Virtualization in microcontrollers has progressed from memory management units (MMU) toward virtualizing the entire environment. There have been a number of attempts at getting this right in an x86 environment, starting with the 16-bit virtual machine (VM) support in the 80386. Subsequent VM enhancements have moved toward virtualizing the 32-bit and now 64-bit environments.
A hypervisor like Xen is the layer that controls the VM hardware and essentially sits between a logical VM and the hardware. The ideal hypervisor would utilize zero time and memory overhead. In practice, the current and forthcoming AMD and Intel 64-bit processor architectures are designed to minimize this overhead (see figure).
Some of the changes that will be showing up later this year include better handling of virtual memory page tables that must be changed when a VM context switch occurs. This is akin to a process switch in an operating system, but the overhead tends to be higher on the VM side. Part of the issue of this added overhead is what a VM must do to hide the fact that an operating system and its programs are running in a virtual environment. Changes within the processor architecture can address these contexts to improve performance.
Things get a little dicier when dealing with I/O. Low-level device drivers can perform I/O by bit-banging registers. This is handy for doing things like reading the output of analog-to-digital converters or serial ports when interrupts occur. A hypervisor can take two approaches to control I/O access.
One is to trap accesses and emulate the device interface. Most systems take this approach. Hardware enhancements will let device drivers directly access devices. This improves performance since there is no intermediary, but this approach only works for some devices.
Higher-performance devices like Ethernet adapters typically use DMA controllers to offload processing by the host processor. The processor's VM support can be used to limit the access of device drivers to memory and I/O ports, but DMA controllers tend to be outside the CPU. Providing device drivers direct access to DMA controllers opens a security hole.
The answer is the I/O MMU, which is typically placed in the Northbridge subsystem that handles peripheral access. The I/O MMU is under the control of the processors, typically the hypervisor. A DMA access goes through the I/O MMU so it's accessing memory in a logical fashion instead of using a physical address.
The I/O MMU isn't the end of the line for virtualization. Devices still like to be controlled by a single host. The PCISIG is working on standardizing PCI Express virtualization. These changes will result in devices that know how to handle multiple hosts. Essentially, one device looks like many. Applications can ignore the underlying details, but device driver developers will need to keep their eyes on these upcoming enhancements.