Date posted: 15-Jun-2015
Category: Education
Uploaded by: vasily-sartakov
Outline
1. Why do we need another operating system?
2. Genode entering the picture
3. Architectural principles
4. Core - the root of the process tree
5. Genesis of a new process
6. Simple example setup
Genode OS Framework Architecture 2
1. Why do we need another operating system?
Myths
Problem: Complexity
Today's commodity OSes: exceedingly complex trusted computing base (TCB)
TCB of an application on Linux:
- Kernel + loaded kernel modules
- Daemons
- X server + window manager
- Desktop environment
- All running processes of the user
→ User credentials are exposed to millions of lines of code
Problem: Complexity (II)
Implications:
- High likelihood for bugs (need for frequent security updates)
- Huge attack surface for directed attacks
- Zero-day exploits
Problem: Global names
Many examples on traditional systems:
- UIDs, PIDs
- network interface names
- port numbers
- device nodes
- ...
Leak information
Name is a potential attack vector (ambient authority)
Problem: Resource management
- Pretension of unlimited resources
- Lack of accounting
→ Largely indeterministic behavior
→ Need for complex heuristics, schedulers
Key technologies
- Microkernels
- Decomponentization, kernelization
- Capability-based security
- Virtualization
Tricky questions
How to...
...build a system without global names?
...trade between parties that do not know each other?
...reclaim kidnapped goods from an alien? (without violence)
...deal with distributed access-control policies?
...transparently monitor communication?
...recycle a subsystem without knowing its internal structure?
Even more tricky questions
How to...
...avoid performance hazards through many indirections?
...translate architectural ideas into a real implementation?
2. Genode entering the picture
A bit of history
Research timeline at TU Dresden
A new generation of kernels on the horizon
Unique feature: Cross-kernel portability
When started, no suitable microkernel was available
→ Prototyped on Linux and L4/Fiasco
→ Later ported to other kernels
Today: Rich OS construction kit
Support of a variety of kernels: OKL4, L4/Fiasco, L4ka::Pistachio, NOVA, Fiasco.OC, Linux, Codezero
Preservation of special kernel features:
- OKLinux on OKL4
- L4Linux on Fiasco.OC
- Vancouver on NOVA
- Real-time priorities on L4/Fiasco
Uniform API → kernel-independent components
Many ready-to-use device drivers, protocol stacks, and 3rd-party libraries
3. Architectural principles
Object capabilities
Delegation of rights
Each process lives in a virtual environment
A process that possesses a right (capability) can:
- Use it (invoke)
- Delegate it to acquainted processes
Recursive system structure
Service announcement
Session creation
This works recursively
→ Application-specific TCB
Combined with virtualization
Resource management
Explicit assignment of physical resources to processes
Resource management (II)
Resources can be attached to sessions
Resource management (III)
Intermediation of resource requests
Resource management (IV)
Virtualization of resources
Resource management (V)
Server-side heap partitioning
Parent interface
void exit(exit_value)
void announce(service_name, root_capability)
session_capability session(service_name, session_args)
void upgrade(to_session_capability, quantum)
void close(session_capability)
Root interface
session_capability session(session_args)
void upgrade(session_capability, upgrade_args)
void close(session_capability)
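An added model of the parent and root interfaces just listed, showing how a RAM quota travels with a session: the client donates quota when it opens a session, the server partitions its heap per session and serves a request only from that session's donation, upgrade tops it up and close returns it. This is example code, not Genode's implementation; the Server, Client and ram_quota_of names and the "key=value, key=value" argument format are assumptions of the model.

```python
def ram_quota_of(session_args):
    """Read the ram_quota field from 'key=value, key=value' session arguments."""
    fields = dict(f.strip().split("=", 1) for f in session_args.split(","))
    return int(fields.get("ram_quota", "0"))

class Server:
    def __init__(self, name):
        self.name, self.sessions, self._next = name, {}, 1

    def session(self, session_args):           # Root interface: session(args)
        # The capability is an opaque handle, not a guessable global name.
        cap = (self.name, self._next)
        self._next += 1
        self.sessions[cap] = {"quota": ram_quota_of(session_args), "used": 0}
        return cap

    def upgrade(self, cap, quantum):            # Root interface: upgrade(cap, args)
        self.sessions[cap]["quota"] += quantum

    def close(self, cap):                       # Root interface: close(cap)
        return self.sessions.pop(cap)["quota"]  # the whole donation flows back

    def alloc(self, cap, size):
        # Served only from this session's donation: no client can starve the rest.
        s = self.sessions[cap]
        if s["used"] + size > s["quota"]:
            return False                        # client must upgrade() first
        s["used"] += size
        return True

class Client:
    def __init__(self, quota):
        self.quota = quota                      # explicit, finite RAM quota

    def donate(self, quantum):                  # transfer_quota() towards a server
        if quantum > self.quota:
            raise ValueError("cannot donate more quota than the client owns")
        self.quota -= quantum

    def open(self, server, session_args):       # Parent interface: session(...)
        self.donate(ram_quota_of(session_args))
        return server.session(session_args)

    def upgrade(self, server, cap, quantum):    # Parent interface: upgrade(...)
        self.donate(quantum)
        server.upgrade(cap, quantum)

    def close(self, server, cap):               # Parent interface: close(cap)
        self.quota += server.close(cap)
```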
4. Core - the root of the process tree
Core services
Services provided by core: LOG, RAM, CAP, CPU, IO_MEM, IO_PORT, IRQ, PD, ROM, RM, SIGNAL
LOG: Debug output
amount write(string)
RAM: Physical memory
ram_dataspace_capability alloc(size, cached)
void free(ram_dataspace_capability)
void ref_account(ram_session_capability)
void transfer_quota(ram_session_capability, amount)
amount quota()
amount used()
CAP: Object identities
capability alloc(entrypoint_capability)
void free(capability)
CPU: Threads
thread_capability create_thread(name)
void kill_thread(thread_capability)
void start(thread_capability, ip, sp)
IO_MEM: Memory-mapped I/O
Session arguments: base, size, write-combined
io_mem_dataspace_capability dataspace()
IO_PORT: Port-based I/O
Session arguments: base, size
value inb(address)
value inw(address)
value inl(address)
void outb(address, value)
void outw(address, value)
void outl(address, value)
IRQ: Device interrupts
Session argument: irq number
void wait_for_irq()
PD: Protection domain
void bind_thread(thread_capability)
void assign_parent(parent_capability)
ROM: Access to boot modules
Session argument: filename
rom_dataspace_capability dataspace()
RM: Address-space management
local_addr attach(dataspace_capability, size, offset, use_local_addr, local_addr, executable)
void detach(local_addr)
void add_client(thread_capability thread)
/* managed dataspaces */
dataspace_capability dataspace()
void fault_handler(signal_context_capability)
state state()
SIGNAL: Asynchronous signal delivery
signal_context_capability alloc_context(imprint)
void free_context(signal_context_capability)
void submit(signal_context_capability, count)
signal wait_for_signal()
5. Genesis of a new process
Ingredients
Process environment set up by the parent:
- RAM session for BSS and heap
- ROM session for executable binary
- CPU session for main thread
- RM session for address-space layout
- PD session for protection domain
Parent: Obtain executable ELF binary
Rom_connection rom("init");
Rom_dataspace_capability ds_cap = rom.dataspace();
void *elf_addr = env()->rm_session()->attach(ds_cap);
Parent: ELF binary decoding
1. Create a new region map using the RM service:
   Rm_connection rm;
2. Attach read-only parts of the dataspace:
   rm.attach(ds_cap, size, offset, true, addr);
3. Create RAM session, assign memory quantum:
   Ram_connection ram;
   ram.ref_account(env()->ram_session_cap());
   env()->ram_session()->transfer_quota(ram, RAM_QUOTA);
4. Use RAM dataspaces for writable sections (DATA, BSS):
   rw_cap = ram.alloc(section_size);
   void *sec_addr = env()->rm_session()->attach(rw_cap);
   ... /* write to buffer at sec_addr */
   env()->rm_session()->detach(sec_addr);
   rm.attach(rw_cap, section_size, offset, true, addr);
Parent: Creating the first thread
1. Create CPU session:
   Cpu_connection cpu;
2. Create main thread:
   Thread_capability thread_cap = cpu.create_thread("noname");
3. Associate thread with the address-space layout of the process:
   rm.add_client(thread_cap);
Parent: Creating the protection domain
1. Create PD session:
   Pd_connection pd;
2. Assign parent capability:
   pd.assign_parent(parent_cap);
3. Associate main thread with the PD:
   pd.bind_thread(thread_cap);
4. Start main thread at instruction pointer and stack pointer:
   cpu.start(thread_cap, ip, sp);
Child: Execute startup code
1. C++ runtime initialization
   - Exception handling
   - Execute global constructors
2. Request process environment (env) capabilities from parent
3. Call main() function
6. Simple example setup
Default demo scenario
Configuration
<config>
  <parent-provides>
    <service name="ROM"/> <service name="RAM"/> <service name="IRQ"/>
    <service name="IO_MEM"/> <service name="IO_PORT"/> <service name="CAP"/>
    <service name="PD"/> <service name="RM"/> <service name="CPU"/>
    <service name="LOG"/>
  </parent-provides>
  <default-route> <any-service> <parent/> <any-child/> </any-service> </default-route>
  <start name="pci_drv">
    <resource name="RAM" quantum="1M"/>
    <provides><service name="PCI"/></provides>
  </start>
  <start name="vesa_drv">
    <resource name="RAM" quantum="1M"/>
    <provides><service name="Framebuffer"/></provides>
  </start>
  <start name="ps2_drv">
    <resource name="RAM" quantum="1M"/>
    <provides><service name="Input"/></provides>
  </start>
  <start name="timer">
    <resource name="RAM" quantum="1M"/>
    <provides><service name="Timer"/></provides>
  </start>
  <start name="nitpicker">
    <resource name="RAM" quantum="1M"/>
    <provides><service name="Nitpicker"/></provides>
  </start>
  <start name="launchpad">
    <resource name="RAM" quantum="32M"/>
  </start>
</config>
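An added model (not init's own code) of what this configuration means at run time: init funds each start node from its own RAM quota and refuses to start a child it cannot fund, and a child's session request is resolved by the default-route rule, parent first, then any child that provides the service, with no global namespace to fall back on. The Init class, the shortened CONFIG and the quota figures are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed, shortened variant of the slide's <config> (same element shapes).
CONFIG = """<config>
 <parent-provides><service name="ROM"/><service name="RAM"/><service name="CPU"/><service name="LOG"/></parent-provides>
 <default-route><any-service> <parent/> <any-child/> </any-service></default-route>
 <start name="vesa_drv"><resource name="RAM" quantum="1M"/><provides><service name="Framebuffer"/></provides></start>
 <start name="nitpicker"><resource name="RAM" quantum="1M"/><provides><service name="Nitpicker"/></provides></start>
 <start name="launchpad"><resource name="RAM" quantum="32M"/></start>
</config>"""

def quantum_bytes(text):
    """'1M' -> 1 MiB, '512K' -> 512 KiB, bare digits -> bytes."""
    units = {"K": 1 << 10, "M": 1 << 20, "G": 1 << 30}
    return int(text[:-1]) * units[text[-1]] if text[-1] in units else int(text)

class Init:
    """Model of init's start-up accounting and session routing (not init's code)."""
    def __init__(self, config_xml, own_quota):
        root = ET.fromstring(config_xml)
        self.parent_services = {s.get("name") for s in root.find("parent-provides")}
        self.route_order = [rule.tag for rule in root.find("default-route/any-service")]
        self.children, self.refused, self.quota = {}, [], own_quota
        for start in root.findall("start"):
            name = start.get("name")
            need = quantum_bytes(start.find("resource[@name='RAM']").get("quantum"))
            if need > self.quota:            # no pretension of unlimited resources:
                self.refused.append(name)    # a child that cannot be funded is not started
                continue
            self.quota -= need               # explicit assignment from init's own quota
            provides = start.find("provides")
            self.children[name] = {s.get("name") for s in provides} if provides is not None else set()

    def route(self, service):
        """Return 'parent', the name of a child server, or None (request refused)."""
        for rule in self.route_order:        # rules are tried in the order written
            if rule == "parent" and service in self.parent_services:
                return "parent"
            if rule == "any-child":
                for child, services in self.children.items():
                    if service in services:
                        return child
        return None                          # no global namespace to fall back on
```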
Screenshot
Sessions
Virtualized framebuffer
Sessions including virtualized framebuffer
Thank you
What we covered today: Architecture
1. Why do we need another operating system?
2. Genode entering the picture
3. Architectural principles
4. Genesis of a new process
5. Simple example setup
Coming up next: Programming environment
1. Source tree overview
2. Build system
3. Run scripts
4. Inter-process communication
5. Client-server example
More information and resources: http://genode.org