prpl Hypervisor Overview
Michael Hohmuth, Kernkonzept
MICROKERNEL MADE IN GERMANY


About Kernkonzept

  • Develops and supports the L4Re system
    ● L4Re Microkernel / Microhypervisor (AKA L4/Fiasco.OC)
    ● L4Re Runtime Environment
    ● L4Linux
    ● L4Android
  • Based in Dresden, Germany

Outline

  • Virtualization
  • Virtual Machine – Hypervisor – Virtual Machine Monitor
  • Paravirtualization
  • Microkernel – Microhypervisor
  • Tradeoffs
  • Security – Trust – Certification

Virtualization

  • Create a virtual resource
  • Protect / multiplex the actual resource
    ● Virtual memory
    ● Virtual I/O
    ● Virtual machine (VM): virtual computer (sometimes: abstract machine, e.g. Java VM)
  • … while keeping the programming model intact
    ● “As if using the actual resource”

Virtual Machine

  • Virtual environment for running systems meant for actual machines
  • Implemented using system software on the actual system, the “host”:
  • Hypervisor
    ● Implements “world switch”
    ● Virtual CPU: Rich execution model (privileged and user modes)
    ● Benefits from hardware acceleration: AMD-V, VT-x, VZ
  • Virtual Machine Monitor
    ● Virtualizes/emulates platform/devices

Type 1 hypervisors

  • Self-hosted (“bare metal”) hypervisor
  • Sometimes, VMM runs in a VM
  • Example systems:
    ● Hyper-V
    ● Xen
    ● VMware ESX
    ● L4Re Microkernel

[Diagram: guests (file system, driver, net) on virtual CPU, virtual memory and virtual devices (one with a pass-through driver), plus a VMM, all running on the hypervisor; hardware below: Device, CPU 0, CPU 1, Phys. Memory]

Type 2 hypervisors

  • Hosted on conventional host OS
  • VMM runs in a host application
  • Example systems:
    ● Linux KVM
    ● VMware Workstation
    ● VirtualBox

[Diagram: guests (file system, driver, net) on virtual devices, virtual CPU and virtual memory, with a VMM, running on the host OS kernel (driver, filesys, net); hardware below: Device, CPU 0, CPU 1, Phys. Memory]

Paravirtualization

  • Relaxes requirement to keep programming model intact
  • Software API instead of faithful hardware emulation
    ● Simpler
    ● Faster
    ● No need for hardware acceleration
  • For entire guest system
    ● No need to emulate privileged CPU modes
  • Or just for devices
    ● Virtual network, block devices, clocks, …
  • Downside: Need to change guest OSes

Microkernel

  • Run OS components as untrusted user-mode applications
  • Reduces trusted computing base for trusted apps
  • Blends well with paravirtualization
  • Example systems:
    ● L4Re microkernel
    ● PikeOS
    ● seL4 microkernel

[Diagram: secure app, real-time app, native app, a paravirtualized system (apps on a Linux server), a guest (file system, driver, net) on virtual devices, virtual CPU and virtual memory, and driver, filesys and net components, all running on the microkernel; hardware below: Device, CPU 0, CPU 1, Phys. Memory]

Microhypervisor

  • Run VMM as untrusted user-mode applications
  • Can even have one VMM per guest
  • Example systems:
    ● L4Re Microkernel
    ● Nova microhypervisor

[Diagram: secure app, real-time app, VMMs, guests (file system, driver, net) on virtual devices, virtual CPU and virtual memory, and driver, filesys and net components, all running on the microhypervisor; hardware below: Device, CPU 0, CPU 1, Phys. Memory]

Security – Trust – Certification

  • Complexity defeats security
  • Fight complexity:
    ● Remove untrusted systems from the TCB (VMs)
    ● Minimize your application's TCB
      - Remove dependencies to unneeded components
      - Isolate noncritical functions into secure compartments
  • Minimal TCBs are amenable to certification / verification

Thank you!

www.kernkonzept.com
