In recent years, the use of virtual machine technology has increased significantly. This technology executes software within a host operating system that emulates a real computer, sometimes referred to as the “physical machine.” It is this emulation of a physical machine that is sometimes referred to as a “virtual machine.” A guest operating system can be run on a virtual machine, and from the perspective of the guest operating system the virtual machine is indistinguishable from a physical machine. Additionally, virtual machine monitoring software (sometimes referred to as a “hypervisor”) may be used as a layer between the operating system and multiple virtual machines, allowing multiple operating systems to concurrently run on multiple virtual machines, all supported by a single physical machine. The hypervisor serves as a coordination and arbitration point between each of the virtual machines and the physical machine, ensuring the required isolation between machines. This isolation may be required both for functional reasons (e.g., to avoid resource contention) and for security reasons.
Faster machines and less expensive software have made virtual machine technology both attractive and viable to a range of user that previously might have otherwise overlooked this technology. But as the number of users of virtual machines increases, so do the demands by these users for virtual machines that can perform at a level comparable to their physical counterparts. Meeting these performance demands has proved challenging, due in significant part to the fact that many of the low-level functions of the virtual machines are implemented in software. The software implementation of such functions adds a significant degree of latency and overhead to operations that would be performed in hardware by a corresponding physical machine. The partitioning, allocation and management of single-host resources by the hypervisor also adds overhead that further contributes to the performance disparity between virtual and physical machines.
To overcome some of the above-described latency and overhead issues sometimes associated with hypervisors, hardware-based extensions of the interconnect structures of some computer systems (e.g., extensions to the peripheral component interconnect or PCI) have been developed that allow a guest operating system, running under a hypervisor, to perform direct input and output (I/O) operations on an I/O device that is shared between multiple virtual machines. However, these interconnect extensions lack the types of hardware-based security and protection mechanisms currently available on many processors. Such hardware-based processor mechanisms allow a hypervisor to ensure operational isolation between multiple virtual machines performing operations on the processor, while decreasing the overhead associated with enforcing such isolation when compared to software-based security and protection mechanisms.