Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

2011 10-19


Published on

Published in: Education, Technology
  • Be the first to comment

  • Be the first to like this

2011 10-19

  1. 1. Features for Secure MobileDevices Low-overhead system virtualization Separation of guest domains Hot plug-in/-out of guest domains Secure boot Secure storage Access control
  2. 2. Issues in virtualization Efficiency is a major concern in embedded virtualization.  Paravirtualization approach is more efficient than full virtualization because expensive translation is not necessary. ARM CPU has only one unprivileged mode
  3. 3. Architecture
  4. 4. CPU Virtualization Physically two privilege modes (User mode and Supervisor mode) in ARM CPU. However,  Supervisor mode is assigned to Xen mode  User mode is split into two logical modes (kernel and user User mode is split into two logical modes (kernel and user process of Linux)  Address space protection between kernel mode and user process mode is guaranteed by ARM domain access control mechanism.
  5. 5. CPU Virtualization User Mode Kernel Mode Xen Mode Logical mode split
  6. 6. CPU Virtualization Exception Handling  Para-virtualization of system calls. ○ System calls are implemented with software interrupt. ○ In Xen on ARM, system calls are interpreted by Xen
  7. 7. Memory Virtualization Isolation requirements  VMM memory region should be protected from guest OS kernel and user processes  Guest OS kernel memory should be protected from user processes  User process memory should be protected from other processes  Every virtual machine should be isolated from each other
  8. 8. Memory Virtualization With paging mechanism we can protect Xen memory from guest OS / user processes. How about Guest OS and user processes isolation? They are in the same user space.
  9. 9. Memory Virtualization Address Space Isolation  Simply separating the address space of applications and OS kernel will lead to significant cache/TLB flushing overheads since ARM v4/v5 architecture has virtually indexed virtually tagged (VIVT) cache, and Translation Look-aside Buffer (TLB) entries are not tagged with address space ID * ARM11 has virtually indexed physically tagged (VIPT) cache and Mpcore has physically indexed physically tagged (PIPT) cache
  10. 10. Memory Virtualization CPU Cache  PIPT CPU TLB Cache DRAM Virtual Addr. Physical Addr. 32 bits 26 bits CPU Cache TLB DRAM  VIVT Virtual Addr. Physical Addr. 32 bits 26 bits  VIPT TLB CPU DRAM  PIVT Cache Virtual Addr. Physical Addr. 32 bits 26 bits
  11. 11. Memory Virtualization Memory Map  Xen and guest domain (kernel + user process) are mapped on a same virtual address space. 0xFFFFFFFF Xen 0xFEFFFFFF 0xFF000000 Kernel 0xC0000000 Guest Domain User space 0xC0000000 0x00000000 Virtual Address Space Guest Domain Virtual Address Space
  12. 12. Memory Virtualization Conventional MMU based paging mechanism can’t protect the OS kernel from application when they are running in the same user mode Domain Access Control is used to prevent a user process from accessing to address space of kernel process in ARM CPU user mode. c3, Domain Access Control Register
  13. 13. Memory Virtualization The fields D15-D0 in the register define the access permissions for each one of the 16 domains. These domains can be either sections, large pages, or small pages of memory: Access Bit field Comment No access b00 Any access generates a domain fault Client b01 Accesses are checked based on the page table entry’s AP flag setting Reserved b10 Any access generates a domain fault Manager b11 Accesses are not checked against the access permission bits in the TLB entry, so a permission fault cannot be generated.
  14. 14. Memory VirtualizationVMM mode D0 D0 D1 D2Kernel mode D1 VMM Client Client Client Kernel Client Client ClientUser process User No access No access D2 mode
  15. 15. Memory Virtualization Keep Xen address translation info from being flushed.  After page table changes (domain/process switching),  TLB entries are flushed explicitly.  TLB lockdown mechanism provided by processor can be used to avoid TLB flushing and reloading  Two lockdown TLB entries used for Xen pages ○ ARM926 provides 8 lockdown TLB entries
  16. 16. Memory Virtualization Benchmark
  17. 17. System Boot Procedure Xen and dom 0 kernel images are loaded at predefined memory location. Hardware Initialization Load kernel image for Dom 0 Load and jump to Xen image Initialize system resources (Timer, UART, Memory, IRQ) Create Dom 0 Execute Dom 0 Create / Load guest Domains
  18. 18. System Boot Procedure NOR Flash Partition for Dom 0 Partition 0 Partition 1 Partition 2 Xen Kernel Image File System Virtual space address Platform Load Address Xen Dom 0 I.MX21 0xC0008000 0xC1C00000
  19. 19. VM Create / Destroy Guest domains (dom U) are created and destroyed by a user level application, dom0_util.  Dom0_util supports only create and destroy functions. Control guest domain Dom0_util Request Xen to create and execute / destroy dom U kernel, where this Domain control driver driver loads the kernel image. Xen Create and execute dom U / destroy dom U
  20. 20. VM Create / DestroyNAND Flash Partition for Dom 1 Partition 0 Partition 1 Kernel Image File System Virtual space address Platform Load Address I.MX21 0xc3c00000
  21. 21. Experiment Host OS: Ubuntu 10.04 Emulator: Goldfish emulator platform(QEMU 0.82 based Android emulator) Guest OS: mini-OS (it is used to test if Xen can work) Supported OS: uc OS II
  22. 22. Experiment Screenshot