🥸Advanced Computer Architecture Unit 11 – Virtualization Support in Architecture

What's Virtualization All About?

• Virtualization enables running multiple virtual machines (VMs) on a single physical machine (host)
• Allows efficient utilization of hardware resources by sharing them among VMs
• Provides isolation between VMs, ensuring one VM's activities do not affect others
• Facilitates easier management and deployment of software environments
  • Simplifies testing, development, and production workflows
• Offers flexibility in terms of operating systems and configurations within each VM
• Enhances scalability by allowing dynamic allocation of resources to VMs based on demand
• Enables cost savings through server consolidation and reduced hardware requirements

Key Concepts in Virtualization

• Hypervisor (Virtual Machine Monitor): Software layer that manages and coordinates VMs
  • Type 1 (Bare-metal): Runs directly on hardware (Xen, VMware ESXi)
  • Type 2 (Hosted): Runs on top of a host operating system (VirtualBox, VMware Workstation)
• Guest OS: Operating system running within a virtual machine
• Host OS: Operating system running on the physical machine hosting the VMs (Type 2 hypervisor)
• Virtual Hardware: Emulated hardware components presented to each VM (CPU, memory, storage, network)
• Resource Allocation: Distribution of physical resources among VMs
  • Includes CPU time, memory, storage, and network bandwidth
• Live Migration: Moving a running VM from one physical host to another without downtime
• Snapshot: Saved state of a VM at a particular point in time, allowing rollback or cloning

Hardware Support for Virtualization

• Intel VT-x and AMD-V: Hardware extensions that facilitate efficient virtualization
  • Introduce new instructions and operating modes for virtualization support
• Extended Page Tables (EPT) and Rapid Virtualization Indexing (RVI): Optimize memory virtualization
  • Reduce hypervisor interventions and improve performance
• I/O Memory Management Unit (IOMMU): Enhances I/O virtualization and device assignment
  • Allows direct assignment of physical devices to VMs
• Single-Root I/O Virtualization (SR-IOV): Enables efficient sharing of PCIe devices among VMs
• Virtual Machine Control Structure (VMCS): Stores VM state and configuration information
  • Used by the hypervisor to manage VM execution
• Virtualization exceptions and intercepts: Mechanisms for trapping sensitive instructions and events
  • Allows the hypervisor to maintain control and enforce isolation

Types of Virtualization

• Full Virtualization: Complete emulation of hardware, allowing unmodified guest OS to run
  • Provides best compatibility but may have performance overhead
• Paravirtualization: Modified guest OS aware of being virtualized, cooperates with hypervisor
  • Offers better performance but requires OS modifications
• Hardware-assisted Virtualization: Utilizes hardware extensions (Intel VT-x, AMD-V) for efficient virtualization
  • Combines benefits of full virtualization and paravirtualization
• Operating System-level Virtualization (Containerization): Virtualizes OS resources rather than hardware
  • Lightweight and fast, but limited to the same OS kernel (Docker, LXC)
• Application Virtualization: Encapsulates an application and its dependencies into a virtual package
  • Allows running applications in isolated environments (Microsoft App-V, VMware ThinApp)

Virtualization Techniques in Modern CPUs

• Hardware-assisted Virtualization: Intel VT-x and AMD-V extensions
  • Introduces new CPU operating modes (root and non-root) for hypervisor and VMs
  • Provides hardware support for VM entry and exit events
• Extended Page Tables (EPT) and Nested Paging: Optimizes memory virtualization
  • Reduces hypervisor interventions for memory management
  • Allows direct mapping of guest physical memory to host physical memory
• VMCS Shadowing: Accelerates nested virtualization (running a hypervisor inside a VM)
  • Provides hardware support for efficient management of nested VMs
• Posted Interrupts: Optimizes interrupt handling in virtualized environments
  • Allows direct delivery of interrupts to VMs without hypervisor intervention
• Virtualization exceptions: Traps sensitive instructions and events for hypervisor handling
  • Enables the hypervisor to maintain control and enforce isolation between VMs

Performance Impacts and Optimizations

• Overhead: Virtualization introduces performance overhead due to additional layers of abstraction
  • Includes CPU, memory, I/O, and context switching overhead
• Paravirtualized Drivers: Optimize I/O performance by using virtualization-aware drivers
  • Reduces hypervisor interventions for I/O operations (virtio, VMware Tools)
• Ballooning: Dynamically adjusts VM memory allocation based on actual usage
  • Allows efficient utilization of physical memory among VMs
• Transparent Page Sharing (TPS): Deduplicates identical memory pages across VMs
  • Reduces memory footprint and improves memory utilization
• CPU Pinning: Assigns VMs to specific physical CPU cores
  • Enhances performance by reducing CPU contention and cache misses
• NUMA Awareness: Optimizes VM placement based on Non-Uniform Memory Access (NUMA) architecture
  • Minimizes memory access latency and improves performance

Security Considerations in Virtualized Systems

• Hypervisor Security: Ensuring the integrity and isolation of the hypervisor is crucial
  • Vulnerabilities in the hypervisor can compromise all VMs
• VM Escape: Exploit that allows an attacker to break out of a VM and access the host or other VMs
  • Mitigated through proper hypervisor design and security best practices
• VM Isolation: Maintaining strict isolation between VMs to prevent unauthorized access
  • Achieved through hardware support (EPT, IOMMU) and secure hypervisor design
• Secure Boot: Ensures the integrity of the hypervisor and VM boot process
  • Prevents tampering and unauthorized modifications
• Virtual Machine Introspection (VMI): Monitoring and analyzing VM behavior from the hypervisor level
  • Enables detection of malware and anomalous activities within VMs
• Network Security: Securing virtual networks and inter-VM communication
  • Includes virtual switches, VLANs, and firewalls

Real-World Applications and Case Studies

• Cloud Computing: Virtualization is a key enabler of cloud computing platforms (Amazon EC2, Microsoft Azure)
  • Allows elastic scaling, resource pooling, and multi-tenancy
• Server Consolidation: Reducing the number of physical servers by running multiple VMs on each host
  • Improves resource utilization and reduces hardware costs
• DevOps and Testing: Using VMs for development, testing, and continuous integration/deployment (CI/CD) pipelines
  • Provides isolated and reproducible environments for each stage
• Disaster Recovery and High Availability: Leveraging VM replication and live migration for business continuity
  • Enables quick recovery from hardware failures and minimizes downtime
• Desktop Virtualization: Delivering virtual desktops to users from a centralized infrastructure (VDI)
  • Simplifies management, security, and deployment of desktop environments
• Edge Computing: Running virtualized workloads on edge devices for low-latency processing
  • Enables IoT, AR/VR, and real-time applications