Popek and Goldberg virtualization requirements

The Popek and Goldberg virtualization requirements are a set of conditions sufficient for a computer architecture to support system virtualization efficiently. They were introduced by Gerald J. Popek and Robert P. Goldberg in their 1974 article “Formal Requirements for Virtualizable Third Generation Architectures”. [1] Even though the requirements are derived under simplifying assumptions, they still represent a convenient way of determining whether a computer architecture supports efficient virtualization, and they provide guidelines for the design of virtualized computer architectures.

VMM definition

System virtual machines are capable of virtualizing a full set of hardware resources, including a processor (or processors), memory and storage resources, and peripheral devices. A virtual machine monitor (VMM, also called hypervisor) is the piece of software that provides the abstraction of a virtual machine. There are three properties of interest when analyzing the environment created by a VMM: [2]

Equivalence / Fidelity
A program running under the VMM should exhibit behavior essentially identical to its behavior when running directly on an equivalent machine.
Resource control / Safety
The VMM must be in complete control of the virtualized resources.
Efficiency / Performance
A statistically dominant fraction of machine instructions must be executed without VMM intervention.

In the terminology of Popek and Goldberg, a VMM must present all three properties. In the terminology used in the reference book of Smith and Nair (2005), VMMs are typically assumed to satisfy the equivalence and resource control properties, and those that additionally meet the performance property are called efficient VMMs. [3]

Popek and Goldberg describe the characteristics that the instruction set architecture (ISA) of the physical machine must possess in order to run VMMs which possess the above properties. Their analysis derives such characteristics using a model of “third generation architectures” (e.g., IBM 360, Honeywell 6000, DEC PDP-10) that is nevertheless general enough to be extended to modern machines. This model includes a processor that operates in either system or user mode and has access to linear, uniformly addressable memory. It is assumed that a subset of the instruction set is available only when in system mode and that memory is addressed relative to a relocation register. I/O and interrupts are not modelled.

Virtualization theorems

To derive their virtualization theorems, which give sufficient conditions for virtualization, Popek and Goldberg introduce a classification of the instructions of an ISA into 3 different groups:

Privileged instructions
Those that trap if the processor is in user mode and do not trap if it is in system mode (supervisor mode).
Control sensitive instructions
Those that attempt to change the configuration of resources in the system.
Behavior sensitive instructions
Those whose behavior or result depends on the configuration of resources (the content of the relocation register or the processor’s mode).

The main result of Popek and Goldberg’s analysis can then be expressed as follows.

Theorem 1. For any conventional third-generation computer, an effective VMM may be constructed if the set of sensitive instructions for that computer is a subset of the set of privileged instructions.

Intuitively, the theorem states that to build a VMM it is sufficient that all instructions that could affect the correct functioning of the VMM (sensitive instructions) always trap and pass control to the VMM. This guarantees the resource control property. Non-privileged instructions must instead be executed natively (i.e., efficiently). The holding of the equivalence property also follows.

This theorem also provides a simple technique for implementing a VMM, called trap-and-emulate virtualization, more recently called classic virtualization: because all sensitive instructions behave nicely, all the VMM has to do is trap and emulate every one of them. [4] [5]

A related problem is that of deriving sufficient conditions for recursive virtualization, that is, the conditions under which a VMM that can run on a copy of itself can be built. Popek and Goldberg present the following (sufficient) conditions.

Theorem 2. A conventional third-generation computer is recursively virtualizable if:

  1. it is virtualizable and
  2. a VMM without any timing dependencies can be constructed for it.

Some architectures, like the non-hardware-assisted x86, do not meet these conditions, so they cannot be virtualized in the classic way. But such architectures can still be fully virtualized (in the x86 case, meaning at the CPU and MMU level) by using different techniques such as binary translation, which replaces the sensitive instructions that do not generate traps, [4] which are sometimes called critical instructions. This additional processing, however, makes the VMM less efficient in theory, [5] but hardware traps have a non-negligible performance cost as well. A well-tuned binary translation system can achieve comparable performance, and it does in the case of x86 binary translation relative to first-generation x86 hardware assist, which merely made sensitive instructions trappable. [6] Effectively, this gives a theorem with different sufficiency conditions.

Theorem 3. A hybrid VMM may be constructed for any third-generation machine in which the set of user sensitive instructions is a subset of the set of privileged instructions.

Handling critical instructions

The conditions for ISA virtualization expressed in Theorem 1 may be relaxed at the expense of the efficiency property. VMMs for non-virtualizable ISAs (in Popek and Goldberg’s sense) have routinely been built.

The virtualization of such architectures requires correct handling of critical instructions, i.e., sensitive but unprivileged instructions. One approach, known as patching, adopts techniques commonly used in dynamic recompilation: critical instructions are discovered at run-time and replaced with a trap into the VMM. Various mechanisms, such as the caching of emulation code or hardware assists, have been proposed to make the patching process more efficient. A different approach is that of paravirtualization, which requires guest operating systems to be modified (ported) before running in the virtual environment.
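The following added example (not part of the original article) models trap-and-emulate on a toy machine with a mode bit and a relocation register, and shows how a critical instruction breaks the equivalence property until it is patched into a trap. The opcodes `ADD`, `SETRELOC`, `RDMODE` and `VMCALL`, and the guest program, are hypothetical and constructed for illustration.

```python
SENSITIVE = {"SETRELOC", "RDMODE"}  # control sensitive, behavior sensitive

class Trap(Exception):
    """A privileged opcode (or VMCALL) was executed in user mode."""

class Machine:
    def __init__(self, privileged, mode):
        self.privileged, self.mode = set(privileged), mode
        self.acc, self.reloc = 0, 0

    def execute(self, op, arg):
        if self.mode == "user" and (op in self.privileged or op == "VMCALL"):
            raise Trap(op)
        if op == "ADD":                      # innocuous
            self.acc += arg
        elif op == "SETRELOC":               # changes resource configuration
            self.reloc = arg
        elif op == "RDMODE":                 # result depends on processor mode
            self.acc = 1 if self.mode == "system" else 0

def critical(privileged):
    """Sensitive but unprivileged opcodes; empty when Theorem 1 holds."""
    return SENSITIVE - set(privileged)

def run_native(program, privileged):
    m = Machine(privileged, "system")
    for op, arg in program:
        m.execute(op, arg)
    return m.acc, m.reloc

def patch(program, privileged):
    """Replace each critical instruction with a trap into the VMM."""
    crit = critical(privileged)
    return [("VMCALL", (op, arg)) if op in crit else (op, arg) for op, arg in program]

def run_under_vmm(program, privileged):
    hw, vreloc, traps = Machine(privileged, "user"), 0, 0
    for op, arg in program:
        try:
            hw.execute(op, arg)              # native execution, no VMM involved
        except Trap:
            traps += 1
            if op == "VMCALL":
                op, arg = arg                # recover the patched-out instruction
            if op == "SETRELOC":
                vreloc = arg                 # update the guest's virtual register
            elif op == "RDMODE":
                hw.acc = 1                   # guest believes it is in system mode
    return (hw.acc, vreloc), traps

GUEST = [("SETRELOC", 64), ("RDMODE", 0), ("ADD", 5)]  # constructed guest program
```

With `RDMODE` left unprivileged, the guest reads the real user-mode bit and its result diverges from the native run; patching restores the native result at the cost of one extra trap.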

Instruction sets of common architectures

This section presents some relevant architectures and how they relate to the virtualization requirements.


PDP-10

The PDP-10 architecture has a few instructions which are sensitive but not privileged. [7] These instructions save or restore the condition codes containing USER or IOT bits:

  • JSR: jump to subroutine
  • JSP: jump and save program counter
  • PUSHJ: push down and jump
  • JRST: jump and restore

System/370

All sensitive instructions in the System/370 are privileged: it satisfies the virtualization requirements. [8]

Motorola MC68000

The Motorola MC68000 has a single unprivileged sensitive instruction:

  • MOVE from SR

This instruction is sensitive because it allows access to the entire status register, which includes not only the condition codes but also the user/supervisor bit, interrupt level, and trace control. In the MC68010 and later family members, the MOVE from SR instruction was made privileged, and a new MOVE from CCR instruction was provided to allow access to the condition code register only. [9] [10]

IA-32 (x86)

The IA-32 instruction set of the Pentium processor contains 18 sensitive, unprivileged instructions. [11] They can be categorized in two groups:

  • Sensitive register instructions: read or change sensitive registers or memory locations, such as:
    • SMSW
  • Protection system instructions: reference the storage protection system, memory or address relocation system:
    • POP
    • PUSH
    • STR
    • MOV (segment registers)

The introduction of the AMD-V and Intel VT-x instruction sets in 2005 allows x86 processors to meet the Popek and Goldberg virtualization requirements.


IA-64

The effort needed to support virtualization on the IA-64 architecture is described in a 2000 article by Magenheimer and Christian. [12]


SPARC

A “hyperprivileged” mode for the UltraSPARC architecture was specified in UltraSPARC Architecture 2005. [13] It defines a sun4v platform [14] which is a superset of the sun4u platform, but is still compliant with the SPARC v9 Level-1 [15] specification.


PowerPC

All sensitive instructions in the PowerPC instruction set are privileged. [16] [17]

Performance in practice

The efficiency requirement in Popek and Goldberg’s definition of a VMM concerns only the execution of non-privileged instructions, which must execute natively. This is what distinguishes a VMM from the general class of hardware emulation software. Unfortunately, even on an architecture that meets Popek and Goldberg’s requirements, the performance of a virtual machine can differ significantly from the actual hardware. Early experiments performed on the System/370 (which meets the formal requirements of Theorem 1) showed that the performance of a virtual machine could be as low as 21% of the native machine in some benchmarks. The cost of trapping and emulating privileged instructions in the VMM can be significant. This led the IBM engineers to introduce a number of hardware assists, which roughly doubled the performance of the System/370 virtual machines. [18] Assists were added in several stages. In the end, there were over 100 assists on the late-model System/370. [19]

One of the main driving factors for the development of hardware assists for the System/370 was virtual memory itself. When the guest was an operating system that itself implemented virtual memory, even non-privileged instructions could experience longer execution times, a penalty imposed by the requirement to access translation tables not used in native execution (see shadow page tables). [20]


References

  1. Popek, G. J.; Goldberg, R. P. (July 1974). “Formal requirements for virtualizable third generation architectures”. Communications of the ACM. 17 (7): 412-421. doi:10.1145/361011.361073.
  2. Rogier Dittner, David Rule, The Best Damn Server Virtualization Book Period, Syngress, 2007, ISBN 1-59749-217-5, p. 19
  3. Smith and Nair, p. 387
  4. Adams and Agesen, 2006, pp. 2-3
  5. Smith and Nair, p. 391
  6. Adams and Agesen, p. 1 and 5
  7. S. W. Galley (1969). “PDP-10 Virtual Machines”. Proc. ACM SIGARCH-SIGOPS Workshop on Virtual Computer Systems. pp. 30-34.
  8. Smith and Nair, p. 395
  9. M68000 8-/16-/32-Bit Microprocessor User’s Manual, Ninth Edition. Phoenix, AZ, USA: Motorola, Inc. 1993.
  10. Motorola M68000 Family Programmer’s Reference Manual. Phoenix, AZ, USA: Motorola, Inc. 1992.
  11. John Scott Robin and Cynthia E. Irvine (2000). “Analysis of the Intel Pentium’s Ability to Support a Secure Virtual Machine Monitor”. Proc. 9th USENIX Security Symposium.
  12. Daniel J. Magenheimer and Thomas W. Christian (2000). “vBlades: Optimized Paravirtualization for the Itanium Processor Family”. Proc. 3rd Virtual Machine Research & Technology Symposium. USENIX. pp. 73-82.
  13. Weaver, David (2007-05-17). UltraSPARC Architecture 2005: One Architecture … Multiple Innovative Implementations (Draft D0.9) (PDF). Santa Clara, CA, USA: Sun Microsystems, Inc.
  14. Sun Microsystems, Inc. (2006-01-24). UltraSPARC Virtual Machine Specification (PDF). Santa Clara, CA, USA.
  15. Weaver, David L.; Tom Germond (1994). The SPARC Architecture Manual: Version 9 (PDF). San Jose, CA, USA: SPARC International, Inc. ISBN 0-13-825001-4.
  16. http://www.pagetable.com/?p=15
  17. http://www.cs.cmu.edu/~410-s07/lectures/L38_Virtualization.pdf
  18. Smith and Nair, pp. 415-416 and 426
  19. Gum, p. 535
  20. Gum, p. 533
