Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Genode Architecture

881 views

Published on

The lecture by Norman Feske for Summer Systems School'12.
Genode Architecture

SSS'12 - Education event, organized by ksys labs[1] in 2012, for students interested in system software development and information security.

Genode[2] - The Genode operating-system framework provides a uniform API for applications on top of 8 existing microkernels/hypervisors: Linux, L4ka::Pistachio, L4/Fiasco, OKL4, NOVA, Fiasco.OC, Codezero, and a custom kernel for the MicroBlaze architecture.

1. http://ksyslabs.org/
2. http://genode.org

Published in: Education
  • Be the first to comment

  • Be the first to like this

Genode Architecture

  1. 1. Genode OS Framework Architecture Norman Feske<norman.feske@genode-labs.com>
  2. 2. Outline1. Why do we need another operating system?2. Genode entering the picture3. Architectural principles4. Core - the root of the process tree5. Genesis of a new process6. Simple example setup Genode OS Framework Architecture 2
  3. 3. Outline1. Why do we need another operating system?2. Genode entering the picture3. Architectural principles4. Core - the root of the process tree5. Genesis of a new process6. Simple example setup Genode OS Framework Architecture 3
  4. 4. Myths Genode OS Framework Architecture 4
  5. 5. Problem: ComplexityToday’s commodity OSes Exceedingly complex trusted computing base (TCB)TCB of an application on Linux: Kernel + loaded kernel modules Daemons X Server + window manager Desktop environment All running processes of the user→ User credentials are exposed to millions of lines of code Genode OS Framework Architecture 5
  6. 6. Problem: Complexity (II)Implications: High likelihood for bugs (need for frequent security updates) Huge attack surface for directed attacks Zero-day exploits Genode OS Framework Architecture 6
  7. 7. Problem: Global namesMany examples on traditional systems UIDs, PIDs network interface names port numbers device nodes ...Leak informationName is a potential attack vector (ambient authority) Genode OS Framework Architecture 7
  8. 8. Problem: Resource managementPretension of unlimited resourcesLack of accounting→ Largely indeterministic behavior→ Need for complex heuristics, schedulers Genode OS Framework Architecture 8
  9. 9. Key technologiesMicrokernelsDecomponentization, kernelizationCapability-based securityVirtualization Genode OS Framework Architecture 9
  10. 10. Tricky questionsHow to... ...build a system without global names? ...trade between parties that do not know each other? ...reclaim kidnapped goods from an alien? (without violence) ...deal with distributed access-control policies? ...transparently monitor communication? ...recycle a subsystem without knowing its internal structure? Genode OS Framework Architecture 10
  11. 11. Even more tricky questionsHow to... ...avoid performance hazards through many indirections? ...translate architectural ideas into a real implementation? Genode OS Framework Architecture 11
  12. 12. Outline1. Why do we need another operating system?2. Genode entering the picture3. Architectural principles4. Core - the root of the process tree5. Genesis of a new process6. Simple example setup Genode OS Framework Architecture 12
  13. 13. A bit of history Research timeline at TU Dresden Genode OS Framework Architecture 13
  14. 14. A new generation of kernels on the horizon Genode OS Framework Architecture 14
  15. 15. Unique feature: Cross-kernel portabilityWhen started, no suitable microkernel was available→ Prototyped on Linux and L4/Fiasco→ Later ported to other kernels Genode OS Framework Architecture 15
  16. 16. Today: Rich OS construction kitSupport of a variety of kernelsOKL4, L4/Fiasco, L4ka::Pistachio, NOVA, Fiasco.OC, Linux, CodezeroPreservation of special kernel features OKLinux on OKL4, L4Linux on Fiasco.OC, Vancouver on NOVA, Real-time priorities on L4/FiascoUniform API → kernel-independent componentsMany ready-to-use device drivers, protocol stacks, and3rd-party libraries Genode OS Framework Architecture 16
  17. 17. Outline1. Why do we need another operating system?2. Genode entering the picture3. Architectural principles4. Core - the root of the process tree5. Genesis of a new process6. Simple example setup Genode OS Framework Architecture 17
  18. 18. Object capabilitiesDelegation of rights Each process lives in a virtual environment A process that possesses a right (capability) can Use it (invoke) Delegate it to acquainted processes Genode OS Framework Architecture 18
  19. 19. Recursive system structure Genode OS Framework Architecture 19
  20. 20. Service announcement Genode OS Framework Architecture 20
  21. 21. Session creation Genode OS Framework Architecture 21
  22. 22. Session creation Genode OS Framework Architecture 22
  23. 23. This works recursively → Application-specific TCB Genode OS Framework Architecture 23
  24. 24. Combined with virtualization Genode OS Framework Architecture 24
  25. 25. Resource managementExplicit assignment of physical resources to processes Genode OS Framework Architecture 25
  26. 26. Resource management (II) Resources can be attached to sessions Genode OS Framework Architecture 26
  27. 27. Resource management (III) Intermediation of resource requests Genode OS Framework Architecture 27
  28. 28. Resource management (IV) Virtualization of resources Genode OS Framework Architecture 28
  29. 29. Resource management (V) Server-side heap partitioning Genode OS Framework Architecture 29
  30. 30. Parent interfacevoid exit(exit_value)void announce(service_name, root_capability)session_capability session(service_name, session_args)void upgrade(to_session_capability, quantum)void close(session_capability) Genode OS Framework Architecture 30
  31. 31. Root interfacesession_capability session(session_args)void upgrade(session_capability, upgrade_args)void close(session_capability) Genode OS Framework Architecture 31
  32. 32. Outline1. Why do we need another operating system?2. Genode entering the picture3. Architectural principles4. Core - the root of the process tree5. Genesis of a new process6. Simple example setup Genode OS Framework Architecture 32
  33. 33. Core servicesLOG RAM CAP CPU IO MEM IO PORT IRQ PD ROM RM SIGNAL Debug output amount write(string) Genode OS Framework Architecture 33
  34. 34. Core servicesLOG RAM CAP CPU IO MEM IO PORT IRQ PD ROM RM SIGNAL Physical memory ram_dataspace_capability alloc(size, cached) void free(ram_dataspace_capability) void ref_account(ram_session_capability) void transfer_quota(ram_session_capability, amount) amount quota() amount used() Genode OS Framework Architecture 34
  35. 35. Core servicesLOG RAM CAP CPU IO MEM IO PORT IRQ PD ROM RM SIGNAL Object identities capability alloc(entrypoint_capability) void free(capability) Genode OS Framework Architecture 35
  36. 36. Core servicesLOG RAM CAP CPU IO MEM IO PORT IRQ PD ROM RM SIGNAL Threads thread_capability create_thread(name) void kill_thread(thread_capability) void start(thread_capability, ip, sp) Genode OS Framework Architecture 36
  37. 37. Core servicesLOG RAM CAP CPU IO MEM IO PORT IRQ PD ROM RM SIGNAL Memory-mapped I/O Session arguments base, size, write-combined io_mem_dataspace_capability dataspace() Genode OS Framework Architecture 37
  38. 38. Core servicesLOG RAM CAP CPU IO MEM IO PORT IRQ PD ROM RM SIGNAL Port-based I/O Session arguments base, size value inb(address) value inw(address) value inl(address) void outb(address, value) void outw(address, value) void outl(address, value) Genode OS Framework Architecture 38
  39. 39. Core servicesLOG RAM CAP CPU IO MEM IO PORT IRQ PD ROM RM SIGNAL Device interrupts Session argument irq number void wait_for_irq() Genode OS Framework Architecture 39
  40. 40. Core servicesLOG RAM CAP CPU IO MEM IO PORT IRQ PD ROM RM SIGNAL Protection domain void bind_thread(thread_capability) void assign_parent(parent_capability) Genode OS Framework Architecture 40
  41. 41. Core servicesLOG RAM CAP CPU IO MEM IO PORT IRQ PD ROM RM SIGNAL Access to boot modules Session argument filename rom_dataspace_capability dataspace() Genode OS Framework Architecture 41
  42. 42. Core servicesLOG RAM CAP CPU IO MEM IO PORT IRQ PD ROM RM SIGNAL Address-space management local_addr attach(dataspace_capability, size, offset, use_local_addr, local_addr, executable) void detach(local_addr) void add_client(thread_capability thread) /* managed dataspaces */ dataspace_capability dataspace() void fault_handler(signal_context_capability) state state() Genode OS Framework Architecture 42
  43. 43. Core servicesLOG RAM CAP CPU IO MEM IO PORT IRQ PD ROM RM SIGNAL Asynchronous signal delivery signal_context_capability alloc_context(imprint) void free_context(signal_context_capability) void submit(signal_context_capability, count) signal wait_for_signal() Genode OS Framework Architecture 43
  44. 44. Outline1. Why do we need another operating system?2. Genode entering the picture3. Architectural principles4. Core - the root of the process tree5. Genesis of a new process6. Simple example setup Genode OS Framework Architecture 44
  45. 45. IngredientsProcess environment set up by the parent: RAM session for BSS and heap, ROM session for executable binary, CPU session for main thread, RM session for address-space layout, PD session for protection domain Genode OS Framework Architecture 45
  46. 46. Parent: Obtain executable ELF binaryRom_connection rom("init");Rom_dataspace_capability ds_cap = rom.dataspace();void *elf_addr = env()->rm_session()->attach(ds_cap); Genode OS Framework Architecture 46
  47. 47. Parent: ELF binary decoding1. Create a new region map using the RM service: Rm_connection rm;2. Attach read-only parts of dataspace rm.attach(ds_cap, size, offset, true, addr);3. Create RAM session, assign memory quantum Ram_connection ram; ram.ref_account(env()->ram_session_cap()); env()->ram_session()->transfer_quota(ram, RAM_QUOTA);4. Use RAM dataspaces for writable sections (DATA, BSS) rw_cap = ram.alloc(section_size); void *sec_addr = env()->rm_session()->attach(rw_cap); ... /* write to buffer at sec_addr */ env()->rm_session()->detach(sec_addr); rm.attach(rw_cap, section_size, offset, true, addr); Genode OS Framework Architecture 47
  48. 48. Parent: Creating the first thread1. Create CPU session Cpu_connection cpu;2. Create main thread Thread_capability thread_cap = cpu.create_thread("noname");3. Associate thread with the address space layout of the process rm.add_client(thread_cap); Genode OS Framework Architecture 48
  49. 49. Parent: Creating the protection domain1. Create PD session Pd_connection pd;2. Assign parent capability pd.assign_parent(parent_cap);3. Associate main thread to PD pd.bind_thread(thread_cap);4. Start main thread at instruction pointer and stack pointer cpu.start(thread_cap, ip, sp); Genode OS Framework Architecture 49
  50. 50. Child: Execute startup code1. C++ runtime initialization Exception handling Execute global constructors2. Request process environment (env) capabilities from parent3. Call main() function Genode OS Framework Architecture 50
  51. 51. Outline1. Why do we need another operating system?2. Genode entering the picture3. Architectural principles4. Core - the root of the process tree5. Genesis of a new process6. Simple example setup Genode OS Framework Architecture 51
  52. 52. Default demo scenario Genode OS Framework Architecture 52
  53. 53. Configuration<config> <parent-provides> <service name="ROM"/> <service name="RAM"/> <service name="IRQ"/> <service name="IO_MEM"/> <service name="IO_PORT"/> <service name="CAP"/> <service name="PD"/> <service name="RM"/> <service name="CPU"/> <service name="LOG"/> </parent-provides> <default-route> <any-service> <parent/> <any-child/> </any-service> </default-route> <start name="pci_drv"> <resource name="RAM" quantum="1M"/> <provides><service name="PCI"/></provides> </start> <start name="vesa_drv"> <resource name="RAM" quantum="1M"/> <provides><service name="Framebuffer"/></provides> </start> <start name="ps2_drv"> <resource name="RAM" quantum="1M"/> <provides><service name="Input"/></provides> </start> <start name="timer"> <resource name="RAM" quantum="1M"/> <provides><service name="Timer"/></provides> </start> <start name="nitpicker"> <resource name="RAM" quantum="1M"/> <provides><service name="Nitpicker"/></provides> </start> <start name="launchpad"> <resource name="RAM" quantum="32M"/> </start></config> Genode OS Framework Architecture 53
  54. 54. Screenshot Genode OS Framework Architecture 54
  55. 55. Sessions Genode OS Framework Architecture 55
  56. 56. Virtualized framebuffer Genode OS Framework Architecture 56
  57. 57. Sessions including virtualized framebuffer Genode OS Framework Architecture 57
  58. 58. Thank youWhat we covered today Coming up next...Architecture Programming environment 1. Why do we need another 1. Source tree overview operating system? 2. Build system 2. Genode entering the picture 3. Run scripts 3. Architectural principles 4. Inter-process communication 4. Genesis of a new process 5. Client-server example 5. Simple example setup More information and resources: http://genode.org Genode OS Framework Architecture 58

×