DOCSLIB.ORG

Performance Benchmarking and Tuning for Container Networking on Arm

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Performance Benchmarking and Tuning for Container Networking on Arm Performance Benchmarking and Tuning for Container Networking on Arm Trevor Tao, Jianlin Lv, Jingzhao Ni, Song Zhu Sep/2020 © 2020 Arm Limited (or its affiliates) Agenda • Introduction • Container Networking Interfaces(CNIs) on arm • Benchmarking metrics, environment and tools • Benchmarking results • Initial Performance Analysis with perf tools • Future Work(Provisional) 2 © 2020 Arm Limited (or its affiliates) Introduction © 2020 Limited Introduction What is CNI? • CNI (Container Network Interface), a Cloud Native Computing Foundation project, consists of a specification and libraries for writing plugins to configure network interfaces in Linux containers, along with a number of supported plugins. • CNI concerns itself only with network connectivity of containers and removing allocated resources when the container is deleted. • CNI has a wide range of support and the specification is simple to implement but not the implementation itself for its extensions. • CNI are the de-facto Kubernetes networking support • We need to know how they perform on arm platform Kubernetes Networking Model • Kubernetes makes opinionated choices about how Pods • Networking objects are networked: • Container-to-Container networking • all Pods can communicate with all other Pods • Pod-to-Pod networking without using network address translation (NAT). • Pod-to-Service networking • all Nodes can communicate with all Pods without • Internet-to-Service networking NAT. • The IP that a Pod sees itself as is the same IP that others see it as. 4 © 2020 Arm Limited (or its affiliates) Container Networking Interfaces(CNIs) on arm © 2020 Limited High Performance CNIs available for Arm Edge Stack Things now available in Akraino IEC Arm edge stack as a ref: IEC Arm Edge Stack Calico Cilium Contiv-VPP OVN-K8s SRIOV Flannel • Direct physical • Widely used and • pure IP networking • Linux-Native, API- • uses FD.io VPP to interfaces(PF/VFs) almost easiest fabric Aware Networking deployment for a provide network • OVS/OVN- support for Pods and Security for simple K8s • high-level network connectivity controller based Containers • High performance networking policy between PODs K8s networking with direct Linux management by • Linux eBPF based solution kernel eth driver or• Linux network bridge • Native DPDK iptables network policy, DPDK PMD driver for pod connection interface support • Rather good load balance and and overlay based • Good scalability for phy NIC performance with • Usually co-work with communication for security which is OVS inherited other CNIs, such as inter-hosts access • Support believed to be with • Native VPP Flannel, Calico by direct(non-overlay) incredible ACL/NAT based • Use OVN logical Multus or other glue• Easy to be integrated and overlay(IPINIP, performance network policy and switches/routers to CNI into other container VxLAN) network connect Pods and networking solution, Repo: • access • Need resource connection L3 networking for outside access e.g., Cilium between hosts • Good performance description or • No good network https://gerrit.akraino.o • Easy deployment but with rather • No OVS-DPDK annotation when do • Good scalability policy support complex support now the configuration for rg/r/admin/repos/iec • Calico-VPP appears too configuration CNI and Pod setup • Hard to debug 6 6 © 2020 Arm Limited (or its affiliates) CNI Networking Models Flannel Cilium Ref. and modified from web source Quote from web source Backend: Tested version: v0.11.0 Backend: Tested version: IPIP, VXLAN VXLAN, Direct Master branch compiled at 2020-09-09 Routing(not tested 7 © 2020 Arm Limited (or its affiliates) now) 7 CNI Networking Models Calico Kubernetes Service Implementation Quote from web source 8 © 2020 Arm Limited (or its affiliates) Tested version: v3.13.2 Benchmarking metrics, environment and tools © 2020 Limited Benchmarking metrics, topology and tools Benchmarking Metrics • Protocols: TCP, UDP, HTTP(s) • TCP, UDP Metrics: bandwidth in Mbits/sec, Gbits/sec, round-trip delay in ms • HTTP(s): Bandwidth in Mbits/sec, Gbits/sec, CPS(Connection per Second), RPS(Request per Second) Tools: Network connection: • IPerf, WRK 10Gbps connection by Ethernet Controller XXV710----→82599ES 10-Gigabit Server Platform SFI/SFP+ Network Connection 10fb Architecture: aarch64 CPU max MHz: 2500.0000 NUMA node0 CPU(s): 0-xxx Byte Order: Little Endian CPU min MHz: 1000.0000 NUMA node1 CPU(s): xxx- CPU(s): xxx BogoMIPS: 400.00 yyy On-line CPU(s) list: 0-xxx L1d cache: xxK Thread(s) per core: 4 L1i cache: xxK L2 cache: xxxK L3 cache: xxxxK 10 © 2020 Arm Limited (or its affiliates) 10 Benchmarking metrics, environment and tools IPerf(v2) test topology: Wrk (http performance) test topology: Nginx Test Command: Client: Test command: iperf -c ${SERVER_IP} -t ${time} -i 1 -w wrk -t12 -c1000 -d30s 100K -P 4 http://$IP/files/$file 11 © 2020 Arm Limited (or its affiliates) Server: Iperf -s 11 Benchmarking Results © 2020 Limited Benchmarking Results of TCP Throughput for CNIs with Different Backends Node to Pod TCP Performance for IPIP(Calico), IPIP(Flannel), VXLAN(Flannel), Observation for TCP performance over CNIs VXLAN(Cilium) and Direct Routing(no Tunnel, Calico) Inter-Hosts 10Gb/s ether connection • The performance gap between CNIs are not so explicit when overlay tunnel is used; 12 • Calico and Flannel show a little bit better 10 performance than Cilium for most MTUs here 8 BW • With IPIP/VXLAN overlay tunnel enabled, the 6 (Gbps) larger MTU size, the throughput(BW) 4 performance is better. 2 • When use direct routing(here by Calico, Cilium 0 also support this mode), the throughput 1500 2000 3000 4000 5000 6000 7000 8000 9000 performance is not significantly affected by MTU MTU size (Byte) size. • The performance of direct routing here by Calico, Calico IPIP Tunnel Flannel IPIP Tunnel Flannel VXLAN Tunnel Cilium VXLAN Tunnel Calico Direct Routing(no tunnel) Cilium also support this mode) is better than IPIP Pod to Pod Performance for IPIP(Calico), IPIP(Flannel), VXLAN(Flannel), enabled. VXLAN(Cilium) and Direct Routing(no Tunnel, Calico) • The IPIP tunnel is a little better than VXLAN tunnel Inter Hosts 10Gb/s ether connection • In general, the node to pod TCP performance is better than that of pod 2 pod which flows one 12 more step ( of veth connection to the Linux 10 kernel) . 8 BW Finally, compared with different scenarios, it proves 6 (Gbps) that IPIP/VXLAN overlay tunnel which are now 4 implemented in the Linux kernel is the key factor 2 which affects the performance of CNIs on arm 0 1500 2000 3000 4000 5000 6000 7000 8000 9000 Question: MTU (Byte) Why the node to pod performance is no better than that of pod to pod case for Cilium? 13 © 2020 ArmCalico Limited IPIP (or Tunnel its affiliates)Flannel IPIP Tunnel Flannel VXLAN Tunnel Cilium VXLAN Tunnel Calico Native Routing HTTP Performance Benchmarking for Calico CNI Pod2Pod HTTP Performance with Calico IPIP Overlay for Cross- Host Communication 1000 Initial observation: • MTU has a rather 900 bigger effect on 800 767.05 775.54 760.33 the performance when accessing 700 large files, but when the 600 accessed file size 510.09 BW is small, it has 500 little effect (MB/s) 400 369.53 • The accessed file size is a major 300 factor to the HTTP performance 200 when there is only 100.82 a small number of 100 parallel threads 9.09 0 • When the file size 600B 10KB 100KB 1MB 10MB 100MB 500MB is big enough, the performance can’t File size to be accessed by Wrk be improved much even with bigger MTU: 1480 2000 3000 4000 5000 6000 7000 8000 8980 MTUs 14 © 2020 Arm Limited (or its affiliates) HTTP Performance Benchmarking for Calico CNI Pod2Pod HTTP Performance with Calico non-IPIP Overlay for Cross-Host Communication 1200 1120 1120 1120 Initial observation: 1000 1000 • Almost the same as that of IPIP • The file size has much 800 more significant performance impact BW 596.93 than the MTU 600 (MB/s) • For file size > =10MB, the MTU has little effect 400 to the final performance • The performance is much higher than those 200 of IPIP when file size >= 114.96 100KB(See next page) 9.78 0 600B 10KB 100KB 1MB 10MB 100MB 500MB File size to be accessed by Wrk MTU: 1500 2000 3000 4000 5000 6000 7000 8000 9000 Question: Why for small file size, the performance of smaller MTU is even better than those of large MTUs? 15 © 2020 Arm Limited (or its affiliates) Wrk: thread 5, connections: 10 HTTP Performance Benchmarking for Calico CNI Pod2Pod HTTP Performance with Calico IPIP vs non-IPIP for Cross- Host Communication 1200 1130 1130 1130 1020 Initial observation: 1000 • For file size > =10MB, the MTU 800 has little effect to the final performance BW 580.31 600 (MB/s) • The performance is much higher than those of IPIP 400 when file size >= 100KB 200 • When MTU is 107.6 small, the 10.28 performance gap 0 between IPIP and 600B 10KB 100KB 1MB 10MB 100MB 500MB non-IPIP is higher File size to be accessed by Wrk IPIP-MTU-1480 non-IPIP-MTU-1500 IPIP-MTU-5000 MTU: non-IPIP-MTU-5000 IPIP-MTU-8980 non-IPIP-MTU-9000 16 © 2020 Arm Limited (or its affiliates) Wrk: thread 5, connections: 10 HTTP Performance Benchmarking for Calico CNI Host2Pod vs Host2Service HTTP Performance with Calico IPIP and Observation: non-IPIP for Cross-Host Communication • The performance gap is minor 1200 when accessing small files 1090 1090 1090 • For small file size, the 1010 host2pod and host2service 1000 performance is almost the same, which means the 800 service access(by iptables configured by kube-proxy) is BW not the bottleneck for HTTP 600 559 (MB/s) service • The performance of non-IPIP is 400 much higher than those of IPIP when file size >= 100KB 200 • For large MTU and large file 102.9 size, the host2pod 9.12 performance is better than 0 host2svc.
Load more

Recommended publications
  • Open Source Projects As Incubators of Innovation
    RESEARCH CONTRIBUTIONS TO ORGANIZATIONAL SOCIOLOGY AND INNOVATION STUDIES / STUTTGARTER BEITRÄGE ZUR ORGANISATIONS- UND INNOVATIONSSOZIOLOGIE SOI Discussion Paper 2017-03 Open Source Projects as Incubators of Innovation From Niche Phenomenon to Integral Part of the Software Industry Jan-Felix Schrape Institute for Social Sciences Organizational Sociology and Innovation Studies Jan-Felix Schrape Open Source Projects as Incubators of Innovation. From Niche Phenomenon to Integral Part of the Software Industry. SOI Discussion Paper 2017-03 University of Stuttgart Institute for Social Sciences Department of Organizational Sociology and Innovation Studies Seidenstr. 36 D-70174 Stuttgart Editor Prof. Dr. Ulrich Dolata Tel.: +49 711 / 685-81001 [email protected] Managing Editor Dr. Jan-Felix Schrape Tel.: +49 711 / 685-81004 [email protected] Research Contributions to Organizational Sociology and Innovation Studies Discussion Paper 2017-03 (May 2017) ISSN 2191-4990 © 2017 by the author(s) Jan-Felix Schrape is senior researcher at the Department of Organizational Sociology and Innovation Studies, University of Stuttgart (Germany). [email protected] Additional downloads from the Department of Organizational Sociology and Innovation Studies at the Institute for Social Sciences (University of Stuttgart) are filed under: http://www.uni-stuttgart.de/soz/oi/publikationen/ Abstract Over the last 20 years, open source development has become an integral part of the software industry and a key component of the innovation strategies of all major IT providers. Against this backdrop, this paper seeks to develop a systematic overview of open source communities and their socio-economic contexts. I begin with a recon- struction of the genesis of open source software projects and their changing relation- ships to established IT companies.
    [Show full text]
  • MINCS - the Container in the Shell (Script)
    MINCS - The Container in the Shell (script) - Masami Hiramatsu <[email protected]> Tech Lead, Linaro Ltd. Open Source Summit Japan 2017 LEADING COLLABORATION IN THE ARM ECOSYSTEM Who am I... Masami Hiramatsu - Linux kernel kprobes maintainer - Working for Linaro as a Tech Lead LEADING COLLABORATION IN THE ARM ECOSYSTEM Demo # minc top # minc -r /opt/debian/x86_64 # minc -r /opt/debian/arm64 --arch arm64 LEADING COLLABORATION IN THE ARM ECOSYSTEM What Is MINCS? My Personal Fun Project to learn how linux containers work :-) LEADING COLLABORATION IN THE ARM ECOSYSTEM What Is MINCS? Mini Container Shell Scripts (pronounced ‘minks’) - Container engine implementation using POSIX shell scripts - It is small (~60KB, ~2KLOC) (~20KB in minimum) - It can run on busybox - No architecture dependency (* except for qemu/um mode) - No need for special binaries (* except for libcap, just for capsh --exec) - Main Features - Namespaces (Mount, PID, User, UTS, Net*) - Cgroups (CPU, Memory) - Capabilities - Overlay filesystem - Qemu cross-arch/system emulation - User-mode-linux - Image importing from dockerhub And all are done by CLI commands :-) LEADING COLLABORATION IN THE ARM ECOSYSTEM Why Shell Script? That is my favorite language :-) - Easy to understand for *nix administrators - Just a bunch of commands - Easy to modify - Good for prototyping - Easy to deploy - No architecture dependencies - Very small - Able to run on busybox (+ libcap is perfect) LEADING COLLABORATION IN THE ARM ECOSYSTEM MINCS Use-Cases For Learning - Understand how containers work For Development - Prepare isolated (cross-)build environment For Testing - Test new applications in isolated environment - Test new kernel features on qemu using local tools For products? - Maybe good for embedded devices which has small resources LEADING COLLABORATION IN THE ARM ECOSYSTEM What Is A Linux Container? There are many linux container engines - Docker, LXC, rkt, runc, ..
    [Show full text]
  • LVC20-108 Arm64 Linux Kernel Architecture Update
    Arm64 Linux Kernel architecture update Matteo Carlini Director, Software Technology Management Arm – Open Source Software A-profile Architecture new feature names! https://developer.arm.com/architectures/cpu-architecture/a-profile/exploration-tools/feature-names-for-a-profile A-profile features: arm64 kernel support table https://developer.arm.com/tools-and-software/open-source-software/linux-kernel/architecture-and-kvm-enablement A-class architecture kernel enablement – Mar 20 TTS2UXN A64ISA AA32HPD PAUTH CNTS PMU S2FW FHM TTPBHA C B Trace LSE LSE IESB LSMAOC Debug SHA PMU RDMA CompNum JSconv S-EL2 SM SM TTCNP TTST VMID16 HPD v8.3 DIT SHA UAO v8.1 v8.2 RAS v8.4 IDST RCPC CCIDX DotProd ATS1E1 LOR VHE DFE CondM TTRe NV RCPC RAS LP16 m PAN TTHM MPAM AMU TTL NV Debug LVA TLBI VPIPT LPA DCPOP EVT DoPD GTG ECV MTPMU ETS SVE2 SPE SpecRest MPAM CTSS PMU PredInv PAuth2/ Future FGT FPAC architectures v8.0 RNG BT v8.5 v8.6 F64MM DGH DCCVADP MemTag Enablement complete TME EOPD CSEH F32MM TWED Enablement ongoing Enablement TBD SB CMODX I8MM BF16 FRINT CondM AMU N/A – no Kernel impact A-class architecture kernel enablement – Today TTS2UXN A64ISA AA32HPD PAUTH PMU FHM TTPBHA CNTSC S2FWB S-EL2 LSE LSE IESB LSMAOC TTST SHA PMU RDMA CompNum JSconv RAS SM SM TTCNP VMID16 HPD v8.3 DFE DIT SHA UAO TTRem v8.4 v8.1 v8.2 IDST RCPC CCIDX DotProd ATS1E1 LOR VHE Trace CondM NV Debug RCPC RAS LP16 PAN TTHM MPAM AMU Debug LVA NV TLBI TTL VPIPT LPA DCPOP GTG SPE SpecRest ECV MTPMU ETS SVE2 PMU PredInv MPAM CTSS RNG MemTag PAuth2/ Future FGT FPAC architectures v8.0
    [Show full text]
  • Hdcp Support in Optee
    HDCP SUPPORT IN OPTEE PRODUCT PRESENTATION Linaro Multimedia Working Group MICR ADVANCED TECHNOLOGIES • https://www.linaro.org/ SEPTEMBER 2019 Agenda • Quick introduction to HDCP • Secure Video Path overview • Current HDCP control in Linux • Proposal to control HDCP in OPTEE • Questions HDCP OVERVIEW 3 HDCP : High bandwidth Digital Content Protection • A digital copy protection developed by Intel™ to prevent copying of digital and audio video content. Before sending data, the source device shall check the destination device is authorized to received it. If so, the source device encrypts the data, only the destination device can decrypt. - data encryption - prevent non-licensed devices from receiving content • Android and Linux NXP bsp manage HDCP at Linux Level, through libDRM. So nothing prevent a user to disable HDCP protection while secure content is under playback. It is a security holes in the Secure Video Path. • HDCP support currently under development for wayland/Weston: https://gitlab.freedesktop.org/wayland/weston/merge_requests/48 • No Open Source solution exists to manage HDCP in secure mode. • HDCP versions: ▪ HDCP 1.X: Hacked: Master key published (leak/reverse engineering) ▪ HDCP 2.0: Hacked before release ▪ HDCP 2.1: Hacked before release ▪ HDCP 2.2: Not yet hacked 4 ▪ HDCP 2.3: Not yet hacked HDCP control state Machine Content with HDCP protection mandatory no yes Local display Local display yes no yes no Video displayed Video displayed without HDCP Digital Display without HDCP Digital Display encryption encryption yes no yes no It means we have analog display Video displayed Video displayed HDCP supported without HDCP HDCP supported without HDCP encryption encryption yes no yes no Video displayed Video displayed without Widevine/PlayReady To Video not displayed Application to decide if HDCP check current HDCP version Application to display a Warning 5 HDCP encryption message HDCP Unauthorized, encryption to be used >= expected HDCP version Content Disabled.' Error.
    [Show full text]
  • Implantación De Linux Sobre Microcontroladores
    Embedded Linux system development Embedded Linux system development DSI Embedded Linux Free Electrons Developers © Copyright 2004-2018, Free Electrons. Creative Commons BY-SA 3.0 license. Latest update: March 14, 2018. Document updates and sources: http://free-electrons.com/doc/training/embedded-linux Corrections, suggestions, contributions and translations are welcome! DSI - FCEIA http://dsi.fceia.unr.edu.ar 1/263 Derechos de copia © Copyright 2018, Luciano Diamand Licencia: Creative Commons Attribution - Share Alike 3.0 http://creativecommons.org/licenses/by-sa/3.0/legalcode Ud es libre de: I copiar, distribuir, mostrar y realizar el trabajo I hacer trabajos derivados I hacer uso comercial del trabajo Bajo las siguientes condiciones: I Atribuci´on. Debes darle el cr´editoal autor original. I Compartir por igual. Si altera, transforma o construye sobre este trabajo, usted puede distribuir el trabajo resultante solamente bajo una licencia id´enticaa ´esta. I Para cualquier reutilizaci´ono distribuci´on,debe dejar claro a otros los t´erminos de la licencia de este trabajo. I Se puede renunciar a cualquiera de estas condiciones si usted consigue el permiso del titular de los derechos de autor. El uso justo y otros derechos no se ven afectados por lo anterior. DSI - FCEIA http://dsi.fceia.unr.edu.ar 2/263 Hiperv´ınculosen el documento Hay muchos hiperv´ınculosen el documento I Hiperv´ıncluosregulares: http://kernel.org/ I Enlaces a la documentaci´ondel Kernel: Documentation/kmemcheck.txt I Enlaces a los archivos fuente y directorios del kernel: drivers/input include/linux/fb.h I Enlaces a declaraciones, definiciones e instancias de los simbolos del kernel (funciones, tipos, datos, estructuras): platform_get_irq() GFP_KERNEL struct file_operations DSI - FCEIA http://dsi.fceia.unr.edu.ar 3/263 Introducci´ona Linux Embebido Introducci´ona DSI Linux Embebido Embedded Linux Developers Free Electrons © Copyright 2004-2018, Free Electrons.
    [Show full text]
  • SFO17-409 TSC OSS Toolchain Discussion David a Rusling Ryan S
    SFO17-409 TSC OSS Toolchain Discussion David A Rusling Ryan S. Arnold, Maxim Kuvyrkov linaro Committee Confidential @ 2017 Overview ● Toolchain work in Linaro ○ GCC ■ ARM GNU funding to TCWG and the effect on Linaro TCWG's roadmap ■ Transition of GNU toolchain release to ARM in 2018 (august) ■ ARMv8.2 ■ SVE upstream progress ● GDB SVE enablement moving forward ○ LLVM ■ ARMv8.2 ■ LLVM growth roadmap ■ SVE upstream progress ○ ILP32 ■ ILP32 toolchain progress update ○ FDPIC Toolchain ● Discussion ○ Does this all fit together? ○ Is there anything that we’re missing? linaro Committee Confidential @ 2017 ENGINEERS AND DEVICES WORKING TOGETHER Key GNU Deliverables 1.TCWG-1232 Link Time Optimization tuning for AArch64 2.TCWG-64 Sign/Zero-Extension Elimination optimizations 3.TCWG-1233 Investigate scalability of libgomp on SPEC CPU2017 4.TCWG-1207 ILP32 Toolchain 5.TCWG-159 GDB Kernel Awareness 6.TCWG-1035 GDB target description rework for SVE enablement 7.TCWG-1160, TCWG-1161 OpenOCD AArch64 & GDB Remote debugging interoperability 8.TCWG-935 Automated regression testing of upstream branches 9.TCWG-1231 Automated benchmarking of upstream branches linaro Committee Confidential @ 2017 ENGINEERS AND DEVICES WORKING TOGETHER ARM funding of GNU work & Need for LLVM ● High volume of LLVM work needed to be done (see LLVM Growth Roadmap slides). Linaro Exec Mgmt was planning to propose TCWG transition to LLVM in the future. This initial proposal was shared with ARM. ● ARM expressed concern as there is still important GNU work Linaro can do especially on behalf of ARM enterprise workloads. ● ARM has decided to fund three existing (full-time equivalent) TCWG engineers to continue to focus on GNU for at least the next year.
    [Show full text]
  • Is Android the New Embedded Linux?
    Is Android the new Embedded Linux? AnDevCon 2013 Karim Yaghmour [email protected] 1 These slides are made available to you under a Creative Commons Share- Delivered and/or customized by Alike 3.0 license. The full terms of this license are here: https://creativecommons.org/licenses/by-sa/3.0/ Attribution requirements and misc., PLEASE READ: ● This slide must remain as-is in this specific location (slide #2), everything else you are free to change; including the logo :-) ● Use of figures in other documents must feature the below “Originals at” URL immediately under that figure and the below copyright notice where appropriate. ● You are free to fill in the “Delivered and/or customized by” space on the right as you see fit. ● You are FORBIDEN from using the default “About” slide as-is or any of its contents. rd ● You are FORBIDEN from using any content provided by 3 parties without the EXPLICIT consent from those parties. (C) Copyright 2013, Opersys inc. These slides created by: Karim Yaghmour Originals at: www.opersys.com/community/docs 2 About ● Author of: ● Introduced Linux Trace Toolkit in 1999 ● Originated Adeos and relayfs (kernel/relay.c) ● Training, Custom Dev, Consulting, ... 3 1. Why are we asking this question? ● Android is based on Linux ● Android is “embedded” ● Android is extremely popular ● Android enjoys good support from SoC vendors Mostly - The trends are there 4 1.1. Why did Embedded Linux rise? ● EETimes 2005 survey ... http://www.embedded.com/electronics-blogs/- include/4025539/Embedded-systems-survey-Operating- systems-up-for-grabs ● EETimes 2013 survey http://www.slideshare.net/MTKDMI/2013-embedded-market- study-final http://www.eetimes.com/electronics-news/4407897/Android-- FreeRTOS-top-EE-Times--2013-embedded-survey 5 1.2.
    [Show full text]
  • Operating System Support for Run-Time Security with a Trusted Execution Environment
    Operating System Support for Run-Time Security with a Trusted Execution Environment - Usage Control and Trusted Storage for Linux-based Systems - by Javier Gonz´alez Ph.D Thesis IT University of Copenhagen Advisor: Philippe Bonnet Submitted: January 31, 2015 Contents Preface2 1 Introduction4 1.1 Context.......................................4 1.2 Problem.......................................6 1.3 Approach......................................7 1.4 Contribution....................................9 1.5 Thesis Structure.................................. 10 I State of the Art 12 2 Trusted Execution Environments 14 2.1 Smart Cards.................................... 15 2.1.1 Secure Element............................... 17 2.2 Trusted Platform Module (TPM)......................... 17 2.3 Intel Security Extensions.............................. 20 2.3.1 Intel TXT.................................. 20 2.3.2 Intel SGX.................................. 21 2.4 ARM TrustZone.................................. 23 2.5 Other Techniques.................................. 26 2.5.1 Hardware Replication........................... 26 2.5.2 Hardware Virtualization.......................... 27 2.5.3 Only Software............................... 27 2.6 Discussion...................................... 27 3 Run-Time Security 30 3.1 Access and Usage Control............................. 30 3.2 Data Protection................................... 33 3.3 Reference Monitors................................. 36 3.3.1 Policy Enforcement............................. 36 3.3.2
    [Show full text]
  • Secure Data Path on Linux and Nxp I.Mx 8M
    SECURE DATA PATH ON LINUX AND NXP I.MX 8M PRODUCT PRESENTATION MICR ADVANCED TECHNOLOGIES Linaro Multimedia Working Group https://www.linaro.org/ LINARO CONNECT SAN DIEGO 2019 SECURE VIDEO PATH OVERVIEW 2 I.MX 8MQ Secure Video Path with Android bsp – Hong Kong Connect 2018 • Slides: https://www.slideshare.net/linaroorg/hkg18113-secure-data-path-work-with-imx8m • Demos: https://www.youtube.com/watch?v=z27Tl5XkFJ4 3 i.MX 8M : Voice and video processing applications processor • Dedicated hardware for security • Video quality with full 4K Ultra HD resolution and HDR (Dolby Vision, HDR10, and HLG) • Hardware composer (4Kp60): DCSS (Display Controller Sub System) • Highest levels of pro audio fidelity with more than 20 audio channels each @384KHz • DSD512 audio capability • Fully supported on NXP’s 10 and 15-year Longevity Program 4 i.MX 8M SDP (Secure Data Path) at a glance The i.MX 8M security subsystem is configured in a way that only hardware components involved in the decoding and the rendering of the stream have access to the decrypted data: • High Assurance Boot (On Chip ROM with tamper detection). Authenticated and Encrypted boot • ARM TrustZone/TEE and the Central Security Unit (CSU) split the processing between non-secure world running the rich OS, and the secure world running the trusted stack (ATF/OP-TEE from Linaro) • RDC (Resource Domain Controller) to isolate CPU, VPU, GPU, DCSS and memory buffers, using dedicated hardware -> Application CPU cores won’t have physical access to decrypted video memory buffers • CAAM (Cryptographic
    [Show full text]
  • Embedded Linux Size Reduction Techniques
    Embedded Linux Conference 2017 Embedded Linux size reduction techniques Michael Opdenacker free electrons [email protected] free electrons - Embedded Linux, kernel, drivers - Development, consulting, training and support. http://free-electrons.com 1/1 Michael Opdenacker I Michael Opdenacker I Founder and Embedded Linux engineer at free electrons I Embedded Linux expertise I Development, consulting and training I Strong open-source focus I Long time interest in embedded Linux boot time, and one of its prerequisites: small system size. I From Orange, France Penguin from Justin Ternet (https://openclipart.org/detail/182875/pinguin) free electrons - Embedded Linux, kernel, drivers - Development, consulting, training and support. http://free-electrons.com 2/1 Why reduce size? There are multiple reasons for having a small kernel and system I Run on very small systems (IoT) I Run Linux as a bootloader I Boot faster (for example on FPGAs) I Reduce power consumption Even conceivable to run the whole system in CPU internal RAM or cache (DRAM is power hungry and needs refreshing) I Security: reduce the attack surface I Cloud workloads: optimize instances for size and boot time. I Spare as much RAM as possible for applications and maximizing performance. See https://tiny.wiki.kernel.org/use_cases free electrons - Embedded Linux, kernel, drivers - Development, consulting, training and support. http://free-electrons.com 3/1 Reasons for this talk I No talk about size since ELCE 2015 I Some projects stalled (Linux tinification, LLVM Linux...) I Opportunity to have a look at solutions I didn’t try: musl library, Toybox, gcc LTO, new gcc versions, compiling with Clang..
    [Show full text]
  • Linux Interface Specification Yocto Recipe Start-Up Guide Rev.1.09
    User ’s Manual ’s Linux Interface Specification Yocto recipe Start-Up Guide User’s Manual: Software RZ/G2 group All information contained in these materials, including products and product specifications, represents information on the product at the time of publication and is subject to change by Renesas Electronics Corp. without notice. Please review the latest information published by Renesas Electronics Corp. through various means, including the Renesas Electronics Corp. website (http://www.renesas.com). www.renesas.com Rev.1.09 Aug. 31, 2021 Notice 1. Descriptions of circuits, software and other related information in this document are provided only to illustrate the operation of semiconductor products and application examples. You are fully responsible for the incorporation or any other use of the circuits, software, and information in the design of your product or system. Renesas Electronics disclaims any and all liability for any losses and damages incurred by you or third parties arising from the use of these circuits, software, or information. 2. Renesas Electronics hereby expressly disclaims any warranties against and liability for infringement or any other claims involving patents, copyrights, or other intellectual property rights of third parties, by or arising from the use of Renesas Electronics products or technical information described in this document, including but not limited to, the product data, drawings, charts, programs, algorithms, and application examples. 3. No license, express, implied or otherwise, is granted hereby under any patents, copyrights or other intellectual property rights of Renesas Electronics or others. 4. You shall not alter, modify, copy, or reverse engineer any Renesas Electronics product, whether in whole or in part.
    [Show full text]
  • LAVA Federated Testing Testing with and by the Community
    LAVA federated testing Testing with and by the community Remi Duraffort What’s LAVA? ● Linaro Automated Validation Architecture ● CI system ○ Deploy (kernel, dtb, rootfs, raw image, ...) ○ Boot (linux, android, zephyr, …) ○ Test ● On real hardware: rpi, juno, panda, imx8, … ● Becoming the “de facto” standard Testing without LAVA kernel dtb rootfs Serial relay % power on board % telnet localhost 2000 <enter> Power control => dhcp => setenv serverip 10.3.1.1 => […] => bootm 0x01000000 - 0x03f00000 […] raspberrypi3 login: root # run-test.sh tftp&nfs server […] % power off board Testing with LAVA kernel dtb rootfs Serial relay Job Configuration dispatcher Power control tftp&nfs server Testing with LAVA (full lab) Serial relay Serial relay Users Serial relay Serial relay dispatcher 1 Power control Power control dispatcher 2 Power control Power control server dispatcher N tftp&nfs server Testing with LAVA (user side) ● lavacli jobs submit <job-definition.yaml> ● YAML file ○ device_type: rpi3-b ○ urls: ■ kernel ➢ android ■ dtb ➢ ltp ■ rootfs ➢ ○ auto_login: kselftest ■ prompt ➢ linpack ■ username ➢ v4l2 ○ test repository (git) ➢ ■ https://git.linaro.org/qa/test-definitions.git/ ... Testing with LAVA (admin side) ● Server ● Dispatcher ○ Web UI and API ○ Check boards health ■ Submit jobs ○ Parse logs ■ Results, logs, ... ■ Kernel panic ○ Access control ■ Bootloader error ○ Scheduling ○ Classify errors ■ Priority ■ Infrastructure, Job, Test, Bug, ... ■ Private boards ○ Reproducible ■ Multinode jobs ○ Notifications Supported methods (some) ● Deploy:
    [Show full text]