CN102855154B - System virtual machine and method for improving the execution efficiency of non-sensitive privileged instructions - Google Patents


Info

Publication number: CN102855154B
Authority: CN (China)
Prior art keywords: virtual machine, privileged instruction, sensitive, host, control bit
Legal status: Active
Application number: CN201210271838.5A
Other languages: Chinese (zh)
Other versions: CN102855154A (en)
Inventors: 台运方, 蔡万伟
Current Assignee: Loongson Technology Corp Ltd
Original Assignee: Loongson Technology Corp Ltd

Abstract

The invention provides a system virtual machine and a method for improving the execution efficiency of non-sensitive privileged instructions. The system virtual machine comprises a host and at least one virtual machine, both running on a CPU that includes a register, and is characterized in that a control bit is additionally provided in the register to control whether non-sensitive privileged instructions can execute directly in the virtual machine. Before entering the virtual machine, the host determines the state of the virtual machine and sets the control bit according to the result. Through a simple hardware modification controlled by software, the invention effectively improves the execution efficiency of non-sensitive privileged instructions in the virtual machine while ensuring the correctness and security of their execution.

Description

System virtual machine and method for improving the execution efficiency of non-sensitive privileged instructions
Technical field
The present invention relates to the fields of computer hardware architecture and system virtualization, and in particular to a system virtual machine and a method for improving the execution efficiency of non-sensitive privileged instructions.
Background art
Virtual machine instructions fall into two classes: sensitive instructions and non-sensitive (harmless) instructions. A sensitive instruction is any instruction that changes or depends on system resources; it cannot be executed directly on the physical CPU, whereas a non-sensitive instruction can be executed directly on the physical machine. Executing a sensitive instruction therefore has to raise an exception. In addition, a virtual machine must run in a non-privileged state, so privileged instructions executed by the virtual machine also raise exceptions. The relationship between sensitive instructions and privileged instructions is shown in Fig. 1. Because they raise exceptions, privileged instructions and sensitive instructions are the bottleneck of CPU virtualization.
In the prior art, there are two ways to accelerate sensitive and privileged instructions: one adds an extra operating mode to the CPU; the other is a software approach (for example, modifying the operating system code, or binary translation).
Once an extra operating mode is added to the CPU, sensitive instructions do not affect the host's privileged resources, and this operating mode is itself divided into a privileged state and a non-privileged state, so most sensitive and privileged instructions no longer raise exceptions. Architectures without such hardware-assisted virtualization design cannot use this approach.
The software approach targets CPUs without hardware-assisted virtualization support: it replaces privileged and sensitive instructions with a sequence of non-privileged, non-sensitive instructions. However, the range of systems this approach can modify is limited, and its extensibility is poor.
A method is therefore needed that remedies the inability of the software replacement approach to handle certain non-sensitive privileged instructions, so that non-sensitive privileged instructions execute efficiently and securely in a system virtual machine.
Summary of the invention
To solve the above problem, the invention provides a system virtual machine and a method for improving the execution efficiency of non-sensitive privileged instructions.
In a first aspect, the invention provides a system virtual machine for improving the execution efficiency of non-sensitive privileged instructions. The system virtual machine comprises a host and at least one virtual machine, both running on a CPU that includes a register, and is characterized in that a control bit is additionally provided in the register to control whether non-sensitive privileged instructions can execute directly in the virtual machine. Before entering the virtual machine, the host determines the state of the virtual machine and sets the control bit according to the result.
Further, when the virtual machine is executing the virtual machine's operating system, the control bit is set to on, allowing non-sensitive privileged instructions to run directly in the virtual machine; when the virtual machine exits the virtual machine's operating system, the control bit is set to off, forbidding non-sensitive privileged instructions from running directly in the virtual machine.
Further, the host comprises a virtual machine monitor (VMM); the VMM is configured so that the state of the virtual machine is determined before the host enters the virtual machine.
In a second aspect, the invention provides a method for improving the execution efficiency of non-sensitive privileged instructions. The method can be implemented in the system virtual machine described above: the host and the virtual machine run on a CPU that includes a register, and the register has a control bit that controls whether non-sensitive privileged instructions can execute directly in the virtual machine. The method comprises the following step: before entering the virtual machine, the host determines the state of the virtual machine and sets the control bit according to the result.
Further, when the virtual machine is executing the virtual machine's operating system, the control bit is set to on, allowing non-sensitive privileged instructions to run directly in the virtual machine; when the virtual machine exits the virtual machine's operating system, the control bit is set to off, forbidding non-sensitive privileged instructions from running directly in the virtual machine.
Further, a virtual machine monitor (VMM) is configured so that the state of the virtual machine is determined before the host enters the virtual machine.
Further, the state of the virtual machine is determined from the address of the operating system and the address of the user program.
Further, the address of the operating system and the address of the user program are distinguished by compiling the virtual machine's operating system.
The invention remedies the inability of the software replacement approach to handle certain non-sensitive privileged instructions, and the system virtual machine and method it provides are much simpler to implement than adding a new operating mode to the CPU. The method effectively improves the execution efficiency of non-sensitive privileged instructions while ensuring the correctness and security of their execution.
Brief description of the drawings
Fig. 1 is a schematic diagram of the relationship between sensitive instructions, non-sensitive instructions and privileged instructions;
Fig. 2 is a flowchart of the steps of the hardware/software co-design method in one embodiment of the invention.
Detailed description of the embodiments
The characteristic of non-sensitive privileged instructions is as follows. When no additional operating mode is added, a virtual machine generally executes in the CPU's non-privileged state, so executing a privileged instruction in the virtual machine causes an exception. These non-sensitive privileged instructions are, however, non-sensitive instructions: if executed directly in the virtual machine they can in theory execute, but they may raise exceptions, which creates a security problem for the virtual machine.
To improve the execution efficiency of this class of instructions in the virtual machine while ensuring the security of the virtual machine, a system virtual machine and a hardware/software co-design method are proposed. The hardware design ensures that non-sensitive privileged instructions can feasibly execute in the virtual machine, and the software design ensures security when non-sensitive privileged instructions run in the virtual machine.
The technical solution of the invention is described in further detail below with reference to the drawings and embodiments.
This embodiment describes the system virtual machine and method provided by the invention using an implementation on a Godson CPU based on the MIPS architecture as an example. This CPU has two non-privileged states (namely supervisor state and user state).
The cache instruction is a non-sensitive privileged instruction in the MIPS architecture. Because MIPS can access the cache only through the cache instruction, the execution speed of the cache instruction in a virtual machine cannot be improved by software alone; yet the virtual machine's operating system executes the cache instruction many times while running, which severely affects operating system performance. The execution efficiency of the cache instruction in the virtual machine is therefore improved through combined hardware and software design, while its security in the virtual machine is ensured. The implementation is described below in terms of hardware design and software design. Fig. 2 is a flowchart of the steps of the hardware/software co-design method.
Hardware design:
The system virtual machine comprises a host and at least one virtual machine; in this embodiment, the host and the virtual machine both run on a Godson CPU based on the MIPS architecture. In coprocessor 0 inside the Godson CPU, a control bit is added to register No. 22 to control whether the cache instruction can execute directly on the host.
Specifically, before the control bit is added, when the host enters the virtual machine, the virtual machine runs in a non-privileged state, the coprocessor is unavailable, and the cache instruction raises an exception, so the cache instruction cannot safely execute directly in the virtual machine.
To solve this problem, after the control bit is added, when the host enters the virtual machine, executing a cache instruction requires checking register No. 22 in coprocessor 0 inside the CPU. The state of the control bit in register No. 22 determines whether the cache instruction is allowed to execute directly in the virtual machine.
The state of the control bit is set by the software design, which ensures security when the cache instruction runs directly in the virtual machine.
Software design:
First, the virtual machine's operating system is compiled so that the addresses of the virtual machine's operating system are completely separated from the addresses of the virtual machine's user programs. The CPU then encounters no address conflict when executing the virtual machine, which ensures security when the cache instruction runs.
In a specific embodiment, the compile addresses and usage addresses of the operating system are modified so that the operating system's addresses and accesses all lie in supervisor state; user programs run in user state.
Specifically, compiling the virtual machine's operating system involves two aspects: modifying the compile addresses of the virtual machine's operating system, and modifying the usage addresses of the virtual machine's operating system. Together these ensure both that the code of the virtual machine's operating system runs in supervisor state and that the addresses of data accessed in the virtual machine's operating system all lie in supervisor state. Thus, when the virtual machine runs its operating system it runs in supervisor state, and when it runs a user program it runs in user state; the addresses used in the two states are completely separate and do not conflict.
Second, the configuration of the virtual machine monitor (VMM) is modified so that the state of the virtual machine is determined before the host enters the virtual machine. The state of the control bit is set according to the result.
Specifically, when the virtual machine is running its operating system, the CPU is executing the virtual machine's operating system, which was recompiled in the process described above, so the cache instruction can execute directly in the virtual machine without raising an exception. The control bit is therefore set to on, allowing the cache instruction to execute directly in the virtual machine. When the virtual machine exits the operating system, the control bit is set to off, forbidding the cache instruction from executing directly in the virtual machine.
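The following C model is an added illustration, not code from the patent: it simulates the VMM's check before each entry into the virtual machine and the hardware check of the control bit when the guest issues a cache instruction. The bit position inside register No. 22 and the guest address ranges (modelled on the MIPS32 segment layout) are assumptions, since the patent specifies neither.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumptions, not taken from the patent: the bit position inside CP0
 * register No. 22, and a guest layout modelled on the MIPS32 segments
 * (supervisor segment 0xC0000000-0xDFFFFFFF, user segment below 0x80000000). */
#define REG22_CACHE_DIRECT (1u << 0)     /* hypothetical bit position */
#define GUEST_OS_BASE      0xC0000000u   /* assumed guest OS (supervisor) range */
#define GUEST_OS_LIMIT     0xDFFFFFFFu

enum guest_state  { GUEST_NOT_IN_OS, GUEST_IN_OS };
enum cache_result { CACHE_TRAPPED, CACHE_EXECUTED };

struct vcpu {
    uint32_t cp0_reg22;   /* simulated CP0 register No. 22 */
    uint32_t resume_pc;   /* address at which the guest resumes */
};

/* Software side: decide the guest state from the resume address alone.
 * Anything outside the guest OS range is treated as "not in OS", so an
 * unexpected address leaves direct execution forbidden. */
enum guest_state classify_guest(uint32_t pc)
{
    return (pc >= GUEST_OS_BASE && pc <= GUEST_OS_LIMIT) ? GUEST_IN_OS
                                                         : GUEST_NOT_IN_OS;
}

/* VMM hook run before every entry into the guest. The bit is recomputed
 * each time, so a value opened for the guest OS never carries over into
 * a guest user program. */
void vmm_prepare_entry(struct vcpu *v, uint32_t resume_pc)
{
    v->resume_pc = resume_pc;
    if (classify_guest(resume_pc) == GUEST_IN_OS)
        v->cp0_reg22 |= REG22_CACHE_DIRECT;
    else
        v->cp0_reg22 &= ~REG22_CACHE_DIRECT;
}

/* Hardware side: a guest cache instruction executes directly only when the
 * control bit is on; otherwise it raises an exception handled by the host. */
enum cache_result guest_cache_insn(const struct vcpu *v)
{
    return (v->cp0_reg22 & REG22_CACHE_DIRECT) ? CACHE_EXECUTED : CACHE_TRAPPED;
}

/* Replay a trace of guest entries, one cache instruction per entry, and
 * return how many of them executed directly. */
int count_direct(const uint32_t *pcs, int n)
{
    struct vcpu v = {0, 0};
    int direct = 0;
    for (int i = 0; i < n; i++) {
        vmm_prepare_entry(&v, pcs[i]);
        if (guest_cache_insn(&v) == CACHE_EXECUTED)
            direct++;
    }
    return direct;
}

int main(void)
{
    /* Constructed trace: guest OS, user program, guest OS, unmapped-for-guest. */
    const uint32_t trace[] = {0xC0001000u, 0x00400000u, 0xC0002000u, 0x80000000u};
    printf("direct cache executions: %d of 4\n", count_direct(trace, 4));
    return 0;
}
```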
As the above embodiment shows, the system virtual machine and method provided by the invention add a control bit through hardware design, which ensures that non-sensitive privileged instructions can feasibly execute directly in the virtual machine, and ensure through software design the security of non-sensitive privileged instructions when they execute directly in the virtual machine. Because non-sensitive privileged instructions can execute directly and safely in the virtual machine, their execution efficiency in the virtual machine is improved.
The above embodiments further describe the object, technical solution and beneficial effects of the invention. It should be understood that the foregoing is only a specific embodiment of the invention and is not intended to limit its scope of protection; any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within the scope of protection of the invention.

Claims (4)

1. A system virtual machine for improving the execution efficiency of non-sensitive privileged instructions, comprising a host and at least one virtual machine, the host and the virtual machine running on a CPU, the CPU comprising a register, characterized in that a control bit is additionally provided in the register to control whether non-sensitive privileged instructions can execute directly in the virtual machine;
wherein, before entering the virtual machine, the host determines the state of the virtual machine from the address of the operating system and the address of the user program, as distinguished by compiling the virtual machine's operating system, and sets the control bit according to the result:
when the virtual machine is executing the virtual machine's operating system, the control bit is set to on, allowing non-sensitive privileged instructions to run directly in the virtual machine; when the virtual machine exits the virtual machine's operating system, the control bit is set to off, forbidding non-sensitive privileged instructions from running directly in the virtual machine.
2. The system virtual machine of claim 1, characterized in that the host comprises a virtual machine monitor (VMM), and the VMM is configured so that the state of the virtual machine is determined before the host enters the virtual machine.
3. A method for improving the execution efficiency of non-sensitive privileged instructions, wherein a host and a virtual machine run on a CPU, the CPU comprises a register, and the register has a control bit that controls whether non-sensitive privileged instructions can execute directly in the virtual machine, the method comprising:
before entering the virtual machine, the host determines the state of the virtual machine from the address of the operating system and the address of the user program, as distinguished by compiling the virtual machine's operating system, and sets the control bit according to the result:
when the virtual machine is executing the virtual machine's operating system, the control bit is set to on, allowing non-sensitive privileged instructions to run directly in the virtual machine; when the virtual machine exits the virtual machine's operating system, the control bit is set to off, forbidding non-sensitive privileged instructions from running directly in the virtual machine.
4. The method of claim 3, characterized in that a virtual machine monitor (VMM) is configured so that the state of the virtual machine is determined before the host enters the virtual machine.

Priority Applications (1)

Application number: CN201210271838.5A
Publication: CN102855154B (en)
Priority date: 2012-08-01
Filing date: 2012-08-01
Title: System virtual machine and method for improving the execution efficiency of non-sensitive privileged instructions

Publications (2)

CN102855154A, published 2013-01-02
CN102855154B, published 2015-08-26

Family ID: 47401763

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: 100095 Building 2, Longxin Industrial Park, Zhongguancun environmental protection technology demonstration park, Haidian District, Beijing

Patentee after: Loongson Zhongke Technology Co.,Ltd.

Address before: 100190 No. 10 South Road, Zhongguancun Academy of Sciences, Haidian District, Beijing

Patentee before: LOONGSON TECHNOLOGY Corp.,Ltd.