The L4 Microkernel. Invited Speaker: Prof. Hermann Härtig Technische Universität Dresden. ARTIST Summer School in Europe 2010

Transcription

1 ARTIST Summer School in Europe 2010 Autrans (near Grenoble), France September 5-10, 2010 The Invited Speaker: Prof. Technische Universität Dresden

2 L4

3 COTS - SW Applet Firefox Flash X11 Linux! Kernel Keyboard 3

4 MICRO Native Microkernel App Native Microkernel App Window Server File System IP Stack Framebuffer! Driver Disk Driver Network Driver 4

5 MICRO Native Microkernel App Native Microkernel App Virtualization! Container for Legacy OS Window Server File System IP Stack Framebuffer! Driver Disk Driver Network Driver 5

6 OUTLINE Using a small kernel Motivation, Cost & Benefit Case studies A short history of L4 L4 Kernel interface Capability system design Michael Roitzsch Mobile use cases Adam Lackorzynski 6

7 Department of Computer Science Institute of System Architecture, Operating Systems Group USING A SMALL KERNEL HERMANN HÄRTIG

8 WHY MICRO Native Microkernel App Native Microkernel App Virtualization! Container for Legacy OS Window Server File System IP Stack Framebuffer! Driver Disk Driver Network Driver 8

9 COST & BENEFIT Performance (Failure) Isolation Openness Small (Minimal) Trusted Computing Base 9

10 BENEFITS Flexibility? SW engineering./. microkernels Difficulty to build? can be harder to build 10

11 ISOLATION Separate address spaces for components Message passing interfaces Communication controlled by capabilities Immediate: I/O Drivers tamed Base for fault containment fault recovery? 11

12 ALTERNATIVE Virtual machines provide separate machines requires emulation of physical HW interface an operating system in each VM large!grained components more later 12

13 ALTERNATIVE Languages with component!support Use one language or language family Fine!grained components (modules, objects, ) Compiler and runtime enforce isolation Closed systems Examples: Burroughs 7700, B extended Algol, Espol, Concurrent Pascal, Modula, Oberon, various Java systems 13

14 OPENNESS Microkernels Minimal kernel and hardware enforce separation Only kernel runs in CPU privileged mode Components are user!level processes No restrictions on component software Reuse of legacy software 14

15 MINIMAL TCB Trusted Computing Base A small amount of software and hardware that security depends on and that we distinguish from a much larger amount that can misbehave without affecting security. Lampson et al. 15

16 MINIMAL TCB Trusted Computing Base A small amount of software and hardware that * depends on and that we distinguish from a much larger amount that can misbehave without affecting *. In this lecture: * : security, real!time, fault tolerance,... TCB is application specific 16

17 MINIMAL TCB General Approach: Divide system into uncritical and (minimal) critical parts Include minimal set of components into TCB offload uncritical parts, e.g. into legacy SW Split critical part into isolated components Benefit: small application!specific TCB 17

18 CASE STUDIES 18

19 L 4 LINUX App App X11 L 4 Linux Server Fiasco.OC 19

20 COST!1997 Time- Sharing Applicatio ns L 4 Linux jobs per minute (Härtig, Hohmuth, Liedtke, Schönberg, Wolter: The Performance of!-kernel based Systems, SOSP 1997)" L4 simulated load

21 COST!1997 Time- Sharing Applicatio ns L 4 Linux L4

22 L 4 LINUX App App App App X11 X11 L 4 Linux Server L 4 Linux Server Fiasco.OC 22

23 L4RE App App App App X11 X11 L 4 Linux Server Resource Management and Virtualization Support Layer L 4 Linux Server moe ned io rtc mag Fiasco.OC 23

24 L4RE App App App App X11 L 4 Linux Server L 4 Symbian Server moe ned io rtc mag Fiasco.OC 24

25 L 4 LINUX App App App App X11 X11 L 4 Linux Server L 4 Linux Server Fiasco.OC 25

26 L4RE App App App App X11 X11 L 4 Linux Server Resource Management and Virtualization Support Layer L 4 Linux Server moe ned io rtc mag Fiasco.OC 26

27 L4RE App App App App X11 L 4 Linux Server L 4 Symbian Server moe ned io rtc mag Fiasco.OC 27

28 NATIVE APPS App App X11 L 4 Linux Server Security!Sensitive Application moe ned io rtc mag Fiasco.OC 28

29 HYBRID APPS Helper App X11 Security!Sensitve Application L 4 Linux Server Secure Application Core moe ned io rtc mag Fiasco.OC 29

30 CASE STUDY Micro!SINA VPN Box security goals: connect sets of trusted machines ensure confidentiality and integrity non goal: availability 30

31 USE CASES eth0 eth1 L 4 Linux Server L 4 Linux Server IP Viaduct moe ned io rtc mag Fiasco.OC 31

32 USE CASES DDE eth0 IP Viaduct DDE eth1 moe ned io rtc mag Fiasco.OC 32

33 HYBRID APPS Slide Loader X11 Presentation Application L 4 Linux Server Presenter moe ned io rtc mag Fiasco.OC 33

34 HYBRID APPS E!Mail Client X11 L 4 Linux Server E!Mail Signing moe ned io rtc mag Fiasco.OC 34

35 HYBRID APPS Address Book ROBIN Demo Scenario X11 L 4 Linux Server Dialer with Filter for Premium!rate Numbers moe ned io rtc mag Fiasco.OC 35

36 HYBRID APPS Browser Nizza Demo Scenario X11 L 4 Linux Server Secure Transactions for Home!Banking moe ned io rtc mag Fiasco.OC 36

37 NUMBERS Scenario e!commerce Browser VPN Gateway FreeS/WAN signer Thunderbird TCB Linux + X11 Original AppCore kloc kmcc kloc kmcc Reduc! tion Factor " " " " Reducing TCB Complexity for Security!Sensitive Applications: Three Case Studies Lenin Singaravelu, Calton Pu,, Christian Helmuth, EuroSys

38 REAL-TIME App App X11 L 4 Linux Server Real!Time Application moe ned io rtc mag Fiasco.OC 38

39 REAL-TIME Legacy App Hybrid App Real!Time App L 4 Linux Server Stubs RT!File RT!Net RT!Disk RT!NIC DOpE moe ned io rtc mag Fiasco.OC 39

40 ORTHOGONAL Microkernel Virtual Machine Isolation Rehosting Light!Weight Microkernels Componentization of operating system Split applications Critical part on microkernel Uncritical on commodity OS Small Trusted Computing Bases 40

41 ORTHOGONAL Microkernel Virtual Machine Isolation Rehosting Virtual Machines Provide virtual hardware interface Reuse of COTS operating systems and applications with no modification At the price of complexity 41

42 State of the Art: Monolithic Hypervisors NOVA VM VM VM guest mode Monolithic Hypervisor Storage x86 Virtualization> 100,000 lines of code Network Management Device Drivers host mode Monolithic hypervisor is single point of failure Udo Steinberg NOVA 4 42

43 NOVA OS Virtualization Architecture NOVA guest mode VM VM VM VMM VMM 20,000 LOC VMM Applications Partition Manager 7,000 LOC Device Drivers!"#$ Microhypervisor 9,000 LOC %#$&#' host mode Udo Steinberg NOVA 7 43

44 SHORT HISTORY Eumel, L3, BirliX first version of L4 L4Linux, the first major application Fiasco, the first HLL implementation PikeOS: first commercial derivative real!time systems based on Fiasco Pistachio (Uni Karlsruhe) 44

45 SHORT HISTORY 2000 First commercial usage (Fiasco on a DRM product) 2005 Qualcomm adopts L4 kernel from NICTA (Pistachio derivative) 2009 Full formal verification of implementation in Haskell (NICTA) Fiasco.OC, L4Re NOVA 45

46 L4 KERNEL ABSTRACTIONS 46

47 ABSTRACTIONS Task (Address space: memory & capabilities) Thread Communication (IPC) 47

48 MAIN MEMORY Management of Physical Memory at user"level? only kernel can access page tables? 48

49 MAIN MEMORY Task C Task D Task B Page Fault transformed into message to Task A handler 49

50 MAIN MEMORY Task C Task D Task B Handler returns message with PTE as payload, kernel adds to Task A address space 50

51 MAIN MEMORY Task C Task D Task B Task A 51

52 MAIN MEMORY Task C Task D!! Task B revoke:! Task A kernel maintains data structure for revoking 52

53 USES OF IPC data exceptions interrupts memory references (page fault handling) capabilities 53

54 NEXT Using a small kernel Capability system design Michael Roitzsch Mobile use cases Adam Lackorzynski 54

55 Department of Computer Science Institute of System Architecture, Operating Systems Group DESIGN OF A CAPABILITY SYSTEM MICHAEL ROITZSCH

56 SYSTEM DESIGN Applications Services Kernel Michael Roitzsch Design of a Capability System 2

57 DESIGN GOALS application!centric interfaces object!based design easy setup and destruction of subsystems object invocation by message passing uniform security model all services virtualizable flexible and efficient support for multicore Michael Roitzsch Design of a Capability System 3

58 EXAMPLE Worker A Worker B Manager Service Michael Roitzsch Design of a Capability System 4

59 GOOGLE CHROME separate processes chrome parent sandboxes for tabs implementation on Linux: glorious mix of chroot(), clone() and setuid() there must be a better way Michael Roitzsch Design of a Capability System 5

60 TWO WORLDS POSIX POLA operations allowed by default nothing allowed by default some limited restrictions apply every right must be granted ambient authority explicit authority Michael Roitzsch Design of a Capability System 6

61 L4RE L4Re the L4 Runtime Environment set of libraries and system services on top of the Fiasco.OC microkernel Microkernel L4Re Michael Roitzsch Design of a Capability System 7

62 CAPABILITIES Fiasco.OC and L4Re form an object!capability system actors in the system are objects objects have local state and behavior capabilities are references to objects object interaction requires a capability capabilities cannot be forged Michael Roitzsch Design of a Capability System 8

63 CAPABILITIES Task A Task B Capability Table Capability Table A B C D E Fiasco.OC Michael Roitzsch Design of a Capability System 9

64 HOW TO USE? invocation of any object requires a capability to that object no global names no sophisticated rights representation beyond capability ownership just four rights bits on objects C++ language integration capabilities passed as message payload Michael Roitzsch Design of a Capability System 10

65 CAP TRANSFER Task A Task B A Michael Roitzsch Design of a Capability System 11

66 CAP TRANSFER Task A Task B A Michael Roitzsch Design of a Capability System 11

67 EXAMPLE Worker A Worker B Manager Service Michael Roitzsch Design of a Capability System 12

68 ANSWERING How do you send an answer to a client? Always include a backward capability in every request? Establish backward capability once and cache? call!return!semantics as the standard case implicit reply capability use!once, cannot be passed on Michael Roitzsch Design of a Capability System 13

69 EXAMPLE Worker A Worker B Manager mag Michael Roitzsch Design of a Capability System 14

70 MAG factory for new Manager framebuffer sessions session object backing store memory Factory S S mag view: visible rectangle on the backing store metadata, refresh method How does it appear on the screen? Michael Roitzsch Design of a Capability System 15

71 MAG Factory S S mag hardware framebuffer is memory with side effect all memory is initially fb!drv mapped to the roottask framebuffer driver moe find framebuffer memory wrap in FB!interface Memory same interface as mag s Michael Roitzsch Design of a Capability System 16

72 INTERFACES L4Re uses one interface per resource low!level system resources are managed by the kernel CPU, memory, IRQ minimal policy user!level servers can reimplement and augment interfaces virtualizable interfaces Michael Roitzsch Design of a Capability System 17

73 EXAMPLE Worker B Manager? Service mag Michael Roitzsch Design of a Capability System 18

74 SUBSYSTEMS Subsystem Life subsystems are opaque parents can restrict the resources parents cannot restrict their sub!structure Subsystem Death How to deallocate resources in servers? notify all servers used by the subsystem? garbage collection Michael Roitzsch Design of a Capability System 19

75 CONCLUSION! coherent per!resource interfaces "! all services provided as objects "! garbage collection for server resources "! invocation is the only system call "! object!capability system "! all interfaces can be interposed "! see next talk " Michael Roitzsch Design of a Capability System 20

76 Department of Computer Science Institute of System Architecture, Operating Systems Group MOBILE USE CASES ADAM LACKORZYŃSKI

77 OUTLINE ICT!eMuCo project Multi!Cores and Load Balancing Virtualization Adam Lackorzynski Mobile Use Cases 2

78 ICT-EMUCO Embedded Multicore Computing FP7 Project, STREP Feb 2008 Jan 2010 Partners: ARM, Infineon, Ruhr! Uni Bochum, IBM, Uni of Timisoara, Uni York, TU!Dresden Adam Lackorzynski Mobile Use Cases 3

79 ARCHITECTURE Microkernel based system ARM11MPCore 4 cores Modem Stack App!OS Adam Lackorzynski Mobile Use Cases 4

80 THE EMUCO OS Isolation Secure communication Timing properties Multi!core capable Power Management Embedded systems Flexible & usable Protocol Stack L4Re Runtime Environment Fiasco.OC Microkernel Hardware Platform Adam Lackorzynski Mobile Use Cases 5

81 OUTLINE ICT!eMuCo project Multi!Cores and Load Balancing Virtualization Adam Lackorzynski Mobile Use Cases 6

82 MULTI-CORES Shared memory multi!processor systems Model: Cross CPU tasks Cross CPU notifications Cross CPU IPC Shared memory Local scheduling Fixed!prio, round!robin scheduler on each core Adam Lackorzynski Mobile Use Cases 7

83 DISTRIBUTION How to Distribute Work? Kernel provides migration mechanism No automatic migration, decision is policy App1 App2? App3 CPU1 CPU2 CPU3 CPU4 Adam Lackorzynski Mobile Use Cases 8

84 L4::SCHEDULER L4::Scheduler interface Run/Migrate a thread with parameters Priority, CPU set, budget,... scheduler.run_thread(thread, sched_param); Kernel implementation Singleton, has all resources (all CPUs, all CPU time) Chooses one CPU from CPU set, fixed Adam Lackorzynski Mobile Use Cases 9

85 LOAD BALANCING Load balancer component Implements L4::Scheduler interface Hides platform details from application Implements policy App1 App2 Load? Balancer App3 CPU1 CPU2 CPU3 CPU4 Adam Lackorzynski Mobile Use Cases 10

86 LOAD BALANCER Implements balancing strategy Application specific scheduler instances Enforces scheduling policies Combines client policies Protocol Stack 3 CPUs 2 CPUs LB Scheduler Policy Scheduler Fiasco.OC Scheduler CPU CPU CPU CPU Adam Lackorzynski Mobile Use Cases 11

87 USE CASES Multi!threaded program Distribute and balance Sophisticated real!time application No migration by load balancer Threads always on the same CPU (cache locality) Threads always on different CPUs (no interference) Virtual machine Adam Lackorzynski Mobile Use Cases 12

88 OUTLINE ICT!eMuCo project Multi!Cores and Load Balancing Virtualization Adam Lackorzynski Mobile Use Cases 13

89 VIRTUALIZATION Application side Standard OS Standard applications Integration in the system Resource and device usage Isolation of the virtual machine No disturbance of other programs Protocol Stack L4Re Runtime Environment Fiasco.OC Microkernel Hardware Platform Adam Lackorzynski Mobile Use Cases 14

90 EMUCO PLATFORM ARM architecture Available CPU features: MMU Paravirtualization L 4 Linux TECOM!FP7: TrustZone for Virtualization Adam Lackorzynski Mobile Use Cases 15

91 L 4 LINUX Adapted Linux kernel runs on Fiasco.OC & L4Re Normal program, runs Linux kernel code in user mode, including device drivers Binary compatible for applications Address space for kernel and each program Programs isolated from each other Kernel isolated from programs CPU, memory, devices Adam Lackorzynski Mobile Use Cases 16

92 L 4 LINUX L 4 Linux CPU Virtualization Native execution Exceptions reflected by microkernel System calls Page faults Linux Program Fault handling Linux Program Linux Kernel Other exceptions Microkernel Adam Lackorzynski Mobile Use Cases 17

93 SMP Multi!Processor Virtualization Linux has multiple virtual CPUs (vcpu) Shared memory between cores Migration of application threads is done by the Linux kernel Inter (v)cpu communication done with microkernel primitives Adam Lackorzynski Mobile Use Cases 18

94 MEMORY L 4 Linux Memory Virtualization L4Re supplies Linux memory (virtual) MMU managed by microkernel Hooks in Linux page!table code use Fiasco memory!mapping functionality Adam Lackorzynski Mobile Use Cases 19

95 DEVICES Virtual PCI bus and/or platform devices Pass!through devices according to configuration Stub drivers for L4Re services: Framebuffer driver for windowing system Input driver for keyboard/mouse events Serial driver for basic input/output Network drivers for virtual switch Adam Lackorzynski Mobile Use Cases 20

96 PLATFORM Central IO service Device discovery Device enumeration Per client device access Virtual buses Virtual interrupt controller Device pass!through Adam Lackorzynski Mobile Use Cases 21

97 VIRTUALIZATION Faithful Virtualization Unmodified guest OS AMD SVM, Intel VT 1500 LoC in Fiasco for SVM and VT support Off!the!shelf VMM (e.g. QEmu on L4Linux) Adam Lackorzynski Mobile Use Cases 22

98 WHAT ELSE? DDE, virtual network switch Debugging: Valgrind Checkpoint & Restart ARM Virtualization Run!time environment: libc, libstdc++, virtual!fs, pthread, communication framework, dynamic linking, scriptable startup with lua,... Adam Lackorzynski Mobile Use Cases 23

99 GO DOWNLOAD Adam Lackorzynski Mobile Use Cases 24