The guest OS will begin by probing for hardware
devices.
What should the hypervisor do?
One approach: respond with a list of the actual
hardware devices.
Guest OS attempts to write to the device registers will
then trap (they are sensitive instructions), and the
hypervisor can do whatever is needed, perhaps simply
performing the write on the real registers.
But the hypervisor can also "fake" devices: pretend to
have an old device when a fancy new one has been
installed. This allows device upgrades to be invisible
to the guests.
I/O MMUs
The problem: DMA. A device doing DMA accesses memory
directly, with no MMU in the path, so the addresses it
uses must be re-mapped for VMs.
I/O MMU (memory management unit): virtualizes
I/O the same way an MMU virtualizes memory.
The I/O MMU eliminates the DMA problem. It maps the
memory addresses a device uses to real physical addresses,
and it can keep different guests' DMA out of each other's
way.
Device pass through allows both the device and
the guest OS to be unaware that any address translation
may be going on: both think they are directly
addressing the same memory locations. It is useful when
sharing a device between VMs is not feasible.
Device isolation lets a device assigned to a VM
directly access its memory without interfering with
other guests.
Interrupt remapping is necessary so that the
right interrupt goes to the right VM.
A generated interrupt hits the I/O MMU first, which
redirects it to the proper VM with the proper interrupt
vector.
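The following is an added example, not code from these notes or from any real hypervisor: a small Python model of the two I/O MMU jobs just described, DMA remapping with per-guest isolation and interrupt remapping. The PCI addresses, guest names, page numbers and interrupt vectors are constructed for illustration. Each guest's NIC believes its receive buffer is at address 0x1000, the I/O MMU sends each to a different host page, a device reaching outside its own mappings (or a device assigned to nobody) faults before any byte of host memory is written, and an interrupt with no remapping-table entry is blocked rather than delivered to an arbitrary VM.

```python
"""Toy model of an I/O MMU: per-domain DMA remapping plus interrupt remapping.

Added example (not code from these notes or from any real hypervisor). The
PCI addresses, guest names, page numbers and vectors are constructed.
"""
from dataclasses import dataclass, field

PAGE = 4096


class DmaFault(Exception):
    """A device tried to reach memory (or a VM) its domain was not granted."""


@dataclass
class Domain:
    """One guest's I/O address space: device-visible page -> host-physical page."""
    name: str
    pages: dict = field(default_factory=dict)

    def map(self, dev_addr: int, host_addr: int) -> None:
        self.pages[dev_addr // PAGE] = host_addr // PAGE

    def translate(self, dev_addr: int) -> int:
        host_page = self.pages.get(dev_addr // PAGE)
        if host_page is None:
            raise DmaFault(f"{self.name}: {dev_addr:#x} is not mapped")
        return host_page * PAGE + dev_addr % PAGE


class IOMMU:
    def __init__(self, host_pages: int) -> None:
        self.host_mem = bytearray(host_pages * PAGE)
        self.domains: dict[str, Domain] = {}
        self.device_domain: dict[str, str] = {}   # PCI address -> domain name
        self.irt: dict[tuple, tuple] = {}          # (device, msi slot) -> (vm, vector)

    def assign_device(self, dev: str, domain: str) -> None:
        self.domains.setdefault(domain, Domain(domain))
        self.device_domain[dev] = domain

    def _domain_of(self, dev: str) -> Domain:
        # Default deny: a device nobody assigned gets no memory at all.
        if dev not in self.device_domain:
            raise DmaFault(f"{dev}: not assigned to any domain")
        return self.domains[self.device_domain[dev]]

    def _host_ranges(self, dev: str, dev_addr: int, length: int) -> list:
        """Translate every page of a transfer before touching memory, so a
        fault anywhere in the range leaves host memory unchanged."""
        dom = self._domain_of(dev)
        ranges, off = [], 0
        while off < length:
            host = dom.translate(dev_addr + off)
            n = min(length - off, PAGE - host % PAGE)  # stay inside this page
            ranges.append((off, host, n))
            off += n
        return ranges

    def dma_write(self, dev: str, dev_addr: int, data: bytes) -> int:
        """The device writes `data` at its own address; returns the host address used."""
        if not data:
            return self._domain_of(dev).translate(dev_addr)
        ranges = self._host_ranges(dev, dev_addr, len(data))
        for off, host, n in ranges:
            self.host_mem[host:host + n] = data[off:off + n]
        return ranges[0][1]

    def dma_read(self, dev: str, dev_addr: int, length: int) -> bytes:
        out = bytearray()
        for _, host, n in self._host_ranges(dev, dev_addr, length):
            out += self.host_mem[host:host + n]
        return bytes(out)

    def remap_interrupt(self, dev: str, msi_slot: int, vm: str, vector: int) -> None:
        self.irt[(dev, msi_slot)] = (vm, vector)

    def deliver_interrupt(self, dev: str, msi_slot: int) -> tuple:
        """Returns (vm, vector). A device with no table entry may not inject
        an interrupt into any VM."""
        try:
            return self.irt[(dev, msi_slot)]
        except KeyError:
            raise DmaFault(f"{dev}: unmapped interrupt {msi_slot} blocked") from None


def build_demo() -> IOMMU:
    """Two guests, each owning one NIC (constructed PCI addresses)."""
    iommu = IOMMU(host_pages=16)
    iommu.assign_device("0000:02:00.0", "guestA")
    iommu.assign_device("0000:02:00.1", "guestB")
    # Both guests think their receive buffer is at 0x1000 in "their" memory.
    iommu.domains["guestA"].map(0x1000, 0x4000)
    iommu.domains["guestB"].map(0x1000, 0x8000)
    iommu.remap_interrupt("0000:02:00.0", 0, "guestA", 0x31)
    iommu.remap_interrupt("0000:02:00.1", 0, "guestB", 0x31)
    return iommu


if __name__ == "__main__":
    m = build_demo()
    print(hex(m.dma_write("0000:02:00.0", 0x1010, b"from A")))
    print(hex(m.dma_write("0000:02:00.1", 0x1010, b"from B")))
    print(m.deliver_interrupt("0000:02:00.0", 0))
```

Translating the whole transfer before writing anything is the design point worth noticing: a DMA that starts in a mapped page and runs into an unmapped one is rejected in full, so a misbehaving or malicious device cannot partially land data in another guest's memory.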
Device Domains
In this approach, one VM runs a standard OS, and all
I/O calls from other VMs are directed to it.
Type 2 hypervisors have an edge here: the OS upon which
they run can have device drivers for all sorts of
unusual I/O devices (3D printers, virtual reality
setups, smell-o-ramas, etc.)
The authors contend that as virtualization matures, hardware
enhancements will allow guest OSs to access hardware
devices directly in a secure way.
Single Root I/O Virtualization
We often can't directly assign a device to a VM. What
if we have 128 VMs on a server... we would need 128
network cards to directly assign a VM to each!
We can do this in software, but we may not be able to
take advantage of all of a device's advanced features,
because the software has no support for them. (The
tendency will be to support the common features among
various devices first.)
PCIe provides a solution in hardware, known as
Single Root I/O Virtualization (SR-IOV): an SR-IOV
device provides an independent memory space, independent
interrupts, and independent DMA streams to each VM.
PF (Physical Function):
These allow the administrator to configure the device directly,
however they see fit.
VF (Virtual Function):
These provide lightweight functions that trick a VM
into thinking it is the sole owner of some device.
Some device hardware supports this: Intel I350 network
cards have 8 separate send and receive queues, which
provides hardware support for up to 8 VMs that think
this is their own card.
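As an added example (not code from these notes or from the Linux kernel), here is how the PF/VF split above looks from the host's side on Linux. The sysfs attributes sriov_totalvfs, sriov_numvfs and the virtfnN symlinks are the real Linux PCI interface for an SR-IOV physical function; the PF address 0000:03:00.0, the VF addresses 0000:03:10.N and the fake sysfs tree that stands in for the hardware and PF driver are constructed so the example runs without an SR-IOV card or root. The helper enforces the two checks the kernel itself applies: the VF count cannot exceed what the hardware advertises (8 for the I350 case in the notes), and active VFs must be disabled before a different count is set.

```python
"""Create and inspect SR-IOV virtual functions through Linux sysfs.

Added example (not code from these notes or from the Linux kernel). The
attributes sriov_totalvfs, sriov_numvfs and the virtfnN links are the real
Linux PCI interface; the PF address, the VF addresses and the fake sysfs
tree built below are constructed stand-ins for the hardware and PF driver.
"""
import os
import tempfile
from pathlib import Path


def sriov_total_vfs(pf: Path) -> int:
    """VFs the PF can expose; 0 when the device has no SR-IOV capability."""
    attr = pf / "sriov_totalvfs"
    return int(attr.read_text()) if attr.exists() else 0


def sriov_num_vfs(pf: Path) -> int:
    """VFs currently enabled on the PF."""
    return int((pf / "sriov_numvfs").read_text())


def sriov_set_vfs(pf: Path, count: int) -> int:
    """Write sriov_numvfs, mirroring the kernel's rules: count must not exceed
    the hardware limit, and active VFs must be disabled (count 0) before a
    different non-zero count can be set."""
    total = sriov_total_vfs(pf)
    if total == 0:
        raise ValueError(f"{pf.name}: device is not SR-IOV capable")
    if not 0 <= count <= total:
        raise ValueError(f"{pf.name}: {count} VFs requested, hardware supports {total}")
    current = sriov_num_vfs(pf)
    if current and count and current != count:
        raise RuntimeError(f"{pf.name}: {current} VFs active; write 0 first")
    (pf / "sriov_numvfs").write_text(f"{count}\n")
    return count


def sriov_list_vfs(pf: Path) -> list[str]:
    """PCI addresses of the active VFs, from the virtfnN links the PF driver creates."""
    links = sorted(pf.glob("virtfn*"), key=lambda p: int(p.name[len("virtfn"):]))
    return [os.path.basename(os.readlink(link)) for link in links]


# ---- constructed stand-ins for the hardware and the PF driver ----

def make_fake_sysfs(root: Path, pf_bdf: str = "0000:03:00.0", total: int = 8) -> Path:
    """Build a sysfs-shaped directory for one SR-IOV capable PF (constructed)."""
    pf = root / "sys/bus/pci/devices" / pf_bdf
    pf.mkdir(parents=True)
    (pf / "sriov_totalvfs").write_text(f"{total}\n")
    (pf / "sriov_numvfs").write_text("0\n")
    return pf


def fake_pf_driver(pf: Path) -> None:
    """Do what the real PF driver does after sriov_numvfs changes: create or
    remove the VF devices and the virtfnN links (VF addresses constructed)."""
    for link in pf.glob("virtfn*"):
        link.unlink()
    for i in range(sriov_num_vfs(pf)):
        vf_bdf = f"0000:03:10.{i}"
        (pf.parent / vf_bdf).mkdir(exist_ok=True)
        (pf / f"virtfn{i}").symlink_to(Path("..") / vf_bdf)


def demo() -> dict:
    """Enable 4 VFs, then show the two refusals and a clean disable."""
    pf = make_fake_sysfs(Path(tempfile.mkdtemp()))
    sriov_set_vfs(pf, 4)
    fake_pf_driver(pf)
    result = {"pf": pf, "total": sriov_total_vfs(pf), "vfs": sriov_list_vfs(pf)}
    try:
        sriov_set_vfs(pf, 9)
        result["overcommit"] = "accepted"
    except ValueError:
        result["overcommit"] = "refused"
    try:
        sriov_set_vfs(pf, 2)
        result["resize_live"] = "accepted"
    except RuntimeError:
        result["resize_live"] = "refused"
    sriov_set_vfs(pf, 0)
    fake_pf_driver(pf)
    result["after_disable"] = sriov_list_vfs(pf)
    return result


if __name__ == "__main__":
    print(demo())
```

On a real host the PF directory is /sys/bus/pci/devices/<PCI address> and writing sriov_numvfs requires root; each VF listed by sriov_list_vfs is then a separate PCI device that can be handed to one guest through the host's device pass-through mechanism, with the I/O MMU keeping that guest's DMA and interrupts separate from the others.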
Quiz
A device pass through allows
a hacker to directly access a device by bypassing the hypervisor
interrupt remapping
a printer to pass through jobs to another printer
a physical device to be assigned directly to a particular virtual machine
I/O virtualization can be used to
allow access to more memory than the real machine has
trap sensitive instructions
upgrade hardware without having to update the guest OSs