Lecture 6 - From L3 to seL4: What Have We Learnt in 20 Years of L4 Microkernels?
Kevin Elphinstone and Gernot Heiser
Operating Systems Practical
12 November, 2014
OSP
Lecture 6, L4 Microkernels
1/42
Contents
Introduction and design principles
Brief history of microkernels
L4: Basic abstractions
L4: Design and implementation choices
Keywords
Questions
Outline: Introduction and design principles
Context and terminology
- Operating system
- Kernel
- Monolithic kernel
- Microkernel
Operating system
- abbrv. OS
- Software (collection) to interface hardware with the user
- Components:
  - Kernel: Linux, FreeBSD, Windows NT, XNU, L4, . . .
  - Services/daemons: sysvinit, CUPS print server, udev, . . .
  - Utilities: ls, Windows Commander, top
  - Other applications
Kernel
- Components directly interfacing with hardware
  - Examples?
- "Core" of the OS
  - No general definition of "core"
Monolithic vs. Micro-kernel
[Figure: two software stacks side by side.
 Monolithic kernel: Application (user mode) -> syscall -> kernel mode, which contains VFS, IPC, file system, scheduler, virtual memory, device drivers, dispatcher -> Hardware.
 Microkernel: Application, Unix server, File server and Device driver all run in user mode and talk to each other via IPC; kernel mode contains only IPC and virtual memory -> Hardware.
 Source: http://www.cse.unsw.edu.au/]
Monolithic vs. Micro-kernel
Monolithic kernel:
- IPC, scheduling, memory management
- File systems
- Drivers
- Higher-level API
Microkernel:
- IPC, scheduling, memory management
- API closer to the hardware
Microkernel principles: minimality
- If it's not critical, leave it out of the kernel
- Pros:
  - Small code base
  - Easy to debug
  - Small Trusted Computing Base, feasible for formal verification
- Cons:
  - Harder to find the "right" API design
  - Harder to optimize for high performance
Microkernel principles: user-level services
- Drivers, file systems, etc. as user space services
- Pros:
  - Isolation ⇒ limited attack surface
  - High availability, fault tolerance
  - Componentization, reusability
- Cons:
  - Performance: IPC is a bottleneck
Microkernel principles: policy freedom
- Kernel provides mechanisms, not policies
- Policy definition is left up to the user space application
  - Example: the kernel provides the user with memory; the allocation algorithm depends on the app
  - Example: cache maintenance is explicitly exposed to user space, to improve performance
- Pros:
  - Flexibility
- Cons:
  - Hard to achieve, e.g. for scheduling
  - May lead to application bloat
Outline: Brief history of microkernels
0th Generation (1970s)
- Nucleus [Brinch Hansen '70]
- Hydra [Wulf et al '74]
- Issues:
  - Lack of hardware support
  - Bad performance
1st Generation (1980s)
- Mach
- Chorus
- Issues:
  - Stripped-down monolithic kernels
  - Big
  - Bad performance: ~100 µs IPC
2nd Generation (1990s, early 2000s)
- Minix
- L3, L4 [Liedtke '95]
- Performance-oriented:
  - From-scratch design
  - Architecture-dependent optimizations, e.g. reduced cache footprint
  - L3 was fully implemented in assembly
- Issues:
  - Security
L4 family tree
[Figure: L4 family tree on a 1993 to 2013 timeline (source: http://www.cse.unsw.edu.au/).
 Kernels shown: L3 -> L4, "X", Hazelnut, Pistachio, L4/MIPS, L4/Alpha, L4-embedded,
 OKL4 µKernel, OKL4 Microvisor, seL4, Fiasco, Fiasco.OC, Nova, Codezero, P4 -> PikeOS.
 Originating groups labelled: GMD/IBM/Karlsruhe, UNSW/NICTA, Dresden.
 Branches are annotated with their implementation language (Assembler for the original
 L3/L4 line, then Asm+C, C and C++ for later kernels, and "Verified C" for seL4) and with
 the points where capabilities ("Caps") and portability ("Portable") entered the design.]
3rd Generation (2007+)
- OKL4 Microvisor [Heiser and Leslie '10]
  - Microkernel and hypervisor
  - Replaces some of the mechanisms with hypervisor mechanisms
  - Deployed in older Motorola phones
3rd Generation (2007+)
- seL4 [Elphinstone et al '07, Klein et al '09]
- Security-oriented:
  - Capability-based access control
  - Strong isolation
  - Kernel objects are first-class citizens
  - All memory is explicitly allocated
  - Memory management policy fully exported to user space
  - Formally verified [Klein et al '09]
Outline: L4: Basic abstractions
What mechanisms to abstract?
- Bare minimum:
  - Processor
  - Memory
  - Interrupts/exceptions
  - Communication (IPC)
  - Synchronization
- Isolated components can no longer share kernel data structures: communication protocols over IPC replace shared memory
Hypervisor vs. microkernel

Resource         Hypervisor            Microkernel
Memory           Virtual MMU (vMMU)    Address space
CPU              Virtual CPU (vCPU)    Thread or scheduler activation
Interrupt        Virtual IRQ (vIRQ)    IPC message or signal
Communication    Virtual NIC           Message-passing IPC
Synchronization  Virtual IRQ           IPC message

Source: http://www.cse.unsw.edu.au/
Abstracting memory
- Address space, fundamentally: a collection of virtual → physical mappings
- Ways to expose this to the user:
  - Array of (physical) frames or (virtual) pages to be mapped
  - Cache for mappings which might vanish (virtual TLB)
Abstracting execution
- Threads, vCPUs
- What defines a thread?
- Migrating threads
  - A thread might be moved to a different address space
Abstracting execution
- Scheduling: map threads to CPUs
- What is the scheduling policy?
  - Simple round-robin
  - Policy-free scheduling?
Communication abstraction
- Inter-Process Communication (IPC)
- Synchronous/asynchronous ≠ blocking/non-blocking
- Traditional L4 IPC is fully synchronous
- Asynchronous notification
  - Sender asynchronous, receiver blocking and synchronous
  - Similar to Unix's select
Interrupt abstraction
- Hardware faults are abstracted through IPC
  - Synchronous exceptions, page faults, etc.
- Interrupts are asynchronous notifications
- A thread must register as a page-fault/exception/interrupt handler
Access control
- How do we specify objects?
  - IDs in a global list
    - Provably insecure
    - Any domain can name any object: usable for denial of service, covert channels, etc.
  - IDs in per-address-space lists
  - Capabilities
Access control: capabilities
- Used in KeyKOS, Coyotos, Amoeba, L4 Pistachio, OKL4, seL4, . . .
- A token
  - owned by the subject (e.g. a thread)
  - as proof that it has access rights to an object (e.g. a kernel object)
- All inter-domain accesses are mediated by capabilities
Outline: L4: Design and implementation choices
Implementation language
- Initial L3 and L4: 100% x86 assembly
- Pistachio, OKL4 microkernel: C, C++, assembly
- OKL4 Microvisor, seL4: C
- seL4: executable Haskell prototype, used as the basis of the correctness proof
Inter-Process Communication
- seL4, OKL4: "Endpoints" as IPC targets
  - Decouple the target from the actual service
- Fully signal-like asynchronous IPC (OKL4 Microvisor)
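The two IPC flavours from "Communication abstraction" and "Inter-Process Communication" above, worked through as an added model in C. This is not code from the lecture or from seL4/OKL4: the names (ep_send, ep_recv, ntfn_signal, ntfn_wait), the FIFO wait queue and the thread records with a state field are assumptions chosen for illustration. It shows a rendezvous endpoint (synchronous and blocking on both sides, with the target decoupled from the server that answers) next to a notification word (asynchronous signal that never blocks, coalesced bits, select-like wait).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added model, not seL4/OKL4 code: a thread is a record with a state field, and
 * "blocking" means being parked on an endpoint queue until a partner shows up. */
enum tstate { RUNNABLE, BLOCKED_SEND, BLOCKED_RECV, BLOCKED_WAIT };
struct thread { const char *name; enum tstate state; uint32_t msg; };

#define QLEN 4
struct endpoint { struct thread *q[QLEN]; int n; }; /* waiters, all blocked the same way */

static struct thread *dequeue(struct endpoint *ep) {
    struct thread *t = ep->q[0];
    for (int i = 1; i < ep->n; i++) ep->q[i - 1] = ep->q[i];
    ep->n--;
    return t;
}
static void enqueue(struct endpoint *ep, struct thread *t) {
    if (ep->n < QLEN) ep->q[ep->n++] = t;
}

/* Synchronous (rendezvous) send: the message changes hands only when a receiver is
 * already waiting; otherwise the sender blocks. Synchronous AND blocking. */
static void ep_send(struct endpoint *ep, struct thread *s, uint32_t msg) {
    if (ep->n > 0 && ep->q[0]->state == BLOCKED_RECV) {
        struct thread *r = dequeue(ep);
        r->msg = msg;                 /* copied by the kernel, never buffered */
        r->state = RUNNABLE;
    } else {
        s->msg = msg;
        s->state = BLOCKED_SEND;
        enqueue(ep, s);
    }
}
/* Receive is the mirror image: take a blocked sender's message or block. */
static void ep_recv(struct endpoint *ep, struct thread *r) {
    if (ep->n > 0 && ep->q[0]->state == BLOCKED_SEND) {
        struct thread *s = dequeue(ep);
        r->msg = s->msg;
        s->state = r->state = RUNNABLE;
    } else {
        r->state = BLOCKED_RECV;
        enqueue(ep, r);
    }
}

/* Notification: a word of flag bits. signal() never blocks; it ORs its badge in and
 * wakes a waiter if one exists. wait() blocks until a bit is set and takes the whole
 * word, like select() handing back the set of ready descriptors. */
struct notification { uint32_t word; struct thread *waiter; };

static void ntfn_signal(struct notification *n, uint32_t badge) {
    n->word |= badge;                 /* repeated signals coalesce; nothing is queued */
    if (n->waiter == NULL) return;
    n->waiter->msg = n->word;
    n->waiter->state = RUNNABLE;
    n->waiter = NULL;
    n->word = 0;
}
static void ntfn_wait(struct notification *n, struct thread *t) {
    if (n->word) { t->msg = n->word; n->word = 0; t->state = RUNNABLE; }
    else         { t->state = BLOCKED_WAIT; n->waiter = t; }
}

/* Two servers wait on one endpoint; a client sends once. The client named the
 * endpoint, not a server, so either could answer. Returns 1 or 2 for which did. */
static int demo_endpoint(void) {
    struct endpoint ep = {{0}, 0};
    struct thread s1 = {"server1", RUNNABLE, 0}, s2 = {"server2", RUNNABLE, 0};
    struct thread c = {"client", RUNNABLE, 0};
    ep_recv(&ep, &s1);                /* nothing to receive: both servers block */
    ep_recv(&ep, &s2);
    if (s1.state != BLOCKED_RECV || s2.state != BLOCKED_RECV) return -1;
    ep_send(&ep, &c, 0xC0FFEE);       /* a receiver is waiting: send completes at once */
    if (c.state != RUNNABLE) return -1;
    if (s1.state == RUNNABLE && s1.msg == 0xC0FFEE && s2.state == BLOCKED_RECV) return 1;
    if (s2.state == RUNNABLE && s2.msg == 0xC0FFEE && s1.state == BLOCKED_RECV) return 2;
    return -1;
}

/* Signals before anyone waits are latched and ORed into one wake-up; a signal after
 * the wait wakes the waiter directly. Returns (first word << 8) | second word. */
static uint32_t demo_notification(void) {
    struct notification n = {0, NULL};
    struct thread drv = {"driver", RUNNABLE, 0};
    ntfn_signal(&n, 1u << 0);         /* two interrupt sources fire, no waiter yet */
    ntfn_signal(&n, 1u << 3);
    ntfn_wait(&n, &drv);              /* returns immediately with bits 0 and 3 */
    uint32_t first = drv.msg;
    ntfn_wait(&n, &drv);              /* word is empty: blocks */
    if (drv.state != BLOCKED_WAIT) return 0;
    ntfn_signal(&n, 1u << 5);         /* wakes the driver with bit 5 only */
    return (first << 8) | drv.msg;
}

int main(void) {
    printf("endpoint: server %d got the message\n", demo_endpoint());
    printf("notification words: 0x%x\n", demo_notification());
    return 0;
}
```

The endpoint queue is what makes "blocking" and "synchronous" separate properties: both servers block, yet the hand-over itself is synchronous because nothing is ever buffered in the kernel. The notification is the opposite trade: signallers never wait, at the price that two signals with the same bit are indistinguishable from one.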
Access control and resource management
- seL4: access control based on delegable capabilities
  - Take-grant model
- Provable security
  - Information leaks are impossible
  - . . . if the policy is correct
  - . . . and the implementation is correct
  - . . . and the compiler is correct
  - . . . and the hardware isn't faulty
  - . . . and only for the channels the model covers (timing channels are outside the proof)
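Capability-mediated access as described under "Access control", "Access control: capabilities" and the delegable-capability slide above, as an added model in C. It is not seL4 code and not code from the lecture: the CSpace table, the rights bits, the error codes and the function names (cap_lookup, cap_invoke, cap_grant) are assumptions chosen for illustration. It shows why there is nothing to forge or guess (user code names a slot in its own table, never a global object ID), why every access is checked at invocation, and why delegation can only shrink rights, which is what keeps the take-grant reasoning tractable.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stddef.h>

/* Added model, not seL4 code. A capability is a (object, rights) pair living in a
 * per-domain table (the CSpace). User code can only name a slot in its own table;
 * the kernel resolves the slot, so there is no global object ID to guess or forge. */
enum { RIGHT_READ = 1, RIGHT_WRITE = 2, RIGHT_GRANT = 4 };
enum { OBJ_ENDPOINT = 1, OBJ_FRAME = 2 };

struct kobject { int type; int id; };
struct cap { struct kobject *obj; unsigned rights; };

#define CSPACE_SLOTS 8
struct cspace { struct cap slots[CSPACE_SLOTS]; };

enum { OK = 0, E_INVALID_SLOT = -1, E_EMPTY = -2, E_NO_RIGHTS = -3, E_FULL = -4 };

/* Kernel-side lookup: turns an untrusted slot index into the cap it holds, or fails. */
static int cap_lookup(const struct cspace *cs, int slot, struct cap *out) {
    if (slot < 0 || slot >= CSPACE_SLOTS) return E_INVALID_SLOT;
    if (cs->slots[slot].obj == NULL) return E_EMPTY;
    *out = cs->slots[slot];
    return OK;
}

/* Invocation: every inter-domain access passes this check. Returns the object id
 * (a stand-in for performing the operation) or a negative error. */
static int cap_invoke(const struct cspace *cs, int slot, unsigned needed) {
    struct cap c;
    int r = cap_lookup(cs, slot, &c);
    if (r != OK) return r;
    if ((c.rights & needed) != needed) return E_NO_RIGHTS;
    return c.obj->id;
}

/* Grant (delegation): copy the cap into the first free slot of another CSpace with
 * rights masked by 'mask'. Needs GRANT on the source; rights can only shrink.
 * Returns the new slot index or a negative error. */
static int cap_grant(const struct cspace *src, int slot, struct cspace *dst, unsigned mask) {
    struct cap c;
    int r = cap_lookup(src, slot, &c);
    if (r != OK) return r;
    if (!(c.rights & RIGHT_GRANT)) return E_NO_RIGHTS;
    for (int i = 0; i < CSPACE_SLOTS; i++) {
        if (dst->slots[i].obj == NULL) {
            dst->slots[i].obj = c.obj;
            dst->slots[i].rights = c.rights & mask;   /* never more than the parent had */
            return i;
        }
    }
    return E_FULL;
}

/* Scenario: the root domain holds read/write/grant on a frame and delegates a
 * read-only copy to a child. Returns 1 if the child can read, cannot write, cannot
 * re-delegate, and cannot use a slot it was never given; 0 otherwise. */
static int demo_delegation(void) {
    static struct kobject frame = { OBJ_FRAME, 42 };
    struct cspace root = {{{0}}}, child = {{{0}}}, grandchild = {{{0}}};
    root.slots[0].obj = &frame;
    root.slots[0].rights = RIGHT_READ | RIGHT_WRITE | RIGHT_GRANT;

    int s = cap_grant(&root, 0, &child, RIGHT_READ);
    if (s < 0) return 0;
    bool can_read    = cap_invoke(&child, s, RIGHT_READ) == 42;
    bool can_write   = cap_invoke(&child, s, RIGHT_WRITE) == 42;
    bool can_regrant = cap_grant(&child, s, &grandchild, RIGHT_READ) >= 0;
    bool can_forge   = cap_invoke(&child, 5, RIGHT_READ) == 42;  /* empty slot */
    return can_read && !can_write && !can_regrant && !can_forge;
}

/* An out-of-range slot is rejected before any object is touched. */
static int demo_bad_slot(void) {
    struct cspace cs = {{{0}}};
    return cap_invoke(&cs, CSPACE_SLOTS, RIGHT_READ);   /* E_INVALID_SLOT */
}

int main(void) {
    printf("read-only delegation enforced: %s\n", demo_delegation() ? "yes" : "no");
    printf("out-of-range slot -> %d\n", demo_bad_slot());
    return 0;
}
```

Contrast this with the global-ID design on the "Access control" slide: with global IDs the check in cap_invoke has nothing to consult but a policy table keyed on (subject, object), and any subject can at least name, and therefore flood or probe, any object. With per-domain slots the set of objects a domain can even address is exactly the set it was granted.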
Access control and resource management
- seL4: resources are exposed as capabilities to physical memory
- May be:
  - Mapped
  - Delegated to child domains
  - Delegated to the kernel: "retyped" into kernel objects
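The retype/delegate/revoke life cycle of physical-memory capabilities from the slide above, as an added model in C. This is not seL4 code: the "untyped" record, the bump-pointer watermark, the illustrative object sizes and the function names (untyped_retype, untyped_split, untyped_revoke) are assumptions for illustration; real seL4 object sizes are architecture-specific and its revocation walks a derivation tree rather than resetting a counter. It shows what "all memory is explicitly allocated" and "memory management policy exported to user space" mean in practice: the kernel never allocates on its own, objects are size-aligned, and ordering requests badly wastes space that only user space can avoid.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added model, not seL4 code. An "untyped" is a capability to a naturally aligned,
 * power-of-two region of physical memory. The kernel never allocates on its own:
 * every kernel object is carved ("retyped") out of an untyped that user space hands
 * it, so memory policy stays in user space. Object sizes here are illustrative. */
enum obj_type { OBJ_ENDPOINT, OBJ_TCB, OBJ_FRAME };
static const size_t obj_size[] = { 16, 1024, 4096 };   /* bytes, powers of two */

struct untyped {
    uintptr_t base;
    size_t    size;        /* power of two */
    size_t    watermark;   /* bytes handed out; a bump pointer, never rewound per object */
    int       children;    /* objects and sub-untypeds derived from this one */
};

static uintptr_t align_up(uintptr_t x, size_t a) { return (x + a - 1) & ~(uintptr_t)(a - 1); }

/* Retype: carve one object of 'type' out of 'ut', aligned to its own size.
 * Returns the object's address, or 0 if the untyped cannot fit it. */
static uintptr_t untyped_retype(struct untyped *ut, enum obj_type type) {
    size_t sz = obj_size[type];
    uintptr_t start = align_up(ut->base + ut->watermark, sz);
    if (start + sz > ut->base + ut->size) return 0;
    ut->watermark = (start + sz) - ut->base;
    ut->children++;
    return start;
}

/* Delegate: split off a child untyped of 'size' bytes for another domain. The child
 * allocates from it as it likes; the parent cannot reuse that range until it revokes. */
static bool untyped_split(struct untyped *parent, size_t size, struct untyped *child) {
    if (size == 0 || (size & (size - 1))) return false;   /* must be a power of two */
    uintptr_t start = align_up(parent->base + parent->watermark, size);
    if (start + size > parent->base + parent->size) return false;
    parent->watermark = (start + size) - parent->base;
    parent->children++;
    child->base = start; child->size = size; child->watermark = 0; child->children = 0;
    return true;
}

/* Revoke: the only way memory returns to the pool. Every object and sub-untyped derived
 * from 'ut' is destroyed at once (the whole tree of children); then the region is reusable. */
static void untyped_revoke(struct untyped *ut) { ut->watermark = 0; ut->children = 0; }

/* Scenario: root gets 16 KiB, makes a TCB and an endpoint, hands 8 KiB to a child.
 * Returns how many 4 KiB frames the child can then retype (expected 2), or -1 on error. */
static int demo_retype(void) {
    struct untyped root = { 0x10000, 16384, 0, 0 }, child;
    if (!untyped_retype(&root, OBJ_TCB)) return -1;       /* 0x10000..0x10400 */
    if (!untyped_retype(&root, OBJ_ENDPOINT)) return -1;  /* 0x10400..0x10410 */
    /* Alignment to 8 KiB skips 0x10410..0x12000: that gap is the price of size-aligned
     * objects, and ordering requests to limit it is the user-level allocator's job. */
    if (!untyped_split(&root, 8192, &child)) return -1;   /* child = 0x12000..0x14000 */
    int frames = 0;
    while (untyped_retype(&child, OBJ_FRAME)) frames++;
    if (untyped_retype(&root, OBJ_FRAME) != 0) return -1; /* root is exhausted */
    untyped_revoke(&root);                                 /* the child's frames go away too */
    if (untyped_retype(&root, OBJ_FRAME) == 0) return -1; /* ... and the memory is back */
    return frames;
}

int main(void) {
    printf("frames retyped by child: %d\n", demo_retype());
    return 0;
}
```

The security point is that the kernel's own memory consumption is bounded by what user space gave it: a domain that exhausts its untyped gets an error, not a kernel out-of-memory condition that could affect other domains.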
Preemption in the kernel
- Interrupts are disabled when running in the kernel
- The microkernel is in general non-preemptible
- Preemption points for long-running operations
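Preemption points in a non-preemptible kernel, as an added simulation in C. It is not seL4 code: the "revoke all slots" operation, the simulated interrupt arrival and the function names (revoke_all, run_revoke) are assumptions for illustration. It measures the thing the design is about: with interrupts disabled, the latency from an interrupt arriving to the kernel noticing it is bounded by the spacing of the preemption points, and without them it is bounded only by the length of the operation.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added model, not seL4 code. A long kernel operation runs with interrupts disabled,
 * so an interrupt that arrives mid-way is only noticed when the kernel looks. A
 * preemption point is such a look: if something is pending, the operation stores its
 * progress and returns, the kernel services the interrupt, and the syscall is restarted
 * and resumes from the stored cursor rather than starting over. */
#define SLOTS 1000

static unsigned char slot_live[SLOTS];
static bool irq_pending;   /* stands in for the CPU's pending-interrupt line */
static int  irq_latency;   /* slots processed between IRQ arrival and the kernel noticing */

enum op_status { OP_DONE, OP_PREEMPTED };

/* Revoke (clear) every slot. 'irq_at' is the slot index at which the simulated
 * interrupt arrives; 'preempt_every' is the spacing of preemption points (0 = none). */
static enum op_status revoke_all(int *cursor, int irq_at, int preempt_every) {
    int since_irq = -1;
    while (*cursor < SLOTS) {
        if (*cursor == irq_at) { irq_pending = true; since_irq = 0; }   /* arrival */
        slot_live[*cursor] = 0;
        (*cursor)++;
        if (since_irq >= 0) since_irq++;
        if (preempt_every > 0 && *cursor % preempt_every == 0 && irq_pending) {
            irq_latency = since_irq;       /* preemption point: yield, keep progress */
            return OP_PREEMPTED;
        }
    }
    if (irq_pending && since_irq >= 0) irq_latency = since_irq;   /* seen only on exit */
    return OP_DONE;
}

/* Syscall driver: restart the operation until it completes, handling the interrupt
 * each time it yields. Returns the number of preemptions taken. */
static int run_revoke(int irq_at, int preempt_every) {
    int cursor = 0, preemptions = 0;
    irq_pending = false;
    irq_latency = -1;
    for (int i = 0; i < SLOTS; i++) slot_live[i] = 1;
    while (revoke_all(&cursor, irq_at, preempt_every) == OP_PREEMPTED) {
        preemptions++;
        irq_pending = false;   /* the interrupt handler runs here, then the syscall restarts */
    }
    return preemptions;
}

static int last_irq_latency(void) { return irq_latency; }

static int all_revoked(void) {
    for (int i = 0; i < SLOTS; i++) if (slot_live[i]) return 0;
    return 1;
}

int main(void) {
    int p = run_revoke(100, 64);
    printf("preemption points every 64: %d preemption(s), latency %d slots, done=%d\n",
           p, last_irq_latency(), all_revoked());
    p = run_revoke(100, 0);
    printf("no preemption points:       %d preemption(s), latency %d slots, done=%d\n",
           p, last_irq_latency(), all_revoked());
    return 0;
}
```

The caveat a kernel implementer cares about is hidden in the restart: once the operation yields, other threads may run before it resumes, so its partial state must be consistent and re-validated on every restart rather than assumed unchanged. That is what makes preemption points harder to get right than they look, and why a verified kernel wants few of them.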
Scheduling
- Scheduling contexts (Fiasco.OC)
  - Separate scheduling parameters from threads
  - Allow implementing hierarchical scheduling [Lackorzyński et al '12]
- Policy-free scheduling still unresolved
Multi-processors
- Initial L4 design is uniprocessor
- seL4: same, due to formal verification constraints
- Possible approach: multikernels [von Tessin '12]
Outline: Keywords
Keywords
- microkernel
- inter-process communication
- L4
- access control
- thread
- capability
- address space
- preemption
Resources
- http://dl.acm.org/citation.cfm?id=224075
- http://www.cse.unsw.edu.au/~cs9242/13/lectures/
- http://os.inf.tu-dresden.de/L4/
- http://ssrg.nicta.com.au/projects/seL4/
- http://os.inf.tu-dresden.de/fiasco/
- http://www.ok-labs.com/products/okl4-microvisor
Outline: Questions
Questions?