Second Level Address Translation: Difference between revisions

Second Level Address Translation (SLAT), also known as nested paging, is a hardware-assisted virtualization technology which makes it possible to avoid the overhead associated with software-managed shadow page tables.

AMD has supported SLAT through the Rapid Virtualization Indexing (RVI) technology since the introduction of its third-generation Opteron processors (code name Barcelona). Intel's implementation of SLAT, known as Extended Page Table (EPT), was introduced in the Nehalem microarchitecture found in certain Core i7, Core i5, and Core i3 processors.

ARM's virtualization extensions support SLAT, known as Stage-2 page-tables provided by a Stage-2 MMU. The guest uses the Stage-1 MMU. Support was added as optional in the ARMv7ve architecture and is also supported in the ARMv8 (32-bit and 64-bit) architectures.

The introduction of protected mode to the x86 architecture with the Intel 80286 processor brought the concepts of physical memory and virtual memory to mainstream architectures. When processes use virtual addresses and an instruction requests access to memory, the processor translates the virtual address to a physical address using a page table or translation lookaside buffer (TLB). When running a virtual system, it has allocated virtual memory of the host system that serves as a physical memory for the guest system, and the same process of address translation goes on also within the guest system. This increases the cost of memory access since the address translation needs to be performed twice – once inside the guest system (using software-emulated guest page table), and once inside the host system (using physical map[pmap]).

In order to make this translation efficient, software engineers implemented software based shadow page table. Shadow page table will translate guest virtual memory directly to host physical memory address. Each VM has a separate shadow page table and hypervisor is in charge of managing them. But the cost is very expensive since every time a guest updates its page table, it will trigger the hypervisor to manage the allocation of the page table and its changes.

In order to make this translation more efficient, processor vendors implemented technologies commonly called SLAT. By treating each guest-physical address as a host-virtual address, a slight extension of the hardware used to walk a non-virtualized page table (now the guest page table) can walk the host page table. With multilevel page tables the host page table can be viewed conceptually as nested within the guest page table. A hardware page table walker can treat the additional translation layer almost like adding levels to the page table.

Using SLAT and multilevel page tables, the number of levels needed to be walked to find the translation doubles when the guest-physical address is the same size as the guest-virtual address and the same size pages are used. This increases the importance of caching values from intermediate levels of the host and guest page tables. It is also helpful to use large pages in the host page tables to reduce the number of levels (e.g., in x86-64, using 2 MB pages removes one level in the page table). Since memory is typically allocated to virtual machines at coarse granularity, using large pages for guest-physical translation is an obvious optimization, reducing the depth of look-ups and the memory required for host page tables.

Rapid Virtualization Indexing (RVI), known as Nested Page Tables (NPT) during its development, is an AMD second generation hardware-assisted virtualization technology for the processor memory management unit (MMU).^[1][2] RVI was introduced in the third generation of Opteron processors, code name Barcelona.^[3]

A VMware research paper found that RVI offers up to 42% gains in performance compared with software-only (shadow page table) implementation.^[4] Tests conducted by Red Hat showed a doubling in performance for OLTP benchmarks.^[5]

Extended Page Tables (EPT) is an Intel second-generation x86 virtualization technology for the memory management unit (MMU). EPT support is found in Intel's Core i3, Core i5, Core i7 and Core i9 CPUs, among others.^[6] It is also found in some newer VIA CPUs. EPT is required in order to launch a logical processor directly in real mode, a feature called "unrestricted guest" in Intel's jargon, and introduced in the Westmere microarchitecture.^[7][8]

According to a VMware evaluation paper, "EPT provides performance gains of up to 48% for MMU-intensive benchmarks and up to 600% for MMU-intensive microbenchmarks", although it can actually cause code to run slower than a software implementation in some corner cases.^[9]

Stage-2 page-table support is present in ARM processors that implement exception level 2 (EL2).

Mode Based Execution Control (MBEC) is an extension to x86 SLAT implementations first available in Intel Kaby Lake and AMD Zen+ CPUs (known on the latter as Guest Mode Execute Trap or GMET).^[10] The extension extends the execute bit in the extended page table (guest page table) into 2 bits - one for user execute, and one for supervisor execute.^[11]

MBE was introduced to speed up guest usermode unsigned code execution with kernelmode code integrity enforcement. Under this configuration, unsigned code pages can be marked as execute under usermode, but must be marked as no-execute under kernelmode. To maintain integrity by ensuring all guest kernelmode executable code are signed even when the guest kernel is compromised, the guest kernel does not have permission to modify the execute bit of any memory pages. Modification of the execute bit, or switching of the guest page table which contains the execute bit, is delegated to a higher privileged entity, in this case the host hypervisor. Without MBE, each entrance from unsigned usermode execution to signed kernelmode execution must be accompanied by a VM exit to the hypervisor to perform a switch to the kernelmode page table. On the reverse operation, an exit from signed kernelmode to unsigned usermode must be accompanied by a VM exit to perform another page table switch. VM exits significantly impact code execution performance.^[12][13] With MBE, the same page table can be shared between unsigned usermode code and signed kernelmode code, with two sets of execute permission depending on the execution context. VM exits are no longer necessary when execution context switches between unsigned usermode and signed kernel mode.

Hypervisors that support SLAT include the following:

• Hyper-V for Windows Server 2008 R2, Windows 8 and later.^[14] The Windows 8 (and later Microsoft Windows) Hyper-V requires SLAT.^[15][16]
• Hypervisor.framework, a native macOS hypervisor, available since macOS 10.10^[17]
• KVM, since version 2.6.26 of the Linux kernel mainline^[18][19]
• Parallels Desktop for Mac, since version 5^[20]
• VirtualBox, since version 2.0.0^[21]
• VMware ESX, since version 3.5^[4]
• VMware Workstation. VMware Workstation 14 (and later VMware Workstation) requires SLAT.^[22]
• Xen, since version 3.2.0^[23]
• Qubes OS — SLAT mandatory^[24]
• bhyve^[25][26] — SLAT mandatory and slated to remain mandatory
• vmm, a native hypervisor on OpenBSD — SLAT mandatory^[27][28]
• ACRN, an open-source lightweight hypervisor, built with real-time and safety-criticality in mind, optimized for IoT and Edge usages.^[29]
• QEMU - an open-source embeddable hypervisor and chipset emulator. ^{[30][31][32][33][34]}

Some of the above hypervisors require SLAT in order to work at all (not just faster) as they do not implement a software shadow page table; the list is not fully updated to reflect that.

• AMD-V (codename Pacifica) – the first-generation AMD hardware virtualization support
• Page table
• VT-x

• Method and system for a second level address translation in a virtual machine environment (patent)
• Second Level Address Translation Benefits in Hyper-V R2
• Virtualization in Linux KVM + QEMU (PDF)