
From L3 to seL4: What Have We Learnt in 20 Years of L4 Microkernels? (presentation slides)



  1. From L3 to seL4: What Have We Learnt in 20 Years of L4 Microkernels? K. Elphinstone, G. Heiser. Presented by Andrew Shugarts, October 23, 2013.

  2. Outline
  ◮ Background
  ◮ From L3 to L4: L3; L4; L4 Development
  ◮ The Retained
  ◮ The Abandoned
  ◮ The Replaced and Added
  ◮ The Design of seL4: Security; Memory Management; Object Independence; Preemption & Notifications
  ◮ Open Problems
  ◮ Conclusions

  3-5. Design Goal (built up over three slides)
  ◮ Create an operating system kernel with bare minimum functionality.
  ◮ We only need support for virtual address spaces, thread management, and inter-process communication, so
  ◮ Move features like device drivers, network stacks, and file systems into userland (called servers).

  6. The Problem
  ◮ Traditional system services are implemented as programs in userspace.
  ◮ So programs that require a service need to use inter-process communication (IPC).
  ◮ However, this typically costs 100 µs to complete a one-way message pass.

  7. Why?
  Let's say you need to read 1000 bytes from a file. In a monolithic kernel,
  1. The process calls read, which invokes the kernel.
  2. The kernel retrieves the data and copies it into a buffer supplied by the process.
  3. The kernel returns and the processor switches back to user mode.

  8. Why? (Cont.)
  In comparison, in a microkernel,
  1. The process uses IPC to send a message to the file server.
  2. This invokes the microkernel, which copies the message into the file server's address space.
  3. The microkernel calls the scheduler and we context-switch into the file server.
  4. The file server receives the message, retrieves the data and then sends it to the process.
  5. The microkernel is invoked, copies the data into the process, and so on...

  9. Why? The Picture
  [Figure: diagram of the two read paths above; the image is not reproduced in this transcript.]

  10-11. The L3 Microkernel (built up over two slides)
  ◮ In the early 80s, Jochen Liedtke developed the L3 microkernel.
  ◮ L3 was similar to other microkernels, including poor IPC performance.
  ◮ Liedtke recognized a key improvement for IPC that became the basis for L4.

  12. The L4 Microkernel
  ◮ Originally implemented in assembler for i486 by Liedtke and then ported to Pentium.
  ◮ Various others reimplemented L4 in different combinations of languages and platforms.
  ◮ Most recently, seL4 was designed and implemented to be formally verified.
  ◮ Liedtke's original L4 and other derivatives achieve sub-microsecond IPC performance.

  13. Overview
  For the last two decades of L4 development, we'll discuss some of the major features that were
  ◮ retained
  ◮ abandoned
  ◮ and replaced or added

  14. Retained Concepts
  In 1995, Liedtke outlined a minimality principle for the design of L4 which was retained for seL4:
      A concept is tolerated inside the microkernel only if moving it outside the kernel, i.e. permitting competing implementations, would prevent the implementation of the system's required functionality.
  User-level drivers and interrupts implemented as IPC were retained.

  15. Abandoned Concepts
  Features that were abandoned include:
  ◮ Recursive address spaces
  ◮ "Long" IPC messages and IPC timeouts
  ◮ Hierarchical task management and communication control – "Clans and chiefs"
  ◮ Process kernel and virtual TCB addressing
  ◮ Non-standard calling conventions and assembler code for performance
  ◮ Non-portable implementations

  16. Recursive Address Spaces
  ◮ L4 provided address spaces through "donation".
  ◮ Spaces start empty and are given pages (via mappings) from another address space.
  ◮ Allowed for the implementation of traditional virtual paged memory (and other devices) outside the kernel.
  ◮ Bookkeeping typically consumed 25-50% of kernel memory.
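A small model of the donation scheme on slide 16, added here as an illustration rather than code from the paper or from any L4 kernel. It keeps one tree node per live mapping so that revoking a page in one space recursively revokes every mapping derived from it, which is what makes the bookkeeping grow; the Mapping/MappingDB names, the "rw" rights encoding and the root space that initially owns all frames are assumptions of this model.

```python
# Added model of L4-style recursive address spaces ("donation"); not code
# from the paper or from any L4 kernel. Spaces start empty and receive
# pages only by having a current holder map them in. Each mapping is a
# node in a tree hanging off the original holder, so revoking a page in
# one space must recursively revoke every mapping derived from it. The
# node count is the per-mapping bookkeeping the slide refers to.
from dataclasses import dataclass, field


@dataclass
class Mapping:
    space: str           # address space that holds this mapping
    vaddr: int           # virtual page number within that space
    rights: str          # subset of "rw" (constructed encoding)
    children: list = field(default_factory=list)   # mappings derived from this one


class MappingDB:
    def __init__(self, root_space: str, frames: int):
        # The root space (assumed: a sigma0-like initial owner) holds every frame.
        self.pages = {}  # (space, vaddr) -> Mapping
        for frame in range(frames):
            self.pages[(root_space, frame)] = Mapping(root_space, frame, "rw")

    def map(self, src: str, src_va: int, dst: str, dst_va: int, rights: str) -> bool:
        """Donate the page at (src, src_va) into (dst, dst_va). Rights may only shrink."""
        parent = self.pages.get((src, src_va))
        if parent is None or not set(rights) <= set(parent.rights):
            return False   # src does not hold the page, or asks for more than it has
        if (dst, dst_va) in self.pages:
            return False   # destination slot is already populated
        child = Mapping(dst, dst_va, rights)
        parent.children.append(child)
        self.pages[(dst, dst_va)] = child
        return True

    def unmap(self, space: str, va: int) -> int:
        """Revoke every mapping derived from (space, va); the holder keeps its own.
        Returns the number of mappings removed."""
        m = self.pages.get((space, va))
        if m is None:
            return 0
        removed = sum(self._revoke(c) for c in m.children)
        m.children.clear()
        return removed

    def _revoke(self, m: Mapping) -> int:
        self.pages.pop((m.space, m.vaddr), None)
        return 1 + sum(self._revoke(c) for c in m.children)

    def bookkeeping_nodes(self) -> int:
        """One tree node per live mapping: this is the kernel's bookkeeping."""
        return len(self.pages)
```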
