]
Security best practices for hyper v and server virtualisation [svr307]
 
Cs seminar 20061207
Cs seminar 20061207Cs seminar 20061207
Cs seminar 20061207
 
Capito Ardoe House VMWare Presentation
Capito Ardoe House VMWare PresentationCapito Ardoe House VMWare Presentation
Capito Ardoe House VMWare Presentation
 
Virtual Pc Seminar
Virtual Pc SeminarVirtual Pc Seminar
Virtual Pc Seminar
 
Server Virtualization
Server VirtualizationServer Virtualization
Server Virtualization
 
Virtualization presentation
Virtualization presentationVirtualization presentation
Virtualization presentation
 
VMware 2009
VMware 2009VMware 2009
VMware 2009
 
cloud basics.
cloud basics.cloud basics.
cloud basics.
 
10 zig combined presentation deck v3
10 zig combined presentation deck v310 zig combined presentation deck v3
10 zig combined presentation deck v3
 
Cio Breakfast Roundtable 05142009 Final Virtualization
Cio Breakfast Roundtable 05142009 Final VirtualizationCio Breakfast Roundtable 05142009 Final Virtualization
Cio Breakfast Roundtable 05142009 Final Virtualization
 
Virtualization meisen 042811
Virtualization meisen 042811Virtualization meisen 042811
Virtualization meisen 042811
 
Why Security Teams should care about VMware
Why Security Teams should care about VMwareWhy Security Teams should care about VMware
Why Security Teams should care about VMware
 
040711 webcast securing vmachine
040711 webcast securing vmachine 040711 webcast securing vmachine
040711 webcast securing vmachine
 
Usenix Invited Talk
Usenix Invited TalkUsenix Invited Talk
Usenix Invited Talk
 
APznzaamT18LaGRvfDd3vc6XGHHoq2hlFqHYsO9vYeEQXTa-sAm9oMvLFaeBQkqdEEa1z4UJVAboW...
APznzaamT18LaGRvfDd3vc6XGHHoq2hlFqHYsO9vYeEQXTa-sAm9oMvLFaeBQkqdEEa1z4UJVAboW...APznzaamT18LaGRvfDd3vc6XGHHoq2hlFqHYsO9vYeEQXTa-sAm9oMvLFaeBQkqdEEa1z4UJVAboW...
APznzaamT18LaGRvfDd3vc6XGHHoq2hlFqHYsO9vYeEQXTa-sAm9oMvLFaeBQkqdEEa1z4UJVAboW...
 
virtualization.pptx
virtualization.pptxvirtualization.pptx
virtualization.pptx
 
www.doubletake.com Data Protection Strategies for Virtualization
www.doubletake.com Data Protection Strategies for Virtualizationwww.doubletake.com Data Protection Strategies for Virtualization
www.doubletake.com Data Protection Strategies for Virtualization
 

More from jworth

University of Texas
University of TexasUniversity of Texas
University of Texas
jworth
 
Gpu Compute
Gpu ComputeGpu Compute
Gpu Compute
jworth
 
AMD's Lonestar Campus
AMD's Lonestar CampusAMD's Lonestar Campus
AMD's Lonestar Campus
jworth
 
AMD Financial Analyst\'s Day
AMD Financial Analyst\'s DayAMD Financial Analyst\'s Day
AMD Financial Analyst\'s Day
jworth
 
Accelerated Computing
Accelerated ComputingAccelerated Computing
Accelerated Computing
jworth
 
Amd V Nested Paging
Amd V Nested PagingAmd V Nested Paging
Amd V Nested Paging
jworth
 
Ces08
Ces08Ces08
Ces08
jworth
 

More from jworth (7)

University of Texas
University of TexasUniversity of Texas
University of Texas
 
Gpu Compute
Gpu ComputeGpu Compute
Gpu Compute
 
AMD's Lonestar Campus
AMD's Lonestar CampusAMD's Lonestar Campus
AMD's Lonestar Campus
 
AMD Financial Analyst\'s Day
AMD Financial Analyst\'s DayAMD Financial Analyst\'s Day
AMD Financial Analyst\'s Day
 
Accelerated Computing
Accelerated ComputingAccelerated Computing
Accelerated Computing
 
Amd V Nested Paging
Amd V Nested PagingAmd V Nested Paging
Amd V Nested Paging
 
Ces08
Ces08Ces08
Ces08
 

Virtualization

  • 1. Virtualization Technology For AMD Architecture Steve McDowell Division Marketing Manager Computation Products Group AMD steven.mcdowell @ amd.com Geoffrey Strongin Platform Security Architect Computation Products Group AMD geoffrey.strongin @ amd.com
  • 2. Session Outline Driving Towards Virtualization Solving the IT Department’s Utilization Dilemma Virtual Machine Approaches System Architecture Matters x86 Needs Help “ Pacifica” Architecture Core Architecture Access Control Interrupts Secure System Management Mode Device Protection
  • 3. Session Goals Attendees should leave this session with the following A better understanding of virtualization use cases Understanding of hardware assist for virtualization and AMD’s virtualization technology, codenamed “Pacifica” Knowledge of where to find resources for learning more about AMD and virtualization
  • 4. Virtualization Virtualization is the pooling and abstraction of resources in a way that masks the physical nature and boundaries of those resources from the resource users
  • 5. Problems With “Physical Boundaries” Today, IT Departments often have lots of pools of excess capacity and no way to share them Most applications are small 93% of x86 servers are 1 or 2-way Small applications don’t consume servers Applications typically have dynamic workloads Currently, x86 servers run at 10-20% utilization Mainframes typically run at 75-85% utilization The costs add up for running lots of under-utilized servers
  • 6. Virtualization In Servers Benefits over non-virtualized environments Reduced Hardware Cost Higher physical resource utilization Smaller footprint (power, space, cooling, etc.) Improved flexibility and responsiveness Resources can be adjusted dynamically Enables On-Demand and Adaptive Enterprise operating environments
  • 7. Virtualization In Clients Used for legacy support for enterprises who need to support applications on older Operating Systems (OS) side-by-side with new technology Test and Development Isolate development environments from production work Emerging use cases for management partitions, which may reduce IT support costs Heart of next generation security – allow trusted and untrusted partitions to co-exist Have partitions with different levels of security; The environment is designed to allow security policies to be reinforced
  • 8. Virtual Machine Approaches Virtualization software manages resources between Host and Guest Operating Systems Application can suffer decreased performance due to added overhead Virtualization Software (Hypervisor) is the host environment Designed to enable better software performance by eliminating some of the associated overhead If hardware is available, the Hypervisor can be designed to take advantage of it Carve a Server into Many Virtual Machines Hypervisor-based Virtualization Hosted Virtualization Mgmt Partition Guest OS Guest OS AMD64 w/“Pacifica” Hypervisor App App X86 Hardware Guest OS App Guest OS App Host Operating System Virtualization Software
  • 9. System Architecture Makes A Difference Legacy Architectures based around front-side bus aren’t scalable for today’s virtualization needs AMD’s Direct Connect Architecture reduces the bottlenecks, enabling efficient partitioning Examples: Today’s Server Architectures
  • 10. Efficiencies Needed On x86 For Virtualization Virtualization on the existing x86 architecture requires “unnatural acts” to achieve objectives This level of emulation and code rewriting is not required on other architectures Existing approaches add performance overhead and undue complexity, and leave security holes at the most physical levels AMD’s Pacifica technology is designed to take the complexity out of the hypervisor, putting it into the CPU for higher performance, higher security, and lower complexity (compared to traditional software- based approaches) Pacifica brings the x86 into the 21st century On to the Pacifica architecture…
  • 12. Core “Pacifica” Architecture: Virtual Machine Run (VMRUN) instruction. Virtualization is based on the VMRUN instruction. VMRUN executed by the host causes the guest to run; the guest runs until it exits back to the host. World switch: host → guest → host. The host resumes at the instruction following VMRUN. [Diagram: the host instruction stream executes VMRUN [rAX], where rAX holds the address of the VMCB data structure; the guest instruction stream runs from the state in that VMCB until an exit returns control to the host.]
  • 13. Core “Pacifica” Architecture: Intercepts. The guest runs until it performs an action that causes an exit to the host, or until it explicitly executes the VMMCALL instruction. The VMCB for a guest has settings that determine which actions cause the guest to exit to the host, and these intercepts can vary from guest to guest. There are two kinds of intercepts: exception and interrupt intercepts, and instruction intercepts. The rich set of intercepts allows the host to customize each guest’s privileges. Information about the intercepted event is put into the VMCB on exit.
  • 14. Core “Pacifica” Architecture: Virtual Machine Control Block. All CPU state for a guest is located in the Virtual Machine Control Block (VMCB) data structure. On VMRUN entry: host state is saved to memory, guest state is loaded from the VMCB, and the guest runs. On exit: guest state is saved back to the VMCB and host state is loaded from memory. The host state is saved at the physical address held in the Model Specific Register (MSR) vm_hsave_pa.
  • 15. Core “Pacifica” Architecture: Address translation: Page Tables. [Diagram of a page-table walk: the input is a linear/virtual address (LA, VA); CR3 holds the physical address of the first page table or directory; each table entry holds the guest or host physical address of the next table; the last entry yields the final host or guest physical address. If the address in a table entry is a guest physical address, it must be translated to a host physical address via the host page tables when nested paging is enabled.]
  • 16. Core “Pacifica” Architecture Address translation: Modes with virtualization
  • 17. Core “Pacifica” Architecture: Shadow Page Tables. Memory protection for Central Processing Unit (CPU) accesses can use either Shadow Page Tables (SPT) or Nested Page Tables. SPT constraints on host design: the host intercepts guest CR3 reads and writes; the host monitors guest edits to the guest page tables, which are marked “read only”; the host constructs and manages the SPT in software (software strategies for this are mature); the guest never sees the “real” page tables or the real content of Control Register 3 (CR3). Address Space IDs (ASIDs) are implemented to improve Translation Look-aside Buffer (TLB) performance; VMRUN sets the guest ASID.
  • 18. Core “Pacifica” Architecture: CPU Access Protection. The SPT sets guest access rights to the physical address space: no guest access is possible unless a mapping is present in the SPT; this covers DRAM and Memory Mapped Input/Output (MMIO), with a minimum granularity of 4 Kbytes. The VMCB contains a pointer to an IO Permission Map (IOPM) that controls guest access rights to IO ports, with granularity down to a single 1-byte port. The VMCB also contains a pointer to a Model Specific Register (MSR) permission map that controls guest access to MSRs.
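Added example, not code from the slides or from AMD: a C model of the two permission maps slide 18 describes. The IOPM has one bit per port (bit set = intercept), and a multi-byte IN/OUT is intercepted if any of the ports it touches is marked; the MSR map uses two bits per MSR (read, write) across the three 0x2000-MSR ranges the published specification covers, and this model treats any MSR outside those ranges as always intercepted. The byte sizes, the default-deny initialisation, the demo policy (COM1 open to the guest, TSC readable but not writable, EFER closed) and all function and type names are this example's assumptions.

```c
/* Added example (model, not AMD's code): IOPM and MSR permission map checks.
 * Names, sizes and the demo policy are assumptions for this example. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define IOPM_PORTS 65536u
typedef struct { uint8_t bits[IOPM_PORTS / 8]; } iopm_t;   /* 1 bit per port; set = intercept */

/* Default-deny: every port exits to the host until the host clears its bit. */
static void iopm_init(iopm_t *m) { memset(m->bits, 0xff, sizeof m->bits); }

static void iopm_set(iopm_t *m, uint16_t port, bool intercept) {
    if (intercept) m->bits[port >> 3] |= (uint8_t)(1u << (port & 7));
    else           m->bits[port >> 3] &= (uint8_t)~(1u << (port & 7));
}

/* A 1/2/4-byte IN/OUT touches `width` consecutive ports and is intercepted if
 * any of them is marked.  Ports past 0xFFFF are treated as intercepted here
 * (model assumption). */
static bool iopm_intercepts(const iopm_t *m, uint16_t port, unsigned width) {
    for (unsigned i = 0; i < width; i++) {
        unsigned p = (unsigned)port + i;
        if (p >= IOPM_PORTS || ((m->bits[p >> 3] >> (p & 7)) & 1u)) return true;
    }
    return false;
}

/* MSR permission map: 2 bits per MSR (read, then write) in three ranges of
 * 0x2000 MSRs, 2 KiB of bitmap per range.  Unmapped MSRs always intercept. */
#define MSRPM_BYTES 8192u
typedef struct { uint8_t bits[MSRPM_BYTES]; } msrpm_t;

static long msrpm_bitpos(uint32_t msr) {   /* bit index of the read bit, -1 if unmapped */
    static const struct { uint32_t base; unsigned page; } ranges[] = {
        { 0x00000000u, 0 }, { 0xC0000000u, 1 }, { 0xC0010000u, 2 },
    };
    for (unsigned i = 0; i < 3; i++)
        if (msr >= ranges[i].base && msr < ranges[i].base + 0x2000u)
            return (long)ranges[i].page * 0x800 * 8 + (long)(msr - ranges[i].base) * 2;
    return -1;
}

static void msrpm_init(msrpm_t *m) { memset(m->bits, 0xff, sizeof m->bits); }  /* default-deny */

static void msrpm_set(msrpm_t *m, uint32_t msr, bool icpt_read, bool icpt_write) {
    long b = msrpm_bitpos(msr);
    if (b < 0) return;                          /* unmapped MSRs cannot be opened up */
    uint8_t *rd = &m->bits[b >> 3], *wr = &m->bits[(b + 1) >> 3];
    if (icpt_read)  *rd |= (uint8_t)(1u << (b & 7));       else *rd &= (uint8_t)~(1u << (b & 7));
    if (icpt_write) *wr |= (uint8_t)(1u << ((b + 1) & 7)); else *wr &= (uint8_t)~(1u << ((b + 1) & 7));
}

static bool msrpm_intercepts(const msrpm_t *m, uint32_t msr, bool is_write) {
    long b = msrpm_bitpos(msr);
    if (b < 0) return true;
    b += is_write ? 1 : 0;
    return (m->bits[b >> 3] >> (b & 7)) & 1u;
}

/* Demo policy (constructed): the guest may drive COM1 (0x3F8-0x3FF) directly
 * and read the TSC (MSR 0x10); everything else, including writes to EFER
 * (MSR 0xC0000080), exits to the host. */
static void demo_policy(iopm_t *io, msrpm_t *msr) {
    iopm_init(io);
    msrpm_init(msr);
    for (uint16_t p = 0x3F8; p <= 0x3FF; p++) iopm_set(io, p, false);
    msrpm_set(msr, 0x10u, false, true);
}
```

The straddling case is the one to remember when writing a hypervisor: a 4-byte access at 0x3FE reaches port 0x400, so opening 0x3F8 through 0x3FF does not make every access that starts inside the range safe.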
  • 19. Core “Pacifica” Architecture: Interrupts. The processor’s response to hardware interrupts is set up in the VMCB. Two options: (1) Hardware interrupts while the guest is running are intercepted, causing an exit to the host; the host manages the physical APIC, determines interrupt routing and distribution, and injects virtual interrupts into guests as needed. Hardware support for virtual interrupts: v_irq, v_vector, v_prio, v_tpr, PHYS_IF. (2) Interrupts are serviced directly in the guest; the guest manages the physical APIC, and the host can still inject virtual interrupts. The Global Interrupt Flag (GIF) protects host code critical regions.
  • 20. Core “Pacifica” Architecture: System Management Mode. “Pacifica” implements a flexible architecture for the System Management Interrupt (SMI) and SMM: full legacy support for SMI from within host or guest; SMI intercepts, which allow the host to scrub state if needed, followed by a native SMI from the host; and support for “containerized” SMM, with SMM mode control via SMM_CTL_MSR, which allows the host to scrub state and dispatch the SMM handler from a VMCB.
  • 21. Core “Pacifica” Architecture: Containerized SMM flow. [Diagram. Host loop: Top: … VMRUN [rAX] … examine exit code … if the exit was an external SMI, set up the SMM save state and VMRUN [rAX] the SMM container … loop to Top. Guest: Inst 1, Inst 2, SMI (SMI intercept exits to the host). SMM container: SMM entry point, SMM code, SMM save state, RSM (RSM intercept exits to the host).]
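As an added example that is not from the slides or from AMD, the following C model ties slides 12 to 14, 19, 20 and 21 together: a host-side VMRUN loop over a VMCB with per-guest intercept settings, the exit information written back on exit, GIF cleared on exit so the host resumes in a critical region, virtual interrupt injection gated by the guest's IF and its v_tpr, and the containerized SMM dispatch in which the SMM handler runs as a guest of its own VMCB until its RSM is intercepted. The exit-code values are the ones later published in the AMD64 Architecture Programmer's Manual vol. 2; every struct field, intercept-bit encoding, event name and function name is this model's own assumption, and the guest "instruction stream" is a constructed list of events, not real instructions.

```c
/* Added example (model, not AMD's code): VMRUN/#VMEXIT loop, VMCB intercepts,
 * virtual interrupt injection and containerized SMM.  Only the VMEXIT_* values
 * come from the published architecture; everything else is this model's own. */
#include <stdbool.h>
#include <stdint.h>

enum {                          /* #VMEXIT codes (published encoding) */
    VMEXIT_EXCP_BASE = 0x040,   /* 0x040 + exception vector */
    VMEXIT_INTR      = 0x060,
    VMEXIT_SMI       = 0x062,
    VMEXIT_CPUID     = 0x072,
    VMEXIT_RSM       = 0x073,
    VMEXIT_HLT       = 0x078,
    VMEXIT_VMMCALL   = 0x081,
};
enum {                          /* intercept bits (model's own encoding, not VMCB offsets) */
    ICPT_INTR = 1u << 0, ICPT_SMI = 1u << 1, ICPT_CPUID = 1u << 2,
    ICPT_RSM  = 1u << 3, ICPT_HLT = 1u << 4, ICPT_VMMCALL = 1u << 5,
};
typedef enum { EV_CPUID, EV_HLT, EV_VMMCALL, EV_RSM, EV_EXCEPTION, EV_INTR, EV_SMI, EV_END } event_kind;
typedef struct { event_kind kind; uint8_t vector; } guest_event;  /* one step of a constructed guest stream */

typedef struct {
    uint32_t instr_intercepts;  /* ICPT_* bits: which events exit to the host */
    uint32_t excp_intercepts;   /* bit n set: exception vector n exits to the host */
    bool     v_irq;             /* virtual interrupt pending for this guest */
    uint8_t  v_vector, v_prio, v_tpr;
    bool     guest_if;          /* saved guest RFLAGS.IF */
    int      guest_rip;         /* saved guest "RIP": index into its event stream */
    int      exit_code, exit_vector;   /* written on #VMEXIT */
    int      delivered_vector;  /* model: virtual interrupt the guest took, -1 if none */
} vmcb;

typedef struct { bool gif; int host_rip; } host_state;   /* GIF guards host critical regions */

static bool virq_deliverable(const vmcb *v) {   /* guest IF set and priority above its TPR */
    return v->v_irq && v->guest_if && v->v_prio > v->v_tpr;
}

/* VMRUN: load guest state from the VMCB and run until an intercepted event.
 * Returns true on #VMEXIT (exit info stored in the VMCB, GIF cleared) or
 * false if the constructed stream ended without an intercept. */
static bool sim_vmrun(host_state *h, vmcb *v, const guest_event *stream) {
    h->host_rip++;              /* host resumes at the instruction after VMRUN */
    h->gif = true;              /* VMRUN sets GIF on entry */
    if (virq_deliverable(v)) { v->delivered_vector = v->v_vector; v->v_irq = false; }
    for (;; v->guest_rip++) {
        const guest_event *e = &stream[v->guest_rip];
        int code = -1;
        switch (e->kind) {
        case EV_CPUID:   if (v->instr_intercepts & ICPT_CPUID)   code = VMEXIT_CPUID;   break;
        case EV_HLT:     if (v->instr_intercepts & ICPT_HLT)     code = VMEXIT_HLT;     break;
        case EV_VMMCALL: if (v->instr_intercepts & ICPT_VMMCALL) code = VMEXIT_VMMCALL; break;
        case EV_RSM:     if (v->instr_intercepts & ICPT_RSM)     code = VMEXIT_RSM;     break;
        case EV_INTR:    if (v->instr_intercepts & ICPT_INTR)    code = VMEXIT_INTR;    break;
        case EV_SMI:     if (v->instr_intercepts & ICPT_SMI)     code = VMEXIT_SMI;     break;
        case EV_EXCEPTION:
            if (e->vector < 32 && (v->excp_intercepts & (1u << e->vector)))
                code = VMEXIT_EXCP_BASE + e->vector;
            break;
        case EV_END: return false;
        }
        if (code >= 0) {
            v->exit_code = code; v->exit_vector = e->vector;
            h->gif = false;     /* #VMEXIT clears GIF until the host executes STGI */
            return true;
        }
    }
}

/* Containerized SMM: after an SMI intercept the host scrubs what it must and
 * dispatches the SMM handler as a guest of its own VMCB, intercepting RSM. */
static int dispatch_smm(host_state *h, vmcb *smm, const guest_event *smm_handler) {
    smm->instr_intercepts |= ICPT_RSM;
    smm->guest_rip = 0;
    return sim_vmrun(h, smm, smm_handler) ? smm->exit_code : -1;
}

/* Constructed guest streams used by the demos below. */
static const guest_event demo_stream[]    = { { EV_CPUID, 0 }, { EV_VMMCALL, 0 }, { EV_END, 0 } };
static const guest_event demo_pf_stream[] = { { EV_EXCEPTION, 14 }, { EV_END, 0 } };
static const guest_event demo_smm_handler[] = { { EV_HLT, 0 }, { EV_RSM, 0 }, { EV_END, 0 } };

/* Run one guest with the given intercepts; returns the exit code (-1 if none)
 * and leaves the guest RIP at the intercepted event in *rip_at_exit. */
static int run_guest(uint32_t intercepts, uint32_t excp_intercepts,
                     const guest_event *stream, int *rip_at_exit) {
    host_state h = { true, 0 };
    vmcb v = { 0 };
    v.instr_intercepts = intercepts; v.excp_intercepts = excp_intercepts; v.delivered_vector = -1;
    int code = sim_vmrun(&h, &v, stream) ? v.exit_code : -1;
    if (rip_at_exit) *rip_at_exit = v.guest_rip;
    return code;
}

/* Which vector (if any) a guest with the given priority/TPR/IF takes on entry. */
static int inject_demo(uint8_t prio, uint8_t tpr, bool guest_if) {
    static const guest_event idle[] = { { EV_END, 0 } };
    host_state h = { true, 0 };
    vmcb v = { 0 };
    v.v_irq = true; v.v_vector = 0x30; v.v_prio = prio; v.v_tpr = tpr; v.guest_if = guest_if;
    v.delivered_vector = -1;
    sim_vmrun(&h, &v, idle);
    return v.delivered_vector;
}

static int smm_demo(void) {                /* -> VMEXIT_RSM once the handler finishes */
    host_state h = { true, 0 };
    vmcb smm = { 0 };
    return dispatch_smm(&h, &smm, demo_smm_handler);
}
```

Two guests running the same stream exit at different points depending only on their VMCB settings, which is the "privileges customized per guest" point of slide 13; the SMM demo shows the handler's HLT running unintercepted inside its container while its RSM returns control to the host.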
  • 22. Core “Pacifica” Architecture: Paged Real Mode (new). SMM code is designed to start in real mode, but memory protection relies on paging, so guests must run with paging enabled. Pacifica solution: paged real mode, available only for guests, with cr0.pg=1 and cr0.pe=0. The host must intercept page faults. Real-mode address translation: (segment+offset) = linear address → translation via SPT → physical address. Correct composition of the SPTs is the host’s responsibility; the guest assumes a linear, 0-based mapping.
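Added example, not code from the slides or from AMD: a C model composing a guest page table with the host's guest-physical-to-host-physical map into the shadow page table the CPU walks (slides 15, 17 and 18), walking that table for a paged-real-mode segment:offset address (slide 22), and re-syncing it after the host intercepts a guest edit to its own page tables. The single-level tables over a 1 MiB linear space, the frame numbers, the page layout and every name are constructed for this example; real x86 tables are multi-level and real shadow-table maintenance is far more involved.

```c
/* Added example (model, not AMD's code): shadow page table composition,
 * the CPU walk of the shadow table, and paged real mode.  Tables, frame
 * numbers and names are constructed for this example. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define PAGE_SHIFT 12
#define NPAGES 256   /* one-level tables over a 1 MiB linear space (assumption) */

typedef struct { bool present, writable; uint32_t pfn; } pte_t;
typedef struct { pte_t e[NPAGES]; } table_t;

static void map_page(table_t *t, uint32_t vpn, uint32_t pfn, bool writable) {
    t->e[vpn].present = true; t->e[vpn].writable = writable; t->e[vpn].pfn = pfn;
}

/* Compose the guest table (linear -> guest physical) with the host's map
 * (guest physical -> host physical) into the shadow table.  A page is present
 * only if both levels map it and writable only if both allow it, so the guest
 * can never reach memory the host has not granted. */
static void spt_build(const table_t *gpt, const table_t *npt, table_t *spt) {
    memset(spt, 0, sizeof *spt);
    for (uint32_t vpn = 0; vpn < NPAGES; vpn++) {
        const pte_t *g = &gpt->e[vpn];
        if (!g->present || g->pfn >= NPAGES) continue;
        const pte_t *h = &npt->e[g->pfn];
        if (!h->present) continue;          /* guest maps it, host has not granted it */
        map_page(spt, vpn, h->pfn, g->writable && h->writable);
    }
}

/* CPU walk of the shadow table.  false = #PF, which the host intercepts. */
static bool spt_translate(const table_t *spt, uint32_t linear, bool write, uint32_t *host_phys) {
    uint32_t vpn = linear >> PAGE_SHIFT;
    if (vpn >= NPAGES || !spt->e[vpn].present || (write && !spt->e[vpn].writable)) return false;
    *host_phys = (spt->e[vpn].pfn << PAGE_SHIFT) | (linear & 0xFFFu);
    return true;
}

/* Paged real mode: segment:offset -> linear exactly as real mode computes it,
 * then the same shadow-table walk.  The guest assumes a flat, 0-based mapping. */
static bool real_translate(const table_t *spt, uint16_t seg, uint16_t off, bool write, uint32_t *host_phys) {
    uint32_t linear = ((uint32_t)seg << 4) + off;
    return spt_translate(spt, linear, write, host_phys);
}

/* Constructed layout: guest pages 0 and 1 map guest-physical frames 5 and 6
 * (page 1 read-only in the guest's own table); page 2 maps guest-physical 0xA0,
 * which the guest believes is MMIO and the host never grants; page 0x10 is
 * identity-mapped for an SMM handler that starts in real mode.  The host places
 * guest frame N at host frame 0x100 + N (assumption). */
static void demo_tables(table_t *gpt, table_t *npt, table_t *spt) {
    memset(gpt, 0, sizeof *gpt); memset(npt, 0, sizeof *npt);
    map_page(gpt, 0x00, 0x05, true);
    map_page(gpt, 0x01, 0x06, false);
    map_page(gpt, 0x02, 0xA0, true);
    map_page(gpt, 0x10, 0x10, true);
    map_page(npt, 0x05, 0x105, true);
    map_page(npt, 0x06, 0x106, true);
    map_page(npt, 0x10, 0x110, true);
    spt_build(gpt, npt, spt);
}

/* The guest edits one of its page-table entries.  Because the guest tables are
 * shadowed read-only, the write faults to the host, which applies it and
 * rebuilds the shadow table before resuming the guest. */
static void guest_edit_pte(table_t *gpt, const table_t *npt, table_t *spt,
                           uint32_t vpn, uint32_t gpfn, bool writable) {
    map_page(gpt, vpn, gpfn, writable);
    spt_build(gpt, npt, spt);
}
```

The 0xFFFF:0xFFFF case in the test is the classic real-mode address above 1 MiB; in this model it simply falls outside the shadow table and faults, which is what "host must intercept page faults" on slide 22 is for.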
  • 23. Core “Pacifica” Architecture: DMA Protection. Protection domains: a mapping from bus/device ID to protection domain. Device Exclusion Vector (DEV): one DEV per protection domain; it permission-checks all upstream accesses; 1 bit per physical 4K page of the system address space (a 0.003% tax: 128 Kbytes per 4 Gbytes); protection for both DRAM and Memory Mapped IO space; a contiguous table in physical memory.
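Added example, not from the slides or from AMD: a C model of the DEV check. One bit per 4 KiB page of a 4 GiB system address space per protection domain (128 KiB each, the 0.003% figure on the slide), a bus:device:function-to-domain table, and a check applied to every upstream access whether the target is DRAM or MMIO. The bit polarity (set = excluded), the table sizes, the demo device layout and all names are this example's assumptions; the real DEV table format is in the specification.

```c
/* Added example (model, not AMD's code): Device Exclusion Vector lookup.
 * Polarity, sizes, device layout and names are assumptions for this example. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define PAGE_SHIFT 12
#define SYS_SPACE  (1ull << 32)                                  /* 4 GiB, the slide's figure */
#define DEV_BYTES  ((size_t)(SYS_SPACE >> PAGE_SHIFT) / 8)      /* 1 bit per 4 KiB page = 128 KiB */
#define NDOMAINS   4

typedef struct { uint8_t bits[DEV_BYTES]; } dev_vector_t;      /* bit set = page excluded */

typedef struct {
    dev_vector_t dev[NDOMAINS];        /* one DEV per protection domain */
    uint8_t domain_of[1u << 16];       /* bus:device:function -> protection domain */
} dev_ctx_t;

static uint16_t bdf(unsigned bus, unsigned dev, unsigned fn) {
    return (uint16_t)((bus << 8) | (dev << 3) | fn);
}

static void dev_init(dev_ctx_t *c) { memset(c, 0, sizeof *c); }   /* nothing excluded, all in domain 0 */

/* Exclude [start, start + len) for a domain; DRAM and MMIO are treated alike. */
static void dev_exclude(dev_ctx_t *c, unsigned domain, uint64_t start, uint64_t len) {
    for (uint64_t a = start & ~0xFFFull; a < start + len && a < SYS_SPACE; a += 4096) {
        uint64_t page = a >> PAGE_SHIFT;
        c->dev[domain].bits[page >> 3] |= (uint8_t)(1u << (page & 7));
    }
}

static void dev_assign(dev_ctx_t *c, uint16_t id, unsigned domain) {
    c->domain_of[id] = (uint8_t)domain;
}

/* Check one upstream (device-to-memory) access; false = the access is blocked.
 * Addresses beyond the covered space are blocked as well (model assumption). */
static bool dev_allows(const dev_ctx_t *c, uint16_t id, uint64_t addr) {
    if (addr >= SYS_SPACE) return false;
    uint64_t page = addr >> PAGE_SHIFT;
    const dev_vector_t *v = &c->dev[c->domain_of[id]];
    return !((v->bits[page >> 3] >> (page & 7)) & 1u);
}

/* Table overhead as a percentage of the protected space: 128 KiB / 4 GiB. */
static double dev_overhead_percent(void) { return 100.0 * (double)DEV_BYTES / (double)SYS_SPACE; }

/* Constructed policy: a guest-assigned NIC at 01:00.0 lives in domain 1, which
 * may not DMA into the host's first 2 MiB or the local APIC MMIO page at
 * 0xFEE00000; host-owned devices stay in domain 0 where nothing is excluded. */
static dev_ctx_t demo_ctx;
static const dev_ctx_t *demo_policy(void) {
    dev_init(&demo_ctx);
    dev_assign(&demo_ctx, bdf(1, 0, 0), 1);
    dev_exclude(&demo_ctx, 1, 0x00000000ull, 0x200000ull);
    dev_exclude(&demo_ctx, 1, 0xFEE00000ull, 0x1000ull);
    return &demo_ctx;
}
```

The MMIO case matters as much as the DRAM one: a device that can write the local APIC page can inject interrupts, so the slide's "both DRAM and Memory Mapped IO space" is a security property, not a completeness note.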
  • 24. Summary. Virtualization is being used in several server scenarios today, and AMD expects that virtualization will prove valuable for PC clients too. There are ways to modify the x86 architecture so that virtualization is easier to accomplish, performs better, and provides more security. AMD’s “Pacifica” technology is being developed for future AMD64 CPUs for servers and clients. Key technologies include adding new instructions, supporting different methods of handling page tables, handling host and guest interrupts (including SMI/SMM), and providing DMA protection.
  • 25. Call To Action Read the “Pacifica” specification to understand hardware assisted virtualization, available at www.amd.com Continue to ensure that your device and driver works with AMD64 on ALL 64-bit enabled Windows Operating Systems Pacifica Technology is for AMD64 CPUs Sign up for AMD’s development center at http://devcenter.amd.com
  • 26. Additional Resources Web Resources Main Page: http://www.amd.com Developer Center: http://devcenter.amd.com Related Sessions TWSE05008 Microsoft Virtual Server-Overview and Roadmap TWAR05013 Windows Virtualization Architecture
  • 27. Community Resources Windows Hardware and Driver Central (WHDC) www.microsoft.com/whdc/default.mspx Technical Communities www.microsoft.com/communities/products/default.mspx Non-Microsoft Community Sites www.microsoft.com/communities/related/default.mspx Microsoft Public Newsgroups www.microsoft.com/communities/newsgroups Technical Chats and Webcasts www.microsoft.com/communities/chats/default.mspx www.microsoft.com/webcasts Microsoft Blogs www.microsoft.com/communities/blogs

Editor's Notes

  1. WinHEC 2005