enable flag, can be altered only in system mode. If POPF is executed in user mode
by a program that attempts to pop the interrupt enable flag, POPF will act as a no-op
(i.e., no operation) instruction. Therefore, the behavior of POPF depends on the mode
of operation, thus rendering it behavior-sensitive. Finally, if the instruction is neither
control-sensitive nor behavior-sensitive, it is innocuous.
According to Popek and Goldberg [48], a hypervisor can be constructed if it satisfies
three properties: efficiency, resource control, and equivalence. Efficiency entails
executing all innocuous instructions directly on hardware without any interference
from the hypervisor. Resource control suggests that it is not possible for any guest
software to change the configuration of resources in a system. Equivalence requires
identical behavior of a program running on a VM vs. running on a traditional OS.
One exception can be a difference in performance. Popek and Goldberg's proposal
(or indeed theorem) implies that a hypervisor can only be constructed if the set of
sensitive instructions is a subset of the set of privileged instructions. That is to say,
instructions that interfere with the correct functioning of the system (i.e., sensitive
instructions such as LPSW) should always trap in user mode. Figure 16.13a illustrates
Popek and Goldberg's theorem.
Finally, let us discuss how a trap can be handled in a system. Specifically, we will
describe traps in the context of CPU virtualization. Figure 16.14 demonstrates how a
hypervisor can handle an instruction trap. The hypervisor's trap handling functions
can be divided into three main parts: dispatcher, allocator, and a set of interpreter
routines. First, a privileged instruction traps to the hypervisor's dispatcher. If the
hypervisor recognizes that the instruction is attempting to alter system resources, it
directs it to the allocator; otherwise, it sends it to a corresponding interpreter routine.
The allocator decides how system resources are to be allocated in a nonconflicting
manner, and satisfies the instruction's request accordingly. The interpreter routines
emulate (more on emulation shortly) the effects of the instruction when operating on
virtual resources. When the instruction is fully handled (i.e., done), control is passed
[Figure 16.13: two diagrams of an instruction set, each showing the Unprivileged, Privileged, Sensitive, and Critical regions, panels (a) and (b).]
FIGURE 16.13 Demonstrating Popek and Goldberg's theorem: (a) satisfies Popek and
Goldberg's theorem and (b) does not satisfy Popek and Goldberg's theorem.
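The instruction classification, the theorem, and the dispatcher/allocator/interpreter flow described above, as an added Python model (not code from the book): it assumes a constructed three-instruction ISA (ADD, LPSW, POPF), a constructed "real" machine state, and uses x86 EFLAGS bit 9 as the interrupt-enable flag and a constructed bit 15 as the system-mode bit of the PSW.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Instr:
    name: str
    privileged: bool       # hardware traps on it in user mode
    sensitive: bool        # control- or behaviour-sensitive
    control: bool = False  # control-sensitive: tries to change resource configuration

def popek_goldberg_ok(isa):
    """Theorem check: the sensitive set must be a subset of the privileged set."""
    sensitive = {i.name for i in isa if i.sensitive}
    privileged = {i.name for i in isa if i.privileged}
    return sensitive <= privileged, sorted(sensitive - privileged)

# Constructed three-instruction ISAs; only POPF's trapping behaviour differs.
ADD, LPSW = Instr("ADD", False, False), Instr("LPSW", True, True, control=True)
NON_TRAPPING_ISA = [ADD, LPSW, Instr("POPF", False, True)]  # POPF is a user-mode no-op
TRAPPING_ISA = [ADD, LPSW, Instr("POPF", True, True)]       # POPF traps

@dataclass
class VM:
    vstate: dict = field(default_factory=lambda: {"psw": 0, "if": 0})  # virtual resources

class Hypervisor:
    def __init__(self):
        self.real = {"psw": 0x8000, "if": 1}  # constructed real machine state, never touched
        self.interpreters = {"POPF": self.emulate_popf}

    def dispatcher(self, vm, instr, operand):
        """A trapped instruction lands here and is routed as in Figure 16.14."""
        if instr.control:
            return self.allocator(vm, instr, operand)
        return self.interpreters[instr.name](vm, operand)

    def allocator(self, vm, instr, operand):
        """Grant the request on the VM's virtual copy only; bit 15 (constructed)
        models the system-mode bit and is never handed to a guest."""
        if instr.name == "LPSW":
            vm.vstate["psw"] = operand & 0x7FFF
        return "allocated"

    def emulate_popf(self, vm, operand):
        """Interpreter routine: copy the interrupt-enable bit (EFLAGS bit 9) to the virtual flags."""
        vm.vstate["if"] = (operand >> 9) & 1
        return "emulated"

def run_user_mode(hv, vm, instr, operand):
    """Guest in user mode: privileged instructions trap; everything else runs
    directly, so a non-trapping sensitive instruction silently no-ops."""
    if instr.privileged:
        return hv.dispatcher(vm, instr, operand)
    return "no-op" if instr.sensitive else "direct"
```

With the non-trapping POPF the hypervisor never sees the instruction and the VM's virtual interrupt-enable flag goes stale, which is exactly the equivalence violation the theorem rules out.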