
Re: [Xen-users] Why the unmodified guest os can run on xen while hardware supports VT?



On Monday 27 November 2006 5:29 am, Petersson, Mats wrote:
> > unfortunately, x86 provides a limited set of rings (0 is the most
> > privileged, 3 is the least); and there are some things that can only be
> > done on ring 0. (mostly very low level hardware accesses).  therefore,
> > usual unmodified kernels are run only at ring 0.
>
> This is actually MORE than most other processors that usually just have
> "supervisor" and "user" mode. The fact that it's more than 2 means that
> it's possible to use the "ring compression" model that Xen and many
> other non-hardware-based virtual machine monitors use.
>
> I'm not aware of any 32-bit major operating system using anything other
> than rings 0 and 3.

right, any other architecture i've read of has only two modes.  in principle, 
the rings structure (borrowed from MULTICS, i guess) could be more flexible; 
but, as you said, no OS used more than two.  I said limited not in the 
sense "too few", but meaning "number set in stone"; therefore not enough for 
full hardware virtualization.

what other processors (i only know about POWER and derivatives. other 
examples??) provide is orthogonal to the privilege system, since it's meant 
from the start to be used to contain full OSs, and not only for the 
kernel/userspace separation (the usual supervisor/user is for that)

> > the new HVM extensions to the x86 IA let the hypervisor set up new
> > handlers for all the missing privileged instructions, effectively making
> > it possible to run managed code in ring 0.  i think you could think of it
> > like creating a new ring0.5 for the guest OS's kernel, it can do anything
> > ring 0 does, but managed by a "real ring 0" where the hypervisor resides.
>
> Whilst this is a good simplified answer, I'd like to say that it's
> "incorrect".
> The hardware support for virtualization actually creates two sets of
> 0..3 rings. One set being the Hypervisor's set of protection levels,
> which are "not managed" and the "managed" ones which the guest-OS runs
> in. There is an important difference: Having four protection levels on
> "both sides" means that you can run something like Xen in the
> "hypervisor side", and still have all three rings available to run for
> example Windows in a "managed" environment.

that was the most speculative part, thanks for correcting it.

-- 
Javier
