Re: VT guests in kvm

[Anthony Liguori <anthony-rdkfGonbjUSkNkDKm+mE6A@public.gmane.org>]

Barry Silverman wrote:
>>> noone has yet to address.
>>>       
>
> That is surprising - I would have thought the developers would like to debug
> in the VM software in kvm, or in an emulator.
>
>   
>>> The VT instruction set would have to be emulated of course.  
>>>       
>
> Am I wrong in saying that you wouldn't have to completely emulate the VMCS
> operation in software - rather you would have to take the guest's version of
> VM instructions - and execute the guest VM instructions using similar VM
> instructions in the Host?
>
> IE a vmwrite to a guest VMCS would be done with a host vmwrite to the same
> VMCS (you may have to be clever about sharing or mapping the memory
> addresses of the VMCS). The host would have to validate that the VMCS in
> question is legal, and possible modify some arguments.
>   

Since VT only requires you pass the address of the VMCS to vmptrld, you 
actually can probably avoid trapping for vmwrites.  You establish a 
shadowed VMCS with vmptrld, then allow direct vmwrites() to that VMCS.  
You'll have to trap vmlaunch() and use that as an opportunity to fixup 
the VMCS (and physical addresses have to be translated and checked).  
Likewise, on return, you'll have to make sure to translate the VMCS back 
to whatever the guest thinks it ought to be.

I guess there's a few ways to do it.  Really depends on what combination 
gives the best performance.  The neat thing, is that no matter how 
deeply nested you are, performance should be pretty much identical if 
you can emulate hardware shadowing.  Nested shadow paging will probably 
be a bit painful.

> VMlaunch's and vmexits would have to be dispatched to the appropriate guest
> "pseudo root" level. 
>
> Here I am unclear - would it be possible for the root processor (root[0] to
> figure out which level a VMCS is actually running at, and then resume the
> VMCS for the "pseudo-root" process of the guest (which might be many levels
> down?). 
>
> If a guest at level 3 trapped, then Root[0] would need to restore control to
> the VM trap location of root[2].
>   

Recall, traps are always delivered to an EIP that is in the VMCS.  There 
is enough information in the VMCS to allow the host to figure out what 
it needs to do I reckon.

Another option would be to provide a paravirtual interface to VT/SVM.  
That would simplify things a fair bit and probably provide much better 
performance.  Much less interesting though :-)

Regards,

Anthony Liguori

> Barry Silverman
>
> -----Original Message-----
> From: Anthony Liguori [mailto:anthony-rdkfGonbjUSkNkDKm+mE6A@public.gmane.org] 
> Sent: Sunday, February 11, 2007 1:34 PM
> To: Barry Silverman
> Cc: kvm-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
> Subject: Re: [kvm-devel] VT guests in kvm
>
> Barry Silverman wrote:
>   
>> Does KVM support itself as a guest?
>>
>> IE Would the VT instruction set have to be emulated 
>> completely in software, or
>> could the host's VT instructions be used after 
>> suitable KVM modification/validation.
>>   
>>     
>
> Nested hardware virtualization is a very interesting topic that AFAIK 
> noone has yet to address.
>
> The VT instruction set would have to be emulated of course.  It's a bit 
> easier with VT I suspect b/c you can more easily trap things like 
> vmwrite to ensure the guest isn't building a malicious VMCS.
>
> It would incur some overhead in already sensitive places (since 
> vmlaunch/vmresume will trap).  I think it could be done in such a way 
> though that any level of nesting will have a fixed overhead.
>
> An analysis of this would make a pretty interesting paper IMHO.
>
> Regards,
>
> Anthony Liguori
>
>   
>> -------------------------------------------------------------------------
>> Using Tomcat but need to do more? Need to support web services, security?
>> Get stuff done quickly with pre-integrated technology to make your job
>>     
> easier.
>   
>> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
>> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
>> _______________________________________________
>> kvm-devel mailing list
>> kvm-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
>> https://lists.sourceforge.net/lists/listinfo/kvm-devel
>>
>>   
>>     
>
>
>
>
>   


-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642