Security Overview of the Integrity Virtual Machines Architecture
Storage Virtualization
Integrity VM virtualizes the memory-mapped I/O architecture of the Itanium processor family. It
intercepts loads and stores to memory addresses that would represent physical devices in a real
computer, and emulates the behavior of the corresponding devices. To allow guest operating systems
to control I/O devices with complete isolation and flexibility and without adding virtualization-aware
drivers, Integrity VM provides register-level emulation of I/O devices. Register-level emulation is
accomplished by emulating the semantics of a device such that the existing device drivers in an
operating system can communicate with the virtual device. The VMM contains device emulators that
intercept memory accesses and take appropriate action. In most cases, these emulators format an
I/O request message that is then sent on to the VM Host operating system. The VM Host operating
system then sends the I/O request to its own device driver stack where it ultimately accesses the
physical device. Upon completion of the I/O request, the real hardware delivers an external interrupt
serviced by the VM Host, which causes the VMM to trigger the delivery of a virtual interrupt in the
guest operating system. This interrupt signals to the guest operating system that its I/O transaction
has completed.
When the VMM intercepts I/O requests from the virtual machine, it validates I/O space addresses
and ports, as well as data address ranges so that, for example, attempts to write to invalid media are
prevented. Similarly, the VMM intercepts invalid instruction sequences, which result in faults
delivered to the guest operating system that issued them.
Integrity Virtual Machines also provides accelerated virtual I/O (AVIO) devices that deliver higher
performance while still providing connectivity to logical storage and virtual switches. This
functionality requires AVIO modules on both the VM Host system and the guest operating
systems. The VM Host’s AVIO module performs all address validation and translation of I/O requests
before forwarding them on to the physical I/O device. This ensures that virtual machines are not
able to accidentally or maliciously corrupt memory on other virtual machines or the VM Host.
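The address validation and translation described above for the device emulators and the VM Host's AVIO module can be sketched as follows. This is an added example, not HP's code and not part of the original document; the `guest_ctx` and `io_req` structures, the single contiguous guest RAM region, and the 512-byte sector size are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define SECTOR_SIZE 512u /* assumed sector size */

/* Hypothetical per-guest view: one contiguous guest-physical RAM region
 * mapped at host_base, and one backing store of disk_sectors sectors. */
struct guest_ctx {
    uint64_t gpa_base;     /* first guest-physical address of guest RAM */
    uint64_t gpa_len;      /* size of guest RAM in bytes */
    uint8_t *host_base;    /* host mapping of gpa_base */
    uint64_t disk_sectors; /* size of the virtual disk's backing store */
};

/* Hypothetical request built by an emulator from the guest's register writes. */
struct io_req {
    uint64_t lba;      /* starting sector on the virtual disk */
    uint32_t nsectors; /* transfer length in sectors */
    uint64_t buf_gpa;  /* guest-physical address of the data buffer */
};

/* True if [start, start+len) lies inside [base, base+size); never computes
 * start+len, so a guest-chosen value cannot wrap the check around. */
static bool range_within(uint64_t start, uint64_t len, uint64_t base, uint64_t size)
{
    if (start < base) return false;
    uint64_t off = start - base;
    return off <= size && len <= size - off;
}

/* Validate the request, then translate its buffer; NULL means rejected. */
uint8_t *validate_and_translate(const struct guest_ctx *g, const struct io_req *r)
{
    if (r->nsectors == 0)
        return NULL;
    uint64_t bytes = (uint64_t)r->nsectors * SECTOR_SIZE; /* 32-bit * 512 fits */
    if (!range_within(r->lba, r->nsectors, 0, g->disk_sectors))
        return NULL; /* sectors outside this guest's backing store */
    if (!range_within(r->buf_gpa, bytes, g->gpa_base, g->gpa_len))
        return NULL; /* buffer not wholly inside this guest's RAM */
    return g->host_base + (r->buf_gpa - g->gpa_base);
}

int main(void)
{
    static uint8_t ram[4096]; /* constructed sample guest RAM */
    struct guest_ctx g = { 0x100000, sizeof ram, ram, 64 };
    struct io_req wrap = { 0, 1, UINT64_MAX - 15 }; /* base + length would wrap */
    return validate_and_translate(&g, &wrap) == NULL ? 0 : 1;
}
```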
Virtual Networking
With Integrity VM, the virtual networking functionality is manifested as a combination of virtual
network interface adapters on virtual machines, virtual Ethernet switches, the network stack on the VM
Host system and, optionally, network ports on the VM Host.
Virtual Ethernet Switches
The virtual Ethernet switch dispatches network traffic among the various virtual machines on a system.
It consists of an HP-UX kernel module that connects to the HP-UX network stack on the VM Host, and a
user-space application that invokes that driver. The virtual switch (vswitch) has ports that can be
connected to virtual network adapters, analogous to ports on a physical network switch and physical
servers. The virtual switch may or may not be connected to a logical port on the VM Host system.
If the virtual switch is not connected to such a port, then communication through that vswitch is limited
to virtual adapters located on that physical VM Host system. Moreover, such a configuration also
prevents communication with the VM Host system itself.
The configuration of a vswitch so that it is connected to a logical network port on the VM Host system
results in that vswitch being connected to the same network as the logical port. Note that the logical
port itself need not have an IP address configured, which aids in securing the vswitch and any
virtual machines connected to that vswitch.