Patent Application
20130145363
The invention generally relates to virtual machines (VMs) and more specifically to execution of a guest in a para-virtualized environment.
There are two known forms of virtualization used today. One form of implementation is full virtualization which allows an unmodified guest operating system (which is also referred to herein simply as a guest) to execute thereon a virtual machine (VM). In this case, the VM sufficiently simulates the hardware on which it executes, such that no modification is required of a guest that runs directly on the host processor. However, full virtualization is possible only when there is the right combination of hardware and software to support it. Such configuration is cumbersome and sometime impractical for some of the more commonly used processor architectures.
An alternative to full virtualization is para-virtualization that comes at a cost of requiring some modifications of the guest. A software interface is used to allow the handling and modifying of the guest, so that the guest can operate in the environment of a para-virtualized system. The advantage is a somewhat simpler system to handle when compared to a full virtualization system, but at a cost of a requirement to modify the guest. In some cases, hardware assisted virtualization is used with respect of para-virtualization to reduce maintenance overhead associated with such para-virtualization.
Spaces, rings or protection rings are hierarchical protection domains utilized to protect data and functionality from faults and malicious actions. Each protection provides different levels of access to hardware/software resources. In typical operating system, the most privileged is the kernel space, also known as Ring 0 in certain processor architectures, which interacts directly with the physical hardware (e.g., the CPU and memory). The least privileged is the user space also known as Ring 3 in certain processor architectures. In a para-virtualized environment, a modified guest runs in Ring 3, and therefore cannot execute instructions that require Ring 0 privileges. Such instructions are referred to herein as privileged instructions. Therefore, on each attempt to execute privileged instructions in Ring 3, the processor executing the instruction raises an exception which in turn leads to an undefined behavior.
It would be therefore advantageous to provide a solution that overcomes the deficiencies of the prior art by allowing an unmodified guest operating system to run in a para-virtualized environment.
Certain embodiments disclosed herein include a method of operation in a para-virtualized environment. The method includes executing a first hypervisor on a hardware platform of a computing device; and executing a second hypervisor over the first hypervisor, the second hypervisor is configured to capture at least a privileged instruction called by an unmodified guest program executed over the second hypervisor and cause the first hypervisor to execute an instruction corresponding to the captured privileged instruction, wherein the unmodified guest program and the second hypervisor operate in a user space protection domain and the at least privileged instruction should be executed in a kernel space protection domain.
Certain embodiments disclosed herein also include an apparatus operating in a para-virtualized environment. The apparatus includes a processor; and a memory coupled to the processor and configured to store at least a first set of instructions for a first hypervisor for execution by the processor and a second set of instructions for a second hypervisor for execution by the processor over the first hypervisor, wherein the first hypervisor is configured to enable execution of an unmodified guest program over the second hypervisor and wherein the unmodified guest program and the second hypervisor operates in a user space protection domain.
Certain embodiments disclosed herein also include a method for isolating an unmodified guest program executed in a para-virtualized environment from a para-virtualized hypervisor. The method comprises executing a para-virtualized hypervisor (PVHV) on a hardware platform of a computing device; executing an interface hypervisor (IHV) over the PVHV; and executing the unmodified guest program over the IHV, wherein the IHV is configured to capture at least a privileged instruction received from the unmodified guest program and cause the PVHV to execute an instruction corresponding to the captured privileged instruction, wherein the unmodified guest program and the IHV operate in a user space protection domain, and the at least privileged instruction should be executed in a kernel space protection domain.
The subject matter that is regarded as the invention is particularly pointed out and distinctly claimed in the claims at the conclusion of the specification. The foregoing and other objects, features, and advantages of the invention will be apparent from the following detailed description taken in conjunction with the accompanying drawings.
The embodiments disclosed herein are only examples of the many possible advantageous uses and implementations of the innovative teachings presented herein. In general, statements made in the specification of the present application do not necessarily limit any of the various claimed inventions. Moreover, some statements may apply to some inventive features but not to others. In general, unless otherwise indicated, singular elements may be in plural and vice versa with no loss of generality. In the drawings, like numerals refer to like parts through several views.
Various embodiments disclosed herein enable the execution of an unmodified guest in a para-virtualized computing environment. This is in contrast to prior art systems that require a guest be modified to be capable of executing in a para-virtualized environment, where a hypervisor executes on a computing device, and a modified guest is executed thereon.
With this aim of executing an unmodified guest in a para-virtualized environment, a new architecture is provided that includes a second hypervisor that runs on-top of the para-virtualized hypervisor and operates as an in-between layer for an unmodified guest and the para-virtualized hypervisor executed over the computing device. In one embodiment, the second hypervisor translates for the first hypervisor all privileged instructions, which otherwise could not be executed by the para-virtualized hypervisor and would therefore require the modification of the guest.
The unmodified guest 240 may be, but is not limited to, a commercially available operating system (OS) that was not purposefully designed, programmed, or configured to operate successfully in a para-virtualized environment. The guest may be, for example and without limitation, a Windows-based OS, a Linux-based OS, iOS, and the like. The PVHV 120 enables the operation in a para-virtualized environment with an unmodified guest 240. With this aim, according to the embodiments disclosed herein, an interface hypervisor (IHV) 230 is provided as an interface operative over the PVHV 120.
Operating generally as a hypervisor, the IHV 230 is modified to capture a set of privileged instructions that require execution in Ring 0 (kernel) of the computing device. The set of privileged instructions may be preconfigured with the IHV 230 and additional instructions may be added as needed. For example, a new version release of the IHV 230 may include additional privileged instructions. In one embodiment, the set of instructions is defined based on the type of the PVHV 120, a list of features supported by the PVHV 120, and so on. The IHV 230 may be also configured to bridge the gap to allow compatibility of other software resources of the unmodified guest 240 and the PVHV 120.
A captured instruction is translated to a corresponding instruction that can be executed by the PVHV 120 in Ring 0. Thus, the PVHV 120 executes the privileged instruction on behalf of the unmodified guest. The results of the executed instruction are exported to a guest by, for example, writing the results to the shared memory portion in the memory unit 114. Upon completion of the instruction's execution, the IHV 230 instructs the unmodified guest 240 to read the execution from the shared memory.
It should be noted that by handling the privileged instructions, and as explained herein below with respect of
In S320, it is checked whether the capture system call is for execution of a privileged instruction, and if so execution continues with S340; otherwise, execution continues with S330. As mentioned above, a privileged instruction is an instruction that requires Ring 0 privileges, but the unmodified guest 240 runs with Ring 3 (user) privileges. Thus, running such instructions in Ring 3 causes a process exception.
In S330, the non-privileged instruction is transferred to the PVHV 120 for execution, followed thereafter by S360. Specifically, the PVHV 120, being a hypervisor that manages the execution of the guest's instructions, can safely execute on the hardware the non-privileged instructions.
In S340, the privileged instruction is translated into an instruction executable by the PVHV 120 without causing any disruption to the execution. Specifically, privileged instructions are translated into para-virtualized application program interface (API) calls provided by the PVHV 120. The translation may be realized, for example, through a hash table that maps a captured privileged instruction to a corresponding para-virtualized API call. The mapping may be performed based on the syntax of the privileged instruction.
In S350, the para-virtualized API call (i.e., a translated instruction(s) corresponding to a privileged instruction) is transferred to the PVHV 120 for execution therein. At S355, the execution results of the privileged instruction are exported to the unmodified guest. In S360, it is checked whether additional instructions are to be executed and if so execution continues with S310; otherwise, execution terminates.
An exemplary and non-limiting use of the invention discussed herein is in conjunction with the XEN® hypervisor, used as the PVHP 120. In such an implementation the following exemplary and non-exhaustive translations using para-virtualized APIs occurs as shown in Table 1.
The column “Desired Action” describes an action that the unmodified guest attempts to perform. In the “X86 Instruction(s)” column the respective instruction or instructions for the desired action to be performed by the unmodified guest are shown. The X86 Instruction(s) are executed by the processor of a computing device, thus these instructions if executed by directly by the unmodified guest would trigger an exception by the processor. In the “XEN API” column respective XEN hypervisor API calls for the X86 instructions are shown. The X86 instructions column lists a privileged instruction, while the Xen API column shows a corresponding API call used to handle the case of such privileged instruction. These XEN API calls are implemented by the XEN hypervisor and exported to a guest by means of the shared memory.
It should be noted that one of ordinary skill in the art would readily appreciate that such implementation would not be limited to the XEN hypervisor, and other para-virtualized environments may benefit from the invention. Hence, the mere example should not be viewed as limiting upon the scope of the invention. Specifically, the examples give hreinabove where with respect to a ring domain protection, specifically Ring 3 and Ring 0, however, other user space and kernel space domain protection is possible without departing from the scope of the invention.
The various embodiments disclosed herein may be implemented as hardware, firmware, software, or any combination thereof. Moreover, the software is preferably implemented as an application program tangibly embodied on a program storage unit or computer readable medium consisting of parts, or of certain devices and/or a combination of devices. The application program may be uploaded to, and executed by, a machine comprising any suitable architecture. Preferably, the machine is implemented on a computer platform having hardware such as one or more central processing units (“CPUs”), a memory, and input/output interfaces. The computer platform may also include an operating system and microinstruction code. The various processes and functions described herein may be either part of the microinstruction code or part of the application program, or any combination thereof, which may be executed by a CPU, whether or not such computer or processor is explicitly shown. In addition, various other peripheral units may be connected to the computer platform such as an additional data storage unit and a printing unit. Furthermore, a non-transitory computer readable medium is any computer readable medium except for a transitory propagating signal.
All examples and conditional language recited herein are intended for pedagogical purposes to aid the reader in understanding the principles of the invention and the concepts contributed by the inventor to furthering the art, and are to be construed as being without limitation to such specifically recited examples and conditions. Moreover, all statements herein reciting principles, aspects, and embodiments of the invention, as well as specific examples thereof, are intended to encompass both structural and functional equivalents thereof. Additionally, it is intended that such equivalents include both currently known equivalents as well as equivalents developed in the future, i.e., any elements developed that perform the same function, regardless of structure.
This application claims priority from U.S. provisional application No. 61/567,110 filed Dec. 5, 2011, the contents of which are herein incorporated by reference.
| Number | Date | Country | |
|---|---|---|---|
| 61567110 | Dec 2011 | US |
