> Popek and Goldberg virtualization requirements
The Popek and Goldberg virtualization requirements are a set of sufficient conditions for a computer architecture to efficiently support system virtualization. They were introduced by Gerald J. Popek and Robert P. Goldberg in their 1974 article "Formal Requirements for Virtualizable Third Generation Architectures". Even though the requirements are derived under simplifying assumptions, they still represent a convenient way of determining whether a computer architecture supports efficient virtualization and provide guidelines for the design of virtualizable computer architectures.
System virtual machines are virtual machines capable of virtualizing a full set of hardware resources, including a processor (or processors), memory and storage resources and peripheral devices. A virtual machine monitor (VMM) is the piece of software that provides the abstraction of a virtual machine. There are three properties of interest when analyzing the environment created by a VMM:
- Equivalence: a program running under the VMM should exhibit a behavior essentially identical to that demonstrated when running on the original machine directly.
- Resource control: the VMM must be in complete control of the virtualized resources.
- Efficiency: non-privileged instructions must be executed natively by the hardware, without VMM intervention.
In Popek and Goldberg's terminology, a VMM must present all three properties. In today's terminology, VMMs are typically assumed to satisfy the equivalence and resource control properties. So, in a sense, Popek and Goldberg's VMMs are today's efficient VMMs.
The problem addressed by Popek and Goldberg is then determining the characteristics that the Instruction Set Architecture (ISA) of the original machine must possess in order to allow the creation of VMMs with the above-mentioned properties. Their analysis derives such characteristics for a model of "third generation architectures" (e.g., IBM 360, Honeywell 6000, DEC PDP-10), but is general enough to be naturally extended to current machines. The model includes a processor that can operate either in system or user mode and a linear, uniformly addressable memory. It is assumed that a subset of the instruction set is available only when in system mode and that memory is addressed relative to a relocation register. I/O and interrupts are not modeled.
To derive their virtualization requirements, Popek and Goldberg introduce a classification of the instructions of an ISA into three groups:
- Privileged instructions are those that trap if the processor is in user mode and do not trap if it is in system mode.
- Control sensitive instructions are those that attempt to change the configuration of resources in the system.
- Behavior sensitive instructions are those whose behavior or result depends on the configuration of resources (the content of the relocation register or the processor's mode).
The main result of Popek and Goldberg's analysis can then be expressed as follows.
Theorem 1. For any conventional third generation computer, a VMM may be constructed if the set of sensitive instructions for that computer is a subset of the set of privileged instructions.
Intuitively, the theorem states that to build a VMM it is sufficient that all instructions that could affect the correct functioning of the VMM (sensitive instructions) always trap and pass control to the VMM. This guarantees the resource control property. Non-privileged instructions must instead be executed natively (efficiency). The equivalence property also follows.
A related problem is that of deriving the ISA requirements for recursive virtualization, that is, the conditions under which a VMM that can run on a copy of itself can be built. Popek and Goldberg present the following (sufficient) conditions.
Theorem 2. A conventional third generation computer is recursively virtualizable if i) it is virtualizable and ii) a VMM without any timing dependencies can be constructed for it.
Handling critical instructions
The conditions for ISA virtualization expressed in Theorem 1 are sufficient but not necessary. Indeed, VMMs for non-virtualizable ISAs (in Popek and Goldberg's sense) have routinely been built, at the expense of the efficiency property.
Virtualizing such architectures requires handling critical instructions, i.e., sensitive but unprivileged instructions, correctly. One approach, known as patching, adopts techniques commonly used in dynamic recompilation: critical instructions are discovered at run time and replaced with a trap into the VMM. Various mechanisms, such as the caching of emulation code or hardware assists, have been proposed to make the patching process more efficient. A different approach is paravirtualization, which requires guest operating systems to be modified (ported) before running in the virtual environment.
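As an added illustration of Theorem 1 and of the patching approach above (a constructed example, not from the paper or from any real VMM; the toy ISA, its instruction names and the `VMM` class are invented), the following Python model shows a single critical instruction breaking the equivalence property and the patch restoring it:

```python
# Toy model of a Popek/Goldberg "third generation" machine: a mode bit, a
# relocation register and four invented instructions (constructed example).
SYSTEM, USER = "system", "user"
PRIVILEGED = {"SETRELOC", "GETRELOC"}            # trap when executed in user mode
SENSITIVE = {"SETRELOC", "GETRELOC", "GETMODE"}  # change or read resource configuration

def critical_instructions(sensitive=SENSITIVE, privileged=PRIVILEGED):
    """Theorem 1 check: the ISA is virtualizable iff this set is empty."""
    return sensitive - privileged

class VMM:
    """Trap-and-emulate monitor: keeps the guest's virtual machine state."""
    def __init__(self):
        self.guest_mode, self.guest_reloc = SYSTEM, 0  # guest believes it owns the machine
    def emulate(self, op, arg, out):
        if op == "SETRELOC":
            self.guest_reloc = arg                 # virtual register; real one untouched
        elif op == "GETRELOC":
            out.append(self.guest_reloc)
        elif op == "GETMODE":
            out.append(self.guest_mode)

def execute(program, mode, vmm=None):
    """Run `program` on the toy hardware in `mode`; hardware traps go to `vmm`."""
    reloc, out = 0, []
    for op, arg in program:
        trapped = op == "TRAP" or (op in PRIVILEGED and mode == USER)
        if op == "TRAP":                           # explicit trap inserted by patch()
            op, arg = arg
        if trapped:
            if vmm is None:
                raise RuntimeError(f"{op} trapped in user mode with no VMM installed")
            vmm.emulate(op, arg, out)
        elif op == "SETRELOC":
            reloc = arg
        elif op == "GETRELOC":
            out.append(reloc)
        elif op == "GETMODE":
            out.append(mode)                       # critical: reads the real mode natively
    return out

def patch(program):
    """Patching approach: rewrite every critical instruction into a trap."""
    crit = critical_instructions()
    return [("TRAP", (op, arg)) if op in crit else (op, arg) for op, arg in program]

GUEST = [("SETRELOC", 0x1000), ("GETRELOC", None), ("GETMODE", None)]  # constructed guest
def demo():
    native = execute(GUEST, SYSTEM)               # bare metal reference run
    hosted = execute(GUEST, USER, VMM())          # unmodified guest: GETMODE leaks "user"
    patched = execute(patch(GUEST), USER, VMM())  # patched guest: equivalence restored
    return native, hosted, patched
```

`demo()` returns the three output traces: the unmodified guest under the VMM sees `"user"` where it saw `"system"` on bare metal, while the patched guest matches the native run exactly.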
This section presents some relevant architectures and how they relate to the virtualization requirements.
The PDP-10 architecture has a few instructions which are sensitive (alter or query the processor's mode) but not privileged:
- JSR: jump to subroutine
- JSP: jump and save program counter
- PUSHJ: push down and jump
- JRST: jump and restore
All sensitive instructions in the System/370 are privileged: it satisfies the virtualization requirements.
The IA-32 instruction set contains 17 sensitive, unprivileged instructions. They can be categorized into two groups:
- Sensitive register instructions: read or change sensitive registers and/or memory locations such as a clock register or interrupt registers:
  - SGDT, SIDT, SLDT
  - PUSHF, POPF
- Protection system instructions: reference the storage protection system, memory or address relocation system:
  - LAR, LSL, VERR, VERW
  - CALL, JMP, INT n, RET
The effort needed to support virtualization on the Itanium processor is described in the vBlades paper by Magenheimer and Christian (2000).
- Gerald J. Popek and Robert P. Goldberg (1974). "Formal Requirements for Virtualizable Third Generation Architectures". Communications of the ACM 17 (7): 412–421.
- S. W. Galley (1969). "PDP-10 Virtual machines". Proc. ACM SIGARCH-SIGOPS Workshop on Virtual Computer Systems, 30–34.
- John Scott Robin and Cynthia E. Irvine (2000). "Analysis of the Intel Pentium's Ability to Support a Secure Virtual Machine Monitor". Proc. 9th USENIX Security Symposium.
- Daniel J. Magenheimer and Thomas W. Christian (2000). "vBlades: Optimized Paravirtualization for the Itanium Processor Family". Proc. 3rd Virtual Machine Research & Technology Symposium, 73–82, USENIX.
- Jim Smith and Ravi Nair (2005). Virtual Machines. Morgan Kaufmann. ISBN 1558609105.