CN113626148A - Terminal virtual machine generation system and method based on hybrid virtualization

Publication number
CN113626148A
Authority
CN
China
Legal status
Granted
Application number
CN202110883775.8A
Other languages
Chinese (zh)
Other versions
CN113626148B (en)
Inventor
黄玉琪
Current Assignee
Zhejiang Zhongdian Yuanwei Technology Co ltd
Original Assignee
Zhejiang Zhongdian Yuanwei Technology Co ltd
Application filed by Zhejiang Zhongdian Yuanwei Technology Co ltd
Priority to CN202110883775.8A
Publication of CN113626148A
Application granted
Publication of CN113626148B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45562 Creating, deleting, cloning virtual machine instances
    • G06F2009/45587 Isolation or security of virtual machine instances

Abstract

The invention discloses a terminal virtual machine generation system and method based on hybrid virtualization. The system comprises a virtual machine monitor, a main virtual machine containing a native operating system, and a slave virtual machine responsible for data forwarding operations. The virtual machine monitor provides virtualized hardware resources for the native operating system running on the upper layer. The main virtual machine is connected with the virtual machine monitor, interacts with the management API provided by the virtual machine monitor, and manages the virtual machine environment through a management tool in user mode. The slave virtual machine is connected with the virtual machine monitor, maps the virtual device driver of the main virtual machine by means of device mapping, and shares the virtual device driver with the main virtual machine.

Description

Terminal virtual machine generation system and method based on hybrid virtualization
Technical Field
The invention relates to the technical field of virtual machines, in particular to a terminal virtual machine generation system and method based on hybrid virtualization.
Background
By Goldberg's definition, a virtual machine monitor is software that is capable of creating efficient, isolated copies of a computer system. These copies are known as virtual machines (VMs), in which a subset of the virtual processor's instruction set can be executed directly on the physical processor. According to where and how the Virtual Machine Monitor (VMM) is implemented in the overall physical system, Goldberg defines two virtual machine monitor models, namely the Type I VMM and the Type II VMM; the specific structure is shown in FIG. 1.
The Type I VMM is installed before any operating system, and guest operating systems are then installed on top of the virtual machine monitor. With hardware support it can achieve the best performance; IBM VM/370, VMware ESX Server, Xen, Denali, etc. all belong to this type. Type I VMMs are typically implemented in the form of a lightweight operating system. The Type II VMM is installed on an existing host operating system, and the virtual machine monitor manages and accesses various resources (such as files and various I/O devices) through the host operating system; examples are VMware Workstation, Parallels Workstation and the like.
Virtualization at the hardware abstraction layer provides strong isolation of guest virtual systems (both between guest operating systems and between a guest operating system and the host operating system). This isolation enables different types of operating systems to run on the same physical platform at the same time, and operations such as restarting one operating system do not affect the others. From the user's perspective, isolation allows the physical platform to be divided into different virtual machines. Since the user is faced with a virtual machine, the user has to do more system installation and configuration work.
Therefore, the invention provides a terminal virtual machine generation system and method based on hybrid virtualization.
Disclosure of Invention
The invention aims to provide a terminal virtual machine generation system and method based on hybrid virtualization, aiming at the defects of the prior art.
In order to achieve the purpose, the invention adopts the following technical scheme:
a terminal virtual machine generation system based on hybrid virtualization comprises a virtual machine monitor, a main virtual machine containing a native operating system, and a slave virtual machine responsible for data forwarding operations;
the virtual machine monitor is used for providing virtualized hardware resources for the native operating system running on the upper layer;
the main virtual machine is connected with the virtual machine monitor and is used for interacting with a management API provided by the virtual machine monitor and managing the virtual machine environment through a management tool in user mode;
the slave virtual machine is connected with the virtual machine monitor and is used for mapping the virtual device driver of the main virtual machine by means of device mapping and sharing the virtual device driver with the main virtual machine.
Further, a management machine is also arranged in the main virtual machine; the management machine is used for managing the external equipment.
Further, the virtual machine monitor further includes virtual machine management, memory management, local interrupt/exception management, local virtual device, remote virtual device, and a management interface.
Further, the local interrupt/exception management includes: external device interrupts are handled by a hypervisor in the main virtual machine, and external device exceptions are handled by the virtual machine monitor kernel.
Further, the memory management includes modifying the management machine, and management by the virtual monitor of the memory belonging to the virtual monitor.
Correspondingly, a terminal virtual machine generation method based on hybrid virtualization is also provided, and the method comprises the following steps:
the virtual machine monitor provides virtualized hardware resources for a native operating system running on an upper layer;
the main virtual machine containing the native operating system is responsible for interacting with a management API provided by the virtual machine monitor, and manages the virtual machine environment through a management tool in user mode;
and the slave virtual machine responsible for the data forwarding operation maps the virtual device driver of the main virtual machine by means of device mapping, and shares the virtual device driver with the main virtual machine.
Compared with the prior art, the invention has the beneficial effects that:
1) Hardware virtualization is combined with operating system virtualization, so that hardware virtualization no longer depends on bare-metal installation while the underlying security of hardware virtualization is retained; this also solves the problem that the security of operating system virtualization depends on the host operating system, which is the root cause why traditional operating system virtualization products cannot serve as terminal security products.
2) The hybrid virtualization technology can inherit all data and applications of the original terminal PC environment: the original environment is encapsulated and imported into the main virtual machine, so that the terminal assets are inherited successfully.
3) The hybrid virtualized terminal virtual machines have high security isolation, and can be applied to various operating system environments including Windows, management machines and various domestic operating systems.
Drawings
FIG. 1 is a schematic diagram of the architecture of the Type I VMM and Type II VMM described in the background art;
FIG. 2 is a diagram illustrating the hybrid virtualized virtual machine monitor architecture according to the first embodiment;
FIG. 3 is a schematic diagram of an implementation model of the virtual machine monitor according to the second embodiment;
FIG. 4 is a schematic diagram of maskable interrupt delivery according to the second embodiment;
FIG. 5 is a diagram illustrating the physical address space layout of the x86 platform according to the second embodiment;
FIG. 6 is a diagram of x86 two-level address translation according to the second embodiment;
FIG. 7 is a diagram illustrating the EPT address translation mechanism according to the second embodiment;
FIG. 8 is a schematic diagram illustrating the operating principle of the virtual memory of the virtual machine monitor according to the second embodiment;
FIG. 9 is a schematic diagram of the virtual memory management structure of the virtual machine monitor according to the second embodiment;
FIG. 10 is a schematic diagram of the page reclamation algorithm and structure of the virtual machine monitor according to the second embodiment;
FIG. 11 is a schematic diagram of the I/O virtualization framework according to the second embodiment;
FIG. 12 is a schematic diagram of the interaction between a virtual machine and the I/O processor on input according to the second embodiment;
FIG. 13 is a schematic diagram of the interaction between a virtual machine and the I/O processor on output according to the second embodiment.
Detailed Description
The embodiments of the present invention are described below with reference to specific embodiments, and other advantages and effects of the present invention will be easily understood by those skilled in the art from the disclosure of the present specification. The invention is capable of other and different embodiments and of being practiced or of being carried out in various ways, and its several details are capable of modification in various respects, all without departing from the spirit and scope of the present invention. It is to be noted that the features in the following embodiments and examples may be combined with each other without conflict.
The invention aims to provide a terminal virtual machine generation system and method based on hybrid virtualization, aiming at the defects of the prior art.
Example one
The terminal virtual machine generation system based on hybrid virtualization provided by this embodiment comprises a virtual machine monitor, a main virtual machine containing a native operating system, and a slave virtual machine responsible for data forwarding operations;
the virtual machine monitor is used for providing virtualized hardware resources for the native operating system running on the upper layer;
the main virtual machine is connected with the virtual machine monitor and is used for interacting with a management API provided by the virtual machine monitor and managing the virtual machine environment through a management tool in user mode;
the slave virtual machine is connected with the virtual machine monitor and is used for mapping the virtual device driver of the main virtual machine by means of device mapping and sharing the virtual device driver with the main virtual machine.
This embodiment provides a new virtualization technology that combines hardware virtualization and operating system virtualization. The security of the terminal is guaranteed through hardware virtualization, while installation and use are simplified through a variant of operating system virtualization. The principle is shown in FIG. 2.
The hybrid virtual machine monitor (Hypervisor) is located between the operating system and the hardware, and is responsible for providing virtualized hardware resources for an operating system kernel running on the upper layer, managing and allocating the resources, and ensuring mutual isolation between the upper-layer virtual machines. This embodiment adopts a hybrid mode: a main virtual machine is set up to assist in managing the other virtual machines and to provide virtual resource services, and the remaining virtual machines are called slave virtual machines.
It should be noted that the main virtual machine designed in this embodiment presents the native operation interface, and this native operation interface is what the user sees during operation.
The Hypervisor provides an abstraction layer for the virtual machines, which contains APIs to manage and virtualize hardware. The main virtual machine internally contains the real device drivers (the native operating system), can directly access physical hardware, is responsible for interacting with the management API provided by the Hypervisor, and manages the virtual machine environment through a management tool in user mode.
The main virtual machine is responsible for virtual machine management, virtual machine device drivers, inheritance of the native operating system and the like. The slave virtual machine maps the virtual devices of the main virtual machine for its own use by means of device mapping, and can share device drivers with the main virtual machine, so as to achieve a lightweight terminal virtual machine.
In this virtual machine architecture, all real hardware access is initiated by the virtual device driver of the main virtual machine calling a native device driver. The virtual device driver of the slave virtual machine is very simple: it only needs to forward data and does not need to schedule requests, because it is not a real device driver. The virtual device driver running in the main virtual machine can use the existing device drivers of the original operating system to complete hardware access; only a mapping and forwarding function for I/O requests needs to be added, that is, the distribution and return of tasks.
This embodiment can reuse the original operating system on the PC. Because the target machine is a terminal PC, the end user cannot be required to install a virtual machine on bare metal, and the original operating system holds many applications and data that must be kept, so preserving the original operating system is very important. This embodiment packages the original operating system into the main virtual machine, so that the hardware drivers of the original operating system can be used and the product can be installed more conveniently.
The hybrid virtualization technology provided by the embodiment balances the security and the practicability of the virtual machine, and provides a solid technical foundation for the cross-domain security terminal.
The beneficial effects of this embodiment are:
1) Hardware virtualization is combined with operating system virtualization, so that hardware virtualization no longer depends on bare-metal installation while the underlying security of hardware virtualization is retained; this also solves the problem that the security of operating system virtualization depends on the host operating system, which is the root cause why traditional operating system virtualization products cannot serve as terminal security products.
2) The hybrid virtualization technology can inherit all data and applications of the original terminal PC environment: the original environment is encapsulated and imported into the main virtual machine, so that the terminal assets are inherited successfully.
3) The hybrid virtualized terminal virtual machines have high security isolation, and can be applied to various operating system environments including Windows, management machines and various domestic operating systems.
Correspondingly, the embodiment also provides a terminal virtual machine generation method based on hybrid virtualization, which includes:
the virtual machine monitor provides virtualized hardware resources for a native operating system running on an upper layer;
the main virtual machine containing the native operating system is responsible for interacting with a management API provided by the virtual machine monitor, and manages the virtual machine environment through a management tool in user mode;
and the slave virtual machine responsible for the data forwarding operation maps the virtual device driver of the main virtual machine by means of device mapping, and shares the virtual device driver with the main virtual machine.
Example two
The difference between the terminal virtual machine generation system based on hybrid virtualization provided in this embodiment and the first embodiment is that:
the present embodiment specifically describes the installation and usage of the system.
Fig. 3 is a schematic diagram of a model implemented by a virtual monitor. The virtual monitor installs a management and I/O processor on the lower layer of the native operating system, and realizes I/O virtualization by using the powerful support of the native operating system to the I/O device. The supervisor runs on the main processor BSP, occupies part of the physical memory, but is responsible for managing all the external devices, and all the external interrupts are transmitted to the supervisor. In addition, a hypervisor is also run in the user mode of the hypervisor through the native operating system, and is responsible for the work of creating, configuring, starting, stopping and the like of the virtual machine.
The remaining parts of the virtual monitor run on each AP processor in SMP mode and are implemented as a monolithic kernel, comprising six types of modules: virtual machine management (kernel state), memory management, local interrupt/exception management, local virtual devices, remote virtual devices and a management interface.
Installation and boot start:
The system is installed on the native operating system, but the virtual monitor has to run beneath the native operating system. The operating system boot record therefore needs to be modified so that a virtual monitor boot module runs after BIOS verification. The boot module starts the virtual monitor, the virtual monitor creates a virtual machine, and the native operating system is incorporated into the main virtual machine together with all data resources and application resources on the original terminal. The slave virtual machine image, the guest operating system of the slave virtual machine and the newly imported image are created in the existing spare space of the hard disk.
The interrupt/exception management is specifically:
For operating systems in the traditional sense, external interrupts are generated by I/O devices and are global: any processor can handle an external interrupt. Exceptions are local: each processor can generate an exception. Since the virtual supervisor uses the hypervisor in the main virtual machine as a dedicated I/O handler, all external interrupts are handled by the hypervisor in the main virtual machine, but the virtual supervisor kernel must handle exceptions, as well as the inter-processor interrupts (IPIs) sent to the APs. Thus, the interrupt and exception handling part essentially includes two tasks: modifying the interrupt response handling so that all external interrupts are directed to the BSP, and supporting the AP processors' local interrupts and the IPIs directed to them.
x86 supports 256 interrupts and exceptions. The first 32 vectors are used for exceptions or are reserved, and the remaining 224 are left to maskable interrupts and user-defined traps, as shown in Table 1.
TABLE 1 Allocation of x86 interrupt and exception vectors [table image not available]
Exceptions are local: each processor generates its own exceptions. Interrupts are global and may be delivered to any processor. The processor determines the entry address of the Interrupt Service Routine (ISR) in the IDT based on the exception or interrupt type number.
The maskable interrupt is delivered to the processor by an interrupt controller (8259A/IOAPIC/LAPIC), as shown in FIG. 4. In an SMP/multi-core architecture, interrupts generated by the same device may be posted by the IOAPIC to any processor.
On SMP/multi-core platforms, the 8259A is typically integrated in the south bridge chip and provides interrupts to the BSP only during system boot and initialization; later interrupts must all be passed to the BSP or the APs via the IOAPIC/LAPIC. The LAPIC is integrated in P6, Pentium 4, Intel Xeon, and later Intel 64 and IA-32 processors, and the IOAPIC is integrated in chipsets such as the Intel 82430. The APIC adopts a distributed architecture formed by LAPICs and IOAPICs interconnected through a dedicated bus or the system bus. The LAPIC may receive external interrupts (from the IOAPIC or 8259A), internal interrupts (from an internal clock, etc.), or interrupts from other processors (IPIs) and pass them to the processor core; the IOAPIC is used to receive interrupts from devices and pass them to a selected processor or group of processors.
To ensure compatibility, the APIC may work with the 8259A. The hardware supports three interrupt modes: PIC Mode, Virtual Wire Mode, and Symmetric I/O Mode. The first two remain compatible with the PC/AT architecture, and at least one of them should be supported by the BIOS for booting the multiprocessor system. After the multiprocessor system boots, the operating system should switch the interrupt mode to Symmetric I/O Mode.
In the x86 architecture, the interrupt source may be shared, i.e., multiple external devices send interrupt requests over an interrupt request line, which requires identification of which device issued the interrupt request in conjunction with the ISR.
When all external device interrupts are handed to the supervisor on the BSP for processing, the number of interrupts sent to the AP processors is greatly reduced; what remains is mainly inter-processor interrupts (IPIs) and clock interrupts generated by the LAPICs. LAPIC clock interrupts need corresponding bottom-half processing, for which the processing approach of the supervisor can serve as a reference.
Exceptions are local, arrive synchronously, and are handled in the context of each process. When the system is initialized, the virtual machine monitor initializes the lower 32 interrupt vectors of the IDT of each processor to the entries of the corresponding exceptions, and different exceptions correspond to different exception handlers.
The memory management specifically comprises the following steps:
The memory management part comprises two major parts: first, the management machine is modified to give up management of part of the physical memory and hand the management right to the kernel of the virtual machine monitor; second, the management of the memory that belongs to the virtual machine monitor.
The physical address space of the x86 platform is continuous, but the storage medium may be discrete, including: RAM, ROM and MMIO. The address signal sent by the processor is analyzed by the memory controller and the chip set and then sent to the corresponding medium. The layout of the physical address space of the x86 platform is shown in FIG. 5.
The conventional x86 processor employs a two-level memory management mechanism, wherein a segment management mechanism is necessary, and if a page management mechanism is activated, a linear address needs to be processed by the page management mechanism to obtain a physical address, as shown in fig. 6.
On the latest x86 processors that support virtualization, a third level of address translation is also supported, namely the translation of guest physical addresses to host physical addresses. The newly added address translation mechanism is referred to as EPT (Extended Page Table) or NP (Nested Page). FIG. 7 shows the basic operating principle of Intel EPT.
In a conventional OS, virtual memory management is responsible for maintaining the relationship between linear addresses and physical addresses or disk block addresses. The virtual memory management of the virtual machine monitor, by contrast, is responsible for maintaining the relationship between the Guest Physical Addresses (GPA) of the main/slave virtual machines and Host Physical Addresses (HPA) or disk block addresses. Its operating principle is shown in FIG. 8.
The virtual machine monitor maintains for each virtual machine a structure of type gpa_space_t to represent the guest physical address space of the VM, and a set of EPT page tables to map the guest physical addresses of the main and slave virtual machines to host physical addresses or to the swap area. The guest physical address space is usually discontinuous, and its layout varies according to the configuration of the VM, so a contiguous piece of guest physical address space is represented by a gpa_area_t. A VM may have several gpa_area_t structures, which form a linked list whose head is stored in the gpa_areas field of gpa_space_t. The structure of virtual memory management is shown in FIG. 9.
When multiple VMs run simultaneously, physical memory comes under pressure, so physical memory has to be reclaimed and swapped out. A traditional OS does this as follows: the memory occupied by the kernel is regarded as non-paged memory and is never reclaimed or swapped out; the memory occupied by user processes is added to a page cache or an LRU queue that records how recently it was used, and pages that have not been used recently can be reclaimed or swapped out.
The virtual machine monitor first needs to guarantee the native memory requirement of the main virtual machine. Second, it cannot assume which guest physical address range is occupied by the guest OS kernel of the main/slave virtual machines, cannot see the page cache and LRU queue of the guest operating system, and the hardware does not even set an access bit (A bit) in the EPT table entry, all of which make it difficult for the CECyw-VMM to determine which pages to reclaim and swap out.
The virtual machine monitor uses a second-chance LRU algorithm to determine page usage. To determine which physical pages have been accessed recently, the virtual machine monitor sets up two page queues, called active_VM_list and inactive_VM_list; the related structure is shown in FIG. 10.
The algorithm works as follows:
1. Pages initially assigned to the VM are linked into inactive_VM_list, and the RA/WA/EA bits in their EPT entries are all set to 0, prohibiting any access to these pages.
2. If a page is in inactive_VM_list and its RA/WA/EA bits are all 0, accessing the page causes a page fault. The page fault handler sets the RA/WA/EA bits in the EPT entry to 1, sets the accessed field in the page's page_t structure to 1, records the access time access_time, and moves the page to the head of active_VM_list.
3. The kernel thread kswapd periodically scans a certain number of pages at the tail of the active_VM_list queue and checks the accessed field in the page_t structure:
a) If the accessed field is 1 and current_time - access_time > threshold, the accessed field is cleared to 0 and the RA/WA/EA bits in the corresponding EPT entry are cleared to 0.
b) If the accessed field is 0, the page is moved to the head of the inactive_VM_list queue.
4. If a page is in active_VM_list and its RA/WA/EA bits are all 0, then when the page is accessed it is moved to the head of the active_VM_list queue, the RA/WA/EA bits in the EPT entry are set to 1, and the accessed field in the page's page_t structure is set to 1.
5. The kernel thread kswapd periodically scans a certain number of pages at the tail of the inactive_VM_list queue and checks the accessed field in the page_t structure:
a) If the accessed field is 0, the page is swapped out to the swap area.
b) If the accessed field is 1, this is an error case: BUG().
In addition, when physical memory is short, the virtual machine monitor can also reclaim free pages from the Slab allocator.
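The state machine of steps 1 to 5, as an added C model rather than code from the patent: EPT permissions are revoked so that the next guest access faults, and that fault stands in for the accessed bit the hardware does not provide. Queue order (head/tail) and swap-in are not modelled; `NPAGES`, `THRESHOLD`, `ept_rwx`, `queue_t` and the function names are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

enum { NPAGES = 4, THRESHOLD = 10 };                 /* constructed values */
typedef enum { INACTIVE, ACTIVE, SWAPPED } queue_t;  /* list membership only */
/* ept_rwx models the RA/WA/EA bits of the EPT entry; accessed is the page_t field. */
typedef struct { bool ept_rwx, accessed; int access_time; queue_t queue; } page_t;
static page_t pages[NPAGES];

void vm_init(void) {                                 /* step 1 */
    for (int i = 0; i < NPAGES; i++)
        pages[i] = (page_t){ false, false, 0, INACTIVE };
}
/* Steps 2 and 4: returns 1 if an EPT fault was taken, 0 if not, -1 if swapped out. */
int guest_access(int i, int now) {
    page_t *p = &pages[i];
    if (p->queue == SWAPPED) return -1;              /* swap-in is not modelled */
    if (p->ept_rwx) return 0;                        /* permitted: the VMM sees nothing */
    if (p->queue == INACTIVE) p->access_time = now;  /* only step 2 records the time */
    p->ept_rwx = p->accessed = true;
    p->queue = ACTIVE;
    return 1;
}
/* Step 3: returns the number of pages demoted to inactive_VM_list. */
int kswapd_scan_active(int now) {
    int demoted = 0;
    for (page_t *p = pages; p < pages + NPAGES; p++) {
        if (p->queue != ACTIVE) continue;
        if (!p->accessed) { p->queue = INACTIVE; demoted++; }          /* 3b */
        else if (now - p->access_time > THRESHOLD)
            p->accessed = p->ept_rwx = false;                          /* 3a */
    }
    return demoted;
}
/* Step 5: returns the number of pages swapped out, or -1 for the BUG() case. */
int kswapd_scan_inactive(void) {
    int swapped = 0;
    for (page_t *p = pages; p < pages + NPAGES; p++) {
        if (p->queue != INACTIVE) continue;
        if (p->accessed) return -1;                                    /* 5b */
        p->queue = SWAPPED; swapped++;                                 /* 5a */
    }
    return swapped;
}

int main(void) {
    vm_init(); guest_access(0, 1); kswapd_scan_active(20); kswapd_scan_active(21);
    printf("swapped out: %d\n", kswapd_scan_inactive());
    return 0;
}
```

A page therefore needs two active-list scans without an intervening access before it is demoted: the first revokes its permissions, the second finds the accessed field still 0.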
I/O management specifically includes the following.
The primary purpose of the I/O handler is to implement device virtualization using the rich set of device drivers in the hypervisor. The I/O virtualization framework of the virtual machine monitor is shown in Fig. 11.
The virtual machines communicate with each other using shared memory and an IPI mechanism. The shared memory can be organized as a ring data structure, which avoids the use of locks and improves communication efficiency. When the shared memory area is full and the virtual machine monitor fetches data from it, the shared memory changes from the full state to a state with free space; at that point the virtual machine monitor should wake the hypervisor by sending it an IPI.
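A single-producer, single-consumer ring matching the paragraph above, as an added example that is not code from the patent: the consumer stands in for the virtual machine monitor and reports when a fetch must be followed by an IPI. The `ring_t` layout, the function names and the `producer_waiting` flag are assumptions; the flag keeps the wake-up from being lost when the producer's full check races with the consumer's fetch.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define RING_SIZE 8u                     /* constructed; must be a power of two */
typedef struct {                         /* laid out in the shared memory region */
    atomic_uint head;                    /* advanced only by the producer */
    atomic_uint tail;                    /* advanced only by the consumer */
    atomic_bool producer_waiting;        /* assumed flag: producer found the ring full */
    uint8_t data[RING_SIZE];
} ring_t;

/* Producer side. Returns false when the ring is full and the caller should
   sleep until the consumer's IPI arrives. */
bool ring_put(ring_t *r, uint8_t byte) {
    unsigned head = atomic_load(&r->head);
    if (head - atomic_load(&r->tail) >= RING_SIZE) {
        atomic_store(&r->producer_waiting, true);     /* announce, then re-check */
        if (head - atomic_load(&r->tail) >= RING_SIZE) return false;
        atomic_store(&r->producer_waiting, false);    /* space appeared meanwhile */
    }
    r->data[head % RING_SIZE] = byte;
    atomic_store(&r->head, head + 1);                 /* publish after the data write */
    return true;
}

/* Consumer side. Returns false when empty. *send_ipi is set when this fetch
   freed space in a ring the producer had found full. */
bool ring_get(ring_t *r, uint8_t *out, bool *send_ipi) {
    unsigned tail = atomic_load(&r->tail);
    unsigned used = atomic_load(&r->head) - tail;
    *send_ipi = false;
    if (used == 0 || used > RING_SIZE) return false;  /* empty, or indices inconsistent */
    *out = r->data[tail % RING_SIZE];
    atomic_store(&r->tail, tail + 1);
    *send_ipi = atomic_exchange(&r->producer_waiting, false);
    return true;
}

int main(void) {
    static ring_t r; uint8_t b; bool ipi; int ipis = 0;
    for (uint8_t i = 0; i < 10; i++) ring_put(&r, i); /* last two puts find it full */
    while (ring_get(&r, &b, &ipi)) ipis += ipi;
    printf("IPIs sent while draining: %d\n", ipis);
    return 0;
}
```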
Assume that the virtual machine VM is configured with a virtual serial port that uses a physical serial port as its medium. Taking serial port input as an example, the interaction between the virtual machine and the I/O handler is shown in Fig. 12.
1. When input arrives on the physical serial port, the management machine receives the interrupt, calls the relevant driver, and wakes QEMU.
2. QEMU records the serial port input in the structure describing the state of the virtual serial port device and also copies the input to the shared memory.
3. QEMU registers an interrupt with the virtual machine monitor by means of an IPI.
4. When the VM is scheduled, the virtual machine monitor injects an interrupt into the VM.
5. The guest operating system in the VM handles the interrupt and then issues a read I/O request.
6. The virtual machine monitor intercepts the request and notifies QEMU to perform a read request on the virtual device, so that QEMU deletes the input data from the virtual device.
7. The virtual machine monitor takes the input data from the shared memory and delivers it to the VM.
Next, taking serial port output as an example, the interaction between the virtual machine and the I/O handler is shown in Fig. 13.
1. The VM issues a write I/O request, which is intercepted by the virtual machine monitor.
2. The virtual machine monitor copies the data being written to the shared memory.
3. The virtual machine monitor sends an IPI to the management machine to signal that an output operation has arrived.
4. The management machine informs QEMU that the output operation has arrived, and QEMU takes the output data from the shared memory.
5. QEMU executes the write operation.
6. QEMU registers an interrupt with the virtual machine monitor by means of an IPI, signalling that the output operation is complete.
7. When the VM is scheduled, the virtual machine monitor injects an interrupt into the VM.
Compared with the prior art, the invention has the following beneficial effects:
1) Hardware virtualization is combined with operating system virtualization. This removes hardware virtualization's dependence on bare-metal installation while retaining its low-level security, and it also solves the problem that the security of operating system virtualization depends on the host operating system, which is the root cause of traditional operating system virtualization products being unable to serve as terminal security products.
2) The hybrid virtualization technology can inherit all data and applications of the original terminal PC environment: the original environment is encapsulated and imported into the main virtual machine, so that the terminal assets are inherited successfully.
3) The hybrid virtualized terminal virtual machines are strongly isolated from one another and can be applied to various operating system environments, including Windows, management machines and various domestic operating systems.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (6)

1. A terminal virtual machine generation system based on hybrid virtualization is characterized by comprising a virtual machine monitor, a primary virtual machine containing a native operating system, and a secondary virtual machine responsible for data forwarding operation;
the virtual machine monitor is used for providing virtualized hardware resources for a native operating system running on an upper layer;
the main virtual machine is connected with the virtual machine monitor and is used for interacting with a management API provided by the virtual machine monitor and managing a virtual machine environment through a management tool in a user mode;
the slave virtual machine is connected with the virtual machine monitor and used for mapping the virtual device driver of the master virtual machine in a device mapping mode and sharing the virtual device driver with the master virtual machine.
2. The system for generating a terminal virtual machine based on hybrid virtualization according to claim 1, wherein a management machine is further arranged in the primary virtual machine; the management machine is used for managing the external equipment.
3. The hybrid virtualization-based terminal virtual machine generation system of claim 1, wherein the virtual machine monitor further comprises virtual machine management, memory management, local interrupt/exception management, local virtual devices, remote virtual devices, and a management interface.
4. A hybrid virtualization-based terminal virtual machine generation system according to claim 3, wherein the local interrupt/exception management comprises: the external device interrupts are handled by a hypervisor in the primary virtual machine and the external device exceptions are handled by the virtual machine monitor kernel.
5. The hybrid virtualization-based terminal virtual machine generation system according to claim 3, wherein the memory management includes modification of a hypervisor and management of memory associated with the virtual monitor.
6. A terminal virtual machine generation method based on hybrid virtualization is characterized by comprising the following steps:
the virtual machine monitor provides virtualized hardware resources for a native operating system running on an upper layer;
the main virtual machine comprising a native operating system is responsible for interacting with a management API provided by a virtual machine monitor, and managing a virtual machine environment through a management tool in a user mode;
and the slave virtual machine, which is in charge of the data forwarding operation, maps the virtual device driver of the main virtual machine in a device mapping mode, and shares the virtual device driver with the main virtual machine.
CN202110883775.8A 2021-08-03 2021-08-03 Terminal virtual machine generation system and method based on hybrid virtualization Active CN113626148B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110883775.8A CN113626148B (en) 2021-08-03 2021-08-03 Terminal virtual machine generation system and method based on hybrid virtualization

Publications (2)

Publication Number Publication Date
CN113626148A (en) 2021-11-09
CN113626148B (en) 2024-02-09

Family

ID=78382344

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant