System and method to deprivilege components of a virtual machine monitor
Abstract
In some embodiments, the invention involves a system to deprivilege components of a virtual machine monitor and enable deprivileged service virtual machines (SVMs) to handle selected trapped events. An embodiment of the invention is a hybrid VMM operating on a platform with hardware virtualization support. The hybrid VMM utilizes features from both hypervisor-based and host-based VMM architectures. In at least one embodiment, the functionality of a traditional VMM is partitioned into a small platform-dependent part called a micro-hypervisor (MH) and one or more platform-independent parts called service virtual machines (SVMs). The micro-hypervisor operates at a higher virtual machine (VM) privilege level than any SVM, while the SVM and other VMs may still have access to any instruction set architecture (ISA) privilege level. Other embodiments are described and claimed.
21 Claims
1. A computer system to deprivilege components of a virtual machine monitor executing on a computing platform, comprising:
- a platform having a plurality of instruction set architecture (ISA) privilege levels, the platform including hardware virtualization support having a plurality of virtual machine (VM) privilege levels, the platform configured to transition among processes running in the VM privilege levels;
- a micro-hypervisor portion of a virtual machine monitor (VMM) to run at a highest one of the VM privilege levels on the platform, the highest one of the VM privilege levels being a root level privilege, wherein program execution on the platform is configured to automatically transfer to the micro-hypervisor in response to selected trapped events occurring in a virtual machine associated with the hardware virtualization support; and
- at least one service virtual machine (SVM) portion of the VMM to run at a lower VM privilege level than the VM privilege level operated in by the micro-hypervisor, the lower VM privilege level being a non-root level privilege, wherein the micro-hypervisor is to transfer program execution on the platform to the at least one SVM for handling of at least one of the selected trapped events, and wherein the VMM is to run in different ones of the VM privilege levels independent of the ISA privilege levels.
Dependent claims: 2 to 11.
12. A method for deprivileging services in a virtual machine monitor (VMM) executing on a computing platform having a plurality of instruction set architecture (ISA) privilege levels, the platform including hardware virtualization support having a plurality of virtual machine (VM) privilege levels, comprising:
- transitioning control, from a micro-hypervisor portion of a VMM executing at a highest one of the VM privilege levels, to a guest virtual machine (VM) in the platform, the guest VM to execute at a lower VM privilege level than the VM privilege level operated in by the micro-hypervisor, wherein the highest one of the VM privilege levels is a root level privilege and the lower VM privilege level is a non-root level privilege;
- receiving control by the micro-hypervisor in response to a trapped event occurring in the guest VM;
- selecting by the micro-hypervisor one of a plurality of service virtual machines (SVMs) of the VMM to handle the trapped event;
- transitioning control to the selected SVM for the trapped event, wherein the SVM is to execute at a lower VM privilege level than the VM privilege level operated in by the micro-hypervisor;
- initiating execution of the selected SVM to service the trapped event;
- transitioning back to the micro-hypervisor upon completing service to the trapped event; and
- returning control, by the micro-hypervisor, to the guest VM.
Dependent claims: 13 to 16.
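As an added illustration (not code from the patent or its assignee), the following C model traces the claim-12 path described above and the micro-hypervisor/SVM split from the abstract: only the micro-hypervisor runs at root level, it selects a non-root SVM for each trapped event, takes control back when the SVM finishes, and then resumes the guest. The event names, handler functions and transition counter are constructed for the model.

```c
#include <stddef.h>

/* Constructed model of the claim-12 trap path; not the patent holder's code.
 * Event identifiers are constructed: the claims only say "selected trapped events". */
enum vm_level { VM_ROOT = 0, VM_NONROOT = 1 };
enum trap_event { EV_IO_ACCESS = 0, EV_MSR_ACCESS = 1, EV_UNROUTED = 2, EV_COUNT };
struct svm {
    enum vm_level level;                /* must be VM_NONROOT: SVMs are deprivileged */
    int (*service)(enum trap_event ev); /* platform-independent handler */
};
struct platform {
    enum vm_level level;                /* who runs now: root (MH) or non-root (SVM/guest) */
    int transitions;                    /* root/non-root switches, counted for the test */
    const struct svm *route[EV_COUNT];  /* MH policy: which SVM handles which event */
};

static int io_svm_service(enum trap_event ev)  { return ev == EV_IO_ACCESS  ? 0 : -1; }
static int msr_svm_service(enum trap_event ev) { return ev == EV_MSR_ACCESS ? 0 : -1; }

/* The MH only routes events to non-root SVMs, so it stays the sole root-level code. */
int mh_register_svm(struct platform *p, enum trap_event ev, const struct svm *s)
{
    if (ev >= EV_COUNT || s->level != VM_NONROOT) return -1;
    p->route[ev] = s; return 0;
}

/* Guest traps into the MH (root); the MH selects an SVM, hands control to it at non-root,
 * takes control back when it finishes, then resumes the guest. -1 = no SVM routed. */
int mh_handle_trap(struct platform *p, enum trap_event ev)
{
    int rc = -1;
    const struct svm *s = ev < EV_COUNT ? p->route[ev] : NULL;
    p->level = VM_ROOT;    p->transitions++;             /* guest -> MH  */
    if (s) {
        p->level = s->level; p->transitions++;           /* MH -> SVM    */
        rc = s->service(ev);
        p->level = VM_ROOT;  p->transitions++;           /* SVM -> MH    */
    }
    p->level = VM_NONROOT; p->transitions++;             /* MH -> guest  */
    return rc;
}

void platform_init(struct platform *p)   /* constructed setup: two SVMs registered */
{
    static const struct svm io_svm  = { VM_NONROOT, io_svm_service  };
    static const struct svm msr_svm = { VM_NONROOT, msr_svm_service };
    *p = (struct platform){ .level = VM_NONROOT };
    mh_register_svm(p, EV_IO_ACCESS, &io_svm);
    mh_register_svm(p, EV_MSR_ACCESS, &msr_svm);
}
```

Each serviced trap costs four root/non-root switches (guest to MH, MH to SVM, SVM to MH, MH to guest), and an SVM declared at root level is refused registration, which is the deprivileging invariant the claims describe.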
17. A machine accessible storage medium for deprivileging services in a virtual machine monitor executing on a computing platform having a plurality of instruction set architecture (ISA) privilege levels, the platform including hardware virtualization architecture support having a plurality of virtual machine (VM) privilege levels, the medium having instructions stored thereon that when executed on the platform cause the platform to:
- transition control, from a micro-hypervisor portion of a VMM executing at a highest one of the VM privilege levels, to a guest virtual machine (VM) in the platform, the guest VM to execute at a lower VM privilege level than the VM privilege level operated in by the micro-hypervisor, wherein the highest one of the VM privilege levels is a root level privilege and the lower VM privilege level is a non-root level privilege;
- receive control by the micro-hypervisor in response to a trapped event occurring in the guest;
- select by the micro-hypervisor one of a plurality of service virtual machines (SVMs) of the VMM to handle the trapped event;
- transition control to the selected SVM, wherein the SVM is to execute at a lower VM privilege level than the VM privilege level operated in by the micro-hypervisor;
- initiate execution of the selected SVM to service the trapped event;
- transition back to the micro-hypervisor upon completing service to the trapped event; and
- return control, by the micro-hypervisor, to the guest VM.
Dependent claims: 18 to 20.
21. A computer system to deprivilege components of a virtual machine monitor executing on a computing platform, comprising:
- a platform having a plurality of instruction set architecture (ISA) privilege levels, the platform including hardware virtualization support having a plurality of virtual machine (VM) privilege levels, the platform configured to transition among a first process and a second process running in the VM privilege levels;
- a micro-hypervisor portion of a virtual machine monitor (VMM) to run at a highest one of the VM privilege levels on the platform, the highest one of the VM privilege levels being a root level privilege, wherein program execution on the platform is to automatically transfer to the micro-hypervisor in response to selected trapped events occurring in a virtual machine associated with the hardware virtualization support; and
- at least one service virtual machine (SVM) portion of the VMM to run at a lower VM privilege level than the VM privilege level operated in by the micro-hypervisor, the lower VM privilege level being a non-root level privilege, wherein the micro-hypervisor is to transfer program execution on the platform to the at least one SVM for handling of at least one of the selected trapped events, and wherein a highest one of the VM privilege levels is higher than a highest one of the ISA privilege levels.