ARM Core Virtualization
Prashanth Bungale, Sr. Member of Technical Staff, Mobile Virtualization
January 23rd 2012
Sponsored by MIT and VMware Academic Programs
VMware: www.vmware.com
VMware Labs: labs.vmware.com
© 2012 VMware Inc. All rights reserved
Agenda
 Mobile Virtualization and BYOD Use Case
 Overview of ARM CPU State
 ARM Instruction Set Virtualization
 ARM MMU Virtualization
 Comparison of x86 vs. ARM Virtualizability
2
Copyright ® VMware, Inc. All Rights Reserved.
MVP – Manage Corporate Phone on Employee Owned Device
PERSONAL
CORPORATE
♬
One Device – Two Phones
3
Copyright ® VMware, Inc. All Rights Reserved.
Benefits
 For enterprises
• Safely support wide diversity of mobile phones accessing corporate assets
• Enforce security and compliance policies
• Reduce device expenses by supporting “bring your own device program”
• Manage Mobile and Desktop from a single interface
• Write corporate applications once and make them portable to multiple
platforms
 For employees
• No need to carry two devices anymore
• Have freedom of choice in terms of device they can use for work
4
Copyright ® VMware, Inc. All Rights Reserved.
ARM




5
Predominant architecture in mobile phone world
Over 15 billion chips shipped to date
Over 10 million chips shipped every day
Looking to enter the server/datacenter market in future
5
ARM CPU State
Coprocessor Registers
6
Copyright ® VMware, Inc. All Rights Reserved.
CPSR: Current Program Status Register
N Z C V Q
IT
[1:0]
J
Reserved
GE[3:0]
IT[7:2]
E A
ITSTATE
E ENDIANSTATE
7
F T
Interrupt
Masks
Execution State Registers:
ISETSTATE
I
M[4:0]
Current
Processor Mode
Privileged-only Access Registers
Execution State Registers
Condition Flags
Copyright ® VMware, Inc. All Rights Reserved.
Dealing with Sensitive Instructions
• Interpretation / Full Emulation
• Binary Translation
• Para-Virtualization
• Shallow Para-Virtualization: replace sensitive instructions
• Deep Para-Virtualization: replace sensitive subsystems
• Binary Patching / Pre-Virtualization
• Hardware Assisted Virtualization
8
8
Copyright ® VMware, Inc. All Rights Reserved.
Lightweight Para Virtualization: 1-1 Hypercalls
 Replace sensitive instructions with 1-1 Hypercalls
• Use trap instruction to issue hypercall
• Encode hypercall type & original instruction bits in hypercall hint
• Example:
mrs Rd, R <cpsr/spsr>
swi 0x088000
mrs r8, cpsr
 Trap and Emulate Semantics
• Upon trapping into the monitor, decode the hypercall type and the original
instruction bits, and emulate instruction semantics
9
Copyright ® VMware, Inc. All Rights Reserved.
MMU Virtualization
 Shadow PT
• Intercept guest MMU events of interest
• Data/Prefetch Aborts, TTBR deltas, PT deltas, TLB ops
• Maintain (lazily) VMM-controlled, trusted shadow PT
 Para-Virtualized trusted guest PT
• Highly intrusive to guest MMU software
 Hardware virtualization support
• Nested / 2-stage Page Tables: VA->PA; PA->MA
10
Copyright ® VMware, Inc. All Rights Reserved.
Privilege Levels & Access Permissions
Guest always executes in machine User mode
• Protect monitor/host from guest
• Avoid virtualization holes
How to protect guest privileged from guest user?
 6 distinct guest access permissions
{PNA-UNA, PRW-UNA, PRW-URO, PRW-URW, PRO-UNA, PRO-URO}
 Only 3 shadow access permission equivalence classes
{{PNA-UNA, PRW-UNA, PRO-UNA}, {PRW-URO, PRO-URO}, {PRW-URW}}
{{P**-UNA}, {P**-URO}, {P**-URW}}
 No injective mapping possible!
11
Copyright ® VMware, Inc. All Rights Reserved.
Dual Shadow Page Tables
Use two shadow page tables for each guest page table
• Privileged/User shadow PTs
• Switch on privilege mode switches
12
Guest AP
Priv. Shadow AP
User Shadow AP
PNA-UNA
P**-UNA
P**-UNA
PRW-UNA
P**-URW
P**-UNA
PRW-URO
P**-URW
P**-URO
PRW-URW
P**-URW
P**-URW
PRO-UNA
P**-URO
P**-UNA
PRO-URO
P**-URO
P**-URO
Copyright ® VMware, Inc. All Rights Reserved.
{User, Priv} Shadows
Shadow User page table
Guest page table
Shadow Priv. page table
13
Copyright ® VMware, Inc. All Rights Reserved.
Comparison of ARM vs. x86 Virtualizability
 Sensitive Instructions
Type of Sensitive
Instructions
Violating
Goldberg’s
Requirement #
X86 [3]
ARM
Sensitive Register
Access
3B
SGDT, SIDT, SLDT,
SMSW, PUSHF/POPF
-
Protection System
References
3C
LAR, LSL, VERR, VERW,
PUSH/POP, CALL, JMP,
INT n, RET, STR, MOVE
LDM/STM (user regs),
LDRT/STRT (“As User”)
Both
3B & 3C
-
MRS, MSR, CPS, SRS,
RFE, DPSPC,
LDM (exc. return)
[3] John Scott Robin and Cynthia Irvine, Analysis of the Intel Pentium’s Ability to Support a
Secure Virtual Machine Monitor, USENIX Security Symposium, 2000.
14
Copyright ® VMware, Inc. All Rights Reserved.
Comparison of ARM vs. x86 Virtualizability
 Ring compression – protection mechanisms
• x86: Segmentation + Paging
• ARM: Paging (+ domains?)
 Instruction execution vs. Data Read/Write protection
• x86: CS for instruction fetch vs. DS/other for data access
• ARM: No explicit distinction b/w execute and read protection
 Cache architecture
• x86: Largely transparent; PIPT across all versions
• ARM: Exposes a lot of the cache architecture; VIVT/VIPT/PIPT
15
Copyright ® VMware, Inc. All Rights Reserved.
Comparison of ARM vs. x86 Virtualizability
 Instruction size
• x86: Variable
• ARM: Fixed -> enables in-place patching mechanisms
 I/O
• x86: I/O instructions + memory-mapped I/O
• ARM: Only memory-mapped I/O
16
Copyright ® VMware, Inc. All Rights Reserved.
Thank You!
17
Copyright ® VMware, Inc. All Rights Reserved.
Next in IAP VMware Mobile Virtualization series…
 Mobile I/O virtualization
• Mobile VMs interact with virtual I/O devices
• E.g. touchscreen, display, storage, GPS, Bluetooth, WiFi, GSM, GPU,
cameras, accelerometers, audio, keyboard, etc.
• Explore I/O virtualization techniques with a mobile focus
 Application-level virtualization
• Deprivileged hypervisor design and implementation
• Distribute a hypervisor via a mobile app store
 Programming exercise
• Based on today’s talk and the concepts from application-level virt.
• Complete the exercise, enter a draw for exciting prize (iPad!)
18