Direct Device Assignment for Untrusted Fully-Virtualized Virtual Machines

The I/O interfaces between a host platform and a guest virtual machine take one of three forms: either the hypervisor provides the guest with emulation of hardware devices, or the hypervisor provides virtual I/O drivers, or the hypervisor assigns a selected subset of the host's real I/O devices directly to the guest. Each method has advantages and disadvantages, but letting VMs access devices directly has a number of particularly interesting benefits, such as not requiring any guest VM changes and in theory providing near-native performance. In an effort to quantify the benefits of direct device access, we have implemented direct device assignment for untrusted, fully-virtualized virtual machines in the Linux/KVM environment using Intel's VT-d IOMMU. Our implementation required no guest OS changes and, unlike alternative I/O virtualization approaches, provided near-native I/O performance. In particular, a quantitative comparison of network performance on a 1GbE network shows that, with large-enough messages, direct device access throughput is statistically indistinguishable from native, albeit with CPU utilization that is slightly higher.
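Direct assignment hands an untrusted guest a device that can issue DMA, so the IOMMU is the only thing standing between that guest and host memory and sibling devices. As an added example, not code from the paper or its implementation, the POSIX shell functions below perform the check a host administrator would run before assigning a PCI device: they read the Linux sysfs IOMMU-group layout (`/sys/kernel/iommu_groups` and each device's `iommu_group` link, a kernel interface that postdates the paper) and report whether the device is alone in its group, since every device in a group shares one DMA translation context. The `SYSFS` variable and the function names are assumptions of this example, chosen so the checks can be pointed at a constructed tree.

```shell
#!/bin/sh
# Before assigning a PCI device to an untrusted guest, confirm that the
# IOMMU is active (the device has an IOMMU group at all) and that the
# group holds only that device. A shared group means the guest's DMA
# could reach the sibling devices too. SYSFS defaults to the real sysfs;
# it is overridable so the functions can run against a constructed tree.
SYSFS="${SYSFS:-/sys}"

# Print the IOMMU group number of a PCI device (e.g. 0000:03:00.0).
# Fails when the device is absent or has no group (IOMMU off or unsupported).
iommu_group_of() {
    link="$SYSFS/bus/pci/devices/$1/iommu_group"
    [ -L "$link" ] || [ -d "$link" ] || return 1
    basename "$(readlink -f "$link")"
}

# Print the other devices sharing the given device's IOMMU group, one per line.
iommu_group_siblings() {
    grp=$(iommu_group_of "$1") || return 1
    for d in "$SYSFS/kernel/iommu_groups/$grp/devices"/*; do
        [ -e "$d" ] || continue
        n=$(basename "$d")
        [ "$n" = "$1" ] || echo "$n"
    done
}

# Exit status: 0 = device alone in its group (isolation holds),
#              1 = group shared with other devices,
#              2 = no IOMMU group (IOMMU inactive or device missing).
check_assignable() {
    grp=$(iommu_group_of "$1") || { echo "$1: no IOMMU group (IOMMU active?)"; return 2; }
    sibs=$(iommu_group_siblings "$1")
    if [ -n "$sibs" ]; then
        echo "$1: IOMMU group $grp is shared with: $(echo "$sibs" | tr '\n' ' ')"
        return 1
    fi
    echo "$1: alone in IOMMU group $grp"
    return 0
}

# Usage: sh iommu-check.sh 0000:03:00.0
if [ $# -gt 0 ]; then
    check_assignable "$1"
fi
```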