Features for Secure MobileDevices Low-overhead system virtualization Separation of guest domains Hot plug-in/-out of guest domains Secure boot Secure storage Access control
Issues in virtualization Efficiency is a major concern in embedded virtualization. Paravirtualization approach is more efficient than full virtualization because expensive translation is not necessary. ARM CPU has only one unprivileged mode
CPU Virtualization Physically two privilege modes (User mode and Supervisor mode) in ARM CPU. However, Supervisor mode is assigned to Xen mode User mode is split into two logical modes (kernel and user User mode is split into two logical modes (kernel and user process of Linux) Address space protection between kernel mode and user process mode is guaranteed by ARM domain access control mechanism.
CPU Virtualization User Mode Kernel Mode Xen Mode Logical mode split
CPU Virtualization Exception Handling Para-virtualization of system calls. ○ System calls are implemented with software interrupt. ○ In Xen on ARM, system calls are interpreted by Xen
Memory Virtualization Isolation requirements VMM memory region should be protected from guest OS kernel and user processes Guest OS kernel memory should be protected from user processes User process memory should be protected from other processes Every virtual machine should be isolated from each other
Memory Virtualization With paging mechanism we can protect Xen memory from guest OS / user processes. How about Guest OS and user processes isolation? They are in the same user space.
Memory Virtualization Address Space Isolation Simply separating the address space of applications and OS kernel will lead to significant cache/TLB flushing overheads since ARM v4/v5 architecture has virtually indexed virtually tagged (VIVT) cache, and Translation Look-aside Buffer (TLB) entries are not tagged with address space ID * ARM11 has virtually indexed physically tagged (VIPT) cache and Mpcore has physically indexed physically tagged (PIPT) cache
Memory Virtualization CPU Cache PIPT CPU TLB Cache DRAM Virtual Addr. Physical Addr. 32 bits 26 bits CPU Cache TLB DRAM VIVT Virtual Addr. Physical Addr. 32 bits 26 bits VIPT TLB CPU DRAM PIVT Cache Virtual Addr. Physical Addr. 32 bits 26 bits
Memory Virtualization Memory Map Xen and guest domain (kernel + user process) are mapped on a same virtual address space. 0xFFFFFFFF Xen 0xFEFFFFFF 0xFF000000 Kernel 0xC0000000 Guest Domain User space 0xC0000000 0x00000000 Virtual Address Space Guest Domain Virtual Address Space
Memory Virtualization Conventional MMU based paging mechanism can’t protect the OS kernel from application when they are running in the same user mode Domain Access Control is used to prevent a user process from accessing to address space of kernel process in ARM CPU user mode. c3, Domain Access Control Register
Memory Virtualization The fields D15-D0 in the register define the access permissions for each one of the 16 domains. These domains can be either sections, large pages, or small pages of memory: Access Bit field Comment No access b00 Any access generates a domain fault Client b01 Accesses are checked based on the page table entry’s AP flag setting Reserved b10 Any access generates a domain fault Manager b11 Accesses are not checked against the access permission bits in the TLB entry, so a permission fault cannot be generated.
Memory VirtualizationVMM mode D0 D0 D1 D2Kernel mode D1 VMM Client Client Client Kernel Client Client ClientUser process User No access No access D2 mode
Memory Virtualization Keep Xen address translation info from being flushed. After page table changes (domain/process switching), TLB entries are flushed explicitly. TLB lockdown mechanism provided by processor can be used to avoid TLB flushing and reloading Two lockdown TLB entries used for Xen pages ○ ARM926 provides 8 lockdown TLB entries
System Boot Procedure Xen and dom 0 kernel images are loaded at predefined memory location. Hardware Initialization Load kernel image for Dom 0 Load and jump to Xen image Initialize system resources (Timer, UART, Memory, IRQ) Create Dom 0 Execute Dom 0 Create / Load guest Domains
System Boot Procedure NOR Flash Partition for Dom 0 Partition 0 Partition 1 Partition 2 Xen Kernel Image File System Virtual space address Platform Load Address Xen Dom 0 I.MX21 0xC0008000 0xC1C00000
VM Create / Destroy Guest domains (dom U) are created and destroyed by a user level application, dom0_util. Dom0_util supports only create and destroy functions. Control guest domain Dom0_util Request Xen to create and execute / destroy dom U kernel, where this Domain control driver driver loads the kernel image. Xen Create and execute dom U / destroy dom U
VM Create / DestroyNAND Flash Partition for Dom 1 Partition 0 Partition 1 Kernel Image File System Virtual space address Platform Load Address I.MX21 0xc3c00000
Experiment Host OS: Ubuntu 10.04 Emulator: Goldfish emulator platform(QEMU 0.82 based Android emulator) Guest OS: mini-OS (it is used to test if Xen can work) Supported OS: uc OS II