
Virtual Processors as Kernel Interface

Adam Lackorzynski, Alexander Warg
Technische Universität Dresden
Department of Computer Science
Operating Systems Group
{adam, warg}@os.inf.tu-dresden.de

Michael Peter
Technische Universität Berlin
Deutsche Telekom Laboratories
Security in Telecommunications
[email protected]

Abstract

After virtualization has gained traction in a variety of fields ranging from the desktop computer to datacenter servers, it is likely to make inroads into embedded systems as well. The complexity of a VM implementation depends on the virtualization abilities of the processor used. Unfortunately, the instruction set architecture of many popular embedded CPUs is not virtualizable, which precludes efficient pure or faithful virtualization. In this paper, we make the case for operating system (OS) rehosting, a flavor of virtualization that lends itself to implementations of low complexity and does not rely on CPU virtualization extensions. The feasibility of OS rehosting crucially depends on the traits of the interface of the underlying kernel. Our observation was that the ubiquitously used thread model is rather poorly suited to run an OS on top. As a solution, we propose the currently often employed threads be supplemented with virtual processors (vCPUs), an abstraction that is more aligned with the underlying hardware. To evaluate our proposition, we ported the Linux kernel to a vCPU enhanced version of the Fiasco microkernel. Compared to a previous thread-based version, the vCPU version required much less development effort. The performance gains range from slight to well-pronounced depending on the workload.

1 Introduction

The market for embedded devices has undergone a fundamental transition in the recent past. Closed special purpose devices with a fairly limited resource budget have turned into general purpose gadgets that often exhibit performance characteristics of desktop machines of a couple of years ago. Such rapid strides in capabilities led to calls for new features, foremost the ability to customize devices by installing software according to personal preferences. However, the record of operating systems in the last years does not instill confidence when it comes to security. What is a nuisance on desktop systems becomes an unacceptable risk for some embedded systems. For example, no network operator can tolerate smartphones that came under illegitimate control after a downloaded application subverted the handset and turned it into a jammer.

The situation is complicated by the presence of multiple parties who want their interests safeguarded. The owner wants his assets such as access codes protected. The network operator is concerned about stable network operations. Content providers insist on the enforcement of the consumption rules for their content. Unfortunately, current systems have inherent design and implementation flaws that prevent them from isolating multiple stakeholders on one machine reliably. The underlying reason is the lack of mechanisms to grant authority selectively following the principle of least authority. There are too many parts of the system that run with privileges sufficient to take over the whole system if subverted.

Microkernels have shown that they can contribute to making the trustworthiness problem more tractable. Their contribution is twofold: first, they allow for the construction of systems with very small trusted computing bases (TCB). That is achieved by minimizing the amount of code running in the most privileged execution mode, where it is, by definition, part of the trusted computing base of any application regardless of whether the code is actually needed by an application. In contrast, functionality resident in user-level tasks can only affect other applications if it was explicitly granted sufficient authority.

Second, not subject to backward compatibility requirements, microkernels can break new grounds regarding security features. A huge step forward was the adoption of capability-based security schemes [19][12]. Facilitating the principle of least authority, capabilities are regarded as superior to access-control lists based systems [16].

Their individual shortcomings notwithstanding, operating systems are valuable components that no non-trivial system can dispense with. Economic pressure mandates the deployment of existing systems as no single organisation can hope for developing a reasonable OS in an acceptable time frame. Virtualization allows leveraging their strengths while still enforcing isolation, thereby limiting the potentially affected scope in case of a failure or subversion.

Commodity processors in desktop and server systems feature to a large extent virtualization extensions, which are missing from most embedded processors. Yet, previous work [9] has shown that small kernels can encapsulate operating systems on commodity processors that do not efficiently support virtualization.

For reasons that are partly historical, microkernel designs paid more attention to raw message passing performance than to the ease of OS rehosting. In this paper, we propose to augment the kernel interface with virtual CPUs, an execution abstraction that bears a close resemblance to physical CPUs. This addition to the kernel interface has the potential to reduce the porting effort while increasing the confidence in the correctness of the changes to the guest operating system.

1.1 Outline

We will proceed with a discussion of what the choices are regarding the implementation of the CPU part of virtual machines (Section 2) before we detail the design of virtual CPUs in Section 3. To prove the feasibility of the proposition, we report on our implementation (Section 5) and describe how the Linux kernel can be ported onto it (Section 6). Our conclusion (Section 9) is preceded by measurements (Section 7) that give an impression of the performance characteristics and related work (Section 8).

2 Virtualization

The term virtualization itself is used in two different contexts, which occasionally gives rise to confusion. In a wider sense, virtualization is a technology whereby operating systems run on a machine without exercising absolute control over it. In that meaning it is left open whether the guest OS is modified and, if so, how intrusive that modification is. Apart from (faithful or pure) virtualization, paravirtualization and OS rehosting are possible.

In a stricter sense, virtualization denotes a method whereby software is provided with an environment that is a genuine replica of a physical machine. If used in that context, it contrasts with paravirtualization and OS rehosting as the two latter provide environments that only resemble a physical machine. Accordingly, virtualization is, in principle, compatible with all operating systems whereas paravirtualization and OS rehosting require more or less intrusive changes. Figure 1 illustrates the different virtualization approaches, which we will describe in more detail in the following sections.

[Figure 1: four panels, a) No virtualization, b) Full Virtualization, c) Paravirtualization, d) OS Rehosting; each shows OS boxes above a Hypervisor/VMM and Hardware layer. Legend: OS API, HW Interface, HW Interface with problematic instructions replaced with Hypervisor calls.]

FIGURE 1: Overview over different virtualization approaches. Virtualization duplicates the machine interface with high fidelity, whereas paravirtualization replaces problematic instructions with calls to the underlying kernel. OS rehosting goes further and provides a fairly abstracted kernel interface with many implementation specifics left out.

2.1 Faithful Virtualization

Faithful virtualization – sometimes also referred to as pure or full virtualization – provides an environment that is a genuine copy of a physical machine. That allows for an existing operating system to be deployed without any modifications.

However, despite its merits, virtualization did not catch on in the commodity market because commodity processors did not have adequate support for virtualization. For an instruction set architecture (ISA) to be virtualizable, it has to meet the Popek-Goldberg criterion [17]. Briefly, it mandates that each sensitive instruction is also privileged. A sensitive instruction is one that either reveals (privileged) execution state or affects the execution¹. Many popular ISAs, though, are not virtualizable, with x86 [18] and ARM [6] the most prominent examples.

Although it is possible to implement faithful virtualization on CPUs with non-virtualizable ISAs, doing so efficiently involves complex technologies such as binary translation [3][1]. As such, this approach is of little appeal to security-concerned systems because their trustworthiness is negatively affected by complexity.

2.3 OS Rehosting

Paravirtualization pays for the non-intrusive guest changes with the introduction of complexity into the kernel, which has to cover all quirks of a given ISA. That contrasts with OS rehosting, which aims to capture only those features that are necessary to host an operating system. The intention behind that change is to simplify the implementation of the kernel by deliberately dropping unused features that are of no importance for modern operating systems.

The simplification of the kernel comes at the cost of more intrusive changes required for the guest OS. Depending on the used system, it is likely possible that the features provided by the kernel such as threads or address
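The Popek-Goldberg criterion from Section 2.1 in a toy trap-and-emulate model (an added example, not code from the paper): two constructed ISAs differ only in whether the state-revealing instruction read_ctrl traps in user mode, and the model shows that the guest's view stays faithful only when it does. The instruction names, the single control register and the comparison with SMSW on IA-32 are assumptions made for this illustration.

```python
from collections import namedtuple
from dataclasses import dataclass

Insn = namedtuple("Insn", "name sensitive privileged")  # see ISA comment below

@dataclass
class Cpu:
    mode: str = "kernel"  # "kernel" or "user"
    ctrl: int = 0         # one privileged control register (toy)

# Constructed ISAs. sensitive = touches privileged state, privileged = traps in
# user mode. In ISA_BAD, read_ctrl is sensitive but not privileged, the x86/ARM
# situation the paper describes (cf. SMSW on IA-32; that comparison is an assumption).
ISA_OK = {
    "set_ctrl": Insn("set_ctrl", sensitive=True, privileged=True),
    "read_ctrl": Insn("read_ctrl", sensitive=True, privileged=True),
    "add": Insn("add", sensitive=False, privileged=False),
}
ISA_BAD = dict(ISA_OK, read_ctrl=Insn("read_ctrl", sensitive=True, privileged=False))
PROGRAM = ["set_ctrl", "add", "read_ctrl"]  # guest kernel code: write, then read back

def violations(isa):
    """Popek-Goldberg: every sensitive instruction must also be privileged."""
    return sorted(i.name for i in isa.values() if i.sensitive and not i.privileged)

def run_native(insn, cpu):
    """Bare-hardware semantics; a privileged instruction traps in user mode."""
    if insn.privileged and cpu.mode == "user":
        raise PermissionError(insn.name)  # stands in for the hardware trap
    if insn.name == "set_ctrl":
        cpu.ctrl = 1
    elif insn.name == "read_ctrl":
        return cpu.ctrl
    return None  # "add" touches no privileged state

def run_bare(program, isa):
    cpu = Cpu(mode="kernel")  # the guest owns the machine
    return [run_native(isa[n], cpu) for n in program]

def run_under_vmm(program, isa):
    """Guest runs deprivileged on the host; trapping instructions are emulated on a vCPU."""
    host, vcpu = Cpu(mode="user"), Cpu(mode="kernel")
    observed = []
    for name in program:
        try:
            observed.append(run_native(isa[name], host))  # direct execution
        except PermissionError:
            observed.append(run_native(isa[name], vcpu))  # trap-and-emulate
    return observed

def is_faithful(program, isa):
    """True iff trap-and-emulate gives the guest exactly the bare-hardware view."""
    return run_under_vmm(program, isa) == run_bare(program, isa)
```

With ISA_BAD the guest's read_ctrl executes directly on the host and returns the host's register instead of the emulated one, which is exactly the gap that binary translation, paravirtualization or OS rehosting has to close.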