Protection Strategies for Direct Access to Virtualized I/O Devices

Commodity virtual machine monitors forbid direct access to I/O devices by untrusted guest operating systems in order to provide protection and sharing. However, both I/O memory management units (IOMMUs) and recently proposed software-based methods can be used to reduce the overhead of I/O virtualization by providing untrusted guest operating systems with safe, direct access to I/O devices. This paper explores the performance and safety tradeoffs of strategies for using these mechanisms. The protection strategies presented in this paper provide equivalent inter-guest protection among operating system instances. However, they provide varying levels of intra-guest protection from driver software and incur varying levels of overhead. A simple direct-map strategy incurs the least overhead, providing native-level performance but offering no enhanced protection from misbehaving device drivers within the guest operating system. Additional protection against guest drivers can be achieved by limiting IOMMU page-table mappings to memory buffers that are actually used in I/O transfers. Furthermore, the cost incurred by this limitation can be minimized by aggressively reusing these mappings. Surprisingly, a software-only strategy that does not use an IOMMU at all performs competitively, and sometimes better than, hardware-based strategies while maintaining strict inter-guest isolation.

[1]  Muli Ben-Yehuda,et al.  The Price of Safety : Evaluating IOMMU Performance , 2007 .

[2]  Alan L. Cox,et al.  Optimizing network virtualization in Xen , 2006 .

[3]  Dhabaleswar K. Panda,et al.  High Performance VMM-Bypass I/O in Virtual Machines , 2006, USENIX Annual Technical Conference, General Track.

[4]  Scott Rixner,et al.  Increasing web server throughput with network interface data caching , 2002, ASPLOS X.

[5]  Scott Rixner,et al.  RiceNIC: a reconfigurable network interface for experimental research and education , 2007, ExpCS '07.

[6]  Andrew Warfield,et al.  Xen and the art of virtualization , 2003, SOSP '03.

[7]  David Larson,et al.  Advanced virtualization capabilities of POWER5 systems , 2005, IBM J. Res. Dev..

[8]  Joefon Jann,et al.  Dynamic reconfiguration: Basic building blocks for autonomic computing on IBM pSeries servers , 2003, IBM Syst. J..

[9]  Ole Agesen,et al.  A comparison of software and hardware techniques for x86 virtualization , 2006, ASPLOS XII.

[10]  Willy Zwaenepoel,et al.  Diagnosing performance overheads in the xen virtual machine environment , 2005, VEE '05.

[11]  Alan L. Cox,et al.  Concurrent Direct Network Access for Virtual Machine Monitors , 2007, 2007 IEEE 13th International Symposium on High Performance Computer Architecture.

[12]  Beng-Hong Lim,et al.  Virtualizing I/O Devices on VMware Workstation's Hosted Virtual Machine Monitor , 2001, USENIX Annual Technical Conference, General Track.

[13]  S. Gribble,et al.  Scale and performance in the Denali isolation kernel , 2002, OSDI '02.

[14]  Gil Neiger,et al.  Intel ® Virtualization Technology for Directed I/O , 2006 .

[15]  Andrew Warfield,et al.  Safe Hardware Access with the Xen Virtual Machine Monitor , 2007 .

[16]  Karsten Schwan,et al.  High performance and scalable I/O virtualization via self-virtualized devices , 2007, HPDC '07.

[17]  Brian N. Bershad,et al.  Improving the reliability of commodity operating systems , 2005, TOCS.

[18]  Jimi Xenidis,et al.  Utilizing IOMMUs for Virtualization in Linux and Xen Muli , 2006 .