jay

Reputation: 1071

Where is guest ring-3 code run in VM environment?

According to the white paper that VMware has published, binary translation technology is only used in the kernel (ring 0 code); ring 3 code is "directly executed" on the CPU hardware.

As I observed, no matter how many processes are run in the guest OS, there is always only 1 process in the host OS. So I assume all the guest ring 3 code is run in the single host process context (for VMware, it's vmware-vmx.exe).

So my question here is, how do you execute so much ring 3 code natively in a single process? Considering that most Windows exe files don't contain relocation information, they cannot be executed somewhere else, and binary translation is not used for ring 3 code.

Thanks.

Upvotes: 1

Views: 572

Answers (1)

Wayne

Reputation: 661

Let's talk about VMX, which is Intel VT-x's design.

Intel VT-x introduces two new modes to solve this problem: VMX root mode and VMX non-root mode, which are for host and guest respectively. Both modes have ring 0~3, which means the host and guest will not share the same ring level.

When a hypervisor running in ring 3 of VMX root mode decides to transfer CPU control to a guest, the hypervisor launches the VMLAUNCH instruction, which transfers from VMX root mode to VMX non-root mode. Then guest ring 3 code is able to execute automatically in VMX non-root mode. All of this is supported by Intel VT-x. No binary translation or instruction emulation is needed for running the guest.

Of course ring 3 of VMX non-root mode has less privilege and power. For example, when guest ring 3 code encounters something it cannot handle, such as a physical device access request, the CPU will automatically detect this kind of restriction and transfer back to the hypervisor in VMX root mode. After the hypervisor finishes this task, it will trigger VMLAUNCH again to run the guest.

Upvotes: 3
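The launch / exit / resume loop the answer describes, as an added toy model that is not code from the question, the answer, VMware or Intel. It does not touch real VT-x (that needs ring 0, a VMCS and VMLAUNCH/VMRESUME); the tiny guest instruction set, the exit-reason names, and the Guest and Hypervisor classes are invented for illustration. Unprivileged guest instructions run straight through, a device access or halt forces an exit that the hypervisor services before resuming, and two guest processes linked at the same guest-virtual address are executed from one host context because each fetch resolves through its own guest address space rather than through the host process's map.

```python
# Added illustration: a toy model of the VMX root / non-root trap-and-resume
# loop. Constructed for this answer; it is not VMware code and does not use
# real VT-x (which needs ring 0, a VMCS, and VMLAUNCH/VMRESUME). The guest
# "ISA", the exit-reason names, and the Guest/Hypervisor classes are invented.
from dataclasses import dataclass
from typing import List, Tuple

# Placeholder exit reasons; real VT-x reports numeric "basic exit reasons".
EXIT_IO = "IO_INSTRUCTION"     # guest touched a device port
EXIT_HLT = "HLT"               # guest halted
EXIT_TIMER = "PREEMPTION"      # the guest's time slice ran out

GUEST_BASE = 0x400000          # every guest process is "linked" at this address


@dataclass
class Guest:
    name: str
    program: List[Tuple[str, int]]   # (opcode, operand), loaded at GUEST_BASE
    rip: int = GUEST_BASE            # guest-virtual instruction pointer
    acc: int = 0                     # one general-purpose register
    halted: bool = False


@dataclass
class VmExit:
    reason: str
    qualification: int = 0           # e.g. the port number for EXIT_IO


def run_nonroot(g: Guest, budget: int) -> VmExit:
    """'VMX non-root' execution: unprivileged instructions run straight
    through; anything the guest may not do ends the run with an exit."""
    for _ in range(budget):
        # Instruction fetch resolves through the guest's own address space, so
        # two guests linked at the same GUEST_BASE never collide in the host.
        op, arg = g.program[g.rip - GUEST_BASE]
        g.rip += 1
        if op == "ADD":                 # plain arithmetic: no hypervisor involvement
            g.acc += arg
        elif op == "OUT":               # device access: CPU forces a VM exit
            return VmExit(EXIT_IO, arg)
        elif op == "HLT":
            return VmExit(EXIT_HLT)
        else:
            raise ValueError(f"unknown opcode {op}")
    return VmExit(EXIT_TIMER)


class Hypervisor:
    """'VMX root' side: owns the devices, services exits, resumes the guest."""

    def __init__(self) -> None:
        self.device_log: List[Tuple[str, int, int]] = []   # (guest, port, value)
        self.exit_trace: List[Tuple[str, str]] = []        # (guest, reason)

    def handle_exit(self, g: Guest, e: VmExit) -> None:
        self.exit_trace.append((g.name, e.reason))
        if e.reason == EXIT_IO:
            # Emulate the device; the guest never touches real hardware.
            self.device_log.append((g.name, e.qualification, g.acc))
        elif e.reason == EXIT_HLT:
            g.halted = True
        # EXIT_TIMER needs no work: just resume (VMRESUME on real VT-x).

    def run(self, g: Guest, budget: int = 2) -> int:
        """Launch the guest, service every exit, return its final accumulator."""
        while not g.halted:
            self.handle_exit(g, run_nonroot(g, budget))
        return g.acc


def demo() -> Hypervisor:
    """Two guest processes, both linked at GUEST_BASE, run from one host context."""
    hv = Hypervisor()
    a = Guest("A", [("ADD", 5), ("ADD", 3), ("OUT", 0x80), ("HLT", 0)])
    b = Guest("B", [("ADD", 1), ("OUT", 0x3F8), ("HLT", 0)])
    hv.run(a)
    hv.run(b)
    return hv


if __name__ == "__main__":
    hv = demo()
    for entry in hv.exit_trace:
        print("exit:", entry)
    for entry in hv.device_log:
        print("device write:", entry)
```

With the default budget of two instructions per entry, guest A is pre-empted once before its port write, so its exit trace reads PREEMPTION, IO_INSTRUCTION, HLT; guest B exits only for the port write and the halt. Nothing in the host context needed relocating, because the host process is never the thing that resolves guest addresses.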