Enabling Intel® Virtualization Technology Features and ...

1 WHITE PAPERI ntel VirtualizationTechnology Enterprise ServerEnabling intel Virtualization TechnologyFeatures and Benefits Maximizing the benefits of Virtualization with intel s new CPUs and chipsetsEXECUTIVE SUMMARYA lthough Virtualization has been accepted in most data centers, some users havenot yet taken advantage of all the Virtualization Features available to them. Thiswhite paper describes the Features available in intel Virtualization Technology ( intel VT) that work with intel s new CPUs and chipsets, showing how they canbenefit the end user and how to enable them. intel Virtualization TechnologyFeature Brief and Usage ModelIntel VT combines with software-basedvirtualization solutions to provide maximumsystem utilization by consolidating multipleenvironments into a single server or abstracting the software away from theunderlying hardware, a world of new usagemodels opens up that can reduce costs,increase management efficiency, andstrengthen security all while making yourcomputing infrastructure more resilient inthe event of a the last four years, intel has intro-duced several new Features to intel VT.

2 Mostof these Features are well known, but othersmay not be. This paper describes key Features of intel VT,how they fit into intel s platforms, and how tomaximize their VT CPU-Based FeaturesThe x86 processor architecture did not orig-inally meet the Formal Requirements forVirtualizable Third-Generation Architectures,a specification for Virtualization created in1974 by Gerald J. Popek and Robert Thus, developers found it difficultto implement a virtual machine platform onthe x86 architecture without significantoverhead on the host machine. In 2005 and 2006, intel and AMD, workingindependently, each resolved this by creat-ing new processor extensions to the x86architecture. Although the actual implemen-tation of processor extensions differsbetween AMD and intel , both achieve thesame goal of allowing a virtual machinehypervisor to run an unmodified operatingsystem without incurring significant emula-tion performance VT is intel s hardware Virtualization forthe x86 architecture that helps consolidatemultiple environments into a single server,workstation, or PC so that you need fewersystems to complete the same tasks.

3 The sections that follow explain some ofthe key CPU-based Features of intel VT FlexPriorityIntel VT FlexPriority is a processor exten-sion that optimizes Virtualization softwareefficiency by improving interrupt Righini intel enable intel VT FlexPriority, you enableIntel VT extensions. Like most hardwarefeatures, intel VT FlexPriority must beenabled by the hypervisor or virtualmachine monitor (VMM), which allows mul-tiple operating systems to run concurrentlyon a host computer. intel VT FlexPriority eliminates most VMexits due to guest task priority registers(TPR) access. This reduces the virtualiza-tion overhead and improves I/O through-put. Table 1 lists which intel CPUs haveIntel VT FlexPriority; Table 2 maps IntelVT Features to CPUs. Figure 1 shows thereduction of EXITs and also looks at theI/O throughput measured (best-casescenario).

4 intel VT FlexMigrationIntel VT FlexMigration is a feature of IntelVirtualization Technology that enables youto build one compatible Virtualization pool andconduct live virtual machine (VM) migrationacross all intel Core microarchitecture-basedservers. It gives you the power to choose theright server platform to best optimize per-formance, cost, power, and reliability. Combined with support from a virtualizationsoftware provider, this feature allows IT tomaximize flexibility by providing the abilityto build a single live migration compatibilitypool with multiple generations of intel Xeonprocessor-based servers. For details on intel VT FlexMigration, Processor IDs (VPID)Traditionally, every time a hypervisorswitched execution between different VMs,the VM and its data structure had to beflushed out of the transition look-asidebuffers (TLB) associated with the CPUcaches, since the hypervisor had no informa-tion on which cache line was associated withany particular VM.

5 With virtual processor IDs (VPID), a VM IDtag in the CPU hardware structures ( ,TLB) associates cache lines with each VMactively running on the CPU. This permitsthe CPU to flush only the cache linesassociated with a particular VM when itis flushed from the CPU, avoiding the need to reload cache lines for a VM thatwas not migrated and resulting in loweroverhead. Enabling intel Virtualization Technology Features and Benefits2 Table 1. intel Processors with intel VT FlexPriorityIntel Enhanced vmotion * ExampleMicroarchitectureCompatibility (EVC) Setting45nm intel Core intel Xeon processor (45nm) intel Xeon processor processor familyIntel Core 2 processor5400 or 7400 series Next-generation intel intel Xeon processor intel Xeon processor microarchitectureIntel Core i7 processor (45nm)5500 or 7500 seriesIntel Xeon processor intel Xeon processor intel Xeon processor 5600 seriesIntel Core i7 processor (32nm )5600 seriesTable 2.

6 intel Virtualization Technology Feature and CPU Mapping intel Xeon Processor 7400 7500/ 5500 5600 3300/ 3400 Series 6500 Series Series 3100 SeriesSeriesSeriesVT-x Base intel VT FlexPriority intel VT FlexMigration Extended Page Tables (EPT)Virtual Processor ID (VPID)Guest Preemption TimerDescriptor-Table ExitingPause-Loop Exiting TXT Real Mode Support VPID is available on all new intel Xeon processorsstarting with the 5500, 5600, and 7500 Preemption Timer The Guest Preemption Timer is a mecha-nism that enables a VMM to preempt theexecution of a guest by VMM, the timer causesthe VM to exit when the timer expires. Ithas no impact on interrupt intel Virtualization Technology Features and BenefitsThis feature helps VMM vendors fulfill flexi-bility and quality of service guarantees.

7 Itcan help when you need to switch tasks orallocate a certain amount of CPU power to atask. For telecom and networking applica-tions, it makes Virtualization a useful tool and possibly a must-have Table ExitingThis feature allows a VMM to protect aguest OS from internal attack by preventingrelocation of key system data ExitingThis feature is a hardware assist to enabledetection of spin locks in guest softwareand avoid lock-holder preemption. It helps toreduce overhead and improve performance. Real Mode SupportThis feature allows guests to operate inreal mode, removing the performanceoverhead and complexity of an emulator. Uses include: Early VMM load Guest boot and resumehardware Features built into the CPU andchipset. This hardware-based security pro-vides a foundation on which trusted plat-form solutions can be built to protect theplatform from software-based attacks.

8 Figure 3 shows how intel TXT of intel TXT include: Verified intel TXT hardware-based chain of trustenables launch of MLE into a known,expected state. Changes to MLE can be detected via hash-basedmeasurements. Protected Configuration. intel TXThardware protects the launched con-figurations from malicious software,maintaining the integrity of themeasured launched environment sidentity. Secret TXT hardware removes residual data at improper MLE shut-down, protect-ing data from memory snooping Page Table (EPT)Typical intel architecture 32-page tables(referenced by control register CR3) trans-late from linear addresses to guest-physicaladdresses. With the Extended Page Table(EPT) feature, a separate set of page tables(EPTs) translate from guest-physicaladdresses to host-physical addresses thatare used to access memory.

9 As a result, theguest OS can be allowed to modify its ownpage tables and directly handle page faults. This allows a VMM to avoid the VM exitsassociated with page-table Virtualization ,which is a major source of virtualizationoverhead without EPT. Figure 2 shows how the EPT Trusted Execution TechnologyIntel Trusted Execution Technology ( intel TXT) provides a hardware-based securityfoundation on which to build and maintaina chain of trust to protect the platformfrom software-based goal of intel TXT is to provide an accu-rate measurement, at launch, of the meas-ured launch environment (MLE) through the3 Figure ofEXITs with intel VTFlexPriorityWithout intel VT FlexPriorityWith intel VT FlexPriorityFigure 2 Extended Page TableEnabling intel Virtualization Technology Features and Benefits4 intel VT-d is a feature integrated into thechipset and therefore not related to the intel VT-d and hypervisors supporting it,any VM running on top of a VMM was seeingemulated, or para-virtualized, devices.

10 Figure 4shows how intel VT-d matter what type of hardware was physical-ly present in the server, the VM itself sees a vir-tualized device. So, for example, on VMwarevSphere*, you would typically see a VMXnet*network card instead of the real network inter-face card (NIC) installed on the has both pros and cons: Pros:This hides any type of changebetween the hardware vendors andmakes it possible for VMs to migrateeasily. Cons:Performance takes a hit. This istrue even if the emulated device isbased on a para-virtualized or synthet-ic driver, either in terms of CPU utiliza-tion, bandwidth, or VT for Directed I/O ( intel VT-d) In computing, an input/output memory man-agement unit (IOMMU) is a memory manage-ment unit (MMU) that connects a digitalmedia adapter (DMA)-capable I/O bus to themain memory. Like a traditional MMU, whichtranslates CPU-visible virtual addresses tophysical addresses, the IOMMU takes care ofmapping device-visible virtual addresses(also called device addresses or I/O address-es in this context) to physical units also provide memory protectionfrom misbehaving 3.