Citrix Systems is working with Intel to deliver a "bare metal" hypervisor for client PCs, which proponents say could broaden the use of desktop virtualisation by overcoming some of the technology's current shortcomings

The hypervisor should improve on today's desktop virtualisation by providing better security, because it runs independently of the client OS, and better performance for end users, because it allows applications to run on the local client instead of a remote server, the companies said.

"What this product will do at a high level is address some of the core challenges and core barriers that have kept client virtualisation solutions and usage models from being broadly adopted in the past," said Gregory Bryant, a vice president and general manager at Intel, in a call-in for press and analysts on Friday.

Citrix and Intel plan to deliver the hypervisor in the second half of this year. Intel will package it with the firmware it delivers to PC manufacturers, which the companies hope will preinstall it on desktop and laptop PCs. Citrix says it can also distribute the software with its own products.

"It's a case of building a hypervisor into the platform - into laptops and desktops - and trying to make virtualisation ubiquitous on all those machines," said Ian Pratt, founder of the open-source Xen project and a vice president at Citrix.

The hypervisor is the layer of software that manages interaction between a virtual machine and the underlying hardware. Most products for the client today are "Type 2" hypervisors, which install on a PC's host OS. Type 1 hypervisors are installed with the firmware beneath the OS, directly on the computer's "bare metal."

The new product should help Citrix keep pace with VMware, which announced its own bare-metal hypervisor at the VMworld conference last October. VMware's product is also due in the second half of this year, a spokeswoman said.

Virtualisation has been widely adopted on servers but its use on desktops has been limited. Proponents say it can offer big savings for IT departments because it allows them to create and manage desktop images centrally, instead of on each client individually.

But today's products have drawbacks. In one model, used by Citrix XenDesktop and VMware View, desktop images are stored in virtual containers on a server and streamed to end users. That model can create performance issues for end users, since data is constantly shuttled back and forth over a network. It also doesn't allow users to work offline.

Another model, used by VMware ACE, installs the desktop image on a Type 2 hypervisor on the client OS. That provides better performance and the ability to work offline, but critics say security is weaker because it is dependent upon the security of the client OS.

"The Type 2 hypervisor provides no security to stop the host from snooping on what the virtual machine is doing. It can arbitrarily corrupt it and steal data from it," Pratt said.

Bare metal hypervisors aim to combine the best of both worlds. They will also allow companies to install two separate desktop images side by side on a PC, meaning an employee could have one environment for work use and another for personal use, said Andi Mann, a research director with Enterprise Management Associates, in Boulder Colorado.

"It really enables this fundamental and clear separation of the corporate and the personal, and that's very significant," he said. "From a usability point of view it makes my personal desktop environment really my own, and from the corporate standpoint it allows them to lock down their desktop. So it satisfies both parties' desires."

VMware dominates the server virtualisation market, but Citrix may have an advantage on the desktop because it has focussed much of its efforts on application delivery, Mann said. "My feeling is that Citrix is better poised to manage the virtual client environment," he said.

Citrix believes employees will increasingly use the same computer for work and personal use, so having a way to keep work and personal environments separate on a PC will be a big benefit, said Calvin Hsu, director of product marketing for Citrix's desktop delivery group. "This sits directly on the hardware and allows each virtual machine on there to be totally isolated," he said.

Claims that a Type 1 hypervisor is inherently more secure because it runs independently of the host OS need to be tested, however, Mann said. A skilled hacker could potentially gain access a Type 1 hypervisor from another part of the machine. "We can't tell until we do some penetration tests how secure it really is," he said.

The work with Intel makes use of the VT virtualisation technology included with its VPro business-class chipsets. The hypervisor will be able to run on existing Intel PCs that have that technology, and applications will not need to be rewritten to run on the new software, according to Pratt.

The hypervisor will be based on software developed through the open-source Xen Client Initiative announced last year, and Citrix expects to release an open source version of the hypervisor along with its own commercial product. It's not saying yet if that product will be priced separately or bundled with PCs and other software.