This document discusses virtualization techniques such as Intel VT and VMX. It explains the ring protection model of x86 CPUs and how virtualization works by having a hypervisor sit at the highest ring/privilege level. Key virtualization concepts covered include VMX root/non-root operation, VMCS data structures, VM exits/entries, and instructions for accessing and modifying VMCS like VMPTRLD, VMPTRST, VMWRITE, VMREAD, VMCLEAR. Memory mapped and port IO virtualization techniques are also summarized.

1. Bitvisor
Tsuyoshi Ozawa
2009 10 7 1

2. • x86
• x86 IO
• Intel-VT
• Intel-VT
2009 10 7 2

3. x86
2009 10 7 3

4. x86
( )
Ring3 = User Mode
Ring2
Ring1
(0 )
Ring0
Kernel Mode OS Ring 0
Ring 3
2009 10 7 4

5. 1.
2.
2009 10 7 5

6. Ring3 Ring0
Ring3
Ring2
Ring1
Ring0
Kernel Mode
User Mode
2009 10 7 6

7. Ring3 Ring0
Ring3
Ring2 out
Ring1
Ring0
Kernel Mode
User Mode
2009 10 7 6

8. Ring3 Ring0
Ring3
Ring2 out
Ring1
Ring0
Kernel Mode
( )
User Mode
2009 10 7 6

9. Ring3 Ring0
Ring3
Ring2
out
Ring1
Ring0
Kernel Mode
User Mode
2009 10 7 7

10. Ring3 Ring0
Ring3
Ring2
out
Ring1
Ring0
Kernel Mode
User Mode
2009 10 7 8

11. x86 IO
2009 10 7 9

12. x86 IO
• Memory Mapped IO
•
• IO Mapped IO
• IO
2009 10 7 10

13. MMIO
Kernel Memory
Mapped IO
mov %eax,(%ebx)
Physical memory
2009 10 7 11

14. MMIO
•
• Datasheet
Intel G35 Express Chipset
http://support.intel.co.jp/design/chipsets/
datashts/317607.htm
2009 10 7 12

15. MMIO
•
• Datasheet
Intel G35 Express Chipset
http://support.intel.co.jp/design/chipsets/
datashts/317607.htm
2009 10 7 12

16. IO mapped IO
Memory
address
space
Kernel
IO
address
space
outw %ax,$0xECDF
Physical memory
2009 10 7 13

17. IO mapped IO
• 0x0000 - 0xFFFF 16
IO
•
0x0000
IO
• IO
address
TSS(Task State Segment) space
0xFFFF
2009 10 7 14

18. Intel-VT
2009 10 7 15

19. Intel-VT
1.
2.( )VM
CPU
2009 10 7 16

20. OS on Hypervisor
1. OS
2.
OS
2009 10 7 17

21. Kernel Kernel
Mode Mode
Hypervisor on Guest OS os CPU
2009 10 7 18

22. Kernel Kernel
Mode Mode
Hypervisor on Guest OS os CPU
2009 10 7 18

23. Kernel Kernel
Mode Mode
Hypervisor on Guest OS os CPU
2009 10 7 18

24. Kernel Kernel
Mode Mode
Hypervisor on Guest OS os CPU
2009 10 7 19

25. Kernel Kernel
Mode Mode
Hypervisor on Guest OS os CPU
2009 10 7 19

26. Kernel Kernel
Mode Mode
Hypervisor on Guest OS os CPU
2009 10 7 19

27. Kernel Kernel
Mode Mode
Hypervisor on Guest OS os CPU
2009 10 7 20

28. Kernel Kernel
Mode Mode
Hypervisor on Guest OS os CPU
2009 10 7 20

29. Kernel Kernel
Mode Mode
Hypervisor on Guest OS os CPU
2009 10 7 20

30. Kernel Kernel
Mode Mode
Hypervisor on Guest OS os CPU
2009 10 7 21

31. Kernel Kernel
Mode Mode
Hypervisor on Guest OS os CPU
2009 10 7 21

32. ?
2009 10 7 22

33. Xen VMWare
Ring3
Ring2
Ring1 = Guest Kerel
Ring0
HyperVisor
OS
2009 10 7 23

34. Xen VMWare
Ring 1 Ring 2 Ring 1
Kernel Kernel
Mode Mode
Hypervirsor on Guest kernel on CPU
2009 10 7 24

35. Intel-VT
2009 10 7 25

36. Intel-VT
Kernel Kernel
Mode Mode
Hypervirsor on Guest kernel on CPU
2009 10 7 26

37. Intel-VT
Guest OS
Kernel Kernel
Mode Mode
Hypervirsor on Guest kernel on CPU
2009 10 7 27

38. Intel-VT
CPU .
Kernel Kernel
Mode Mode
Hypervirsor on Guest kernel on CPU
2009 10 7 28

39. Intel-VT
VMX Root Mode
Kernel Kernel
Mode Mode
Hypervirsor on Guest kernel on CPU
2009 10 7 29

40. VMX Root Mode
VMXON
Kernel .
Mode
A20
VT
Hypervirsor on
2009 10 7 30

41. VMX Root Mode
VMXOFF
Kernel
Mode VT .
VT
Hypervirsor on
2009 10 7 31

42. Intel-VT
VMX non Root Mode
Kernel Kernel
Mode Mode
Hypervirsor on Guest kernel on CPU
2009 10 7 32

43. Intel-VT
VMX non Root Mode
Kernel Kernel
Mode Mode
VMEntry
Hypervirsor on Guest kernel on CPU
2009 10 7 32

44. VMEntry
VMLAUNCH
VMRESUME
VMX non Root Mode
2009 10 7 33

45. VMLAUNCH
VMRESUME
1.
•Host State ( )
2.VMX non Root
( )Host State Intel
2009 10 7 34

46. Host State ?
•
• CR0,CR3,CR4
• DR7
• RSP, RIP
• (CS,SS,DS,ES,FS,GS)
•
(FS,GS,TR,IDTR)
2009 10 7 35

47. Host State
?
• OS OS
• Hypervisor
OS
2009 10 7 36

48. ?
• VMCS(Virtual Machine Control Structure)
• 4KB 0 byte
revison
4 byte
• 4KB VMX-abort indicator
8 byte
VMCS Data
2009 10 7 37

49. VMCS
0 byte
VMCS revison identifier VMCS .
4 byte
VMX-abort indicator CPU VMCS
8 byte
VMCS Data
(
)
2009 10 7 38

50. VMCS
0 byte
VMCS revison identifier
4 byte
VMX-abort indicator
8 byte
abort
VMCS Data abort
2009 10 7 39

51. VMCS
0 byte
VMCS revison identifier
4 byte
VMX-abort indicator
8 byte
VMCS Data
Host State VMCS Data
2009 10 7 40

52. VMCS
Guest
Visible
Area
Kernel Kernel
Memory
Mode Mode
VMCS
Hypervirsor on
2009 10 7 41

53. VMCS
Guest
Visible
Area
Kernel Kernel
Memory
Mode Mode
VMCS
Hypervirsor on
2009 10 7 41

54. •
• RAX,RBX,RCX...
• -
• CR2
• Shadow Paging
• etc..
2009 10 7 42

55. •
• RAX,RBX,RCX...
• -
• CR2
• Shadow Paging
• etc..
(RIP )
2009 10 7 42

56. Intel-VT
VMExit
Kernel Kernel
Mode Mode
Hypervirsor on Guest kernel on CPU
2009 10 7 43

57. VMExit
VMMCALL
+
VMX Root Mode
2009 10 7 44

58. VMExit
1.
•Guest State ( )
2.VMX Root
( )Guest State Intel
2009 10 7 45

59. Guest State ?
1.
• CR0,CR3,CR4
• DR7
• RSP, RIP
• (CS,SS,DS,ES,FS,GS)
2. Active State
• 32bit Active/HLT/Wait for IPI
3. Interruptibility state
• 32bit Active/HLT/Wait for IPI
4. VMCS Link pointer
• .VMCS 2
2009 10 7 46

60. • .
RDTSC ( )
•
2009 10 7 47

61. • .
RDTSC ( )
•
VMCS
2009 10 7 47

62. 0 byte
VMCS revison identifier
4 byte
VMX-abort indicator
8 byte
VMCS Data .
2009 10 7 48

63. VMCS
VMREAD/VMWRITE
mov
VMExit ...
2009 10 7 49

64. VMWRITE
Kernel
Mode Memory
VMCS
Hypervirsor on
2009 10 7 50

65. VMREAD
Kernel
Mode Memory
VMCS
Hypervirsor on
2009 10 7 51

66. VMWRITE/VMREAD
• vmwrite destreg srcreg
• vmread destreg srcreg
2009 10 7 52

67. VMWRITE/VMREAD
• vmwrite destreg srcreg
• vmread destreg srcreg
srcreg
2009 10 7 52

68. srcreg
-encoding-
Bit Posiotion(s) Contents
31:15 Reserved (must be 0)
14:15 Bit Width
12 Reserved (must be 0)
11:10 Type
9:1 Index
0 Access Type(32bit or 64bit?)
• Appendix H.3
2009 10 7 53

69. • IO
•
•
•
0 OS
1 VMEXIT
2009 10 7 54

70. IO
• IO
16bit bitmap
VMCS
• 0x0000 - 0xFFFF
0 OS
1 VMEXIT
2009 10 7 55

71. IO
-encoding-
Bit Posiotion(s) Contents
31:15 Reserved (must be 0)
14:15 Bit Width
12 Reserved (must be 0)
11:10 Type
9:1 Index
0 Access Type(32bit or 64bit?)
• Appendix H.3
2009 10 7 56

72. IO
-encoding-
Bit Posiotion(s) Contents
31:15 Reserved (must be 0)
14:15 Bit Width
12 Reserved (must be 0)
11:10
64 bit access Type
=2
9:1 Index
0 Access Type(32bit or 64bit?)
• Appendix H.3
2009 10 7 56

73. IO
-encoding-
Bit Posiotion(s) Contents
31:15 Reserved (must be 0)
14:15 Bit Width
12 Reserved (must be 0)
11:10 Type
9:1 Index
0 Access Type(32bit or 64bit?)
• Appendix H.3
2009 10 7 57

74. IO
-encoding-
Bit Posiotion(s) Contents
31:15 Reserved (must be 0)
14:15 Bit Width
12 Reserved (must be 0)
11:10
Control = 0 Type
Index = 0
9:1 Index
0 Access Type(32bit or 64bit?)
• Appendix H.3
2009 10 7 57

75. IO
-encoding-
mov $bitmaptr, %rax /* val */
mov $0x0002000, %rdx /* index */
vmwrite %rax,%rdx
2009 10 7 58

76. IO
-encoding-
core/asm.s
core/constants.h
core/vt_init.c
2009 10 7 59

77. 2009 10 7 60

78. VMCS
VMPTRST
Current VMCS
Current VMCS .
2009 10 7 61

79. VMPTRST
Kernel
Mode Memory
VMCS
VMCS
Hypervirsor on
2009 10 7 62

80. Current VMCS
VMPTRLD
Current VMCS
2009 10 7 63

81. VMPTRST
Kernel
Mode Memory
VMCS
Current VMCS
Hypervirsor on
2009 10 7 64

82. VMCLEAR
VMCS
2009 10 7 65

83. VMCLEAR
Kernel
Mode Memory
VMCS
Hypervirsor on
2009 10 7 66

84. Intel
( )
Volume 2B, 3B
2009 10 7 67

85. 2009 10 7 68