
Second Level Address Translation

From Wikipedia, the free encyclopedia



Second Level Address Translation (SLAT), also known as nested paging, is a hardware-
assisted virtualization technology which makes it possible to avoid the overhead associated with
software-managed shadow page tables.

AMD has supported SLAT through the Rapid Virtualization Indexing (RVI) technology since the
introduction of its third-generation Opteron processors (code name Barcelona). Intel's
implementation of SLAT, known as Extended Page Table (EPT), was introduced in the Nehalem
microarchitecture found in certain Core i7, Core i5, and Core i3 processors.

ARM's virtualization extensions support SLAT, known as Stage-2 page-tables provided by a
Stage-2 MMU. The guest uses the Stage-1 MMU. Support was added as optional in the ARMv7ve
architecture and is also supported in the ARMv8 (32-bit and 64-bit) architectures.


Overview
Modern processors use the concepts of physical memory and virtual memory: running
processes use virtual addresses, and when an instruction requests access to memory, the
processor translates the virtual address to a physical address using a page table or translation
lookaside buffer (TLB). A virtual system is allocated virtual memory of the host system, which
serves as physical memory for the guest system, and the same process of address translation
also takes place within the guest system. This increases the cost of memory access, since
the address translation needs to be performed twice: once inside the guest system (using a
software-emulated guest page table), and once inside the host system (using the physical
map, pmap).

To make this translation efficient, software engineers implemented software-based shadow
page tables. A shadow page table translates guest virtual memory addresses directly to host
physical memory addresses. Each VM has a separate shadow page table, and the hypervisor is in
charge of managing them. The cost is high, however: every time a guest updates its page table, it
triggers the hypervisor to manage the allocation of the page table and its changes.

In order to make this translation more efficient, processor vendors implemented technologies
commonly called SLAT. By treating each guest-physical address as a host-virtual address, a slight
extension of the hardware used to walk a non-virtualized page table (now the guest page table)
can walk the host page table. With multilevel page tables the host page table can be viewed
conceptually as nested within the guest page table. A hardware page table walker can treat the
additional translation layer almost like adding levels to the page table.

Using SLAT and multilevel page tables, the number of levels needed to be walked to find the
translation doubles when the guest-physical address is the same size as the guest-virtual address
and the same size pages are used. This increases the importance of caching values from
intermediate levels of the host and guest page tables. It is also helpful to use large pages in the
host page tables to reduce the number of levels (e.g., in x86-64, using 2 MB pages removes one
level in the page table). Since memory is typically allocated to virtual machines at coarse
granularity, using large pages for guest-physical translation is an obvious optimization, reducing
the depth of look-ups and the memory required for host page tables.
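
The nested walk described above can be traced on a toy machine; this is an added example, not code from the article or from any hypervisor. The table layout, sizes, flag bits and all function names are assumptions made for the illustration, and it counts the table-entry reads an uncached walker performs with small and with large host pages.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy machine: 2-level tables, 16-word pages, identity host map. */
enum { OFF = 4, IDX = 2, LEVELS = 2, PRESENT = 1, LARGE = 2,
       HOST_ROOT = 0x100, GUEST_ROOT = 0x10 };
static uint64_t mem[512];  /* host-physical memory, word addressed */
static unsigned reads;     /* table entries fetched by the walker */
static uint64_t rd(uint64_t hpa) { reads++; return mem[hpa]; }

/* Second-level walk: guest-physical -> host-physical. */
static uint64_t host_xlate(uint64_t gpa) {
    uint64_t tbl = HOST_ROOT;
    for (int l = LEVELS - 1; l >= 0; l--) {
        unsigned shift = OFF + l * IDX;
        uint64_t e = rd(tbl + ((gpa >> shift) & 3));
        tbl = e & ~3ull;
        if (e & LARGE)  /* a large page ends the host walk one level early */
            return tbl | (gpa & ((1u << shift) - 1));
    }
    return tbl | (gpa & 15);
}

/* Nested walk: each guest table pointer is a gPA and needs its own host walk. */
uint64_t nested_xlate(uint64_t gva) {
    uint64_t tbl = GUEST_ROOT;
    for (int l = LEVELS - 1; l >= 0; l--)
        tbl = rd(host_xlate(tbl + ((gva >> (OFF + l * IDX)) & 3))) & ~3ull;
    return host_xlate(tbl | (gva & 15));
}

/* Build the tables, translate gVA 0xB5, return the entry reads it took. */
unsigned walk_cost(int large_host) {
    memset(mem, 0, sizeof mem);
    for (unsigned i = 0; i < 4; i++) {
        mem[HOST_ROOT + i] = large_host ? (i * 64) | PRESENT | LARGE : (0x110 + i * 16) | PRESENT;
        for (unsigned j = 0; j < 4; j++)
            mem[0x110 + i * 16 + j] = ((i * 4 + j) * 16) | PRESENT;
    }
    mem[GUEST_ROOT + 2] = 0x20 | PRESENT;  /* guest root -> guest leaf table */
    mem[0x20 + 3] = 0x70 | PRESENT;        /* guest leaf -> data page */
    reads = 0;
    return nested_xlate(0xB5) == 0x75 ? reads : 0;
}

int main(void) {
    printf("small host pages: %u reads, large: %u\n", walk_cost(0), walk_cost(1));
    return 0;
}
```

With four guest and four host levels, as on x86-64, the same loops make 24 entry reads for one uncached translation, and 19 when the host uses 2 MB pages.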

Implementations
Rapid Virtualization Indexing

Rapid Virtualization Indexing (RVI), known as Nested Page Tables (NPT) during its development,
is an AMD second generation hardware-assisted virtualization technology for the processor
memory management unit (MMU).[1][2] RVI was introduced in the third generation of Opteron
processors, code name Barcelona.[3]

A VMware research paper found that RVI offers up to 42% gains in performance compared with
a software-only (shadow page table) implementation.[4] Tests conducted by Red Hat showed a
doubling in performance for OLTP benchmarks.[5]

Extended Page Tables

Extended Page Tables (EPT) is an Intel second-generation x86 virtualization technology for the
memory management unit (MMU). EPT support is found in Intel's Core i3, Core i5, Core i7 and
Core i9 CPUs, among others.[6] It is also found in some newer VIA CPUs. EPT is required in order
to launch a logical processor directly in real mode, a feature called "unrestricted guest" in Intel's
jargon, and introduced in the Westmere microarchitecture.[7][8]

According to a VMware evaluation paper, "EPT provides performance gains of up to 48% for
MMU-intensive benchmarks and up to 600% for MMU-intensive microbenchmarks", although it can
actually cause code to run slower than a software implementation in some corner cases.[9]

Stage-2 page-tables

Stage-2 page-table support is present in ARM processors that implement exception level 2 (EL2).

Extensions
Mode Based Execution Control

Mode Based Execution Control (MBEC) is an extension to x86 SLAT implementations first
available in Intel Kaby Lake and AMD Zen 2 CPUs. The extension extends the execute bit in the
extended page table (guest page table) into 2 bits: one for user execute, and one for supervisor
execute.[10]

MBE was introduced to speed up guest usermode unsigned code execution with kernelmode code
integrity enforcement. Under this configuration, unsigned code pages can be marked as execute
under usermode, but must be marked as no-execute under kernelmode. To maintain integrity by
ensuring all guest kernelmode executable code is signed even when the guest kernel is
compromised, the guest kernel does not have permission to modify the execute bit of any memory
pages. Modification of the execute bit, or switching of the guest page table which contains the
execute bit, is delegated to a higher privileged entity, in this case the host hypervisor. Without
MBE, each entrance from unsigned usermode execution to signed kernelmode execution must be
accompanied by a VM exit to the hypervisor to perform a switch to the kernelmode page table. On
the reverse operation, an exit from signed kernelmode to unsigned usermode must be
accompanied by a VM exit to perform another page table switch. VM exits significantly impact
code execution performance.[11][12] With MBE, the same page table can be shared between
unsigned usermode code and signed kernelmode code, with two sets of execute permission
depending on the execution context. VM exits are no longer necessary when execution context
switches between unsigned usermode and signed kernelmode.
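
The two execute permissions described above can be modelled directly; this is an added example, not code from the article or from any hypervisor. Bit positions follow Intel's EPT entry format, while the policy and the names `shared_table_entry`, `integrity_holds` and `table_switches` are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Permission bits of an EPT leaf entry (Intel's entry format). */
#define EPT_READ   (1ull << 0)
#define EPT_EXEC   (1ull << 2)   /* every fetch; supervisor fetches only under MBEC */
#define EPT_EXEC_U (1ull << 10)  /* user-mode fetches; consulted only under MBEC */

/* Do the second-level tables permit this guest instruction fetch? */
bool fetch_allowed(uint64_t entry, bool mbec, bool user_mode) {
    if (mbec && user_mode)
        return (entry & EPT_EXEC_U) != 0;
    return (entry & EPT_EXEC) != 0;
}

/* Hypothetical hypervisor policy for ONE table shared by both modes:
   signed pages run anywhere, unsigned pages must still run in user mode. */
uint64_t shared_table_entry(bool signed_code, bool mbec) {
    if (mbec)
        return EPT_READ | EPT_EXEC_U | (signed_code ? EPT_EXEC : 0);
    return EPT_READ | EPT_EXEC;  /* one bit: cannot tell the modes apart */
}

/* Code-integrity invariant: a supervisor fetch from an unsigned page fails. */
bool integrity_holds(bool mbec) {
    return !fetch_allowed(shared_table_entry(false, mbec), mbec, false);
}

/* Table switches (each a VM exit) over a trace of 'U'/'K' execution modes.
   Without MBEC the hypervisor keeps two tables and swaps on every change. */
unsigned table_switches(const char *trace, bool mbec) {
    unsigned n = 0;
    for (size_t i = 1; trace[0] != '\0' && trace[i] != '\0'; i++)
        if (!mbec && trace[i] != trace[i - 1])
            n++;
    return n;
}

int main(void) {
    printf("shared table keeps integrity: no MBEC=%d, MBEC=%d\n",
           integrity_holds(false), integrity_holds(true));
    printf("switches for UKUKU: no MBEC=%u, MBEC=%u\n",
           table_switches("UKUKU", false), table_switches("UKUKU", true));
    return 0;
}
```

A single shared table without MBEC fails the invariant, which is why that configuration needs two tables and a VM exit on every mode change.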

Support in software
Hypervisors that support SLAT include the following:

• Hyper-V for Windows Server 2008 R2, Windows 8 and later.[13] The Windows 8 (and later
  Microsoft Windows) Hyper-V actually requires SLAT.[14][15]
• Hypervisor.framework, a native macOS hypervisor, available since macOS 10.10[16]
• KVM, since version 2.6.26 of the Linux kernel mainline[17][18]
• Parallels Desktop for Mac, since version 5[19]
• VirtualBox, since version 2.0.0[20]
• VMware ESX, since version 3.5[4]
• VMware Workstation. VMware Workstation 14 (and later VMware Workstation) actually
  requires SLAT.[21]
• Xen, since version 3.2.0[22]
• Qubes OS — SLAT mandatory[23]
• bhyve[24][25] — SLAT mandatory and slated to remain mandatory
• vmm, a native hypervisor on OpenBSD — SLAT mandatory[26][27]
• ACRN, an open-source lightweight hypervisor, built with real-time and safety-criticality in
  mind, optimized for IoT and Edge usages.[28]

Some of the above hypervisors actually require SLAT in order to work at all (not just faster) as they
do not implement a software shadow page table; the list is not fully updated to reflect that.

Install Docker Desktop on Windows

Update to the Docker Desktop terms

Commercial use of Docker Desktop in larger enterprises (more than 250 employees OR more than
$10 million USD in annual revenue) now requires a paid subscription.

Welcome to Docker Desktop for Windows. This page contains information about Docker Desktop
for Windows system requirements, download URL, instructions to install and update Docker
Desktop for Windows.

Download Docker Desktop for Windows


For checksums, see Release notes

System requirements
Your Windows machine must meet the following requirements to successfully install Docker
Desktop.

• WSL 2 backend
• Hyper-V backend and Windows containers

WSL 2 backend

• Windows 11 64-bit: Home or Pro version 21H2 or higher, or Enterprise or Education version
  21H2 or higher.
• Windows 10 64-bit: Home or Pro 21H1 (build 19043) or higher, or Enterprise or Education
  20H2 (build 19042) or higher.
• Enable the WSL 2 feature on Windows. For detailed instructions, refer to the Microsoft
  documentation.
• The following hardware prerequisites are required to successfully run WSL 2 on Windows
  10 or Windows 11:
  o 64-bit processor with Second Level Address Translation (SLAT)
  o 4GB system RAM
  o BIOS-level hardware virtualization support must be enabled in the BIOS settings. For
    more information, see Virtualization.
• Download and install the Linux kernel update package.

Note

Docker only supports Docker Desktop on Windows for those versions of Windows 10 that are still
within Microsoft’s servicing timeline.

Containers and images created with Docker Desktop are shared between all user accounts on
machines where it is installed. This is because all Windows accounts use the same VM to build
and run containers. Note that it is not possible to share containers and images between user
accounts when using the Docker Desktop WSL 2 backend.

Running Docker Desktop inside a VMware ESXi or Azure VM is supported for Docker Business
customers. It requires enabling nested virtualization on the hypervisor first. For more information,
see Running Docker Desktop in a VM or VDI environment.

About Windows containers

Looking for information on using Windows containers?

• Switch between Windows and Linux containers describes how you can toggle between
  Linux and Windows containers in Docker Desktop and points you to the tutorial mentioned
  above.
• Getting Started with Windows Containers (Lab) provides a tutorial on how to set up and run
  Windows containers on Windows 10, Windows Server 2016 and Windows Server 2019. It
  shows you how to use a MusicStore application with Windows containers.
• Docker Container Platform for Windows articles and blog posts on the Docker website.

Note

To run Windows containers, you need Windows 10 or Windows 11 Professional or Enterprise
edition. Windows Home or Education editions will only allow you to run Linux containers.

Install Docker Desktop on Windows


Install interactively

1. Double-click Docker Desktop Installer.exe to run the installer.

If you haven’t already downloaded the installer (Docker Desktop Installer.exe), you can get it
from Docker Hub. It typically downloads to your Downloads folder, or you can run it from the
recent downloads bar at the bottom of your web browser.

2. When prompted, ensure the Use WSL 2 instead of Hyper-V option on the Configuration
page is selected or not depending on your choice of backend.

If your system only supports one of the two options, you will not be able to select which
backend to use.

3. Follow the instructions on the installation wizard to authorize the installer and proceed with
the install.
4. When the installation is successful, click Close to complete the installation process.
5. If your admin account is different to your user account, you must add the user to the
docker-users group. Run Computer Management as an administrator and navigate to
Local Users and Groups > Groups > docker-users. Right-click to add the user to the
group. Log out and log back in for the changes to take effect.

Install from the command line

After downloading Docker Desktop Installer.exe, run the following command in a terminal to
install Docker Desktop:

"Docker Desktop Installer.exe" install

If you’re using PowerShell you should run it as:

Start-Process '.\win\build\Docker Desktop Installer.exe' -Wait install

If using the Windows Command Prompt:

start /w "" "Docker Desktop Installer.exe" install

The install command accepts the following flags:

• --quiet: suppresses information output when running the installer
• --accept-license: accepts the Docker Subscription Service Agreement now, rather than
  requiring it to be accepted when the application is first run
• --no-windows-containers: disables Windows containers integration
• --allowed-org=<org name>: requires the user to sign in and be part of the specified Docker
  Hub organization when running the application
• --backend=<backend name>: selects the default backend to use for Docker Desktop,
  hyper-v, windows or wsl-2 (default)

If your admin account is different to your user account, you must add the user to the docker-users
group:

net localgroup docker-users <user> /add

Start Docker Desktop


Docker Desktop does not start automatically after installation. To start Docker Desktop:

1. Search for Docker, and select Docker Desktop in the search results.
2. The Docker menu displays the Docker Subscription Service Agreement window. It
includes a change to the terms of use for Docker Desktop.

Here’s a summary of the key changes:

o Our Docker Subscription Service Agreement includes a change to the terms of use
for Docker Desktop
o It remains free for small businesses (fewer than 250 employees AND less than $10
million in annual revenue), personal use, education, and non-commercial open
source projects.
o It requires a paid subscription for professional use in larger enterprises.
o The effective date of these terms is August 31, 2021.
o The existing Docker Free subscription has been renamed Docker Personal and we
have introduced a Docker Business subscription.
o The Docker Pro, Team, and Business subscriptions include commercial use of
Docker Desktop.
3. Click the checkbox to indicate that you accept the updated terms and then click Accept to
continue. Docker Desktop starts after you accept the terms.

Important

If you do not agree to the updated terms, the Docker Desktop application will close
and you can no longer run Docker Desktop on your machine. You can choose to
accept the terms at a later date by opening Docker Desktop.

For more information, see Docker Desktop License Agreement. We recommend that you
also read the Blog and FAQs to learn how companies using Docker Desktop may be
affected.

Updates
When an update is available, Docker Desktop displays an icon on the Docker menu to indicate the
availability of a newer version. Additionally, the Software Updates section in Settings
(Preferences on Mac) also notifies you of any updates available to Docker Desktop. You can
choose to download the update right away, or click the Release Notes option to learn what’s
included in the updated version.

Starting with Docker Desktop 4.2.0, the option to turn off the automatic check for updates is
available for users on all Docker subscriptions, including Docker Personal and Docker Pro.

Docker Subscription Service Agreement

Beginning on August 31, 2021, you must agree to the Docker Subscription Service Agreement to
continue using Docker Desktop. Read the Blog and the Docker subscription FAQs to learn more
about the changes.

Click Download update when you are ready to download the update. This downloads the update
in the background. After downloading the update, click Update and restart from the Docker menu.
This installs the latest update and restarts Docker Desktop for the changes to take effect.

When Docker Desktop starts, it displays the Docker Subscription Service Agreement window.
Read the information presented on the screen to understand how the changes impact you. Click
the checkbox to indicate that you accept the updated terms and then click Accept to continue.

Important

If you do not agree to the terms, the Docker Desktop application will close and you can no longer
run Docker Desktop on your machine. You can choose to accept the terms at a later date by
opening Docker Desktop.

Docker Desktop starts after you accept the terms.


Uninstall Docker Desktop
To uninstall Docker Desktop from your Windows machine:

1. From the Windows Start menu, select Settings > Apps > Apps & features.
2. Select Docker Desktop from the Apps & features list and then select Uninstall.
3. Click Uninstall to confirm your selection.

Important

Uninstalling Docker Desktop destroys Docker containers, images, volumes, and other Docker
related data local to the machine, and removes the files generated by the application. Refer to the
back up and restore data section to learn how to preserve important data before uninstalling.
