More Related Content
Similar to ARM Architecture-based System Virtualization: Xen ARM open source software project
Similar to ARM Architecture-based System Virtualization: Xen ARM open source software project (20)
More from The Linux Foundation
More from The Linux Foundation (20)
ARM Architecture-based System Virtualization: Xen ARM open source software project
- 1. ARM Architecture-based System Virtualization:
Xen ARM open source software project
Sang-bum Suh Vice President, Jae-min Ryu Research Staff
{sbuk.suh, jm77.ryu}@samsung.com
S/W Platform Team
DMC Research Center
SAMSUNG Electronics Co.
2011.08.
Xen Summit North America 2011
© 2011 SAMSUNG Electronics Co.
- 2. Agenda
Overview
- History of Xen ARM
- Use Cases
Xen ARM: Core
- Xen ARM Virtualization
- Performance Comparison
Xen ARM Application: Security
- Mobile Malware
- Access Control
Xen ARM Application: Real-time
- Xen ARM: Preemption
- Real-time Performance
© 2011 SAMSUNG Electronics Co.
- 3. Overview
© 2011 SAMSUNG Electronics Co.
- 4. History of Xen ARM
‘04 ‘08 ‘09 ‘10
Xen ARM 1st Xen ARM 2nd Xen ARM 3rd Xen ARM 4th
x86 Xen Hypervisor
Release: Release: Release: Release:
Release
ARM9 Xen Paravirtualized ARM11MPCore Performance
(Cambridge university)
Hypervisor, Linux kernel Support Optimization
Mini-OS (v2.6.24), Xen tool (Samsung) (Samsung)
(Samsung) (Samsung)
Xen-ARM Open Source Community
Samsung leads the Xen ARM project
http://wiki.xensource.com/xenwiki/XenARM
Supported Hardware & Guest OS
ARM926EJ-S (i.MX21, OMAP5912) Linux v2.6.11, v2.6.18, v2.6.21, v2.6.24, v2.6.27
Xscale 3rd Generation Architecture (multicore supported)
uC/OS-II
(PXA310, Samsung SGH- i780)
ARM1136/ARM1176(Core Only)
Goldfish (QEMU Emulator)
Versatile Platform Board
ARM11MPCore (Realview PB11MP)
Cortex-A9 (Tegra250)
© 2011 SAMSUNG Electronics Co.
SW Platform Team. 3 / 22
- 5. Use Cases
1 – HW Consolidation: AP(Application Processor) and BP(Baseband Processor) can share
multicore ARM CPU SoC in order to run both Linux and Real-time OS efficiently.
2 – OS Isolation: important call services can be effectively separated from downloaded third
party applications by Xen ARM combined with access control.
3 – Rich User Experience: multiple OS domains can run concurrently on a single smartphone.
1 2 3
를
Android
Nucleus
Secure
Kernel
Linux
GPOS RTOS
Virtualization SW (Realtime Hypervisor)
V -Core V -Core V -Core V -Core V -Core V-Core V-Core V -Core
Core Core Core Core
Linux 1 Linux 2
Memory
Multi-Core Peri Important Hypervisor Hypervisor
services H/W
Hardware
AP SoC +BP SoC -> Consolidated Multicore SoC Secure Smartphone Rich Applications from Multiple OS
© 2011 SAMSUNG Electronics Co.
SW Platform Team. 4 / 22
- 7. Xen ARM Virtualization
Goals
Light weight virtualization for secure 3G/4G mobile devices
High performance hypervisor based on ARM processor
Fine-grained access control fitted to mobile devices
Architecture of Xen-ARM
VM 0 VM 1
Application
Application Application
Application
Guest Backend Drivers Frontend Drivers
Domain
Native Drivers
VM Interface VM Interface
Secure Domain Resource Access
Xen-ARM Manager Allocator Control
hypervisor
Hardware Peripheral System Flash
CPU
Devices Memory Memory
© 2011 SAMSUNG Electronics Co.
SW Platform Team. 6 / 22
- 8. Xen ARM Virtualization
Overview
Logical
mode
split
CPU virtualization
Virtualization requires 3 privilege CPU level, but ARM supports 2 level Xen-ARM mode
Xen-ARM mode: supervisor mode ( most privileged level) virtual kernel mode
virtual user mode
Virtual kernel mode: User mode ( least privileged level)
Virtual user mode: User mode ( least privileged level)
VM 0 VM 1 VM 2 VM 2 Xen-ARM
Memory virtualization Address
Spaces
Address
Spaces
Address
Spaces VM 1
Kernel
VM’s own memory should be VM 0
User Process
User Process
User Process
User Process
Xen-ARM
protected from others
MMU
Xen-ARM switches VM’s virtual address space Xen-ARM
Physical Virtual
Address Space Address Space
using MMU
VM is not allowed to manipulate MMU directly
VM0 (Linux) VM1 (Linux )
Application
Application Application
Application
Application Application
I/O virtualization
Front-end
Split driver model of Xen-ARM Native
driver
Back-end
driver
driver
Client & Server architecture for shared I/O devices
I/O event
Client: frontend driver Interrupt
Xen-ARM
Server: native/backend driver Device
© 2011 SAMSUNG Electronics Co.
SW Platform Team. 7 / 22
- 9. Performance Comparison
Micro-benchmark Results
LMBENCH Micro Benchmark ( Bandwidth )
Evaluation Environments : Samsung
Blackjack Phone
CPU : Xscale PXA310, 624MHz
Higher is better
L1 Cache : 32KB + 32KB
L2 Cache : 256KB (Disabled)
Memory : 128MB
Guest OS: Linux-2.6.21
LMBENCH Micro Benchmark ( latency )
Lower is better
© 2011 SAMSUNG Electronics Co.
SW Platform Team. 8 / 22
- 10. Performance Comparison
Micro-benchmark Results
Evaluation Environments : nVidia Tegra250
CPU : Cortex-A9 1GHz Dual Core
L1 Cache : 32KB + 32KB Lower is better
L2 Cache : 1MB 1600
Memory : 1GB
1400 Native Linux Para-virtualized Linux
Guest OS: Linux-2.6.29
1200
(Latency) usec
1000
800
600
400
200
0
LMBENCH Micro Benchmark ( latency )
© 2011 SAMSUNG Electronics Co.
SW Platform Team. 9 / 22
- 11. Performance Comparison
Benchmark Results
LMBENCH Micro Benchmark ( latency )
9
Evaluation Environments : Samsung Higher is better Xen/ARM L4
8
Relative Performance
Blackjack Phone
7
CPU : Xscale PXA310, 624MHz
L1 Cache : 32KB + 32KB 6
L2 Cache : 256KB (Disabled) 5
Memory : 128MB 4
Guest OS: Linux-2.6.21 3
2
1
0
AIM7 Macro Benchmark S : size(byte)
P : # of processes
Normalized Performance
1
0.8
0.6 Native Linux
Xen/ARM
0.4
L4
0.2
0
1 2 3
Number of Tasks
© 2011 SAMSUNG Electronics Co.
SW Platform Team. 10 / 22
- 13. Mobile Malware
[Source: F-Secure]
Number of mobile malware 600
- More than 420 mobile phone 400 421
viruses (2008) 345
400
- Tens of thousands of infections
worldwide 146
200
27
0
2004 2005 2006 2007 2008
[Source: McAfee]
Concerns about mobile phone 100%
16.1 18.4
6.9 13.9
security – by market 80%
60%
93.1 86.1
83.9 81.6
40%
Feel safe
20%
Concerned
0%
UK US Japan Total
© 2011 SAMSUNG Electronics Co.
SW Platform Team. 12 / 22
- 14. Access Control
Definition: Access control is a system which enables an authority to control area and resources in a given
physical facility or computer-based information system [source: Wikipedia]
Technical Issues
Problem with performance isolation
Availability threat: denial of service (DoS) attack from a compromised domain in a mobile device
- CPU overuse: a greater share of CPU time than initial allocation
- Performance degradation: The Performance of other domains that share the same I/O device
with the compromised domain
- Battery drain
Isolated Driver Domain1 DomainN
Domain (IDD)
Malware
Excessive I/O
…
Requests
Back-end Front-end Front-end
Device drivers Device drivers Device drivers
Native
Device drivers
Secure Xen
Devices Hardware
© 2011 SAMSUNG Electronics Co.
SW Platform Team. 13 / 22
- 15. Access Control
Approach
Technical Issues
Fine-grained I/O access control module in the IDD and coarse-grained access control module in Xen
Estimation of CPU consumption by each virtual I/O operation using regression analysis
- Network and storage devices
I/O access control enforcement based on the policy and regression equations
Target HW spec: XScale 624MHz, 128MB DRAM
Domain0 (IDD) Kernel Domain1 Kernel Regression Analysis: Network
(4). Asking for decision
Access Control fNET, Tx(x) = 370.18 + 0.01 * x
Hook Backend Frontend
Enforcer
driver driver
(I/O Scheduler)
(3). Connecting to backend driver Regression Analysis: Storage
(5). Virtual I/O CPU Usage fMTD,READ(x) = 250 + 0.24 * x
(1). Loading policy I/O Resource fMTD,READOOB(x) = 533 + 0.06 * x
Accounting fMTD,WRITE(x) = 160 + 0.24 * x
fMTD,WRITEOOB(x) = 583
(2). Loading equations fMTD,ERASE(x) = 153.33 + 0.02 * x
fMTD,ISBADBLOCK(x) = 58
Secure Xen on ARM fMTD,MARKBAD(x) = 60
Secure Storage x: bytes, f(x): usec
© 2011 SAMSUNG Electronics Co.
SW Platform Team. 14 / 22
- 16. Access Control
Effectiveness
Technical Issues
CPU Utilization: Network
Test Environment Domain0 (IDD) Domain1
iperf
(client) Policy
net_atk CPU 100
bonnie
Manager
mtd_atk
Usage
(%)
iperf
(server)
Linux
80
Linux kernel v2.6.21
Kernel
TcN0
minicom
I/O ACM v2.6.21
Linux
60
kernel Secure Xen on ARM TcN1
40 TcN2
Serial Cable Measurement
Cable 20 TcN3
WT3000 power meter
SGH-i780
Power Meter 0
Linux PC
SGH-i780
3 6 9 12 15 18 21 24 27 30
net_atk: UDP packet flooding (sending out UDP packets with the Time
size of 44,160 bytes every 1msec) (Sec)
mtd_atk: excessive NAND READ operations (scanning every
directory in the filesystem and reading file contents) CPU Utilization: Storage
CPU 100
Usage
Test Cases (%) 80
Network I/O Test Storage I/O Test
Cases Cases TcS0
60
No Attack TcN0 TcS0
TcS1
Under Attack 40
(No I/O ACM)
TcN1 TcS1 TcS2
Under Attack 20 TcS3
TcN2 TcS2
(20% I/O ACM Policy)
Under Attack
TcN3 TcS3 0
(10% I/O ACM Policy)
3 6 9 12 15 18 21 24 27 30
Time
(Sec)
© 2011 SAMSUNG Electronics Co.
SW Platform Team. 15 / 22
- 17. Access Control
Effectiveness
Throughput: Network
No attack
800
700
Throughput (KB/Sec)
600 Throughput increase and power consumption
500 UDP
decrease even under malware attack
Under
400
attack TCP
300
200
100
0
TcN0 TcN1 TcN2 TcN3 Power Consumption
Test Cases No attack Under attack
Throughput: Storage 3
No attack
4500 2.5
Throughput (KB/Sec)
4000
2
3500
Under
3000
attack 1.5 Network
2500 Seq.out
Storage
2000 Seq.in
1
1500 Rand.seek
1000 0.5
500
Test Cases
0 0
TcS0 TcS1 TcS2 TcS3 TcN0/TcS0 TcN1/TcS1 TcN2/TcS2 TcN3/TcS3
16 Test Cases Test Cases 2011 SAMSUNG Electronics Co.
©
SW Platform Team. 16 / 22
- 19. Xen ARM: Pre-emption
Status of real-time support
Technical Issues
The jitter of timer interrupt latency by the hypervisor is bounded within 10% compared with native real-time OS.
Technical Issue
DI and NP sections should be minimized.
Latency caused by interrupt-disabled(DI) section Latency caused by non-preemptible(NP) section
EN DI EN P NP P
Time Time
interrupt VM interrupt interrupt VM
handler switch handler handler switch
Delay Urgent Interrupt Delay
Urgent Interrupt
Wake up next VM
Hypervisor should support RT Domain via priority-based scheduling, VMM pre-emption and so on.
Delay
Non RT Non RT Non RT Voluntary
Guest RT RT Non RT
Domain Interrupt Domain Domain
Domain Interrupt domain CPU domain
Domain (Running) occurs (Running) (Running)
occurs release
time
Xen-ARM Interrupt Timer Interrupt
Send IRQ to Real-time Domain
(As Non RT Domain has credits, Scheduling Scheduling
Scheduling
RT Domain is not scheduled.
Furthermore Xen cannot tell difference
between Non RT Domain and RT Domain.) Preemption
© 2011 SAMSUNG Electronics Co.
SW Platform Team. 18 / 22
- 20. Real-time Performance
• Evaluation Environment Cyclictest benchmark repeats
Category Description 1. RT task sleeps for 10ms
2. Timer interrupt will occur after 10ms
H/W CPU Cortex-A9 / 1GHz / Dual Core 3. Timer interrupt wakes up the RT
(Tegra250)
RAM 1GB
domain(uC/OS-II)
4. uC/OS-II preempts Xen-ARM
S/W Hypervisor Xen-ARM 5. RT task is scheduled
6. RT task logs timestamp
Guest OS Linux-2.6.29
(DOM0) (Running Busy Loop Task)
Guest OS uC/OS-II
(DOM1) (Running RT Task : Cyclictest benchmark)
Native(uC/OS-II)
Min Avg Max
9995 9996.810169 10000
Xen-ARM(uC/OS-II)
Min Avg Max
Response Overhead(3us)
9996 9999.327119 10001
Unit : usec
© 2011 SAMSUNG Electronics Co.
SW Platform Team. 19 / 22
- 21. Q&A
© 2011 SAMSUNG Electronics Co.