Sensitive instructions vs. privileged instructions

Examples:
- Control with popf
- Change CR3
- Change IDT
- Disable interrupts

Problem with popf

Last class: VMX root mode / non-root mode, process vs. vCPU, VMCS, Linux, trap

Great performance for CPU benchmarks (Figure 2, ASPLOS '06, "A Comparison of Software and Hardware Techniques for x86 Virtualization")

- Housekeeping overhead: timer interrupt

Exits determine performance for trap-and-emulate hypervisors:

| Microarchitecture | Launch date | VMM round-trip cycles | Syscall round-trip cycles |
|-------------------|-------------|-----------------------|---------------------------|
| Nehalem           | 2009        | 1009                  | 138                       |
| Sandy Bridge      | 2011        | 784                   | 134                       |

VMM emulates the IF bit.

Solution: avoid exits as much as possible!

Example: guest running popf frequently.

Dealing with popf: shadow EFLAGS register in the VMCB.
- VMM does not deliver interrupts if the shadow EFLAGS.IF is disabled.
- Guest popf writes the shadow EFLAGS.
=> popf no longer traps!



Guest process, guest OS: actually the VMM owns the memory.

Idea 1: Interpretive execution
- A store to address xx becomes mem[xx] = A: the virtual address indexes an array owned by the interpreter.
- ✓ Isolation
- ✗ Performance
- ✓ Transparency, e.g. IBM System/370 SIE instruction (Start Interpretive Execution)

Idea 2: Reuse paging hardware
- Shadow page table: map directly from GVA -> HPA.
- Most memory ops (LD/ST) run at native speed.



- Now guest OS can boot.
- Initially, address translation is disabled on real hardware.
- CR0 bit 31 can enable/disable paging.

Guest OS tries to disable paging -> trap -> VMM emulates it (changes the page table).
- Guest "thinks" it has disabled paging.
- Reading CR0.31 shall trap and return false (shadow register).
- But address translation is active; addresses are treated as GPA.

Guest prepares its page table (PDE, PTE; entries hold GPAs).
- Guest changes CR3 -> trap to VMM; the guest CR3 holds the GPA of the top-level table.
- VMM builds a shadow page table (PDE, PTE; entries hold HPAs) and points the real CR3 at its HPA.
- GPA -> HPA mapping table, called pmap.







Transparency: if the guest reads CR3, it is emulated by the VMM; 0x1000 is kept in the shadow CR3.

Performance: directly use the MMU once the shadow page table is set up.

Safety / Isolation: the guest can't directly touch the shadow page table. 0x12000, 0x23000 are not in the guest's address space.





Memory tracing
- Trace writes: mark R/O.
- Trace reads/writes: mark not present.
- Another use: memory-mapped I/O.

Memory / performance optimizations
- Need 1 shadow page table per guest page table.
- VMM deletes a shadow page table, or rebuilds it when CR3 is updated back to 0x1000.

Hidden page fault (transparent to guest)
1. Move the 0xE000 page to disk. Set "Not Present" in the shadow page table.
2. LD 0x5123 -> page fault. Bring the page from disk to 0xF000. Update all shadow page tables pointing to 0xE000.
   (a) Maintain backward mappings in pmap.
3. Move 0xA000 to disk. When the guest OS tries to update its page table -> page fault. Bring the page to 0xC000. Update the GPA -> HPA mapping: 0x7000 -> 0xC000.

Summary:
(1) Trap on mov CR3
(2) Copy PT to shadow PT
(3) Give shadow PT directly to h/w for address translation
(4) Memory tracing for maintaining consistency
(5) Page faults, hidden page faults -> mappings
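A toy model of steps (1)-(5), added here as an example (not from the lecture notes): single-level guest page tables (GVA -> GPA), a pmap (GPA -> HPA), shadow tables keyed by guest CR3, and a backward map used to fix every shadow PTE when a hidden page fault brings a page back into a different frame. All addresses and the class are constructed for illustration.

```python
PAGE = 0x1000  # 4 KiB pages; every table here is one level, keyed by page-aligned addresses

class ShadowVMM:
    def __init__(self, pmap, free_frames):
        self.pmap = dict(pmap)         # GPA page -> HPA page (None = page is on disk)
        self.free = list(free_frames)  # host frames available when paging back in
        self.shadows = {}              # guest CR3 -> {GVA page: [GPA page, HPA page or None]}
        self.backmap = {}              # GPA page -> {(guest_cr3, gva_page)} shadow PTEs mapping it
        self.hidden_faults = 0

    def mov_cr3(self, guest_cr3, guest_pt):
        """Steps (1)-(2): mov CR3 traps; copy the guest PT (GVA -> GPA) into a shadow PT (GVA -> HPA)."""
        shadow = {}
        for gva, gpa in guest_pt.items():
            shadow[gva] = [gpa, self.pmap[gpa]]
            self.backmap.setdefault(gpa, set()).add((guest_cr3, gva))  # backward mapping
        self.shadows[guest_cr3] = shadow
        return {gva: hpa for gva, (_, hpa) in shadow.items()}         # what the real CR3 points at

    def translate(self, guest_cr3, gva):
        """Step (3): the MMU walks the shadow PT; a Not Present entry is a hidden page fault."""
        page, offset = gva & ~(PAGE - 1), gva & (PAGE - 1)
        gpa, hpa = self.shadows[guest_cr3][page]
        if hpa is None:                # step (5): the fault goes to the VMM, the guest never sees it
            self.hidden_faults += 1
            hpa = self.page_in(gpa)
        return hpa | offset

    def swap_out(self, gpa):           # VMM evicts a guest page: free the frame, mark it Not Present
        self.free.append(self.pmap[gpa])
        self._remap(gpa, None)

    def page_in(self, gpa):            # bring the page back into a (possibly different) frame
        hpa = self.free.pop(0)
        self._remap(gpa, hpa)
        return hpa

    def _remap(self, gpa, hpa):
        """Step (4) consistency: update pmap, then follow the backmap to each shadow PTE."""
        self.pmap[gpa] = hpa
        for cr3, gva in self.backmap.get(gpa, ()):
            self.shadows[cr3][gva][1] = hpa

def demo():
    """Constructed scenario: guest PT at 0x1000 maps GVA 0x5000 -> GPA 0x7000, pmap puts it at 0xE000."""
    vmm = ShadowVMM(pmap={0x7000: 0xE000}, free_frames=[0xF000])
    vmm.mov_cr3(0x1000, {0x5000: 0x7000})
    before = vmm.translate(0x1000, 0x5123)  # 0xE123, no fault
    vmm.swap_out(0x7000)                    # 0xE000 page goes to disk, shadow PTE Not Present
    after = vmm.translate(0x1000, 0x5123)   # hidden fault; page comes back at 0xF000 -> 0xF123
    return before, after, vmm.hidden_faults
```

Two guest address spaces that share a GPA page are both repaired by one `_remap` call, which is why the backward map is needed.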

- Transparency ✓ / Isolation ✓
- Performance: native LD/ST in the common case. Overhead on process creation, new PTEs and page faults; additional overhead from hidden page faults.
- Resource utilization: maintain a copy of the page table for every guest virtual address space.