Reader Feedback: VMware Weighs in on X86 Virtualization Criticisms
Published: February 6, 2006
In last week's issue, our Mad Dog 21/21 column, written by Hesh Wiener, did a historical and technical review of various kinds of virtualization that have been woven into systems and servers in the past three decades. He made an assertion that there were some limits to X86 virtualization. VMware's technical staff took issue with some of those characterizations, and its press relations team was set in motion by the article. We let the techies do the talking.
First up, the letter from Keith Adams, a staff engineer at VMware:
Greetings. As a staff engineer in VMware's virtual machine monitor group, I read Hesh Wiener's recent retrospective on virtualization with a keen interest. His characterization of VMware's virtual machine monitor is inaccurate, and I think interestingly so. He claims that the X86 architecture "offers an insufficient basis for virtualization," presumably referring to Popek and Goldberg's criteria for a VMM, set forth in their rightly classic paper "Formal Requirements for Virtualization of Third Generation Architectures" (See http://www.logos.ic.i.u-tokyo.ac.jp/~tau/lecture/os/gen/articles/p412-popek.pdf).
The idea that the X86 is not virtualizable has long been so commonplace that, as in Mr. Wiener's piece, few even bother making the reference to Popek and Goldberg explicit. Unfortunately, like so much other folk wisdom, this notion is simply wrong, and results from an elementary misreading of the paper. The X86, in the absence of VT, Pacifica, et al., is virtualizable, as VMware's virtual machine monitor demonstrates, and nothing Popek or Goldberg has ever written would suggest otherwise.
The confusion stems from Popek and Goldberg's "Theorem 1," which is the principal result of their paper:
"For any conventional third generation computer, a virtual machine monitor may be constructed if the set of sensitive instructions for that computer is a subset of the set of privileged instructions."
Notice that the structure of this theorem only allows us to decide that an architecture affirmatively allows virtualization; the theorem does not provide any basis for the sorts of claims that Mr. Wiener makes. The theorem cannot tell us when a virtual machine monitor (hence VMM) cannot be constructed: in fact, Popek and Goldberg point out the dangers of attempting to reason from the converse of this theorem in their very paper.
Mr. Wiener is hardly the first to make this error; indeed, this instance of reasoning from the converse is so widespread that "the X86 is not a virtualizable architecture" has long been part of computing conventional wisdom. However, like much folklore, this meme's popularity provides no information about its truth value. VMware's virtual machine monitor runs unmodified X86 operating systems, at near native performance, with no risk of hostile operating systems escalating their privilege. This is the very definition of VMM that Popek and Goldberg put forth. So, to casually slough off our VMM as a "lab curiosity" shows not only ignorance, but a contempt for the intelligence of our many customers entrusting their computation to the integrity of our VMM.
Thanks,
Keith Adams, kma@vmware.com
Hesh Wiener responds:
Hi Keith
I would like to apologize for misinterpreting some of the material I read as I worked on the article.
I still have a little difficulty reconciling some of the questions raised about virtualization on the X86 with the helpful case made by you.
At the very least I should have said that some experts in the computing community express doubts about the fortitude of virtual machine monitors running on current X86 circuitry, while others feel VMware (and other virtualization software technologies) are sufficiently robust for commercial deployment.
The skeptic in me keeps wanting to ask, "If X86 virtualization is so good, how come Intel and AMD are adding features to their chips specifically to support virtualization?"
If the chip makers' efforts are underway strictly to improve the performance of virtual machine monitors and not to address issues of system integrity, I erred and hope that the publication of your letter and this note dispel any doubts about the viability of virtualization software that is available here and now.
I'm not writing this to get off the hook. If I've blundered, I'm pleased to see a correction added to the record.
On the other hand, I don't want to encourage users eager to enjoy the benefits of virtualized X86 systems to take risks that will no longer be at issue if they simply wait a little while.
Thanks again for your patient and courteous criticism of my article.
Regards,
Hesh Wiener
Adams responds:
Mr. Wiener,
Thanks for the thoughtful (and prompt!) response. I'm not sure what I can do to assuage your doubts about VMware's virtual machine monitor; can you propose a demonstration that you'd find convincing? While I can't provide source code to the monitor, we have in fact provided that source code to the NSA. As a result of their audit, the NSA considers the VMware virtual machine boundary as good as an air gap for isolation purposes. (See, e.g. http://www.dgl.com/itinfo/2001/it010202.html.)
Keith Adams