Software developers have embraced the value of virtualization technology and are incorporating hypervisor capabilities into some software products. Nested VMMs, however, place performance-draining demands on system hardware. As hardware developers look for ways to meet these new hardware demands, VMCS shadowing has emerged to extend the capabilities of
Virtualization typically requires the use of one virtual machine monitor -- a hypervisor -- in order to abstract and manage the system's computing resources. The single VMM approach works well, but continued software development is fostering a new generation of applications that effectively utilize a unique virtual machine monitor (VMM) that is not associated with the primary hypervisor's VMM. This multiple-VMM environment can, however, present serious performance issues for the underlying system. Processor developers, such as Intel, are addressing this emerging problem with the introduction of a new feature called virtual machine control structure (VMCS) shadowing.
What is VMCS and why do I need VMCS shadowing?
A virtual machine monitor is the core of a hypervisor, responsible for handling the system's virtualized computing resources. In a typical computing environment, a system hosts a single VMM, which supports each guest virtual machine.
When software such as McAfee Deep Defender incorporates a unique VMM, however, it does not share the system equally with the hypervisor's VMM. Instead, the primary hypervisor forms a root VMM, and the VMM features of other software tools -- guest VMMs -- sit on top of the hypervisor and communicate with the system hardware through the hypervisor. Thus, the guest VMM is nested in the root VMM.
Software currently controls nested VMM switching. As you might imagine, forcing a guest VMM to run through the root VMM can introduce latencies that impair the performance of workloads dependent on the guest VMM. As you introduce new software that uses additional VMMs, you need a new means of switching control between VMMs.
The VMCS tracks the state of the host and guest VMs as control is handed between them. This feature of Intel-VT helps to accelerate VM switching and improve virtual server performance. Unfortunately, guest VMMs must take the time to access the root VMM and its VMCS. To overcome the performance penalties of nested VMMs, the VMCS is shadowed in hardware, which allows the guest VMM to access a VMCS directly without disrupting the root VMM. VMCS shadow access is almost as fast as a non-nested VMM environment.
How is VMCS shadowing implemented on a virtualized server?
Current VMCS features are implemented on the processor as part of the Intel-VT architecture. Multi-VMM support will require the addition of VMCS shadowing, which is also implemented on the processor as part of the CPU's virtualization capabilities. Intel currently deploys VMCS shadowing in certain fourth-generation Intel Core vPro processors, such as i5 vPro and i7 vPro, used in desktop and notebook systems, as well as the Xeon E5-2600, E5-1600 and E3-1200 processor families for enterprise servers. The technology should eventually appear across a wider range of enterprise processors.
For multiple-VMM support, you should only require a system with a processor that has VMCS shadowing enabled in properly developed firmware. If you do not deploy software with its own VMM on the hardware platform, then the VMCS shadowing feature will not enable.
Aside from VMCS shadowing, is there another method for VMM nesting?
If the system processors do not support VMCS shadowing, then the system will use software emulation instead. Unfortunately, software emulation forces the guest VMM to operate through the host VMM.
In an emulation scenario, the guest VMM will take control of the system from the host VMM in order to perform a read/write task, and the guest VMM will access the VMCS used by the host VMM. When the guest VMM completes the task, it hands control back to the host VMM. An active guest VMM can disrupt the host VMM's operation and cause significant performance degradation.
VMCS shadowing creates a second (shadow) VMCS that the guest VMM accesses independently of the host VMM's VMCS. Thus the guest VM does not disrupt the host VMM, which improves system performance. You must only periodically synchronize the shadow VMCS with the primary VMCS.
This was first published in November 2013