The present application relates generally to an improved data processing apparatus and method and more specifically to an apparatus and method for performing secure recursive virtualization of a computer system.
One of the most significant issues in computer systems is security. Security mechanisms are designed to protect the integrity, secrecy, and availability of a system and data within the system. These protections are typically provided by a combination of hardware methods, such as protected memory in which page tables define the allowed access for a context to a given page of memory, and software techniques in the operating system. Software mandatory access control systems may also include mathematical models for secrecy protection and integrity protection.
However, existing hardware and software security mechanisms have significant limitations. With typical hardware-based protected memory, access to data is controlled only while the data resides in memory; once the data is loaded into processor registers, the hardware no longer controls access to it, so security depends on the operating system software being correct. Similarly, all software-based systems depend on the correctness of the software implementation. As typical operating systems comprise many millions of lines of code, ensuring that all of this code is correct under all conditions is difficult.
More importantly, there is an implied hierarchy of trust in existing software-based security mechanisms. Applications trust the operating system that generated their processes, and operating systems trust the virtualization mechanism that generated their virtual machines. This trust is necessary for granting resources and providing services, which are the main functions that virtualization mechanisms perform for operating systems and that operating systems perform for applications. However, existing architectures also allow virtualization mechanisms and operating systems unlimited access to the memory and register state of the operating systems and applications they generate. This access is not necessary; it is rather the result of the historical evolution of processor and virtualization architectures, for example, software that saves and loads registers to switch contexts, and software that constructs the page tables used by hardware to control memory access.