1. Field of the Invention
This invention relates generally to the field of computer processors. More particularly, the invention relates to an apparatus and method for fine grain memory protection.
2. Description of the Related Art
A virtual-machine system is a computer system that includes a virtual machine monitor (VMM) supporting one or more virtual machines (VMs). A Virtual Machine Monitor (VMM) is a software program that controls physical computer hardware and presents programs executing within a Virtual Machine (VM) with the illusion that they are executing on real physical computer hardware. Each VM typically functions as a self-contained platform, controlled by a “guest” operating system (OS), i.e., an OS hosted by the VMM, which executes as if it were running on a real machine instead of within a VM.
To accomplish this simulation, it is necessary for some operations within a VM (e.g., attempts to configure device hardware) to be trapped and emulated by the VMM, which will perform operations to simulate virtual hardware resources (e.g., a simulated device) to maintain the illusion that the guest OS is manipulating real hardware. Thus, in a virtual-machine system transitions from a VM to the VMM and back will occur with some frequency, depending upon the number of instructions and events that the VMM must emulate.
In a virtual-memory system, a memory address generated by software (a “virtual” address) is translated by hardware into a physical address which is then used to reference memory. This translation process is called paging, and the hardware used to perform the translation is called the paging hardware. In many virtual-memory systems, the virtual-to-physical address translation is defined by system software in a set of data structures (called “page tables”) that reside in memory. Modern virtual-memory systems typically incorporate into a system's central processing unit (CPU) a specialized caching structure, often called a translation lookaside buffer (TLB), which stores information about virtual-to-physical address translations and which can be accessed far more quickly than memory.
When an OS stops executing one process and begins executing another, it will typically change the address space by directing the hardware to use a new set of paging structures. This can be accomplished using a software or hardware mechanism to invalidate or remove the entire contents of the TLB. More frequent than changes between processes are transitions of control between a process and OS software. Because of this, system performance would suffer significantly if the TLB were invalidated on each such transition. Thus, modern operating systems are typically constructed so that no change of address space is required. One or more ranges of (virtual) memory addresses in every address space are protected so that only the OS can access addresses in those ranges.
Some virtual-machine systems may support layers of VMMs. For example, a single VMM, sometimes referred to as a virtual machine extension (VMX) root, directly controls the CPU. This VMX root may support, in guest VMs, other “guest” VMMs that may themselves support guest VMs. The support for layering may be provided by software, hardware, or a combination of the two.
VMMs may monitor runtime data-structure integrity at the page level. That is, read/write privileges and other memory policies are implemented at the granularity of a memory page, which is typically 4 kBytes in size. An in-band (IB) agent within the OS configures these policies via the VMX root. Write access on monitored pages generates Virtualization Exceptions (VEs). With existing hardware, this causes the IB agent to check/white-list the memory accessor. As a result of this architecture, false-shared data structures (data on the same 4K page) may cause a high volume of VE events that have to be brute-force filtered by the IB agent. Other examples of use cases where sub-page (less than 4K) region protection is applicable are: memory mapped input/output (MMIO) device memory areas for virtualization; page table protection for sparse mappings in the page table; checkpointing VM memory; and any VMM architectures that support memory monitoring application programming interfaces (APIs) which are limited to a 4K granularity for VM introspection.
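The false-sharing cost described above can be made concrete with a small model, added here as an illustration and not taken from the patent: it replays a write trace against page-granular monitoring and counts how many VEs the IB agent would have to discard because the write only shared a 4K page with the protected structure. The struct names, the addresses and the trace are constructed, and the model assumes the agent filters by comparing the faulting address range to the protected bytes (accessor white-listing is not modelled).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12 /* 4 KB pages, the monitoring granularity in the text */
struct range { uint64_t start, len; };  /* protected structure (constructed) */
struct write { uint64_t addr, size; };  /* one guest write (constructed) */
struct ve_stats { unsigned total, on_target, false_shared; };

/* Page-granular policy: a write faults if it touches any page holding protected bytes. */
static int page_hit(struct range r, struct write w)
{
    return (w.addr >> PAGE_SHIFT) <= ((r.start + r.len - 1) >> PAGE_SHIFT) &&
           (r.start >> PAGE_SHIFT) <= ((w.addr + w.size - 1) >> PAGE_SHIFT);
}
/* Byte-granular overlap test the agent has to repeat in software for every VE. */
static int byte_hit(struct range r, struct write w)
{
    return w.addr < r.start + r.len && r.start < w.addr + w.size;
}

struct ve_stats filter_trace(const struct range *r, size_t nr,
                             const struct write *w, size_t nw)
{
    struct ve_stats s = {0, 0, 0};
    for (size_t i = 0; i < nw; i++) {
        int ve = 0, target = 0;
        for (size_t j = 0; j < nr; j++) {
            ve |= page_hit(r[j], w[i]);
            target |= byte_hit(r[j], w[i]);
        }
        if (!ve) continue;  /* unmonitored page: no exception is delivered */
        s.total++;
        if (target) s.on_target++; else s.false_shared++;
    }
    return s;
}
/* Constructed sample: one 64-byte structure at 0x5100 and eight writes around it,
   including one that straddles into the monitored page and one on the next page. */
struct ve_stats sample_stats(void)
{
    static const struct range prot[] = { { 0x5100, 64 } };
    static const struct write trace[] = { { 0x5100, 8 }, { 0x5138, 16 }, { 0x5140, 8 },
        { 0x5800, 4 }, { 0x5ff8, 8 }, { 0x6000, 8 }, { 0x4ffc, 8 }, { 0x5000, 4 } };
    return filter_trace(prot, 1, trace, 8);
}
int main(void)
{
    struct ve_stats s = sample_stats();
    printf("VEs=%u on-target=%u false-shared=%u\n", s.total, s.on_target, s.false_shared);
    return 0;
}
```

In this constructed trace most of the exceptions come from writes that never touch the protected 64 bytes, which is the filtering load that sub-page protection is meant to remove.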