CN113626148B - Terminal virtual machine generation system and method based on hybrid virtualization - Google Patents
Terminal virtual machine generation system and method based on hybrid virtualization Download PDFInfo
- Publication number
- CN113626148B CN113626148B CN202110883775.8A CN202110883775A CN113626148B CN 113626148 B CN113626148 B CN 113626148B CN 202110883775 A CN202110883775 A CN 202110883775A CN 113626148 B CN113626148 B CN 113626148B
- Authority
- CN
- China
- Prior art keywords
- virtual machine
- virtual
- monitor
- terminal
- management
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 19
- 238000013507 mapping Methods 0.000 claims abstract description 14
- 238000005516 engineering process Methods 0.000 description 16
- 238000010586 diagram Methods 0.000 description 14
- 238000002955 isolation Methods 0.000 description 7
- 230000007246 mechanism Effects 0.000 description 7
- 239000008186 active pharmaceutical agent Substances 0.000 description 6
- 230000008569 process Effects 0.000 description 5
- 238000013519 translation Methods 0.000 description 5
- 230000008676 import Effects 0.000 description 4
- 230000003993 interaction Effects 0.000 description 4
- 239000013598 vector Substances 0.000 description 4
- 230000009286 beneficial effect Effects 0.000 description 3
- 238000009434 installation Methods 0.000 description 3
- 239000002184 metal Substances 0.000 description 3
- 238000012545 processing Methods 0.000 description 3
- 101100016034 Nicotiana tabacum APIC gene Proteins 0.000 description 2
- 230000007547 defect Effects 0.000 description 2
- 238000013461 design Methods 0.000 description 2
- 238000004891 communication Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 239000003208 petroleum Substances 0.000 description 1
- 230000008707 rearrangement Effects 0.000 description 1
- 239000007787 solid Substances 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 230000001360 synchronised effect Effects 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45562—Creating, deleting, cloning virtual machine instances
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45587—Isolation or security of virtual machine instances
Abstract
The invention discloses a terminal virtual machine generation system and a method based on hybrid virtualization, wherein the terminal virtual machine generation system based on hybrid virtualization comprises a virtual machine monitor, a main virtual machine containing a primary operating system and a slave virtual machine responsible for data forwarding operation; the virtual machine monitor is used for providing virtualized hardware resources for a primary operating system running on an upper layer; the host virtual machine is connected with the virtual machine monitor, is responsible for interacting with the management API provided by the virtual machine monitor, and manages the virtual machine environment through a management tool in a user mode; the slave virtual machine is connected with the virtual machine monitor and is used for mapping the virtual device driver of the master virtual machine in a device mapping mode and sharing the virtual device driver with the master virtual machine.
Description
Technical Field
The invention relates to the technical field of virtual machines, in particular to a system and a method for generating a terminal virtual machine based on hybrid virtualization.
Background
The virtual machine monitor is software that is capable of creating efficient, isolated copies for computer systems, as defined by Goldberg. These copies are Virtual Machines (VMs) in which a subset of the instruction set of the Virtual processor can execute directly on the physical processor. According to the implementation position and implementation method of a Virtual Machine Monitor (VMM) in the whole physical system, goldberg defines two virtual machine monitor models, namely a Type I VMM and a Type II VMM, and the specific structure is shown in fig. 1.
The Type I VMM is pre-installed before the operating system and then a guest operating system is installed on top of this virtual machine monitor, which may have the best performance under hardware support, such as IBM VM/370,VMware ESX Server,Xen,Denali, etc., all belonging to such a virtual machine. Type I VMMs are typically implemented in the form of a lightweight operating system. The Type II VMM is installed above an existing host operating system (host operating system), and such a virtual machine monitor manages and accesses various resources (e.g., files and various I/O devices, etc.) through the host operating system, such as VMware Workstation, parallel Workstation, etc.
Virtualization techniques at the hardware abstraction layer have a high degree of isolation of guest virtual systems (including between guest operating systems, between guest operating systems and host operating systems). This isolation allows different types of operating systems to run simultaneously on the same physical platform, and their restart and like operations do not affect each other. The isolation allows the physical platform to be partitioned into different virtual machines from the perspective of the user. Since the user is faced with virtual machines, the user requires more system installation and configuration work.
Therefore, the invention provides a system and a method for generating a terminal virtual machine based on hybrid virtualization.
Disclosure of Invention
The invention aims at overcoming the defects of the prior art, and provides a system and a method for generating a terminal virtual machine based on hybrid virtualization.
In order to achieve the above purpose, the present invention adopts the following technical scheme:
a terminal virtual machine generation system based on hybrid virtualization comprises a virtual machine monitor, a master virtual machine containing a native operating system and a slave virtual machine responsible for data forwarding operation;
the virtual machine monitor is used for providing virtualized hardware resources for a primary operating system running on an upper layer;
the host virtual machine is connected with the virtual machine monitor, is responsible for interacting with the management API provided by the virtual machine monitor, and manages the virtual machine environment through a management tool in a user mode;
the slave virtual machine is connected with the virtual machine monitor and is used for mapping the virtual device driver of the master virtual machine in a device mapping mode and sharing the virtual device driver with the master virtual machine.
Further, a manager is further arranged in the main virtual machine; the supervisor is responsible for managing the external devices.
Further, the virtual machine monitor further comprises virtual machine management, memory management, local interrupt/exception management, local virtual equipment, remote virtual equipment and a management interface.
Further, the local interrupt/exception management includes: the external device interrupt is handled by the supervisor in the host virtual machine and the external device exception is handled by the virtual machine monitor kernel.
Further, the memory management includes modifying the supervisor and managing the memory associated with the supervisor by the virtual monitor.
Correspondingly, the method for generating the terminal virtual machine based on the hybrid virtualization is also provided, and comprises the following steps:
the virtual machine monitor provides virtualized hardware resources for a primary operating system running on an upper layer;
the main virtual machine containing the original operating system is responsible for interacting with a management API provided by the virtual machine monitor, and manages the virtual machine environment through a management tool in a user mode;
the slave virtual machine responsible for data forwarding operation maps the virtual device driver of the master virtual machine in a device mapping manner, and shares the virtual device driver with the master virtual machine.
Compared with the prior art, the invention has the beneficial effects that:
1) Combining hardware virtualization technology and operating system virtualization technology, namely solving the problem that the hardware virtualization technology can be installed independently of bare metal, but still retains the underlying security of hardware virtualization; the problem that the virtualization security of the operating system depends on the host operating system can be solved, and the traditional operating system virtualization product cannot become the root cause of the terminal security product.
2) The mixed virtualization technology can inherit all data and applications of the original terminal PC environment, and import the original environment package into the main virtual machine, so that terminal assets can be inherited smoothly.
3) The terminal virtual machines after the mixed virtualization have high security isolation, and can be suitable for various operating system environments including windows, management machines and various domestic operating systems.
Drawings
FIG. 1 is a schematic diagram of the Type I VMM and Type II VMM architectures provided in the background art;
FIG. 2 is a schematic diagram of a hybrid virtualized virtual machine monitor architecture according to an embodiment;
FIG. 3 is a schematic diagram of an implementation model of a virtual machine monitor according to a second embodiment;
fig. 4 is a schematic diagram of access to a maskable interrupt provided in embodiment two;
FIG. 5 is a diagram of a physical address space layout of an x86 platform according to the second embodiment;
FIG. 6 is a schematic diagram of two-stage address translation of x86 provided in embodiment two;
FIG. 7 is a schematic diagram of an EPT address translation mechanism provided in the second embodiment;
fig. 8 is a schematic diagram of a virtual memory operation principle of a virtual machine monitor according to the second embodiment;
FIG. 9 is a schematic diagram of a virtual memory management structure of a virtual machine monitor according to a second embodiment;
FIG. 10 is a schematic diagram of a page reclamation algorithm and structure of a virtual machine monitor according to a second embodiment;
FIG. 11 is a schematic diagram of an I/O virtualization framework provided by embodiment two;
FIG. 12 is a schematic diagram showing interaction between a virtual machine and an I/O processor at the time of input provided in the second embodiment;
FIG. 13 is a diagram illustrating interaction between a virtual machine and an I/O processor during output provided in the second embodiment.
Detailed Description
Other advantages and effects of the present invention will become apparent to those skilled in the art from the following disclosure, which describes the embodiments of the present invention with reference to specific examples. The invention may be practiced or carried out in other embodiments that depart from the specific details, and the details of the present description may be modified or varied from the spirit and scope of the present invention. It should be noted that the following embodiments and features in the embodiments may be combined with each other without conflict.
The invention aims at overcoming the defects of the prior art, and provides a system and a method for generating a terminal virtual machine based on hybrid virtualization.
Example 1
The terminal virtual machine generation system based on hybrid virtualization comprises a virtual machine monitor, a main virtual machine containing a primary operating system and a slave virtual machine responsible for data forwarding operation;
the virtual machine monitor is used for providing virtualized hardware resources for a primary operating system running on an upper layer;
the host virtual machine is connected with the virtual machine monitor, is responsible for interacting with the management API provided by the virtual machine monitor, and manages the virtual machine environment through a management tool in a user mode;
the slave virtual machine is connected with the virtual machine monitor and is used for mapping the virtual device driver of the master virtual machine in a device mapping mode and sharing the virtual device driver with the master virtual machine.
The embodiment provides a brand new virtualization technology combining hardware virtualization and operating system virtualization, ensures the safety of the terminal through the hardware virtualization technology, and simplifies the installation and use processes through the variant operating system virtualization technology, and the specific principle is shown in fig. 2.
A hybrid virtualized virtual machine monitor (Hypervisor) is located between the operating system and the hardware, and is responsible for providing virtualized hardware resources for the operating system kernel running at the upper layer, managing and allocating these resources, and ensuring mutual isolation between the upper layer virtual machines. In this embodiment, a hybrid mode is adopted, so that one master virtual machine is set to assist in managing other virtual machines and provide virtual resource services, and the other virtual machines are called slave virtual machines.
It should be noted that, the petroleum operation interface of the main virtual machine designed in this embodiment can be seen when the user operates.
Hypervisor provides an abstraction layer to the virtual machine that contains APIs to manage and virtualize hardware. The main virtual machine contains a real device driver (a native operating system), can directly access physical hardware, is responsible for interacting with a management API provided by the Hypervisor, and manages the virtual machine environment through a management tool in a user mode.
The main virtual machine is responsible for virtual machine management, virtual machine equipment driving, inheritance of a native operating system and other matters; the slave virtual machine maps the virtual equipment of the master virtual machine to the slave virtual machine in an equipment mapping mode, and equipment driving can be shared with the master virtual machine, so that the purpose of the lightweight terminal virtual machine is achieved.
In the present virtual architecture design, all real hardware accesses are initiated by the virtual device driver of the host virtual machine invoking the native device driver. The design of the virtual device driver from the virtual machine is very simple, only the forwarding operation of the data needs to be completed, and the request scheduling operation is not needed because the virtual device driver is not a real device driver. The virtual device driver running in the main virtual machine can complete hardware access by using the existing device driver of the original operating system, and only the mapping forwarding function of the IO request, namely the task distribution and the loopback can be completed, needs to be added.
The present embodiment can reuse the original operating system on the PC, and because the target machine is a terminal PC, it is impossible to require the terminal user to install far as a virtual machine on the bare computer, and many applications and data in the original operating system need to be reserved, so it is very important to reserve the original operating system. According to the embodiment, the original operating system is packaged into the main virtual machine, so that not only can the hardware driver of the original operating system be utilized, but also the product can be more conveniently installed.
The hybrid virtualization technology provided by the embodiment balances the safety and practicability of the virtual machine and provides a solid technical foundation for the cross-domain security terminal.
The beneficial effects of this embodiment are:
1) Combining hardware virtualization technology and operating system virtualization technology, namely solving the problem that the hardware virtualization technology can be installed independently of bare metal, but still retains the underlying security of hardware virtualization; the problem that the virtualization security of the operating system depends on the host operating system can be solved, and the traditional operating system virtualization product cannot become the root cause of the terminal security product.
2) The mixed virtualization technology can inherit all data and applications of the original terminal PC environment, and import the original environment package into the main virtual machine, so that terminal assets can be inherited smoothly.
3) The terminal virtual machines after the mixed virtualization have high security isolation, and can be suitable for various operating system environments including windows, management machines and various domestic operating systems.
Correspondingly, the embodiment also provides a method for generating the terminal virtual machine based on hybrid virtualization, which comprises the following steps:
the virtual machine monitor provides virtualized hardware resources for a primary operating system running on an upper layer;
the main virtual machine containing the original operating system is responsible for interacting with a management API provided by the virtual machine monitor, and manages the virtual machine environment through a management tool in a user mode;
the slave virtual machine responsible for data forwarding operation maps the virtual device driver of the master virtual machine in a device mapping manner, and shares the virtual device driver with the master virtual machine.
Example two
The terminal virtual machine generating system based on hybrid virtualization provided in this embodiment is different from the first embodiment in that:
the present embodiment specifically describes the installation and use of the system.
A schematic diagram of a model of a virtual monitor implementation is shown in fig. 3. The virtual monitor installs the management and I/O processor under the native operating system, and utilizes the strong support of the native operating system to the I/O device to implement I/O virtualization. The supervisor runs on the main processor BSP, occupies part of the physical memory, but is responsible for managing all external devices, and all external interrupts are transferred to the supervisor. In addition, a management program is also operated in the user mode of the management machine by means of a native operating system and is responsible for the work of creating, configuring, starting, stopping and the like of the virtual machine.
The rest of the virtual monitor runs on each AP processor in an SMP mode, and the rest of the virtual monitor is realized in a whole kernel mode and specifically comprises the following steps: virtual machine management (kernel mode), memory management, local interrupt/exception management, local virtual device, remote virtual device, management interface, etc. 6 types of modules.
And (3) installing and guiding to start:
the method is characterized in that the method comprises the steps of installing a virtual monitor on a primary operating system, wherein the virtual monitor is required to be operated to a bottom layer of the primary operating system, so that an operating system guide record is required to be modified, after BIOS (basic input output system) verification, a virtual monitor guide module is operated first, then the virtual monitor is started through the virtual monitor guide module, then a virtual machine is created through the virtual monitor, the primary operating system is incorporated into a main virtual machine, and all data resources and application resources on an original terminal are incorporated into the main virtual machine. A slave virtual machine is created on the existing free space of the hard disk, the slave virtual machine's guest operating system being the image to the new import.
Interrupt/exception management is specifically:
for operating systems in the traditional sense, external interrupts generated by I/O devices are global, each processor can handle external interrupts, while exceptions are local, each processor can generate exceptions. Since the virtual monitor employs the hypervisor in the host virtual machine as a dedicated I/O handler, all external interrupts are handled by the hypervisor in the host virtual machine, but the virtual monitor kernel must handle the exception and the inter-processor interrupt IPI sent to the AP. Thus, the interrupt and exception handling portion essentially includes two things, one is the modification and reply manager, which directs all external interrupts to the BSP, and the other is to enable support for the AP processor local interrupts and IPIs directed to them.
The x86 supports 256 interrupts and exceptions, the first 32 interrupt or exception vectors are used for exception or hold vectors, and the remaining 224 are reserved for maskable interrupts and user-defined traps, as shown in Table 1.
Table 1 x86 interrupt and exception vector allocation
Exceptions are local, each processor generates an exception, and interrupts are global, they can be posted to any processor. The processor determines the entry address of an Interrupt Service Routine (ISR) in the IDT based on the exception or interrupt type number.
The maskable interrupt is passed to the processor by the interrupt controller (8259A/IOAPIC/LAPIC), as shown in FIG. 4. In an SMP/multi-core architecture, interrupts generated by the same device may be posted by the IOAPIC to any processor.
On SMP/multi-core platforms, 8259A is typically integrated in the south bridge chip, providing interrupts to the BSP only during system boot and initialization, after which the interrupts must all be passed to the BSP or AP via IOAPIC/LAPIC. LAPIC is integrated in P6, pentium 4, intel Xeon, and later Intel 64 and IA-32 processors, and IOAPIC is integrated in a chipset, such as Intel 82430.APIC adopts a distributed architecture, consisting of LAPIC and IOAPIC interconnected by a dedicated bus or system bus. LAPIC may receive external (from IOAPIC or 8259A), internal (from internal clock, etc.) or other processor (IPI) interrupts and pass them to the processor core; the IOAPIC is operable to receive interrupts from devices and pass them to a selected processor or group of processors.
To ensure compatibility, APIC may work with 8259A. The hardware supports three interrupt modes: PIC Mode, virtual Wire Mode, symmetry I/O Mode. The former two of which may remain compatible with the PC/AT architecture, the BIOS should support AT least one of them for booting of the multiprocessor system. After the multiprocessor boot, the operating system should switch the interrupt mode to Symmetric I/OMode.
In the x86 architecture, the interrupt source may be shared, i.e., multiple external devices send interrupt requests via an interrupt request line, which requires that it be identified with the ISR which device issued the interrupt request.
Under the condition that all external equipment interrupts are submitted to BSP processing of a supervisor, the number of interrupts sent to an AP processor is greatly reduced, mainly the inter-processor interrupts IPI and clock interrupts generated by LAPIC, and for LAPIC clock interrupts, corresponding bottom half processing is needed, and all the works can refer to the processing mode of the supervisor.
Exceptions are local, synchronous to arrive, handled in the context of each process. The virtual machine monitor initializes the low 32 interrupt vectors of the IDT of each processor to the entry of the corresponding exception when the system is initialized, and different exceptions correspond to different exception handlers.
The memory management specifically comprises:
the memory management part comprises two parts, namely, the management machine is modified to give up the management of a part of physical memory, and the management right is given to the kernel of the virtual machine monitor; and secondly, the virtual machine monitor manages the memory which is part of the virtual machine monitor.
The physical address space of the x86 platform is continuous, but the storage medium may be discrete, including: RAM, ROM, and MMIO. Address signals sent by the processor are sent to corresponding media after being analyzed by the memory controller and the chip set. The layout of the physical address space of the x86 platform is shown in fig. 5.
Conventional x86 processors employ a two-level memory management mechanism, where a segment management mechanism is necessary, and if the page management mechanism is activated, the linear address needs to be processed by the page management mechanism to obtain the physical address, as shown in fig. 6.
On the latest x86 processors supporting virtualization, level 3 address translation is also supported, i.e. translation of guest physical address to host physical address, with the newly added address translation mechanism being called EPT (Extended Page Table) or NP (Nested Page). Fig. 7 shows the basic working principle of Intel EPT.
Unlike traditional OS, which is responsible for maintaining the relationship between linear address and physical address or disk block address, virtual memory management of the virtual machine monitor is responsible for maintaining the relationship between host/slave virtual machine client physical address (GPA) and Host Physical Address (HPA) or disk block address, and its working principle is shown in fig. 8.
The virtual machine monitor maintains a structure of the type gpa_space_t for each virtual machine to represent the guest physical address space of the VM, and maintains a set of EPT page tables for each VM to map the host, slave virtual machine guest physical addresses to the host physical addresses or switch regions. The guest physical address space is usually discontinuous, its layout varies with the configuration of the VM, so the gpa_area_t is used to represent a continuous length of guest physical address space, the VM may have multiple gpa_area_t, they form a linked list, and the header is stored in the gpa_area field of gpa_space_t. The structure of virtual memory management is shown in fig. 9.
When multiple VMs are running simultaneously, physical memory is necessarily strained, and therefore physical memory is recovered and swapped out. The conventional OS is: the memory occupied by the kernel is regarded as non-paging memory, and the memory is never recycled or swapped out; the occupied memory of the user process is added into a page cache or LRU queue to record the latest use frequency, and the latest unusual pages can be recycled or exchanged.
The virtual machine monitor firstly needs to guarantee the memory requirement of the original of the main virtual machine, secondly cannot assume the guest physical address range occupied by the guest OS kernel of the main/slave virtual machine, cannot sense the page buffer and the LRU queue of the guest operating system, and even does not set access bits (A bits) in EPT list items by hardware, which all have difficulty for the CECyw-VMM to determine which pages to recycle and swap out.
The virtual machine monitor uses the LRU algorithm with secondary opportunities to determine the usage of the page. To determine which physical pages have been recently accessed, the virtual machine monitor sets two page queues, called active_VM_list and inactive_VM_list, respectively, the associated structure is shown in FIG. 10.
The main description of the algorithm is as follows:
1. pages initially assigned to the VM are linked in the inactive_VM_list and the RA/WA/EA bits in the EPT entry are set to 0, disabling any access to these pages.
2. If the page is in the active_VM_list and the RA/WA/EA bits are all 0, page faults will be caused when the page is accessed, the page fault processing program sets the RA/WA/EA bit in the EPT table entry to 1, sets the domain access in the page_t structure of the page to 1, records the access time access_time, and moves the page to the head of the active_VM_list.
3. The kernel thread kswapd periodically scans a certain number of pages at the tail of the active_VM_list queue, and checks the accessed domain in the page_t structure:
a) If the accessed field is 1 and the current time current_time-access_time > threshold, then it is cleared to 0, and the RA/WA/EA bit in its corresponding EPT entry is cleared to 0.
b) If the accessed field is 0, the page is moved to the head of the inactive_VM_list queue.
4. If the page is in active_VM_list and the RA/WA/EA bits are all 0, then when the page is accessed, it is moved to the head of the active_VM_list queue, the RA/WA/EA bit in the EPT entry is set to 1, and the domain access in the page_t structure of the page is set to 1.
5. The kernel thread kswapd periodically scans a certain number of pages at the tail of the inactive_vm_list queue, and checks the accessed domain in the page_t structure.
a) If the accessed field is 0, the page is swapped to the swap interval.
b) If the accessed field is 1, error condition, BUG ().
In addition, the virtual machine monitor can also reclaim the idle pages from the Slab allocator when the physical memory is tense.
I/O management specifically includes:
the main purpose of the I/O handler is to implement device virtualization using rich device drivers in the hypervisor. The I/O virtualization framework of the virtual machine monitor is shown in FIG. 11.
And the virtual machines communicate by using a shared memory and an IPI mechanism. The shared memory can adopt a ring-shaped data structure, so that the lock can be avoided, and the communication efficiency is improved. When the shared memory area is full, when the virtual machine monitor takes data from the shared memory, the shared memory is changed from a full state to a state with free space, and the virtual machine monitor should be informed to the supervisor to wake up through the IPI.
Assuming that the virtual machine VM is configured with a virtual serial port using a physical serial port as a medium, taking serial port input as an example, an interaction process between the virtual machine and the IO processor is shown in fig. 12.
1. The input on the physical serial port comes, the supervisor accepts the interrupt, invokes the relevant driver, and wakes up the QEMU.
The qemu records serial port inputs into a related structure describing the state of the virtual serial port device, and simultaneously places copies of the inputs into the shared memory.
Qemu registers an interrupt with the virtual machine monitor in IPI.
4. When a VM is scheduled, the virtual machine monitor injects an interrupt into the VM.
The guest operating system in the VM handles the interrupt, after which a read I/O request is issued.
6. The virtual machine monitor intercepts the request and notifies the QEMU to perform a read request to the virtual device so that the QEMU deletes the input data from the virtual device.
7. The virtual machine monitor accesses the input data from within the share and sends it to the VM.
Then, taking serial port output as an example, the interaction process between the virtual machine and the IO processor is shown in fig. 13.
The VM issues a write I/O request, which is intercepted by the virtual machine monitor.
2. The virtual machine monitor copies the write input to the shared memory.
3. The virtual machine monitor sends IPI to the management machine to inform the arrival of output operation.
4. The hypervisor notifies the QEMU that the output operation is coming and the QEMU accesses the output data from within the shared.
Qemu performs write operations.
The QEMU registers an interrupt with the virtual machine monitor in an IPI mode, and notifies that the output operation is completed.
7. When a VM is scheduled, the virtual machine monitor injects an interrupt into the VM.
Compared with the prior art, the invention has the beneficial effects that:
1) Combining hardware virtualization technology and operating system virtualization technology, namely solving the problem that the hardware virtualization technology can be installed independently of bare metal, but still retains the underlying security of hardware virtualization; the problem that the virtualization security of the operating system depends on the host operating system can be solved, and the traditional operating system virtualization product cannot become the root cause of the terminal security product.
2) The mixed virtualization technology can inherit all data and applications of the original terminal PC environment, and import the original environment package into the main virtual machine, so that terminal assets can be inherited smoothly.
3) The terminal virtual machines after the mixed virtualization have high security isolation, and can be suitable for various operating system environments including windows, management machines and various domestic operating systems.
Note that the above is only a preferred embodiment of the present invention and the technical principle applied. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, while the invention has been described in connection with the above embodiments, the invention is not limited to the embodiments, but may be embodied in many other equivalent forms without departing from the spirit or scope of the invention, which is set forth in the following claims.
Claims (6)
1. The terminal virtual machine generation system based on the hybrid virtualization is characterized by comprising a virtual machine monitor, a master virtual machine containing a native operating system and a slave virtual machine responsible for data forwarding operation;
the virtual machine monitor is used for providing virtualized hardware resources for a primary operating system running on an upper layer;
the host virtual machine is connected with the virtual machine monitor, is responsible for interacting with the management API provided by the virtual machine monitor, and manages the virtual machine environment through a management tool in a user mode;
the slave virtual machine is connected with the virtual machine monitor and is used for mapping the virtual device driver of the master virtual machine in a device mapping mode and sharing the virtual device driver with the master virtual machine;
all data and applications of the original terminal PC environment are inherited, and the original environment package is imported into the main virtual machine, so that terminal assets can be inherited smoothly.
2. The system for generating the terminal virtual machine based on the hybrid virtualization according to claim 1, wherein a manager is further arranged in the main virtual machine; the supervisor is responsible for managing the external devices.
3. The hybrid virtualization-based terminal virtual machine generation system of claim 1, wherein the virtual machine monitor further comprises a virtual machine management, a memory management, a local interrupt/exception management, a local virtual device, a remote virtual device, a management interface.
4. A hybrid virtualization-based terminal virtual machine generation system as claimed in claim 3 wherein the local interrupt/exception management comprises: the external device interrupt is handled by the supervisor in the host virtual machine and the external device exception is handled by the virtual machine monitor kernel.
5. A hybrid virtualization-based terminal virtual machine generation system in accordance with claim 3 wherein the memory management comprises modifying a hypervisor and a virtual monitor managing memory associated with itself.
6. A terminal virtual machine generation method based on hybrid virtualization is characterized by comprising the following steps:
the virtual machine monitor provides virtualized hardware resources for a primary operating system running on an upper layer;
the main virtual machine containing the original operating system is responsible for interacting with a management API provided by the virtual machine monitor, and manages the virtual machine environment through a management tool in a user mode;
mapping the virtual device driver of the main virtual machine by the slave virtual machine responsible for data forwarding operation in a device mapping mode, and sharing the virtual device driver with the main virtual machine;
all data and applications of the original terminal PC environment are inherited, and the original environment package is imported into the main virtual machine, so that terminal assets can be inherited smoothly.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110883775.8A CN113626148B (en) | 2021-08-03 | 2021-08-03 | Terminal virtual machine generation system and method based on hybrid virtualization |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110883775.8A CN113626148B (en) | 2021-08-03 | 2021-08-03 | Terminal virtual machine generation system and method based on hybrid virtualization |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113626148A CN113626148A (en) | 2021-11-09 |
| CN113626148B true CN113626148B (en) | 2024-02-09 |
Family
ID=78382344
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110883775.8A Active CN113626148B (en) | 2021-08-03 | 2021-08-03 | Terminal virtual machine generation system and method based on hybrid virtualization |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113626148B (en) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101008903A (en) * | 2006-01-23 | 2007-08-01 | 联想(北京)有限公司 | Virtual machine system and device access method thereof |
| CN101976200A (en) * | 2010-10-15 | 2011-02-16 | 浙江大学 | Virtual machine system for input/output equipment virtualization outside virtual machine monitor |
| CN103425563A (en) * | 2013-07-04 | 2013-12-04 | 上海交通大学 | Online input/output (I/O) electronic evidence obtaining system and method based on virtualization technology |
| CN104598294A (en) * | 2015-01-07 | 2015-05-06 | 杨学仕 | Efficient and safe virtualization method for mobile equipment and equipment thereof |
| CN110069920A (en) * | 2019-03-06 | 2019-07-30 | 上海交通大学 | Guarantee the method and system of SGX safety based on virtualization |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8479195B2 (en) * | 2007-05-16 | 2013-07-02 | Vmware, Inc. | Dynamic selection and application of multiple virtualization techniques |
-
2021
- 2021-08-03 CN CN202110883775.8A patent/CN113626148B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101008903A (en) * | 2006-01-23 | 2007-08-01 | 联想(北京)有限公司 | Virtual machine system and device access method thereof |
| CN101976200A (en) * | 2010-10-15 | 2011-02-16 | 浙江大学 | Virtual machine system for input/output equipment virtualization outside virtual machine monitor |
| CN103425563A (en) * | 2013-07-04 | 2013-12-04 | 上海交通大学 | Online input/output (I/O) electronic evidence obtaining system and method based on virtualization technology |
| CN104598294A (en) * | 2015-01-07 | 2015-05-06 | 杨学仕 | Efficient and safe virtualization method for mobile equipment and equipment thereof |
| CN110069920A (en) * | 2019-03-06 | 2019-07-30 | 上海交通大学 | Guarantee the method and system of SGX safety based on virtualization |
Non-Patent Citations (2)
| Title |
|---|
| Protecting Cloud Virtual Machines from Hypervisor and Host Operating System Exploits;Shih-Wei Li等;《USENIX Security 19》;全文 * |
| Trochilidae:面向众核平台的高性能轻量级虚拟机监控器;戴月华;《计算机科学与探索》;全文 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN113626148A (en) | 2021-11-09 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| AU2008302393B2 (en) | Reducing the latency of virtual interrupt delivery in virtual machines | |
| US10691363B2 (en) | Virtual machine trigger | |
| JP5735070B2 (en) | Guest address to host address translation for devices to access memory in partitioned systems | |
| US6961941B1 (en) | Computer configuration for resource management in systems including a virtual machine | |
| CN101751284B (en) | I/O resource scheduling method for distributed virtual machine monitor | |
| US7467381B2 (en) | Resource partitioning and direct access utilizing hardware support for virtualization | |
| US8732698B2 (en) | Apparatus and method for expedited virtual machine (VM) launch in VM cluster environment | |
| WO2018041075A1 (en) | Resource access method applied to computer, and computer | |
| WO2017024783A1 (en) | Virtualization method, apparatus and system | |
| US20060184938A1 (en) | Method, apparatus and system for dynamically reassigning memory from one virtual machine to another | |
| US20110153909A1 (en) | Efficient Nested Virtualization | |
| EP1804164A1 (en) | Delivering interrupts directly to a virtual processor | |
| Xue et al. | {gScale}: Scaling up {GPU} Virtualization with Dynamic Sharing of Graphics Memory Space | |
| Binu et al. | Virtualization techniques: a methodical review of XEN and KVM | |
| CN113778612A (en) | Embedded virtualization system implementation method based on microkernel mechanism | |
| CN113626148B (en) | Terminal virtual machine generation system and method based on hybrid virtualization | |
| Hsu et al. | G-KVM: a full GPU virtualization on KVM | |
| US8402191B2 (en) | Computing element virtualization | |
| Gerangelos et al. | vphi: Enabling xeon phi capabilities in virtual machines | |
| CN117472805B (en) | Virtual IO device memory management system based on virtio | |
| Guo et al. | A cooperative model virtual-machine monitor based on multi-core platform | |
| Jain | Study of firecracker microvm | |
| Ruan et al. | CloudDVMM: Distributed virtual machine monitor for cloud computing | |
| US20230085994A1 (en) | Logical resource partitioning via realm isolation | |
| US20220229683A1 (en) | Multi-process virtual machine migration in a virtualized computing system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |