hoakley January 11, 2024 Macs, Technology

How virtualisation came to Apple silicon Macs

In the weeks prior to Apple’s announcement of the first Apple silicon Macs in June 2020, there was intense speculation over how they would run existing macOS software. While most correctly recognised that this would be implemented using translation of x86 code as had been performed by Rosetta during the transition from PowerPC to Intel in 2006, some also saw a role for virtualisation. At the time I wrote that “Apple could provide a complete virtualisation layer which let users run most Intel Mac apps, and could even install and run Windows.”

A few days later Craig Federighi described three pillars to support a diversity of apps on Apple silicon: Universal apps containing code for both architectures, Rosetta 2 to translate x86 code, and virtualisation. At the time, the latter was promoted for hosting Linux and Docker, and Andreas Wendker demonstrated a pre-release version of Parallels Desktop running Linux as a guest.

Hypervisor

Apple had originally built support for the central requirement in virtualisation, the hypervisor, back in OS X 10.10 Yosemite in 2014. That provides C APIs to virtualise in user space without the need for kernel extensions. On Intel Macs this provides hardware support in the VT-x feature set including Extended Page Tables (EPT) and Unrestricted Mode. This API doesn’t extend to providing support for drivers in the form of VirtIO devices, though.

VirtIO

Meanwhile, preparations for Apple silicon Macs were proceeding apace. Two new kernel extensions appeared around the time of Mojave, in 2018-19, apparently to provide initial support for VirtIO in AppleVirtIO and AppleVirtualGraphics, which reached version 2.1.3 with the update to 10.14.6 in July 2019, a year before the first Developer Transition Kit was to be released. Those developed rapidly in Catalina, reaching version 16.140.6 with 10.15.6 shortly after Apple’s announcement of Apple silicon.

Big Sur brought further additions to macOS that made it possible to demonstrate Linux running in a virtual machine. Parallels made no secret of its collaboration with Apple. The number of kernel extensions grew from the original two to five, with the addition of AppleParavirtGPU, AppleParavirtGPUMetal and AppleVirtualMCA. VirtIO, AppleVirtIO and AppleVirtualGraphics also advanced to version 74.50.1. Two frameworks joined those kexts: ParavirtualizedGraphics and Virtualization.

Virtualization Extensions

More fundamentally, Big Sur brought hardware support in what Apple termed its “Virtualization Extensions” presumably AArch64 virtualization as documented by Arm. This features an additional ‘exception level’, EL2 hypervisor, offering stage 2 translation, EL1/0 instruction and register access trapping, and virtual exception generation. Stage 2 translation allows a hypervisor to control which memory-mapped resources a VM can access, and where those appear in the VM’s address space, augmenting stage 1 translation controlled by operating systems. Trapping allows a hypervisor to trap operations, such as those configuring low level controls, and emulate them where necessary.

While Big Sur brought sufficient support for that brief demonstration by Andreas Wendker, it fell short of what was required for release, even following additional support by 11.5.2. At that stage, there were ten kernel extensions

AppleParavirtGPU
AppleParavirtGPUIOGPUFamily
AppleParavirtGPUMetal
AppleParavirtGPUMetalIOGPUFamily
AppleParavirtIOSurface
AppleVirtIO
AppleVirtIOStorage
AppleVirtualGraphics
AppleVirtualMCA
AppleVirtualPlatform

several of which were still in their first version. Apple had also added an audio plug-in, AppleVirtIOSound.

Launch

Lightweight virtualisation of macOS and Linux on Apple silicon was launched with limited support for Monterey at WWDC 2022 in Benjamin Poulain’s presentation explaining how simple it is to implement. He concluded by saying how the virtualisation team “cannot wait to see what you will do next with this technology”. Notable by its absence, though, was support for folders shared between macOS guest and host, that awaited the addition of the virtio file system to Ventura, and support of the built-in neural engine (ANE), which gained its own kernel extension AppleVirtIONeuralEngineDevice at the same time. Sonoma has since added two more kernel extensions, AppleVideoToolboxParavirtualization and AppleVirtIOBiometrics, as well as XPC services for the Virtualization framework for EventTap, Installation, LinuxRosetta, and VirtualMachine.

In addition to the hypervisor and VirtIO support, there were other hurdles to overcome for Apple silicon Macs to run a guest macOS. A standard macOS Installer app is insufficient to build a working VM, as it doesn’t contain most of the ‘firmware’ components required. Fortunately, those already come in the IPSW images used to perform a full restore to an Apple silicon Mac in DFU mode, and provide all the ingredients for installing a macOS VM.

As of Sonoma, there remain several outstanding issues that Apple has yet to address. Most significant is the thorny problem of Apple ID support, about which Apple has been silent. For those with ample Performance cores on their Ultra chips, Apple’s licensing limit of a maximum of two concurrent macOS VMs on any Mac is unnecessarily restrictive when they can virtualise as many instances of Linux as they want. Fewer, though, want to be able to nest virtualisation by running a VM inside another VM. Finally, those in Europe and many countries outside the US are keen for Apple to support ISO keyboard layouts in macOS VMs, which remains a surprising shortcoming. I’m sure there’s plenty more to come in the future.

Milestones

2014 OS X 10.10: Hypervisor APIs (Intel).
2018 macOS 10.14: VirtIO kernel extensions.
2020 macOS 11 Big Sur: Linux VM demonstrated, Virtualization Extensions for Apple silicon.
2021 macOS 12 Monterey: first public support.
2022 macOS 13 Ventura: full support including virtiofs sharing.
2023 macOS 14 Sonoma: virtual display and other enhancements.

16Comments

Add yours

1

Milo on January 11, 2024 at 11:35 am
Reply

I’m wondering why Apple has so consequently improved the abilities of macOS with regard to virtualization. Do they have internal needs for this? Or is there some development about how macOS will work in the future that we are not anticipating yet?

LikeLiked by 1 person
- 2
  
  hoakley on January 11, 2024 at 2:06 pm
  Reply
  
  That’s a very good question that I’ll try to answer, as far as I know.
  From the outset, telling Mac users to change from the safety of Intel to the gamble of Apple silicon required as seamless a transition as possible. As identified, that consisted of Universal apps (largely a transitional arrangement, and relatively straightforward to implement), Rosetta 2 code translation (building on previous experience, but requiring investment), and virtualisation to support Linux and more (even Windows). Without virtualisation, you simply wouldn’t be able to run Linux on Apple silicon, except for a few who might boot into something like Asahi Linux.
  Virtualising macOS is even more important, and longer-lasting than Universal apps or Rosetta 2. There will come a time when Apple stops bundling Rosetta 2 with macOS: that’s when you’ll need to run any remaining x86 code in a VM that can still use Rosetta 2. There’s also the problem of how newer Apple silicon models can run apps that are only supported as far as older macOS, such as Monterey. You won’t be able to boot those in the older macOS (you already can’t with M3 models, for instance), so the only way to provide backward compatibility is for them to run older macOS in a VM.
  Virtualising on Intel is well-trodden ground, with most of the hardware well-known and drivers readily available. As all the devices in an Apple silicon chip are Apple’s, proprietary, and undocumented outside Apple, for any third-party to develop their own virtualiser would have been prohibitively expensive. So Apple had to do it if anyone was going to run VMs on Apple silicon.
  There are very real and substantial needs. Without virtualisation, Apple silicon would have been heading for trouble one way or another. And virtualising on it will only get more popular as time goes on.
  Howard.
  
  LikeLike
  - 3
    
    Simon on January 11, 2024 at 2:27 pm
    Reply
    
    Frankly, I’m not convinced. Those reasons you mention are all certainly valid, but who actually makes use of that? A very small fraction of Mac users actually rely on a VM. In many other instances Apple had no problems throwing features over board effectively telling those few who were affected to look somewhere else. So what is it that makes this feature set so special that Apple would appear to cater to a niche demand? My guess is, for reasons we perhaps haven’t seen yet, Apple itself is planning to leverage VMs for products/services they expect to have broader significance and that is why all of a sudden they invested heavily into something as exotic (exotic in the sense that so very few of Apple’s user base today actually makes use of it themselves) as virtualizing Linux on macOS.
    
    LikeLiked by 1 person
    - 4
      
      hoakley on January 11, 2024 at 5:06 pm
      
      “but who actually makes use of that?” At present, that is a relatively small minority of Apple silicon Mac users. However, as Apple releases more new models that can’t run Big Sur, Monterey or Ventura, there will be an increasing number of users for whom that’s the only way to run older versions of apps. And when Apple discontinues Rosetta 2, it will be the only way of running x86 apps on Apple silicon. Add those together, and the numbers rise greatly. You can’t judge the importance of macOS VMs on current usage, because we all know those changes will inevitably take place.
      “all of a sudden they invested heavily into something as exotic” Only in geological terms. I had thought that the article above would have demonstrated that virtualisation on Apple silicon has been in development for quite a few years now, hardly something sudden.
      “Apple itself is planning to leverage VMs for products/services” There’s just one gaping great hole in that “guess”: products and services require an Apple ID, or they can’t be billed to the user. And that’s the most prominent and total omission from virtualisation, in addition to access to iCloud. But maybe Apple has been planning all along not to even test those features before suddenly releasing them? No, I think you’ll need to guess something that doesn’t rely on Apple ID.
      One interesting side-note here: although I and others have been surprised that macOS VMs can’t run App Store apps, that makes more sense than appears. App Store apps of course are expected to be updated to support current macOS, so as far as VMs are concerned, they’re not one of the key requirements, as the user will be able to run them in the host macOS and won’t require a VM running an older macOS.
      Howard.
      
      LikeLike
    - 5
      
      Christian Hopps on January 12, 2024 at 10:50 am
      
      Many software developers utilize Linux virtualization as well as docker.
      
      LikeLiked by 1 person
    - 6
      
      hoakley on January 12, 2024 at 11:59 am
      
      Thank you. While I agree, I think the numbers relative to the total market for Apple silicon Macs remain small. However, being able to run an older macOS, particularly with Rosetta 2 in it, is going to have more general appeal in the future.
      Howard.
      
      LikeLike
  - 7
    
    Milo on January 11, 2024 at 5:25 pm
    Reply
    
    Rosetta is certainly essential to make the transition painless for most users. But virtualization goes much further than that. Maybe you’re right and Apple is worried about backwards compatibility. This could be the case if they are already planning to more aggressively deprecate and remove older macOS APIs. In this case, virtualization would make a lot of sense.
    
    LikeLiked by 1 person
    - 8
      
      hoakley on January 11, 2024 at 5:53 pm
      
      Apple certainly has a long-term plan to remove the APIs that it deprecates, and to continue deprecations. There have been quite a few since the release of Big Sur alone. Yet my new MacBook Pro M3 Pro can’t run any macOS older than Sonoma. Without being able to run Monterey or Ventura in a VM – which it does very nicely, thank you – how could it run software that’s incompatible with Sonoma, or that has been discontinued? It’s worth remembering here that Rosetta 2 translates x86 code, but can’t work around APIs that have been removed from macOS.
      In the past, we have assumed that we could always virtualise older versions of macOS using commercial products such as those from VMWare and Parallels. Well, the situation with Apple silicon is that no third-party could or would develop their own macOS virtualisation for Apple silicon, and when they do develop a virtualiser, they’re interested in the Windows and Linux markets, not macOS – as VMWare has demonstrated.
      Howard.
      
      LikeLike
9

Marc on January 11, 2024 at 8:18 pm
Reply

Very interesting and informative article (as usual). I think your explanation of why Apple has done this makes a lot of sense. How long do you think Apple will keep the old operating systems available? (It has been getting harder to find the later OSX 10 systems such as High Sierra.) Should people who expect to need Big Sur or Monterey, set up virtual machines just in case?

LikeLiked by 1 person
- 10
  
  hoakley on January 11, 2024 at 8:49 pm
  Reply
  
  Thank you. That’s an interesting and important question.
  So far, Apple has kept IPSW image files available for every release of macOS since Big Sur, although it doesn’t create IPSWs for versions that are security updates, once they’re out of full support. This has unexpected results. You can currently download and install as a VM IPSWs for 12.0.1 to 12.6.1. In theory a VM should be able to update itself beyond that, but this currently fails, hanging the VM during the update. You can still download the 12.7.x installers, but AFAIK you can’t use those to update a VM. So you can’t run, say, 12.7.2 in a VM. I don’t think that’s intentional though, but it’s time for Apple either to issue IPSWs for each of those security updates, or fix the updates so they can be applied to a VM.
  There’s also a mechanism by which Apple can block the installation of old macOS if it wants to, perhaps if it were to become compromised in some way. AFAIK that has never been invoked on an IPSW, but could prevent it from being installed.
  Just as with macOS Installers, I keep an archive of key versions just in case, so I can create a fresh VM for most versions of macOS since Monterey (as Big Sur can’t be virtualised) for testing purposes.
  Howard.
  
  LikeLike
11

mac2net on January 12, 2024 at 7:08 am
Reply

Sorry to bust the bubble but regarding Linux virtualisation it would be better for you to advise the Lima Project then re-invent the wheel. I can get going with Fedora 39 Server in minutes with Lima using 2 cores and 2GB RAM and taking up less than 3.5 GB of space after installing some utilities. You might ask why would I do this? Because then I use Cockpit to login to my AMD metal Fedora server via port 22.

Still the Lima folks could use your help doing what you do best, especially the GUI they are trying to develop to manage Lima, although actually since Lima uses a YAML config file, the GUI wouldn’t add that much value.

LikeLiked by 1 person
- 12
  
  hoakley on January 12, 2024 at 7:37 am
  Reply
  
  Sorry, you’ve lost me there. This is about what Apple has introduced in macOS to support virtualisation on Apple silicon Macs. I think you’ll find that the Lima Project uses Apple’s API – for example, it uses virtiofs, which is provided by the virtiofs file system in macOS.
  Howard.
  
  LikeLike
13

Marek on January 12, 2024 at 9:53 am
Reply

Thank you, Howard, for the article and a good summary of what has been achieved so far. One gaping hole I see currently with Apple’s VM framework is that there is no support to capture USB devices and connect them directly to the VM. Are you aware of any workarounds? Do you think that Apple will eventually implement their support?

LikeLiked by 1 person
- 14
  
  hoakley on January 12, 2024 at 11:57 am
  Reply
  
  Thank you.
  Well, Apple is improving that. The latest extension to earlier access limitations now includes direct access to NVMe storage devices. There’s no reason why Apple couldn’t provide a VirtIO devices to support direct USB access. Have you put this in feedback to the virtualisation team?
  Howard.
  
  LikeLike
- 15
  
  Milo on January 12, 2024 at 1:12 pm
  Reply
  
  Passthrough of USB devices would indeed be very useful. I hope it’s coming in a future release. Though if I understand it correctly, it’s very unlikely such functionality would be backported to earlier macOS versions (as a host). So it might be of limited use.
  
  LikeLiked by 1 person
  - 16
    
    hoakley on January 12, 2024 at 3:29 pm
    Reply
    
    Ask for it using Feedback, please, with your use case. Otherwise Apple may continue to leave it unsupported.
    Howard.
    
    LikeLike