A Software-only Mechanism for Device Passthrough and Sharing

Network processing elements in virtual machines, also known as Network Function Virtualization (NFV), often face CPU bottlenecks at the virtualization interface. Even highly optimized paravirtual device interfaces fall short of the throughput requirements of modern devices. Passthrough devices, together with SR-IOV support for multiple device virtual functions (VFs) and IOMMU support, mitigate this problem somewhat by allowing a VM to directly control a device partition, bypassing the virtualization stack. However, device passthrough requires high-end (expensive and power-hungry) hardware, places scalability limits on consolidation ratios, and does not support efficient switching between multiple VMs on the same host. We present a paravirtual interface that securely exposes an I/O device directly to the guest OS running inside the VM, and yet allows that device to be securely shared among multiple VMs and the host. Compared to the best-known paravirtualization interfaces, our paravirtual interface supports up to 2x higher throughput and is closer in performance to device passthrough. Unlike device passthrough, however, we do not require SR-IOV or IOMMU support, and we allow fine-grained dynamic resource allocation, significantly higher consolidation ratios, and seamless VM migration. Our security mechanism is based on a novel approach called dynamic binary opcode subtraction.