SlideShare a Scribd company logo

From L3 to seL4: What Have We Learnt in 20 Years of L4 Microkernels

M
microkerneldude

The document summarizes learnings from 20 years of L4 microkernel development. It discusses how early L4 designs focused on performance through techniques like lazy scheduling and direct process switching, but modern kernels emphasize principles like minimality and formal verification. Minimality has driven designs to become simpler over time, with policies separated from mechanisms and drivers moved to user-space. While IPC speed remains important, verification shows it need not compromise performance. Capabilities have also proven effective for access control compared to early process hierarchies. Overall, microkernels remain valuable if guided by core principles demonstrated over L4's evolution.

Software
1 of 26
Download to read offline
From L3 to seL4: What Have We Learnt in 20 Years of L4 Microkernels? Kevin Elphinstone & @GernotHeiser NICTA and UNSW Australia SOSP'13
Copyright Notice These slides are distributed under the Creative Commons Attribution 3.0 License • You are free: – to share—to copy, distribute and transmit the work – to remix—to adapt the work • under the following conditions: – Attribution: You must attribute the work (but not in any way that suggests that the author endorses you or your use of the work) as follows: • “Courtesy of Gernot Heiser, [Institution]”, where [Institution] is one of “UNSW” or “NICTA” The complete license text can be found at http://creativecommons.org/licenses/by/3.0/legalcode ©2013 Gernot Heiser, NICTA 2 COMP9242 S2/2014 W01
1993 ©2013 Gernot Heiser, NICTA 3 SOSP'13 Improving IPC by Kernel Design [SOSP]
400 300 200 100 0 Mach 0 2000 4000 6000 ©2013 Gernot Heiser, NICTA 4 Message Length [B] [μs] L4 1993 IPC Performance SOSP'13 115 μs 5 μs i486 @ 50 MHz Culprit: Cache footprint [SOSP’95] raw copy
IPC Performance over 20 Years Name Year Processor MHz Cycles μs Original 1993 i486 50 250 5.00 Original 1997 Pentium 160 121 0.75 L4/MIPS 1997 R4700 100 86 0.86 L4/Alpha 1997 21064 433 45 0.10 Hazelnut 2002 Pentium 4 1,400 2,000 1.38 Pistachio 2005 Itanium 1,500 36 0.02 OKL4 2007 XScale 255 400 151 0.64 NOVA 2010 i7 Bloomfield (32-bit) 2,660 288 0.11 seL4 2013 i7 Haswell (32-bit) 3,400 301 0.09 seL4 2013 ARM11 532 188 0.35 seL4 2013 Cortex A9 1,000 316 0.32 ©2013 Gernot Heiser, NICTA 5 SOSP'13
Core Microkernel Principle: Minimality A concept is tolerated inside the microkernel only if moving it outside the kernel, i.e. permitting competing implementations, would prevent the implementation of the system’s required functionality. [SOSP’95] ©2013 Gernot Heiser, NICTA 6 SOSP'13
Minimality: Source Code Size Name Architecture C/C++ asm total kSLOC Original i486 0 6.4 6.4 L4/Alpha Alpha 0 14.2 14.2 L4/MIPS MIPS64 6.0 4.5 10.5 Hazelnut x86 10.0 0.8 10.8 Pistachio x86 22.4 1.4 23.0 L4-embedded ARMv5 7.6 1.4 9.0 OKL4 3.0 ARMv6 15.0 0.0 15.0 Fiasco.OC x86 36.2 1.1 37.6 seL4 ARMv6 9.7 0.5 10.2 ©2013 Gernot Heiser, NICTA 7 SOSP'13
L4 Family Tree L4/MIPS L4/Alpha L3 → L4 “X” Hazelnut Pistachio OKL4 Microvisor Fiasco Fiasco.OC UNSW/NICTA 93 94 95 96 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13 ©2013 Gernot Heiser, NICTA 8 seL4 OKL4 μKernel Codezero P4 → PikeOS L4-embed. GMD/IBM/Karlsruhe NOVA Dresden Commercial Clone OK Labs SOSP'13 API Inheritance Code Inheritance
L4 Deployments – in the Billions ©2013 Gernot Heiser, NICTA 9 SOSP'13 SiMKo 3 “Merkelphone”
seL4: Unprecedented Dependability Proof Proof Proof Non-interference [S&P’13] ©2013 Gernot Heiser, NICTA 10 SOSP'13 Integrity Abstract Model C Imple-mentation Confiden-tiality Availability Binary code Functional correctness [SOSP’09] Integrity [ITP’11] Translation correctness [PLDI’13] • First & only OS kernel with security proofs to binary code • First & only protected-mode OS kernel with sound timeliness analysis Timeliness [RTSS’11, EuroSys’12]
L4 Design and Implementation Implement. Tricks [SOSP’93] • Process kernel • Virtual TCB array • Lazy scheduling • Direct process switch • Non-preemptible • Non-portable • Non-standard calling convention • Assembler ©2013 Gernot Heiser, NICTA 11 Design Decisions [SOSP’95] • Synchronous IPC • Rich message structure, arbitrary out-of-line messages • Zero-copy register messages • User-mode page-fault handlers • Threads as IPC destinations • IPC timeouts • Hierarchical IPC control • User-mode device drivers • Process hierarchy • Recursive address-space construction SOSP'13 Objective: Minimise cache footprint and TLB misses
DESIGN ©2013 Gernot Heiser, NICTA 12 SOSP'13
L4 Synchronous IPC ©2013 Gernot Heiser, NICTA 13 SOSP'13 Thread1 Running Blocked Thread2 Blocked Running Send (dest, msg) Wait (src, msg) ….... Kernel copy Rendezvous model Kernel executes in sender’s context • copies memory data directly to receiver (single-copy) • leaves message registers unchanged during context switch (zero copy)
“Long” IPC Sender address space Kernel copy Receiver address space LONG IPC ABANDONED • IPC page faults are nested exceptions ⇒ In-kernel concurrency – L4 executes with interrupts disabled for performance, no concurrency • Must invoke untrusted usermode page-fault handlers – potential for DOSing other thread • Timeouts to avoid DOS attacks – complexity ©2013 Gernot Heiser, NICTA 14 Page fault! Why have long IPC? • POSIX-style APIs write (fd, buf, nbytes) • Usually prefer shared buffers SOSP'13
Timeouts IPC Timeouts ABANDONED in seL4, OKL4 ©2013 Gernot Heiser, NICTA 15 SOSP'13 Thread1 Running Blocked Thread2 Blocked Running Send (dest, msg) ….... Wait (src, msg) Kernel copy Limit IPC blocking time Thread1 Running Blocked Rcv(NIL_THRD, delay) ….... Timed wait • No theory/heuristics for determining timeouts • Typically server reply with zero TO, else ∞ • Can do timed wait with timer syscall
Synchronous IPC Issues ©2013 Gernot Heiser, NICTA 16 SOSP'13 Thread1 Running Blocked Initiate_IO(…,…) IO_Wait(…,…) Not generally possible Worker_Th Running Blocked IO_Th Blocked Running Unblock (IO_Th) ….... Call (IO,msg) Sync(Worker_Th) Sync(IO_Th) ….... • Sync IPC forces multi-threaded code! • Also poor choice for multi-core
Asynchronous Notifications ©2013 Gernot Heiser, NICTA 17 SOSP'13 ….... Thread1 Running Blocked Thread2 Blocked Running w = Poll (…) …... w = Wait (…) Send (Thr _ 2 , …) ….... Send (Thr_2, …) • Delivers few bits (destructively) • Kernel only buffers single word • Maps well to interrupts, exceptions Server Client Driver Sync Async • Thread can wait for synchronous and asynchronous messages concurrently Sync IPC complemented with async
IPC Destination Naming Client Server Thread IDs replaced by IPC “endpoints” (ports) ©2013 Gernot Heiser, NICTA 18 SOSP'13 IPC Client Server Load balancer Workers Client Server All IPCs duplicated! Original L4 addressed IPC to threads Client must do load balancing? RPC reply from wrong thread! • Inefficient designs • Poor information hiding • Covert channels [Shapiro ‘02]
Endpoints Client Server Client Server ©2013 Gernot Heiser, NICTA 19 SOSP'13 IPC Send Rcv Sync EP • Sync EP queues senders/receivers • Does not buffer messages 0x01 0x10 0x30 Async EP 00xx0013011 • Async EP accumulates bits
Other Design Issues IPC Control: “Clans & Chiefs” Process Hierarchy ©2013 Gernot Heiser, NICTA 20 SOSP'13 IPC Chief Clan IPC outside clan re-directs to chief Create Hierarchical resource management Inflexible, clumsy, inefficient hierarchies! Hierarchies replaced by delegatable cap-based access control
IMPLEMENTATION ©2013 Gernot Heiser, NICTA 21 SOSP'13
Virtual TCB Array Thread ID ©2013 Gernot Heiser, NICTA 22 SOSP'13 VM TCB TCB Fast TCB & stack lookup TCB proper Kernel stack Get own TCB base by masking stack pointer Trades cache for TLB footprint and virtual address space • Not worthwhile on modern processors! • Stacks can dominate kernel memory use! Trades TLB footprint for cache and kernel memory
“Lazy” Scheduling • In IPC-based systems, threads block and unblock frequenty • Many ready queue manipulations ©2013 Gernot Heiser, NICTA 23 SOSP'13 thread_t schedule() { foreach (prio in priorities) { foreach (thread in runQueue[prio]) { if (isRunnable(thread)) return thread; else schedDequeue(thread); } } return idleThread; } Idea: leave blocked threads in ready queue, scheduler cleans up Scheduler execution time is unbounded! “Benno scheduling”: • All threads on ready queue are runnable • All runnable threads in ready queue except the running one
L4 Design and Implementation Implement. Tricks [SOSP’93] • Process kernel • Virtual TCB array • Lazy scheduling • Direct process switch • Non-preemptible • Non-portable • Non-standard calling convention • Assembler ©2013 Gernot Heiser, NICTA 24 Design Decisions [SOSP’95] • Synchronous IPC • Rich message structure, arbitrary out-of-line messages • Zero-copy register messages • User-mode page-fault handlers • Threads as IPC destinations • IPC timeouts • Hierarchical IPC control • User-mode device drivers • Process hierarchy • Recursive address-space construction SOSP'13
What are the Principles? • Minimality is excellent driver of design decisions – L4 kernels have become simpler over time – Policy-mechanism separation (user-mode page-fault handlers) – Device drivers really belong to user level – Minimality is key enabler for formal verification! • IPC speed still matters – But not everywhere, premature optimisation is wastive – Compilers have got so much better – Verification does not compromise performance – Verification invariants can help improve speed! [Shi, OOPSLA’13] • Also found that capabilities are the way to go – Shapiro (EROS) was right • However, a clean abstraction of time still elusive ©2013 Gernot Heiser, NICTA 25 SOSP'13
Conclusions Where to find more: • UNSW Advanced Operating Systems Course http://www.cse.unsw.edu.au/~cs9242 • NICTA Trustworthy Systems research http://trustworthy.systems • seL4 open-source portal http://sel4.systems • L4 Microkernel Headquarters http://l4hq.org • Gernot’s blog: http://microkerneldude.wordpress.com/ • Gernot’s research home page: http://ssrg.nicta.com.au/people/?cn=Gernot+Heiser ©2013 Gernot Heiser, NICTA 26 SOSP'13 • Details changed, but principles remained • Microkernels rock! (If done right!)

Recommended

seL4 intro
seL4 introseL4 intro
seL4 intromicrokerneldude
 
Microkernel-based operating system development
Microkernel-based operating system developmentMicrokernel-based operating system development
Microkernel-based operating system developmentSenko Rašić
 
Affordable trustworthy-systems
Affordable trustworthy-systemsAffordable trustworthy-systems
Affordable trustworthy-systemsmicrokerneldude
 
Microkernel design
Microkernel designMicrokernel design
Microkernel designmicrokerneldude
 
seL4 on RISC-V/lowRISC - ORCONF'15
seL4 on RISC-V/lowRISC - ORCONF'15seL4 on RISC-V/lowRISC - ORCONF'15
seL4 on RISC-V/lowRISC - ORCONF'15Hesham Almatary
 
Introduction to Microkernels
Introduction to MicrokernelsIntroduction to Microkernels
Introduction to MicrokernelsVasily Sartakov
 
Implement Runtime Environments for HSA using LLVM
Implement Runtime Environments for HSA using LLVMImplement Runtime Environments for HSA using LLVM
Implement Runtime Environments for HSA using LLVMNational Cheng Kung University
 
L4 Microkernel :: Design Overview
L4 Microkernel :: Design OverviewL4 Microkernel :: Design Overview
L4 Microkernel :: Design OverviewNational Cheng Kung University
 

Recommended

seL4 intro
seL4 introseL4 intro
seL4 intromicrokerneldude
 
Microkernel-based operating system development
Microkernel-based operating system developmentMicrokernel-based operating system development
Microkernel-based operating system developmentSenko Rašić
 
Affordable trustworthy-systems
Affordable trustworthy-systemsAffordable trustworthy-systems
Affordable trustworthy-systemsmicrokerneldude
 
Microkernel design
Microkernel designMicrokernel design
Microkernel designmicrokerneldude
 
seL4 on RISC-V/lowRISC - ORCONF'15
seL4 on RISC-V/lowRISC - ORCONF'15seL4 on RISC-V/lowRISC - ORCONF'15
seL4 on RISC-V/lowRISC - ORCONF'15Hesham Almatary
 
Introduction to Microkernels
Introduction to MicrokernelsIntroduction to Microkernels
Introduction to MicrokernelsVasily Sartakov
 
Implement Runtime Environments for HSA using LLVM
Implement Runtime Environments for HSA using LLVMImplement Runtime Environments for HSA using LLVM
Implement Runtime Environments for HSA using LLVMNational Cheng Kung University
 
L4 Microkernel :: Design Overview
L4 Microkernel :: Design OverviewL4 Microkernel :: Design Overview
L4 Microkernel :: Design OverviewNational Cheng Kung University
 
A tour of F9 microkernel and BitSec hypervisor
A tour of F9 microkernel and BitSec hypervisorA tour of F9 microkernel and BitSec hypervisor
A tour of F9 microkernel and BitSec hypervisorLouie Lu
 
Embedded Virtualization applied in Mobile Devices
Embedded Virtualization applied in Mobile DevicesEmbedded Virtualization applied in Mobile Devices
Embedded Virtualization applied in Mobile DevicesNational Cheng Kung University
 
Unix v6 Internals
Unix v6 InternalsUnix v6 Internals
Unix v6 InternalsNational Cheng Kung University
 
Construct an Efficient and Secure Microkernel for IoT
Construct an Efficient and Secure Microkernel for IoTConstruct an Efficient and Secure Microkernel for IoT
Construct an Efficient and Secure Microkernel for IoTNational Cheng Kung University
 
Hints for L4 Microkernel
Hints for L4 MicrokernelHints for L4 Microkernel
Hints for L4 MicrokernelNational Cheng Kung University
 
olibc: Another C Library optimized for Embedded Linux
olibc: Another C Library optimized for Embedded Linuxolibc: Another C Library optimized for Embedded Linux
olibc: Another C Library optimized for Embedded LinuxNational Cheng Kung University
 
F9: A Secure and Efficient Microkernel Built for Deeply Embedded Systems
F9: A Secure and Efficient Microkernel Built for Deeply Embedded SystemsF9: A Secure and Efficient Microkernel Built for Deeply Embedded Systems
F9: A Secure and Efficient Microkernel Built for Deeply Embedded SystemsNational Cheng Kung University
 
Faults inside System Software
Faults inside System SoftwareFaults inside System Software
Faults inside System SoftwareNational Cheng Kung University
 
Advanced Components on Top of L4Re
Advanced Components on Top of L4ReAdvanced Components on Top of L4Re
Advanced Components on Top of L4ReVasily Sartakov
 
Memory, IPC and L4Re
Memory, IPC and L4ReMemory, IPC and L4Re
Memory, IPC and L4ReVasily Sartakov
 
High Performance Storage Devices in the Linux Kernel
High Performance Storage Devices in the Linux KernelHigh Performance Storage Devices in the Linux Kernel
High Performance Storage Devices in the Linux KernelKernel TLV
 
Shorten Device Boot Time for Automotive IVI and Navigation Systems
Shorten Device Boot Time for Automotive IVI and Navigation SystemsShorten Device Boot Time for Automotive IVI and Navigation Systems
Shorten Device Boot Time for Automotive IVI and Navigation SystemsNational Cheng Kung University
 
Gnu linux for safety related systems
Gnu linux for safety related systemsGnu linux for safety related systems
Gnu linux for safety related systemsDTQ4
 
CIF16: Unikernels: The Past, the Present, the Future ( Russell Pavlicek, Xen ...
CIF16: Unikernels: The Past, the Present, the Future ( Russell Pavlicek, Xen ...CIF16: Unikernels: The Past, the Present, the Future ( Russell Pavlicek, Xen ...
CIF16: Unikernels: The Past, the Present, the Future ( Russell Pavlicek, Xen ...The Linux Foundation
 
Using VPP and SRIO-V with Clear Containers
Using VPP and SRIO-V with Clear ContainersUsing VPP and SRIO-V with Clear Containers
Using VPP and SRIO-V with Clear ContainersMichelle Holley
 
XPDS14: Unikernels: Who, What, Where, When, Why - Adam Wick, Galois
XPDS14: Unikernels: Who, What, Where, When, Why - Adam Wick, GaloisXPDS14: Unikernels: Who, What, Where, When, Why - Adam Wick, Galois
XPDS14: Unikernels: Who, What, Where, When, Why - Adam Wick, GaloisThe Linux Foundation
 
Microservices in Unikernels
Microservices in UnikernelsMicroservices in Unikernels
Microservices in UnikernelsMadhuri Yechuri
 
What's LUM Got To Do with It: Deployment Considerations for Linux User Manage...
What's LUM Got To Do with It: Deployment Considerations for Linux User Manage...What's LUM Got To Do with It: Deployment Considerations for Linux User Manage...
What's LUM Got To Do with It: Deployment Considerations for Linux User Manage...Novell
 
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...The Linux Foundation
 
The Role of a Network Software Developer in Network Transformation
The Role of a Network Software Developer in Network TransformationThe Role of a Network Software Developer in Network Transformation
The Role of a Network Software Developer in Network TransformationMichelle Holley
 
Network & Filesystem: Doing less cross rings memory copy
Network & Filesystem: Doing less cross rings memory copyNetwork & Filesystem: Doing less cross rings memory copy
Network & Filesystem: Doing less cross rings memory copyScaleway
 
The Quest for the Perfect API
The Quest for the Perfect APIThe Quest for the Perfect API
The Quest for the Perfect APImicrokerneldude
 

More Related Content

What's hot

A tour of F9 microkernel and BitSec hypervisor
A tour of F9 microkernel and BitSec hypervisorA tour of F9 microkernel and BitSec hypervisor
A tour of F9 microkernel and BitSec hypervisorLouie Lu
 
F9: A Secure and Efficient Microkernel Built for Deeply Embedded Systems
F9: A Secure and Efficient Microkernel Built for Deeply Embedded SystemsF9: A Secure and Efficient Microkernel Built for Deeply Embedded Systems
F9: A Secure and Efficient Microkernel Built for Deeply Embedded SystemsNational Cheng Kung University
 
Advanced Components on Top of L4Re
Advanced Components on Top of L4ReAdvanced Components on Top of L4Re
Advanced Components on Top of L4ReVasily Sartakov
 
High Performance Storage Devices in the Linux Kernel
High Performance Storage Devices in the Linux KernelHigh Performance Storage Devices in the Linux Kernel
High Performance Storage Devices in the Linux KernelKernel TLV
 
Shorten Device Boot Time for Automotive IVI and Navigation Systems
Shorten Device Boot Time for Automotive IVI and Navigation SystemsShorten Device Boot Time for Automotive IVI and Navigation Systems
Shorten Device Boot Time for Automotive IVI and Navigation SystemsNational Cheng Kung University
 
Gnu linux for safety related systems
Gnu linux for safety related systemsGnu linux for safety related systems
Gnu linux for safety related systemsDTQ4
 
CIF16: Unikernels: The Past, the Present, the Future ( Russell Pavlicek, Xen ...
CIF16: Unikernels: The Past, the Present, the Future ( Russell Pavlicek, Xen ...CIF16: Unikernels: The Past, the Present, the Future ( Russell Pavlicek, Xen ...
CIF16: Unikernels: The Past, the Present, the Future ( Russell Pavlicek, Xen ...The Linux Foundation
 
Using VPP and SRIO-V with Clear Containers
Using VPP and SRIO-V with Clear ContainersUsing VPP and SRIO-V with Clear Containers
Using VPP and SRIO-V with Clear ContainersMichelle Holley
 
XPDS14: Unikernels: Who, What, Where, When, Why - Adam Wick, Galois
XPDS14: Unikernels: Who, What, Where, When, Why - Adam Wick, GaloisXPDS14: Unikernels: Who, What, Where, When, Why - Adam Wick, Galois
XPDS14: Unikernels: Who, What, Where, When, Why - Adam Wick, GaloisThe Linux Foundation
 
Microservices in Unikernels
Microservices in UnikernelsMicroservices in Unikernels
Microservices in UnikernelsMadhuri Yechuri
 
What's LUM Got To Do with It: Deployment Considerations for Linux User Manage...
What's LUM Got To Do with It: Deployment Considerations for Linux User Manage...What's LUM Got To Do with It: Deployment Considerations for Linux User Manage...
What's LUM Got To Do with It: Deployment Considerations for Linux User Manage...Novell
 
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...The Linux Foundation
 
The Role of a Network Software Developer in Network Transformation
The Role of a Network Software Developer in Network TransformationThe Role of a Network Software Developer in Network Transformation
The Role of a Network Software Developer in Network TransformationMichelle Holley
 

What's hot (20)

A tour of F9 microkernel and BitSec hypervisor
A tour of F9 microkernel and BitSec hypervisorA tour of F9 microkernel and BitSec hypervisor
A tour of F9 microkernel and BitSec hypervisor
 
Embedded Virtualization applied in Mobile Devices
Embedded Virtualization applied in Mobile DevicesEmbedded Virtualization applied in Mobile Devices
Embedded Virtualization applied in Mobile Devices
 
Unix v6 Internals
Unix v6 InternalsUnix v6 Internals
Unix v6 Internals
 
Construct an Efficient and Secure Microkernel for IoT
Construct an Efficient and Secure Microkernel for IoTConstruct an Efficient and Secure Microkernel for IoT
Construct an Efficient and Secure Microkernel for IoT
 
Hints for L4 Microkernel
Hints for L4 MicrokernelHints for L4 Microkernel
Hints for L4 Microkernel
 
olibc: Another C Library optimized for Embedded Linux
olibc: Another C Library optimized for Embedded Linuxolibc: Another C Library optimized for Embedded Linux
olibc: Another C Library optimized for Embedded Linux
 
F9: A Secure and Efficient Microkernel Built for Deeply Embedded Systems
F9: A Secure and Efficient Microkernel Built for Deeply Embedded SystemsF9: A Secure and Efficient Microkernel Built for Deeply Embedded Systems
F9: A Secure and Efficient Microkernel Built for Deeply Embedded Systems
 
Faults inside System Software
Faults inside System SoftwareFaults inside System Software
Faults inside System Software
 
Advanced Components on Top of L4Re
Advanced Components on Top of L4ReAdvanced Components on Top of L4Re
Advanced Components on Top of L4Re
 
Memory, IPC and L4Re
Memory, IPC and L4ReMemory, IPC and L4Re
Memory, IPC and L4Re
 
High Performance Storage Devices in the Linux Kernel
High Performance Storage Devices in the Linux KernelHigh Performance Storage Devices in the Linux Kernel
High Performance Storage Devices in the Linux Kernel
 
Shorten Device Boot Time for Automotive IVI and Navigation Systems
Shorten Device Boot Time for Automotive IVI and Navigation SystemsShorten Device Boot Time for Automotive IVI and Navigation Systems
Shorten Device Boot Time for Automotive IVI and Navigation Systems
 
Gnu linux for safety related systems
Gnu linux for safety related systemsGnu linux for safety related systems
Gnu linux for safety related systems
 
CIF16: Unikernels: The Past, the Present, the Future ( Russell Pavlicek, Xen ...
CIF16: Unikernels: The Past, the Present, the Future ( Russell Pavlicek, Xen ...CIF16: Unikernels: The Past, the Present, the Future ( Russell Pavlicek, Xen ...
CIF16: Unikernels: The Past, the Present, the Future ( Russell Pavlicek, Xen ...
 
Using VPP and SRIO-V with Clear Containers
Using VPP and SRIO-V with Clear ContainersUsing VPP and SRIO-V with Clear Containers
Using VPP and SRIO-V with Clear Containers
 
XPDS14: Unikernels: Who, What, Where, When, Why - Adam Wick, Galois
XPDS14: Unikernels: Who, What, Where, When, Why - Adam Wick, GaloisXPDS14: Unikernels: Who, What, Where, When, Why - Adam Wick, Galois
XPDS14: Unikernels: Who, What, Where, When, Why - Adam Wick, Galois
 
Microservices in Unikernels
Microservices in UnikernelsMicroservices in Unikernels
Microservices in Unikernels
 
What's LUM Got To Do with It: Deployment Considerations for Linux User Manage...
What's LUM Got To Do with It: Deployment Considerations for Linux User Manage...What's LUM Got To Do with It: Deployment Considerations for Linux User Manage...
What's LUM Got To Do with It: Deployment Considerations for Linux User Manage...
 
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...
 
The Role of a Network Software Developer in Network Transformation
The Role of a Network Software Developer in Network TransformationThe Role of a Network Software Developer in Network Transformation
The Role of a Network Software Developer in Network Transformation
 

Similar to From L3 to seL4: What Have We Learnt in 20 Years of L4 Microkernels

Network & Filesystem: Doing less cross rings memory copy
Network & Filesystem: Doing less cross rings memory copyNetwork & Filesystem: Doing less cross rings memory copy
Network & Filesystem: Doing less cross rings memory copyScaleway
 
The Quest for the Perfect API
The Quest for the Perfect APIThe Quest for the Perfect API
The Quest for the Perfect APImicrokerneldude
 
Beneath the Linux Interrupt handling
Beneath the Linux Interrupt handlingBeneath the Linux Interrupt handling
Beneath the Linux Interrupt handlingBhoomil Chavda
 
Network Stack in Userspace (NUSE)
Network Stack in Userspace (NUSE)Network Stack in Userspace (NUSE)
Network Stack in Userspace (NUSE)Hajime Tazaki
 
Include os @ flossuk 2018
Include os @ flossuk 2018Include os @ flossuk 2018
Include os @ flossuk 2018Per Buer
 
Porting_uClinux_CELF2008_Griffin
Porting_uClinux_CELF2008_GriffinPorting_uClinux_CELF2008_Griffin
Porting_uClinux_CELF2008_GriffinPeter Griffin
 
finaldraft-intelcorei5processorsarchitecture-130207093535-phpapp01.pdf
finaldraft-intelcorei5processorsarchitecture-130207093535-phpapp01.pdffinaldraft-intelcorei5processorsarchitecture-130207093535-phpapp01.pdf
finaldraft-intelcorei5processorsarchitecture-130207093535-phpapp01.pdfNazarAhmadAlkhidir
 
BKK16-103 OpenCSD - Open for Business!
BKK16-103 OpenCSD - Open for Business!BKK16-103 OpenCSD - Open for Business!
BKK16-103 OpenCSD - Open for Business!Linaro
 
Brief Introduction to Parallella
Brief Introduction to ParallellaBrief Introduction to Parallella
Brief Introduction to ParallellaSomnath Mazumdar
 
LCNA14: Why Use Xen for Large Scale Enterprise Deployments? - Konrad Rzeszute...
LCNA14: Why Use Xen for Large Scale Enterprise Deployments? - Konrad Rzeszute...LCNA14: Why Use Xen for Large Scale Enterprise Deployments? - Konrad Rzeszute...
LCNA14: Why Use Xen for Large Scale Enterprise Deployments? - Konrad Rzeszute...The Linux Foundation
 
A Reimplementation of NetBSD Based on a Microkernel by Andrew S. Tanenbaum
A Reimplementation of NetBSD Based on a Microkernel by Andrew S. TanenbaumA Reimplementation of NetBSD Based on a Microkernel by Andrew S. Tanenbaum
A Reimplementation of NetBSD Based on a Microkernel by Andrew S. Tanenbaumeurobsdcon
 
Final draft intel core i5 processors architecture
Final draft intel core i5 processors architectureFinal draft intel core i5 processors architecture
Final draft intel core i5 processors architectureJawid Ahmad Baktash
 
Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONLyon Yang
 
Large Scale Computing Infrastructure - Nautilus
Large Scale Computing Infrastructure - NautilusLarge Scale Computing Infrastructure - Nautilus
Large Scale Computing Infrastructure - NautilusGabriele Di Bernardo
 
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...DefconRussia
 
The Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageThe Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageKernel TLV
 
Running Applications on the NetBSD Rump Kernel by Justin Cormack
Running Applications on the NetBSD Rump Kernel by Justin Cormack Running Applications on the NetBSD Rump Kernel by Justin Cormack
Running Applications on the NetBSD Rump Kernel by Justin Cormack eurobsdcon
 

Similar to From L3 to seL4: What Have We Learnt in 20 Years of L4 Microkernels (20)

Network & Filesystem: Doing less cross rings memory copy
Network & Filesystem: Doing less cross rings memory copyNetwork & Filesystem: Doing less cross rings memory copy
Network & Filesystem: Doing less cross rings memory copy
 
The Quest for the Perfect API
The Quest for the Perfect APIThe Quest for the Perfect API
The Quest for the Perfect API
 
Beneath the Linux Interrupt handling
Beneath the Linux Interrupt handlingBeneath the Linux Interrupt handling
Beneath the Linux Interrupt handling
 
Network Stack in Userspace (NUSE)
Network Stack in Userspace (NUSE)Network Stack in Userspace (NUSE)
Network Stack in Userspace (NUSE)
 
Include os @ flossuk 2018
Include os @ flossuk 2018Include os @ flossuk 2018
Include os @ flossuk 2018
 
Ceph on arm64 upload
Ceph on arm64 uploadCeph on arm64 upload
Ceph on arm64 upload
 
Porting_uClinux_CELF2008_Griffin
Porting_uClinux_CELF2008_GriffinPorting_uClinux_CELF2008_Griffin
Porting_uClinux_CELF2008_Griffin
 
finaldraft-intelcorei5processorsarchitecture-130207093535-phpapp01.pdf
finaldraft-intelcorei5processorsarchitecture-130207093535-phpapp01.pdffinaldraft-intelcorei5processorsarchitecture-130207093535-phpapp01.pdf
finaldraft-intelcorei5processorsarchitecture-130207093535-phpapp01.pdf
 
BKK16-103 OpenCSD - Open for Business!
BKK16-103 OpenCSD - Open for Business!BKK16-103 OpenCSD - Open for Business!
BKK16-103 OpenCSD - Open for Business!
 
Brief Introduction to Parallella
Brief Introduction to ParallellaBrief Introduction to Parallella
Brief Introduction to Parallella
 
LCNA14: Why Use Xen for Large Scale Enterprise Deployments? - Konrad Rzeszute...
LCNA14: Why Use Xen for Large Scale Enterprise Deployments? - Konrad Rzeszute...LCNA14: Why Use Xen for Large Scale Enterprise Deployments? - Konrad Rzeszute...
LCNA14: Why Use Xen for Large Scale Enterprise Deployments? - Konrad Rzeszute...
 
A Reimplementation of NetBSD Based on a Microkernel by Andrew S. Tanenbaum
A Reimplementation of NetBSD Based on a Microkernel by Andrew S. TanenbaumA Reimplementation of NetBSD Based on a Microkernel by Andrew S. Tanenbaum
A Reimplementation of NetBSD Based on a Microkernel by Andrew S. Tanenbaum
 
Final draft intel core i5 processors architecture
Final draft intel core i5 processors architectureFinal draft intel core i5 processors architecture
Final draft intel core i5 processors architecture
 
Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCON
 
Large Scale Computing Infrastructure - Nautilus
Large Scale Computing Infrastructure - NautilusLarge Scale Computing Infrastructure - Nautilus
Large Scale Computing Infrastructure - Nautilus
 
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
 
The Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageThe Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast Storage
 
Running Applications on the NetBSD Rump Kernel by Justin Cormack
Running Applications on the NetBSD Rump Kernel by Justin Cormack Running Applications on the NetBSD Rump Kernel by Justin Cormack
Running Applications on the NetBSD Rump Kernel by Justin Cormack
 
General Purpose GPU Computing
General Purpose GPU ComputingGeneral Purpose GPU Computing
General Purpose GPU Computing
 
pps Matters
pps Matterspps Matters
pps Matters
 

Recently uploaded

cybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningcybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningVitsRangannavar
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationkaushalgiri8080
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfPower Karaoke
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyFrank van der Linden
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 

Recently uploaded (20)

cybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningcybersecurity notes for mca students for learning
cybersecurity notes for mca students for learning
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdf
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The Ugly
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 

From L3 to seL4: What Have We Learnt in 20 Years of L4 Microkernels

  • 1. From L3 to seL4: What Have We Learnt in 20 Years of L4 Microkernels? Kevin Elphinstone & @GernotHeiser NICTA and UNSW Australia SOSP'13
  • 2. Copyright Notice These slides are distributed under the Creative Commons Attribution 3.0 License • You are free: – to share—to copy, distribute and transmit the work – to remix—to adapt the work • under the following conditions: – Attribution: You must attribute the work (but not in any way that suggests that the author endorses you or your use of the work) as follows: • “Courtesy of Gernot Heiser, [Institution]”, where [Institution] is one of “UNSW” or “NICTA” The complete license text can be found at http://creativecommons.org/licenses/by/3.0/legalcode ©2013 Gernot Heiser, NICTA 2 COMP9242 S2/2014 W01
  • 3. 1993 ©2013 Gernot Heiser, NICTA 3 SOSP'13 Improving IPC by Kernel Design [SOSP]
  • 4. 400 300 200 100 0 Mach 0 2000 4000 6000 ©2013 Gernot Heiser, NICTA 4 Message Length [B] [μs] L4 1993 IPC Performance SOSP'13 115 μs 5 μs i486 @ 50 MHz Culprit: Cache footprint [SOSP’95] raw copy
  • 5. IPC Performance over 20 Years Name Year Processor MHz Cycles μs Original 1993 i486 50 250 5.00 Original 1997 Pentium 160 121 0.75 L4/MIPS 1997 R4700 100 86 0.86 L4/Alpha 1997 21064 433 45 0.10 Hazelnut 2002 Pentium 4 1,400 2,000 1.38 Pistachio 2005 Itanium 1,500 36 0.02 OKL4 2007 XScale 255 400 151 0.64 NOVA 2010 i7 Bloomfield (32-bit) 2,660 288 0.11 seL4 2013 i7 Haswell (32-bit) 3,400 301 0.09 seL4 2013 ARM11 532 188 0.35 seL4 2013 Cortex A9 1,000 316 0.32 ©2013 Gernot Heiser, NICTA 5 SOSP'13
  • 6. Core Microkernel Principle: Minimality A concept is tolerated inside the microkernel only if moving it outside the kernel, i.e. permitting competing implementations, would prevent the implementation of the system’s required functionality. [SOSP’95] ©2013 Gernot Heiser, NICTA 6 SOSP'13
  • 7. Minimality: Source Code Size Name Architecture C/C++ asm total kSLOC Original i486 0 6.4 6.4 L4/Alpha Alpha 0 14.2 14.2 L4/MIPS MIPS64 6.0 4.5 10.5 Hazelnut x86 10.0 0.8 10.8 Pistachio x86 22.4 1.4 23.0 L4-embedded ARMv5 7.6 1.4 9.0 OKL4 3.0 ARMv6 15.0 0.0 15.0 Fiasco.OC x86 36.2 1.1 37.6 seL4 ARMv6 9.7 0.5 10.2 ©2013 Gernot Heiser, NICTA 7 SOSP'13
  • 8. L4 Family Tree L4/MIPS L4/Alpha L3 → L4 “X” Hazelnut Pistachio OKL4 Microvisor Fiasco Fiasco.OC UNSW/NICTA 93 94 95 96 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13 ©2013 Gernot Heiser, NICTA 8 seL4 OKL4 μKernel Codezero P4 → PikeOS L4-embed. GMD/IBM/Karlsruhe NOVA Dresden Commercial Clone OK Labs SOSP'13 API Inheritance Code Inheritance
  • 9. L4 Deployments – in the Billions ©2013 Gernot Heiser, NICTA 9 SOSP'13 SiMKo 3 “Merkelphone”
  • 10. seL4: Unprecedented Dependability Proof Proof Proof Non-interference [S&P’13] ©2013 Gernot Heiser, NICTA 10 SOSP'13 Integrity Abstract Model C Imple-mentation Confiden-tiality Availability Binary code Functional correctness [SOSP’09] Integrity [ITP’11] Translation correctness [PLDI’13] • First & only OS kernel with security proofs to binary code • First & only protected-mode OS kernel with sound timeliness analysis Timeliness [RTSS’11, EuroSys’12]
  • 11. L4 Design and Implementation Implement. Tricks [SOSP’93] • Process kernel • Virtual TCB array • Lazy scheduling • Direct process switch • Non-preemptible • Non-portable • Non-standard calling convention • Assembler ©2013 Gernot Heiser, NICTA 11 Design Decisions [SOSP’95] • Synchronous IPC • Rich message structure, arbitrary out-of-line messages • Zero-copy register messages • User-mode page-fault handlers • Threads as IPC destinations • IPC timeouts • Hierarchical IPC control • User-mode device drivers • Process hierarchy • Recursive address-space construction SOSP'13 Objective: Minimise cache footprint and TLB misses
  • 12. DESIGN ©2013 Gernot Heiser, NICTA 12 SOSP'13
  • 13. L4 Synchronous IPC ©2013 Gernot Heiser, NICTA 13 SOSP'13 Thread1 Running Blocked Thread2 Blocked Running Send (dest, msg) Wait (src, msg) ….... Kernel copy Rendezvous model Kernel executes in sender’s context • copies memory data directly to receiver (single-copy) • leaves message registers unchanged during context switch (zero copy)
  • 14. “Long” IPC Sender address space Kernel copy Receiver address space LONG IPC ABANDONED • IPC page faults are nested exceptions ⇒ In-kernel concurrency – L4 executes with interrupts disabled for performance, no concurrency • Must invoke untrusted usermode page-fault handlers – potential for DOSing other thread • Timeouts to avoid DOS attacks – complexity ©2013 Gernot Heiser, NICTA 14 Page fault! Why have long IPC? • POSIX-style APIs write (fd, buf, nbytes) • Usually prefer shared buffers SOSP'13
  • 15. Timeouts IPC Timeouts ABANDONED in seL4, OKL4 ©2013 Gernot Heiser, NICTA 15 SOSP'13 Thread1 Running Blocked Thread2 Blocked Running Send (dest, msg) ….... Wait (src, msg) Kernel copy Limit IPC blocking time Thread1 Running Blocked Rcv(NIL_THRD, delay) ….... Timed wait • No theory/heuristics for determining timeouts • Typically server reply with zero TO, else ∞ • Can do timed wait with timer syscall
  • 16. Synchronous IPC Issues ©2013 Gernot Heiser, NICTA 16 SOSP'13 Thread1 Running Blocked Initiate_IO(…,…) IO_Wait(…,…) Not generally possible Worker_Th Running Blocked IO_Th Blocked Running Unblock (IO_Th) ….... Call (IO,msg) Sync(Worker_Th) Sync(IO_Th) ….... • Sync IPC forces multi-threaded code! • Also poor choice for multi-core
  • 17. Asynchronous Notifications ©2013 Gernot Heiser, NICTA 17 SOSP'13 ….... Thread1 Running Blocked Thread2 Blocked Running w = Poll (…) …... w = Wait (…) Send (Thr _ 2 , …) ….... Send (Thr_2, …) • Delivers few bits (destructively) • Kernel only buffers single word • Maps well to interrupts, exceptions Server Client Driver Sync Async • Thread can wait for synchronous and asynchronous messages concurrently Sync IPC complemented with async
  • 18. IPC Destination Naming Client Server Thread IDs replaced by IPC “endpoints” (ports) ©2013 Gernot Heiser, NICTA 18 SOSP'13 IPC Client Server Load balancer Workers Client Server All IPCs duplicated! Original L4 addressed IPC to threads Client must do load balancing? RPC reply from wrong thread! • Inefficient designs • Poor information hiding • Covert channels [Shapiro ‘02]
  • 19. Endpoints Client Server Client Server ©2013 Gernot Heiser, NICTA 19 SOSP'13 IPC Send Rcv Sync EP • Sync EP queues senders/receivers • Does not buffer messages 0x01 0x10 0x30 Async EP 00xx0013011 • Async EP accumulates bits
  • 20. Other Design Issues IPC Control: “Clans & Chiefs” Process Hierarchy ©2013 Gernot Heiser, NICTA 20 SOSP'13 IPC Chief Clan IPC outside clan re-directs to chief Create Hierarchical resource management Inflexible, clumsy, inefficient hierarchies! Hierarchies replaced by delegatable cap-based access control
  • 21. IMPLEMENTATION ©2013 Gernot Heiser, NICTA 21 SOSP'13
  • 22. Virtual TCB Array Thread ID ©2013 Gernot Heiser, NICTA 22 SOSP'13 VM TCB TCB Fast TCB & stack lookup TCB proper Kernel stack Get own TCB base by masking stack pointer Trades cache for TLB footprint and virtual address space • Not worthwhile on modern processors! • Stacks can dominate kernel memory use! Trades TLB footprint for cache and kernel memory
  • 23. “Lazy” Scheduling • In IPC-based systems, threads block and unblock frequenty • Many ready queue manipulations ©2013 Gernot Heiser, NICTA 23 SOSP'13 thread_t schedule() { foreach (prio in priorities) { foreach (thread in runQueue[prio]) { if (isRunnable(thread)) return thread; else schedDequeue(thread); } } return idleThread; } Idea: leave blocked threads in ready queue, scheduler cleans up Scheduler execution time is unbounded! “Benno scheduling”: • All threads on ready queue are runnable • All runnable threads in ready queue except the running one
  • 24. L4 Design and Implementation Implement. Tricks [SOSP’93] • Process kernel • Virtual TCB array • Lazy scheduling • Direct process switch • Non-preemptible • Non-portable • Non-standard calling convention • Assembler ©2013 Gernot Heiser, NICTA 24 Design Decisions [SOSP’95] • Synchronous IPC • Rich message structure, arbitrary out-of-line messages • Zero-copy register messages • User-mode page-fault handlers • Threads as IPC destinations • IPC timeouts • Hierarchical IPC control • User-mode device drivers • Process hierarchy • Recursive address-space construction SOSP'13
  • 25. What are the Principles? • Minimality is excellent driver of design decisions – L4 kernels have become simpler over time – Policy-mechanism separation (user-mode page-fault handlers) – Device drivers really belong to user level – Minimality is key enabler for formal verification! • IPC speed still matters – But not everywhere, premature optimisation is wastive – Compilers have got so much better – Verification does not compromise performance – Verification invariants can help improve speed! [Shi, OOPSLA’13] • Also found that capabilities are the way to go – Shapiro (EROS) was right • However, a clean abstraction of time still elusive ©2013 Gernot Heiser, NICTA 25 SOSP'13
  • 26. Conclusions Where to find more: • UNSW Advanced Operating Systems Course http://www.cse.unsw.edu.au/~cs9242 • NICTA Trustworthy Systems research http://trustworthy.systems • seL4 open-source portal http://sel4.systems • L4 Microkernel Headquarters http://l4hq.org • Gernot’s blog: http://microkerneldude.wordpress.com/ • Gernot’s research home page: http://ssrg.nicta.com.au/people/?cn=Gernot+Heiser ©2013 Gernot Heiser, NICTA 26 SOSP'13 • Details changed, but principles remained • Microkernels rock! (If done right!)