System Virtualization


Hypervisor Architectures

Hypervisor architectures vary along several dimensions. Some are open source, others are proprietary. Some comprise thin hypervisors augmented with specialized guest operating systems. Others employ a monolithic hypervisor that is fully self-contained. In this section, we compare and contrast currently available architectures.

Monolithic Hypervisor

Hypervisor architectures seen in commercial applications most often employ a monolithic design, as in Figure 2. Like a monolithic operating system, the monolithic hypervisor requires a large body of operating software, including device drivers and middleware, to support the execution of one or more guest environments. In addition, the monolithic architecture often uses a single instance of the virtualization component to support multiple guest environments. A single flaw in that shared, privileged code base may therefore compromise the guest environment separation that virtualization was intended to provide in the first place.

Figure 2: Monolithic hypervisor architecture. (Source: Green Hills Software, 2008)

Console Guest Hypervisor

An alternative approach uses a trimmed-down hypervisor that runs in the microprocessor's privileged mode but relies on a special guest operating system partition, the console guest, to handle I/O control and services for the other guest operating systems. A complex body of software must therefore still be trusted for system security. As Figure 3 shows, a typical console guest such as Linux may add far more code to the virtualization layer than is found in a monolithic hypervisor.

Figure 3: Console guest hypervisor architecture. (Source: Green Hills Software, 2008)

Microkernel-based Hypervisor

The newest hypervisor architecture was designed specifically to provide robust separation between guest environments. Figure 4 shows the microkernel-based hypervisor architecture. This architecture places the virtualization complexity into user-mode processes outside the trusted operating system microkernel, as, for example, in Green Hills Software's Integrity. A separate instance of the virtualization layer is used for each guest environment, so a flaw in one instance affects only the guest it serves, and the separation between guests rests on the much smaller microkernel. Thus, the virtualization layer need only meet the equivalent (and, typically, relatively low) robustness level of the guest itself.

Figure 4: Microkernel-based hypervisor architecture. (Source: Green Hills Software, 2008)

Paravirtualization

System virtualization can be implemented with full virtualization or paravirtualization, a term first coined in the 2001 Denali project. [2] With full virtualization, unmodified guest operating systems are supported. With paravirtualization, the guest operating system is modified in order to improve the ability of the underlying hypervisor to achieve its intended function. Paravirtualization is often able to provide improved performance and lower power consumption. For example, device drivers in the guest operating system can be modified to make direct use of the I/O hardware, or to hand work to the hypervisor in batches, instead of requiring each I/O access to be trapped and emulated by the hypervisor. In contrast to enterprise computing, most of the virtualization deployed within low-power embedded systems has used paravirtualization. This trend is likely to change, however, with the inclusion of Intel VT in low-power chipsets. The advantage of full virtualization is the ability to use unmodified versions of operating systems that have a proven fielded pedigree and do not require the maintenance associated with custom modifications. This maintenance saving is especially important in embedded devices, where I/O peripherals tend to vary dramatically across designs.
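To make the trap-and-emulate cost concrete, the following toy model is added here as an illustration; it is not part of the original article and not Green Hills Software's code. A guest sends a buffer to a byte-sink device two ways: through an emulated I/O port, where every OUT instruction is a VM exit that the hypervisor must decode and emulate, and through a paravirtualized driver that fills a shared ring and issues a single hypercall (the shared-ring pattern used by paravirtualized drivers such as virtio, rather than the direct hardware access the paragraph mentions). The port number, the ring size and the device itself are assumptions of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model, added for illustration (not Green Hills code): a byte-sink
 * "device" reached either through an emulated I/O port or through a
 * paravirtualized shared ring plus one hypercall. */

#define DEV_DATA_PORT 0x3F8        /* assumed port number of the model device */
#define RING_SIZE     64           /* assumed size of the shared ring */

struct device {
    unsigned char out[512];        /* bytes the device has received */
    size_t len;
};

struct hypervisor {
    struct device dev;
    unsigned vm_exits;             /* traps taken out of the guest so far */
    unsigned char ring[RING_SIZE]; /* page shared between guest and hypervisor */
};

/* Full virtualization: the I/O bitmap marks DEV_DATA_PORT as trapping, so
 * every OUT to it is a VM exit; the hypervisor emulates the register write. */
static void vmexit_io_port(struct hypervisor *hv, uint16_t port, unsigned char val)
{
    hv->vm_exits++;
    if (port == DEV_DATA_PORT && hv->dev.len < sizeof hv->dev.out)
        hv->dev.out[hv->dev.len++] = val;
    /* writes to any other port are ignored by the model device */
}

/* Unmodified guest driver: one OUT per byte, hence one VM exit per byte. */
static unsigned guest_send_fullvirt(struct hypervisor *hv, const void *buf, size_t n)
{
    const unsigned char *p = buf;
    for (size_t i = 0; i < n; i++)
        vmexit_io_port(hv, DEV_DATA_PORT, p[i]);
    return hv->vm_exits;
}

/* Paravirtualized path: the hypercall is the only trap; the payload was
 * already placed in the shared ring by the guest. */
static void hypercall_ring_flush(struct hypervisor *hv, size_t n)
{
    hv->vm_exits++;
    if (n > RING_SIZE)
        n = RING_SIZE;             /* never trust a guest-supplied length */
    for (size_t i = 0; i < n && hv->dev.len < sizeof hv->dev.out; i++)
        hv->dev.out[hv->dev.len++] = hv->ring[i];
}

/* Modified guest driver: fills the ring, then issues one hypercall per
 * ring-full instead of one trap per byte. */
static unsigned guest_send_paravirt(struct hypervisor *hv, const void *buf, size_t n)
{
    const unsigned char *p = buf;
    size_t off = 0;
    while (off < n) {
        size_t chunk = n - off < RING_SIZE ? n - off : RING_SIZE;
        memcpy(hv->ring, p + off, chunk);
        hypercall_ring_flush(hv, chunk);
        off += chunk;
    }
    return hv->vm_exits;
}

/* Returns 1 if the device received exactly buf[0..n). */
static int device_received(const struct hypervisor *hv, const void *buf, size_t n)
{
    return hv->dev.len == n && memcmp(hv->dev.out, buf, n) == 0;
}

/* Runs one scenario on a fresh hypervisor with a constructed n-byte pattern
 * and returns the VM exit count, or 0 if the device did not get the bytes
 * intact. */
static unsigned run_scenario(int paravirt, size_t n)
{
    struct hypervisor hv;
    unsigned char msg[512];
    memset(&hv, 0, sizeof hv);
    if (n > sizeof msg)
        n = sizeof msg;
    for (size_t i = 0; i < n; i++)
        msg[i] = (unsigned char)('A' + i % 26);
    unsigned exits = paravirt ? guest_send_paravirt(&hv, msg, n)
                              : guest_send_fullvirt(&hv, msg, n);
    return device_received(&hv, msg, n) ? exits : 0;
}

int main(void)
{
    printf("full virtualization: %u VM exits for 100 bytes\n", run_scenario(0, 100));
    printf("paravirtualized:     %u VM exits for 100 bytes\n", run_scenario(1, 100));
    return 0;
}
```

The length clamp in the hypercall handler is the security-relevant line: in the paravirtualized design the guest now hands the hypervisor data and lengths directly, so every hypercall argument has to be validated as untrusted input, exactly as a system call argument would be.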

Leveraging Intel VT

Intel VT has been a factor in the growing adoption of full virtualization throughout the enterprise computing world. Intel VT for IA-32, Intel 64 and Intel Architecture (Intel VT-x) provides a number of hypervisor assistance capabilities. For example, a hardware root mode for the hypervisor (VMX root operation) lets an unmodified guest operating system keep its kernel at Ring 0 while running in non-root operation with reduced privilege, so that privileged operations trap to the hypervisor as VM exits. Intel VT-x also lets the hypervisor confine a guest operating system to the physical memory allocated to its virtual machine; a guest reference outside that allocation traps to the hypervisor rather than reaching another guest's memory. In addition, Intel VT-x lets the hypervisor select, through an exception bitmap, which classes of guest exceptions cause a VM exit; exceptions not selected are delivered directly to the guest operating system's own handlers without the overhead of hypervisor software interposing.

In 2006, Green Hills Software demonstrated virtualization using Intel VT-x. Prior to this, in 2005, Green Hills demonstrated a full virtualization solution on platforms without Intel VT capabilities, using selective dynamic translation techniques conceptually similar to those employed by the original versions of VMware. That desktop solution could support no more than two simultaneous full-motion audio/video clips (each in a separate virtual machine) without dropping frames. With Intel VT-x on desktops of a similar class, the number of simultaneous clips was limited only by the total RAM available to host multiple virtual machines. General PC benchmarks showed approximately a factor-of-two performance improvement for Intel VT-x over the earlier platforms. In addition, the Green Hills virtualization layer was radically simplified by the Intel VT-x capabilities.

In 2008, Green Hills Software demonstrated its virtualization technology, enabled by Intel VT-x, on Intel Atom processors, taking advantage of the scalability of Intel VT-x across low-power embedded systems, laptops, desktops, and server-class systems. In 2007, Green Hills demonstrated the use of Intel VT for Directed I/O (Intel VT-d) in its desktop-based offerings, and in 2008 it demonstrated Intel VT-d in Intel Centrino 2 processor technology-based laptops. Intel VT-d's DMA remapping capability further enhances virtualization performance and reduces hypervisor software complexity by enabling select I/O peripherals to be controlled directly by the guest operating system, with little or no intervention from virtualization software. The same remapping hardware confines the peripheral's DMA to the memory of the guest it is assigned to, so a directly controlled device (or the guest driver behind it) cannot read or overwrite the hypervisor or another guest; without an IOMMU, direct device assignment would give the guest DMA access to all of physical memory. Intel VT has enabled Green Hills Software and other technology suppliers to leverage the power of full system virtualization across a wide range of hardware platforms, vertical industries, and emerging usage scenarios.
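The two containment checks described in this section and the previous one (guest-physical memory confinement and the exception bitmap under Intel VT-x, DMA remapping under Intel VT-d) share one mechanism: a per-domain translation table that the hardware consults and that the guest cannot edit. The model below is added here as an illustration and is not part of the original article or Green Hills Software's code. A flat array stands in for the multi-level EPT and VT-d page tables; the page counts, host page numbers and device are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model, added for illustration (not Green Hills code): a flat table
 * plays the role of EPT (CPU accesses) and of the VT-d context/page tables
 * (device DMA). Only the containment property is modelled. */

#define PG_SHIFT 12
#define PG_SIZE  (1ull << PG_SHIFT)
#define MAX_PAGES 16                 /* assumed guest address space, in pages */

enum xlate { XLATE_OK, XLATE_NOT_PRESENT, XLATE_NOT_WRITABLE, XLATE_OUT_OF_RANGE };

/* One translation domain: guest-physical (or DMA) page -> host page. */
struct domain {
    uint64_t hpa_page[MAX_PAGES];
    bool present[MAX_PAGES];
    bool writable[MAX_PAGES];
};

struct vm {
    struct domain mem;               /* guest-physical -> host-physical (EPT role) */
    uint32_t exception_bitmap;       /* bit v set: exception vector v causes a VM exit */
};

/* A directly assigned device: the IOMMU consults the owning VM's domain. */
struct assigned_device {
    const struct vm *owner;
};

static void map_page(struct domain *d, unsigned gpa_page, uint64_t hpa_page, bool writable)
{
    if (gpa_page >= MAX_PAGES)
        return;
    d->hpa_page[gpa_page] = hpa_page;
    d->present[gpa_page]  = true;
    d->writable[gpa_page] = writable;
}

/* Core check shared by the CPU path (VT-x) and the DMA path (VT-d). */
static enum xlate translate(const struct domain *d, uint64_t addr, bool write, uint64_t *hpa)
{
    uint64_t page = addr >> PG_SHIFT;
    if (page >= MAX_PAGES)
        return XLATE_OUT_OF_RANGE;
    if (!d->present[page])
        return XLATE_NOT_PRESENT;
    if (write && !d->writable[page])
        return XLATE_NOT_WRITABLE;
    *hpa = (d->hpa_page[page] << PG_SHIFT) | (addr & (PG_SIZE - 1));
    return XLATE_OK;
}

/* CPU access from the guest: a failed translation is an EPT violation that
 * traps to the hypervisor and never reaches another VM's memory. */
static enum xlate guest_access(const struct vm *vm, uint64_t gpa, bool write, uint64_t *hpa)
{
    return translate(&vm->mem, gpa, write, hpa);
}

/* DMA issued by the device: VT-d remaps it through the owner's domain, so a
 * device assigned to one guest cannot reach the hypervisor or other guests. */
static enum xlate device_dma(const struct assigned_device *dev, uint64_t dma_addr,
                             bool write, uint64_t *hpa)
{
    return translate(&dev->owner->mem, dma_addr, write, hpa);
}

/* Exception raised while the guest runs: the bitmap decides whether the
 * guest's own handler runs or the hypervisor intercepts (vectors 0-31). */
static bool exception_causes_vmexit(const struct vm *vm, unsigned vector)
{
    return vector < 32 && ((vm->exception_bitmap >> vector) & 1u);
}

/* Two guests with disjoint host memory: guest pages 0-3 each, A backed by
 * host pages 0x100.., B by host pages 0x200.. (constructed layout). */
static void build_two_guests(struct vm *a, struct vm *b)
{
    memset(a, 0, sizeof *a);
    memset(b, 0, sizeof *b);
    for (unsigned p = 0; p < 4; p++) {
        map_page(&a->mem, p, 0x100 + p, true);
        map_page(&b->mem, p, 0x200 + p, true);
    }
    a->exception_bitmap = 1u << 14;  /* intercept #PF (vector 14) only */
}

int main(void)
{
    struct vm a, b;
    uint64_t hpa = 0;
    struct assigned_device nic = { &a };
    build_two_guests(&a, &b);
    printf("device DMA to 0x2000: result %d (0 = ok), hpa 0x%llx\n",
           (int)device_dma(&nic, 0x2000, true, &hpa), (unsigned long long)hpa);
    printf("device DMA to 0x4000: result %d (1 = not present, remapping fault)\n",
           (int)device_dma(&nic, 0x4000, true, &hpa));
    return 0;
}
```

Note what the model does not cover: real EPT and VT-d tables are multi-level and cached in TLBs and IOTLBs, so the hypervisor must invalidate those caches after changing a mapping, and a device's domain must be set up before the guest is allowed to program the device.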

