Microkernel Construction
Introduction
Hermann Härtig SS2013 Benjamin Engel
TU Dresden Operating Systems Group Microkernel Construction ClassClass GoalsGoals
Provide deeper understanding of OS mechanisms
Introduce L4 principles and concepts
Make you become enthusiastic L4 hackers
Propaganda for OS research at TU Dresden
Hermann Härtig Benjamin Engel
TU Dresden Operating Systems Group 2 Microkernel Construction AdministrationAdministration
Thursday, 4th DS, 2 SWS Slides: http://www.tudos.org → Teaching → Microkernel Construction Subscribe to our mailing list: http://www.tudos.org/mailman/listinfo/mkc2013 In winter term: – Construction of Microkernel-based Systems (2 SWS) – Various Labs
Hermann Härtig Benjamin Engel
TU Dresden Operating Systems Group 3 Microkernel Construction „„Monolithic“Monolithic“ KernelKernel SystemSystem DesignDesign
Application ApplicationApplication Application Unprivileged Mode
Privileged File Network Mode Systems Subsystem
Memory Process Drivers Management Management
Monolithic Kernel
Hermann Härtig Benjamin Hardware Engel
TU Dresden Operating Systems Group 4 Microkernel Construction MonolithicMonolithic KernelKernel OSOS (Propaganda)(Propaganda)
System components run in privileged mode ➔ No protection between system components – Faulty driver can crash the whole system – More than 2/3 of today's OS code are drivers ➔ No need for good system design – Direct access to data structures – Undocumented and frequently changing interfaces ➔ Big and inflexible – Difficult to replace system components Why something different? Hermann Härtig More and more difficult to manage increasing OS Benjamin Engel complexity
TU Dresden Operating Systems Group 5 Microkernel Construction MicrokernelMicrokernel SystemSystem DesignDesign
Application Application Application
File Network Systems Stacks
Memory Process Management Management Drivers Unprivileged System Services Mode
Privileged Tasks Threads IPC Scheduling Mode
Hermann Härtig Microkernel Benjamin Engel Hardware TU Dresden Operating Systems Group 6 Microkernel Construction ExampleExample –– IBMIBM WorkplaceWorkplace OSOS // MachMach
OS/2 DOS OS/400 AIX Windows Application Application Application Application Application
OS/2 DOS OS/400 Windows AIX Personality Personality Personality Personality Personality
File Server Network Service Security Power Management
Default Pager Device Support Bootstrap Name Service
Hermann Mach Microkernel Härtig Benjamin Engel ARM PowerPC IA32 MIPS Alpha
TU Dresden Operating Systems Group 7 Microkernel Construction ExampleExample –– QNXQNX // NeutrinoNeutrino
. Embedded systems Message passing system (IPC) Network transparency
Application Application Application
Filesystem Device Process Network Manager Manager Manager Manager Unprivileged Mode
Privileged Interrupt Network IPC Scheduler Mode Redirector Driver Hermann Härtig Neutrino - Microkernel Benjamin Engel Hardware TU Dresden Operating Systems Group 8 Microkernel Construction ExampleExample –– Fiasco.OCFiasco.OC
Native Linux Native Linux L4Re Application Application Application
X11
L4Linux Dope VPFS
L4Re
Hermann Fiasco.OC Microkernel Härtig Benjamin Engel Hardware
TU Dresden Operating Systems Group 9 Microkernel Construction VisionsVisions vs.vs. RealityReality
Flexibility and Customizable – Monolithic kernels are modular Maintainability and complexity – Monolithic kernel have layered architecture ✔ Robustness – Microkernels are superior due to isolated system components – Trusted code size (i386) • Fiasco kernel: about 15.000 loc • Linux kernel: about 300.000 loc (without drivers) Performance Hermann ✗ Härtig Benjamin – Application performance degraded Engel – Communication overhead (see next slides)
TU Dresden Operating Systems Group 10 Microkernel Construction RobustnessRobustness vs.vs. PerformancePerformance (1)(1)
System calls – Monolithic kernel: 2 kernel entries/exits – Microkernel: 4 kernel entries/exits + 2 context switches
Application Application
1 4 Driver Driver
2 3
Microkernel Monolithic kernel Hermann Härtig Benjamin Engel HardwareHardware Hardware
TU Dresden Operating Systems Group 11 Microkernel Construction RobustnessRobustness vs.vs. PerformancePerformance (2)(2)
Calls between system services – Monolithic kernel: 1 function call – Microkernel: 4 kernel entries/exits + 2 context switches
Network Network Driver Driver Subsystem Subsystem 1 4 2 3
Microkernel Monolithic kernel
Hermann Härtig Benjamin Hardware Hardware Engel
TU Dresden Operating Systems Group 12 Microkernel Construction ChallengesChallenges
Build functional powerful and fast microkernels – Provide abstractions and mechanisms – Fast communication primitive (IPC) – Fast context switches and kernel entries/exits ➔ Subject of this lecture
Build efficient OS services – Memory Management – Synchronization – Device Drivers – File Systems Hermann – Communication Interfaces Härtig Benjamin ➔ Engel Subject of lecture “Construction of Microkernel-based systems” (in winter term) TU Dresden Operating Systems Group 13 Microkernel Construction L4L4 MicrokernelMicrokernel FamilyFamily
Originally developed by Jochen Liedtke (GMD / IBM Research) Current development: – Uni Karlsruhe: Pistachio – UNSW/NICTA/OKLABS: OKL4, SEL4, L4Verified – TU Dresden: Fiasco.OC, Nova Support for hardware architectures: – X86, ARM, ...
Hermann Härtig Benjamin Engel
TU Dresden Operating Systems Group 14 Microkernel Construction MoreMore MicrokernelsMicrokernels (Incomplete(Incomplete list)list)
Commercial kernels – Singularity @ Microsoft Research – K42 @ IBM Research – velOSity/INTEGRITY @ Green Hills Software – Chorus/ChorusOS @ Sun Microsystems – PikeOS @ SYSGO AG – OKL4 Research kernels – EROS/CoyotOS @ John Hopkins University – Minix @ FU Amsterdam – Amoeba @ FU Amsterdam Hermann Härtig – Pebble @ Bell Labs Benjamin Engel – Grasshopper @ University of Sterling – Flux/Fluke @ University of Utah TU Dresden Operating Systems Group 15 Microkernel Construction L4L4 -- ConceptsConcepts
Jochen Liedtke: “A microkernel does no real work” – Kernel provides only inevitable mechanisms – No policies implemented in the kernel Abstractions – Tasks with address spaces – Threads executing programs/code Mechanisms – Resource access control – Scheduling – Communication (IPC)
Hermann Härtig Benjamin Engel
TU Dresden Operating Systems Group 16 Microkernel Construction ThreadsThreads andand TasksTasks
Task A Task B
User User Code Code Thread2
User User User Stack Stack Stack
Kernel Code Thread1 Thread3
Hermann Kernel Kernel Kernel Härtig Benjamin Stack Stack Stack Engel Microkernel TU Dresden Operating Systems Group 17 Microkernel Construction ThreadsThreads
Represent unit of execution – Execute user code (application) – Execute kernel code (system calls, page faults, interrupts, exceptions) Subject to scheduling – Quasi-parallel execution on one CPU – Parallel execution on multiple CPUs – Voluntarily switch to another thread possible – Preemptive scheduling by the kernel according to certain parameters Associated with an address space
Hermann – Executes code in one task at one point in time Härtig Benjamin • Migration allows threads move to another task Engel – Several threads can execute in one task TU Dresden Operating Systems Group 18 Microkernel Construction TasksTasks
Represent domain of protection and isolation Container for code, data and resources Address space: capabilities + memory pages Three management operations: – Map: share page with other address space – Grant: give page to other address space – Unmap: revoke previously mapped page
X X X
grant unmap Hermann map Härtig Benjamin Engel X X X TU Dresden Operating Systems Group 19 Microkernel Construction RecursiveRecursive AddressAddress SpacesSpaces
Application 1 Application 2
Pager 3
Pager 1 Pager 2
Initial Pager Hermann Härtig Benjamin Engel Physical Memory TU Dresden Operating Systems Group 20 Microkernel Construction Messages:Messages: CopyCopy DataData
Direct and indirect data copy UTCB message (special area) Special case: register-only message Pagefaults during user-level memory access possible Task A Task B
receive(msg, …) send(msg,…)
copy data area
data area
Hermann data word 1 data word 1 Härtig msg data word 2 msg data word 2 Benjamin send string receive string Engel
TU Dresden Operating Systems Group 21 Microkernel Construction Message:Message: MapMap ReferencesReferences
Used to transfer memory pages and capabilities Kernel manipulates page tables Used to implement the map/grant operations
Task A Task B
send(msg,…) receive(msg, …)
flexpage map
flexpage
Hermann send flexpage received flexpage Härtig msg msg Benjamin receive window Engel
TU Dresden memory page Operating Systems Group 22 Microkernel Construction CommunicationCommunication andand ResourceResource ControlControl
Need to control who can send data to whom – Security and isolation – Access to resources Approaches – IPC-redirection/introspection – Central vs. Distributed policy and mechanism – ACL-based vs. capability-based
Task A Task B
Thread IPC? Thread
Hermann Härtig Resource Access? Benjamin Engel Hardware TU Dresden Resources Operating Systems Group 23 Microkernel Construction CapabilitiesCapabilities Task A Task B
Capability Handles Capability Handles 3 1 2 1 2 2
Capability Table Capability Table C1 C3 C5C5 C1 C2 C4
Hermann Kernel Kernel Kernel Kernel Kernel Härtig Benjamin Object1 Object2 Object3 Object4 Object5 Engel
TU Dresden Operating Systems Group 24 Microkernel Construction CapabilitiesCapabilities -- DetailsDetails Kernel objects represent resources and communication channels Capability – Reference to kernel object – Associated with access rights – Can be mapped from task to another task Capability table is task-local data structure inside the kernel – Similar to page table – Valid entries contain capabilities Capability handle is index number to reference entry
Hermann into capability table Härtig Benjamin – Similar to file handle (in POSIX) Engel Mapping capabilities establishes a new valid entry into TU Dresden Operating Systems Group the capability table 25 Microkernel Construction PagePage FaultsFaults andand PagersPagers
Page Faults are mapped to IPC – Pager is special thread that receives page faults – Page fault IPC cannot trigger another page fault Kernel receives the flexpage from pager and inserts mapping into page table of application Other faults normally terminate threads
map Application X X Pager
Unnprivileged Mode 1.Page Fault 4.Resume 2.receive 3.send(X) Hermann Härtig Privileged Benjamin Mode Engel L4 Microkernel TU Dresden Operating Systems Group 26 Microkernel Construction DeviceDevice DriversDrivers
Hardware interrupts: mapped to IPC I/O memory & I/O ports: mapped via flexpages
IO-Memory Driver
2.receive(irq-id, …)
L4 Microkernel
map 1. Interrupt
Hermann Härtig IO-Memory Benjamin Engel
TU Dresden Operating Systems Group 27 Microkernel Construction L4L4 ApplicationsApplications -- LL4LinuxLinux
Paravirtualized Linux kernel and native Linux applications run as user-level L4 tasks System calls / page faults are mapped to L4 IPC
L4Linux Linux Linux Server Application Application
L4 Interface
Hermann Unprivileged System Services Härtig Mode Benjamin Engel Privileged Mode L4 Microkernel TU Dresden Operating Systems Group 28 Microkernel Construction LectureLecture OutlineOutline
Introduction Address spaces, threads, thread switching Kernel entry and exit IPC Address space management Capabilities Synchronization Case Studies: Fiasco, Nova, SeL4 Hands-on experience
Hermann Härtig Benjamin Engel
TU Dresden Operating Systems Group 29