© 2012 vmware inc. all rights reserved arm core virtualization prashanth bungale, sr. member of...

© 2012 VMware Inc. All rights reserved

ARM Core VirtualizationPrashanth Bungale, Sr. Member of Technical Staff, Mobile Virtualization

January 23rd 2012

Sponsored by MIT and VMware Academic Programs

VMware: www.vmware.com

VMware Labs: labs.vmware.com

2 Copyright ® VMware, Inc. All Rights Reserved.

Agenda

Mobile Virtualization and BYOD Use Case

Overview of ARM CPU State

ARM Instruction Set Virtualization

ARM MMU Virtualization

Comparison of x86 vs. ARM Virtualizability


CORPORATE

MVP – Manage Corporate Phone on Employee Owned Device

PERSONAL

♬

One Device – Two Phones


Benefits

For enterprises

• Safely support wide diversity of mobile phones accessing corporate assets

• Enforce security and compliance policies

• Reduce device expenses by supporting “bring your own device program”

• Manage Mobile and Desktop from a single interface

• Write corporate applications once and make them portable to multiple platforms

For employees

• No need to carry two devices anymore

• Have freedom of choice in terms of device they can use for work

5

ARM

Predominant architecture in mobile phone world

Over 15 billion chips shipped to date

Over 10 million chips shipped every day

Looking to enter the server/datacenter market in future

5

6

ARM CPU State

Coprocessor Registers

Copyright ® VMware, Inc. All Rights Reserved.

7

CPSR: Current Program Status Register

N Z C V QIT

[1:0]J Reserved GE[3:0] IT[7:2] E A I F T M[4:0]

Current Processor ModeInterrupt

Masks

ISETSTATE

ITSTATE

ENDIANSTATEE

Execution State Registers:

Privileged-only Access Registers

Condition Flags

Execution State Registers


8

Dealing with Sensitive Instructions

• Interpretation / Full Emulation

• Binary Translation

• Para-Virtualization

• Shallow Para-Virtualization: replace sensitive instructions

• Deep Para-Virtualization: replace sensitive subsystems

• Binary Patching / Pre-Virtualization

• Hardware Assisted Virtualization

8Copyright ® VMware, Inc. All Rights Reserved.

9

Lightweight Para Virtualization: 1-1 Hypercalls

Replace sensitive instructions with 1-1 Hypercalls

• Use trap instruction to issue hypercall

• Encode hypercall type & original instruction bits in hypercall hint

• Example:

Trap and Emulate Semantics

• Upon trapping into the monitor, decode the hypercall type and the original instruction bits, and emulate instruction semantics

mrs r8, cpsr swi 0x088000

mrs Rd, R <cpsr/spsr>


10

MMU Virtualization

Shadow PT

• Intercept guest MMU events of interest

• Data/Prefetch Aborts, TTBR deltas, PT deltas, TLB ops

• Maintain (lazily) VMM-controlled, trusted shadow PT

Para-Virtualized trusted guest PT

• Highly intrusive to guest MMU software

Hardware virtualization support

• Nested / 2-stage Page Tables: VA->PA; PA->MA


11

Privilege Levels & Access Permissions

Guest always executes in machine User mode

• Protect monitor/host from guest

• Avoid virtualization holes

How to protect guest privileged from guest user? 6 distinct guest access permissions

{PNA-UNA, PRW-UNA, PRW-URO, PRW-URW, PRO-UNA, PRO-URO}

Only 3 shadow access permission equivalence classes

{{PNA-UNA, PRW-UNA, PRO-UNA}, {PRW-URO, PRO-URO}, {PRW-URW}}

{{P**-UNA}, {P**-URO}, {P**-URW}}

No injective mapping possible!


12

Dual Shadow Page Tables

Use two shadow page tables for each guest page table

• Privileged/User shadow PTs

• Switch on privilege mode switches

Guest AP Priv. Shadow AP User Shadow AP

PNA-UNA P**-UNA P**-UNA

PRW-UNA P**-URW P**-UNA

PRW-URO P**-URW P**-URO

PRW-URW P**-URW P**-URW

PRO-UNA P**-URO P**-UNA

PRO-URO P**-URO P**-URO


13

{User, Priv} Shadows

Guest page table

Shadow User page table

Shadow Priv. page table


14

Comparison of ARM vs. x86 Virtualizability

Sensitive Instructions

[3] John Scott Robin and Cynthia Irvine, Analysis of the Intel Pentium’s Ability to Support a Secure Virtual Machine Monitor, USENIX Security Symposium, 2000.

Type of Sensitive Instructions

Violating Goldberg’s

Requirement #

X86 [3] ARM

Sensitive Register Access

3B SGDT, SIDT, SLDT, SMSW, PUSHF/POPF

-

Protection System References

3C LAR, LSL, VERR, VERW, PUSH/POP, CALL, JMP, INT n, RET, STR, MOVE

LDM/STM (user regs), LDRT/STRT (“As User”)

Both 3B & 3C - MRS, MSR, CPS, SRS, RFE, DPSPC,

LDM (exc. return)


15


Ring compression – protection mechanisms

• x86: Segmentation + Paging

• ARM: Paging (+ domains?)

Instruction execution vs. Data Read/Write protection

• x86: CS for instruction fetch vs. DS/other for data access

• ARM: No explicit distinction b/w execute and read protection

Cache architecture

• x86: Largely transparent; PIPT across all versions

• ARM: Exposes a lot of the cache architecture; VIVT/VIPT/PIPT


16


Instruction size

• x86: Variable

• ARM: Fixed -> enables in-place patching mechanisms

I/O

• x86: I/O instructions + memory-mapped I/O

• ARM: Only memory-mapped I/O



Thank You!

18

Next in IAP VMware Mobile Virtualization series…

Mobile I/O virtualization

• Mobile VMs interact with virtual I/O devices

• E.g. touchscreen, display, storage, GPS, Bluetooth, WiFi, GSM, GPU, cameras, accelerometers, audio, keyboard, etc.

• Explore I/O virtualization techniques with a mobile focus

Application-level virtualization

• Deprivileged hypervisor design and implementation

• Distribute a hypervisor via a mobile app store

Programming exercise

• Based on today’s talk and the concepts from application-level virt.

• Complete the exercise, enter a draw for exciting prize (iPad!)

© 2012 vmware inc. all rights reserved arm core virtualization prashanth bungale, sr. member of...

Documents

virtualization holes

r copyright vmware

agenda mobile virtualization

vmware labs

phones slide

arm virtualizability

work slide

guest user