Virtuozity

Link: http://communities.vmware.com/servlet/JiveServlet/download/1118727-16763/VMware%20Enterprise%20Administration%20Exam%20study%20guide%203.pdf

Peter van den Bosch released a very fine summary of all topics that are mentioned in the official VCDX blueprint. If you are serious about taking the exam, you should read it to make sure you are prepared. I had some problems printing the PDF (especially page 18), but this could be a driver problem of my printer. Good luck with your exam!

Hardware vendors quickly embraced virtualization technology as they found a new market for their products. Popular CPU-based implementations are "Intel VT-x" and "AMD-V". This architecture is called "Hardware Assisted Virtualization" and since it is hardware-integrated, the VMM can run even under Ring-0 with "Root Level Privileges".

Besides the traditional Kernel and User Mode, there is an additional mode called "Guest Mode" where VMs are run in. Unprivileged applications have direct access the hardware, while privileged instructions are excepted and handled by the Hypervisor. The goal is the avoidance of rewriting instructions as you know it from binary translation.

Today I will take a look at "Paravirtualization". This technology is used in popular products like Xen and Parallels Virtuozzo. In Paravirtualization non-virtualizable instructions are replaced by so-called "Hypercalls". The Hypervisor itself is a kernel-modified OS with an inserted virtualization layer for translation. Just like binary translation direct unprivileged user mode access is possible. It is important to understand that the Host OS is the first VM started on the Hypervisor. This VM is referred to as a privileged guest (Dom0 in Xen) and has access to the drivers to access the underlying hardware.

Paravirtualization is much more flexible as far as hardware is concerned, because standard OS drivers can be applied. This means that a Para-Hypervisor can be extraordinary small, because it does not need to contain any hardware driver support.

Speaking of drivers: The unprivileged guests have frontend drivers which communicate with the backend driver of the privileged guest. This pro driver argument also is the downside of this architecture, since this virtualization approach is set to it's original OS. This means that you can only host Windows VMs on a Windows Host, Linux VMs on a Linux Host, and so on... The portability of the guests is also limited.

Since Paravirtualization is a major trend in the industry, VMware claims that they also used some these technology aspects in their VMware Tools on the VMs, of course without modifiying the OS kernel.

As I explained in Part 1 of this series there are some major drawbacks in the x86 architecture, especially when it comes to virtualization. VMware does the trick by using binary translation or how they call it: "Full Virtualization with Binary Translation". So, what's the deal with it?

To put it in a nutshell the VMware-Hypervisor rewrites problematical instructions for the VM in a way which should have the same effect on the VM compared to a traditional hardware-based system. So the application will probably get the same result. Sounds like emulation to you? Well, you are right. In fact, I/O and memory is emulated for the VM. The applications get partial direct access to the CPU to speed things up, e.g. non-privileged instructions in User-Mode. The guest OS works on Ring-1 and communicates with the underlying hardware via the "Virtual Machine Manager (VMM)" which works on Ring-0.

The good thing on Binary Translation is that you do not need to modify the guest OS itself, because the guest is not aware that is it virtualized. Also, from a security point of view binary translation delivers because of the high level of isolation of the VM and the independence of each system. On the other hand the Hypervisor will only run on supported hardware. Performance can also be a problem when things get a little bit "too emulated" on your VM. At least, now you know why.

Why did it take so long for virtualization technology to evolve on the x86 architecture? The problem is the architecture itself, as I will explain in a moment. For a long time x86 virtualization was actually thought to be impossible. The OS works in the so-called Ring-0, often better known as the "Kernel-Space", while the applications use Ring-3, mostly referred to as "User-Space".

What you have to do, is to separate the OS from the hardware. But there is more to it, since there are known privileged instructions and some sensitive instructions which deliver different results depending on the Ring they are executed in. Some of these are able to change the CPU state and have to be run in Kernel-Space, an execution in User-Space has to result in an exception. This is where the problem starts, because classic x86 CPU's are not able to except all kinds of instructions. The solution could be to except all instructions and emulate them in a proper way. But is this really the way to do it?

At this moment there are three major virtualization solutions in the industry which deal with these problems in different ways:

• Binary Translation
• Paravirtualization
• Hardware Assisted Virtualization

I encourage you to look into my future postings to learn more about these virtualization technologies.