System and method to deprivilege components of a virtual machine monitor

US 7,757,231 B2
Filed: 12/10/2004
Issued: 07/13/2010
Est. Priority Date: 12/10/2004
Status: Active Grant

First Claim

Patent Images

1. A computer system to deprivilege components of a virtual machine monitor executing on a computing platform, comprising:

a platform having a plurality of instruction set architecture (ISA) privilege levels, the platform including hardware virtualization support having a plurality of virtual machine (VM) privilege levels, the platform configured to transition among processes running in the VM privilege levels;

a micro-hypervisor portion of a virtual machine monitor (VMM) to run at a highest one of the VM privilege levels on the platform, the highest one of the VM privilege levels being a root level privilege, wherein program execution on the platform is configured to automatically transfer to the micro-hypervisor in response to selected trapped events occurring in a virtual machine associated with the hardware virtualization support; and

at least one service virtual machine (SVM) portion of the VMM to run at a lower VM privilege level than the VM privilege level operated in by the micro-hypervisor, the lower VM privilege level being a non-root level privilege, wherein the micro-hypervisor is to transfer program execution on the platform to the at least one SVM for handling of at least one of the selected trapped event events, and wherein the VMM is to run in different ones of the VM privilege levels independent of the ISA privilege levels.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some embodiments, the invention involves a system to deprivilege components of a virtual machine monitor and enable deprivileged service virtual machines (SVMs) to handle selected trapped events. An embodiment of the invention is a hybrid VMM operating on a platform with hardware virtualization support. The hybrid VMM utilizes features from both hypervisor-based and host-based VMM architectures. In at least one embodiment, the functionality of a traditional VMM is partitioned into a small platform-dependent part called a micro-hypervisor (MH) and one or more platform-independent parts called service virtual machines (SVMs). The micro-hypervisor operates at a higher virtual machine (VM) privilege level than any SVM, while the SVM and other VMs may still have access to any instruction set architecture (ISA) privilege level. Other embodiments are described and claimed.

79 Citations

View as Search Results

21 Claims

1. A computer system to deprivilege components of a virtual machine monitor executing on a computing platform, comprising:
- a platform having a plurality of instruction set architecture (ISA) privilege levels, the platform including hardware virtualization support having a plurality of virtual machine (VM) privilege levels, the platform configured to transition among processes running in the VM privilege levels;
  
  a micro-hypervisor portion of a virtual machine monitor (VMM) to run at a highest one of the VM privilege levels on the platform, the highest one of the VM privilege levels being a root level privilege, wherein program execution on the platform is configured to automatically transfer to the micro-hypervisor in response to selected trapped events occurring in a virtual machine associated with the hardware virtualization support; and
  
  at least one service virtual machine (SVM) portion of the VMM to run at a lower VM privilege level than the VM privilege level operated in by the micro-hypervisor, the lower VM privilege level being a non-root level privilege, wherein the micro-hypervisor is to transfer program execution on the platform to the at least one SVM for handling of at least one of the selected trapped event events, and wherein the VMM is to run in different ones of the VM privilege levels independent of the ISA privilege levels.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system as recited in claim 1, wherein a first operating system running in a first guest virtual machine on the platform runs at a VM privilege level lower than the VM privilege level operated in by the micro-hypervisor.
  - 3. The system as recited in claim 2, wherein a trapped event is caused when guest software running under the first operating system requests a service.
  - 4. The system as recited in claim 3, wherein at least one portion of the first operating system operates at a highest ISA privilege level of the platform.
  - 5. The system as recited in claim 2, further comprising a plurality of additional operating systems, each additional operating system to run in a respective additional virtual machine, the plurality of operating systems to run at a VM privilege level lower than the VM privilege level operated in by the micro-hypervisor.
  - 6. The system as recited in claim 1, wherein the at least one SVM is restricted in access to a selected at least one component.
  - 7. The system as recited in claim 1, where the micro-hypervisor is launched as a driver from a booting operating system.
  - 8. The system as recited in claim 1, wherein the micro-hypervisor resides in system firmware communicatively coupled to the platform.
  - 9. The system as recited in claim 1, wherein the micro-hypervisor is loaded during system boot.
  - 10. The system as recited in claim 1, wherein the at least one SVM provides services for hardware interactions.
  - 11. The system as recited in claim 1, wherein the highest one of the VM privilege levels on the platform is higher than a highest one of the ISA privilege levels on the platform.

12. A method for deprivileging services in a virtual machine monitor (VMM) executing on a computing platform having a plurality of instruction set architecture (ISA) privilege levels, the platform including hardware virtualization support having a plurality of virtual machine (VM) privilege levels, comprising:
- transitioning control, from a micro-hypervisor portion of a VMM executing at a highest one of the VM privilege levels, to a guest virtual machine (VM) in the platform, the guest VM to execute at a lower VM privilege level than the VM privilege level operated in by the micro-hypervisor, wherein the highest one of the VM privilege levels is a root level privilege and the lower VM privilege level is a non-root level privilege;
  
  receiving control by the micro-hypervisor in response to a trapped event occurring in the guest VM;
  
  selecting by the micro-hypervisor one of a plurality of service virtual machines (SVMs) of the VMM to handle the trapped event;
  
  transitioning control to the selected SVM for the trapped event, wherein the SVM is to execute at a lower VM privilege level than the VM privilege level operated in by the micro-hypervisor; and
  
  initiating execution of the selected SVM to service the trapped event;
  
  transitioning back to the micro-hypervisor upon completing service to the trapped event; and
  
  returning control, by the micro-hypervisor, to the guest VM.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The method as recited in claim 12, wherein the selected SVM is a portion of the micro-hypervisor and the trapped event is handled locally by the micro-hypervisor without explicitly transitioning control to a second VM.
  - 14. The method as recited in claim 12, wherein trapping of events is enabled by the hardware virtualization support.
  - 15. The method as recited in claim 12, further comprising, prior to transitioning control to the guest virtual machine, enumerating at least one event type to be trapped in a virtual machine control structure (VMCS), the VMCS comprising a set of controls that specifies for each type of event, whether the event type is to cause a transition to the micro-hypervisor.
  - 16. The method as recited in claim 12, wherein transitioning control among the micro-hypervisor, guest VM and SVM is enabled by the hardware virtualization support.

17. A machine accessible storage medium for deprivileging services in a virtual machine monitor executing on a computing platform having a plurality of instruction set architecture (ISA) privilege levels, the platform including hardware virtualization architecture support having a plurality of virtual machine (VM) privilege levels, the medium having instructions stored thereon that when executed on the platform cause the platform to:
- transition control, from a micro-hypervisor portion of a VMM executing at a highest one of the VM privilege levels, to a guest virtual machine (VM) in the platform, the guest VM to execute at a lower VM privilege level than the VM privilege level operated in by the micro-hypervisor, wherein the highest one of the VM privilege levels is a root level privilege and the lower VM privilege level is a non-root level privilege;
  
  receive control by the micro-hypervisor in response to a trapped event occurring in the guest;
  
  select by the micro-hypervisor one of a plurality of service virtual machines (SVMs) of the VMM to handle the trapped event;
  
  transition control to one-of the selected SVM, wherein the SVM is to execute at a lower VM privilege level than the VM privilege level operated in by the micro-hypervisor; and
  
  initiate execution of the selected SVM to service the trapped event;
  
  transition back to the micro-hypervisor upon completing service to the trapped event; and
  
  return control, by the micro-hypervisor, to the guest VM.
- View Dependent Claims (18, 19, 20)
- - 18. The machine accessible storage medium as recited in claim 17, wherein trapping of events is enabled by the hardware virtualization support.
  - 19. The machine accessible storage medium as recited in claim 17, further comprising instructions that when accessed cause the machine to, prior to transitioning control to the guest virtual machine, enumerate at least one event type to be trapped in a virtual machine control structure (VMCS), the VMCS comprising a set of controls that specifies for each type of event, whether the event type is to cause a transition to the micro-hypervisor.
  - 20. The machine accessible storage medium as recited in claim 17, wherein transitioning control among the micro-hypervisor, guest VM and SVM is enabled by the hardware virtualization support.

21. A computer system to deprivilege components of a virtual machine monitor executing on a computing platform, comprising:
- a platform having a plurality of instruction set architecture (ISA) privilege levels, the platform including hardware virtualization support having a plurality of virtual machine (VM) privilege levels, the platform configured to transition among a first process and a second process running in the VM privilege levels;
  
  a micro-hypervisor portion of a virtual machine monitor (VMM) to run at a highest one of the VM privilege levels on the platform, the highest one of the VM privilege levels being a root level privilege, wherein program execution on the platform is to automatically transfer to the micro-hypervisor in response to selected trapped events occurring in a virtual machine associated with the hardware virtualization support; and
  
  at least one service virtual machine (SVM) portion of the VMM to run at a lower VM privilege level than the VM privilege level operated in by the micro-hypervisor, the lower VM privilege level being a non-root level privilege, wherein the micro-hypervisor is to transfer program execution on the platform to the at least one SVM for handling of at least one of the selected trapped events, and wherein a highest one of the VM privilege levels is higher than a highest one of the ISA privilege levels.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Cota-Robles, Erik, Schoenberg, Sebastian, Anderson, Andrew V., Neiger, Gilbert, Bennett, Steven M., Zimmer, Vincent J., Rothman, Michael A., Kägi, Alain, Uhlig, Richard, Jeyasingh, Stalinselvaraj, Madukkarumukumana, Rajesh S.
Primary Examiner(s)
An; Meng-Ai
Assistant Examiner(s)
Huaracha; Willy W

Application Number

US11/008,911
Publication Number

US 20060130060A1
Time in Patent Office

2,041 Days
Field of Search

718/100, 718/1, 718/108, 717/100, 714/38
US Class Current

718/1
CPC Class Codes

G06F 9/45533 Hypervisors; Virtual machin...

System and method to deprivilege components of a virtual machine monitor

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

79 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System and method to deprivilege components of a virtual machine monitor

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

79 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links