AMD Secure Virtual Machine

AMD Secure Virtual Machine support for virtualization technology is multifaceted, in addition to IOMMU, Tagged TLB, there have optional Nested Paging, as well as VMRUN / VMEXIT commands such as (Intel has a similar implementation ). If there is no Nested Page Tables (NPT), hypervisor on the guest OS page table for each one (gPT) should maintain a shadow page table (sPT), the actual use of the hypervisor hardware provided by sPT. gPT is write-protected, so the guest OS right gPT operate, such as delete, update, etc. will occur page fault, and then taken over by the hypervisor to the gPT be modified final synchronization sPT. Another implementation is to let guest OS operating gPT, so really occurred page fault, by the hypervisor synchronization sPT. NPT need two address translation. The first stage is the guest linear address to the guest physical address, guest CR3 (gCR3) point to the page table address. The second level is the guest physical address to host physical address, nested CR3 (nCR3) point to the page table address. gCR3 itself is a guest physical address, this address through the NTP must first convert the host physical address. Next, each obtained from the guest page talbe address to go through the conversion NPT are host physical address. TLB is stored in the final guest linear address to a host physical address of the conversion results. Each guest OS is only one NPT, hypervisor for each gPT do not need to maintain a sPT, therefore save a lot of physical memory. Second guest OS can speak love machine to make their own gCR3, such a process switch is no longer needed the involvement of hypervisor, while the virtual machine performance bottleneck is mainly between the guest OS and the hypervisor frequent switching. Early x86 processors from user mode into kernel mode the only way is through the interruption, that is, system calls, such as the 0x80 interrupt. Later, to speed up the process, Intel introduced the SYSENTER and SYSEXIT instruction, AMD introduced the SYSCALL and SYSRET instructions. These instructions are to make the operating system between ring 0 and ring 3, that is, kernel mode and user-state switching between programs. If the hypervisor resides in ring 0, guest OS the presence of ring 1, the application resides ring 3, guest OS will not reside in the traditional ring 0, while SYSCALL / SYSRET directive can only be carried out under the ring 0, then the user between the state and kernel-mode cut

change only through interrupts. Processors to support virtualization has introduced more than ring 0 privilege level, we can be called ring-1. In order to speed up the ring 0 and ring-1 to switch between the AMD introduces VMRUN and VMEXIT instructions. These two instructions can be analog SYSCALL and SYSRET. SYSCALL to save the user's current state of information in order to return from the kernel mode to continue. VMRUN and VMEXIT the same token, except that they preserve and restore the guest OS running status. Reference: A Comparison of Software and Hardware Techniques for x86 Virtualization The Definitive Guide to the Xen Hypervisor AMD64 Architecture Programmer's Manual Volume 2: System Programming (15 Secure Virtual Machine) AMD-V Nested Paging

AMD Secure Virtual Machine Film Coating Machine machine on the virtualization technology support is multifaceted, in addition to IOMMU, Tagged TLB, there have optional Nested Paging, as well as VMRUN / VMEXIT commands such as (Intel has a similar implementation). If there is no Nested Page Tables (NPT), hypervisor on the guest OS page table for each one (gPT) should maintain a shadow page table (sPT), the actual use of the hypervisor hardware provided by sPT. gPT is write-protected, so the guest OS

right gPT operate, such as delete, update, etc. will occur page fault, and then taken over by the hypervisor to the gPT be modified final synchronization sPT. Another implementation is to let guest OS operating gPT, so really occurred page fault, by the hypervisor synchronization sPT. NPT need two address translation. The first stage is the guest linear address to the guest physical address, guest CR3 (gCR3) point to the page table address. The second level is the guest physical address to host physical address, nested CR3 (nCR3)

pointing to the page table address. gCR3 itself is a guest physical address, this address through the NTP must first convert the host physical address. Next, each obtained from the guest page talbe address to go through the conversion NPT are host physical address. TLB is stored in the final guest linear address to a host physical address of the conversion results. Each guest OS only

an NPT, hypervisor for each gPT do not need to maintain a sPT, therefore save a lot of physical memory. Second guest OS can operate their own gCR3, so the process of switching is no longer needed the involvement of hypervisor, while the virtual machine's performance bottleneck is mainly between the guest OS and the hypervisor frequent switching. Early x86 processors from user mode into kernel mode the only way is through the interruption, that is, system calls, such as the 0x80 interrupt. Later, to speed up the process, Intel introduced the SYSENTER and SYSEXIT instructions, AMD

introduced SYSCALL and SYSRET instructions. These instructions are to make the operating system between ring 0 and ring 3, that is, kernel mode and user-state switching between programs. If the hypervisor resides in ring 0, guest OS the presence of ring 1, the application resides ring 3, guest OS will not reside in the traditional ring 0, while SYSCALL / SYSRET directive can only be carried out under the ring 0, then the user state and switching between kernel mode only through interrupts.

supports processor virtualization has introduced more than ring 0 privilege level, we can be called ring-1. In order to speed up the ring 0 and ring-1 to switch between the AMD introduces VMRUN and VMEXIT instructions. These two instructions can be analog SYSCALL and SYSRET. SYSCALL to save the user's current state of information in order to return from the kernel mode to continue. VMRUN and VMEXIT the same token, except that they preserve and restore the guest OS running status. Reference: A Comparison of Software and Hardware Techniques for x86 Virtualization The Definitive Guide to the Xen Hypervisor AMD64 Architecture Programmer's Manual Volume 2: System Programming (15 Secure Virtual Machine) AMD-V Nested Paging