seL4 Microkernel Status Update
Gernot Heiser | gernot.heiser@data61.csiro.au | @GernotHeiser
FOSDEM, Bruxelles, 2020-02-02
https://trustworthy.systems
What is seL4?
seL4: Assurance and Performance
• The world's first operating-system kernel with provable security enforcement
• World's most advanced mixed-criticality OS
• Open Source
• The world's fastest protected-mode OS
• The world's only general-purpose microkernel designed for real-world use with complete, sound timeliness analysis
3 | FOSDEM | Bruxelles | Feb'20
World's Most Secure OS: Arm v7
Proof chain (abstract model → C implementation → binary code):
• Confidentiality, Integrity, Availability: proof that the abstract model enforces security
• Functional correctness: proof that the C code only behaves as specified by the abstract model
• Translation validation: proof that the binary retains the C-code semantics
• Proof of a sound worst-case execution time bound on the binary code
Limitations (work in progress):
• Kernel initialisation not yet verified
• MMU & caches modelled abstractly
• Timing channels not ruled out
Military-Strength Security
DARPA HACMS: Retrofit existing system!
Systems shown: Autonomous trucks, Unmanned Little Bird (ULB), Cross-Domain Desktop Compositor, Secure Comms Dongle
seL4 on RISC-V
Background: HENSOLDT Cyber
• Munich-based startup
• Secure RISC-V processor
• Based on open-source Ariane core (ETH)
• Supply chain secured through logic encryption
• Secure OS based on seL4 (diagram: untrusted app, secured app, file server, crypto)
• Targets defence, industrial control, critint, automotive
Disclosure: I have an interest in HENSOLDT Cyber
Performance on RV64
Message-passing round-trip latency in cycles (not yet fully optimised!)

Arch          Intra address space   Inter address space
x86 32b        427                   752
x86 64b        565                  1041
Arm 32b        625                   625
Arm 64b        752                   752
RISC-V 64b     690                  1006

Notes:
• Meltdown workaround disabled (else much slower!)
• No ASIDs on HiFive Unleashed, else inter-AS would be same as intra-AS
• Hypervisor extensions supported in branch, tracking draft spec
Verification: RISC-V Status
• Confidentiality, Integrity, Availability proofs on the abstract model
• Functional correctness (abstract model → C implementation): RISC-V due Q1'20
• Translation validation (C implementation → binary code): RISC-V due Q2'20
• Sound WCET bound on the binary: RISC-V in progress
Experience with RISC-V Architecture
Diagram: RISC-V privilege modes (U / VU mode: apps, VMM; S / HS mode: (guest) OS, hypervisor; M mode: firmware)
• Kernel port straightforward:
  - simple and clean RISC architecture
• Verification benefitted from cleanness
  - … but some challenges from less typing in page tables
• Hypervisor (draft) extensions even simpler
• M (machine) mode makes firmware explicit
  - configures HW, delegates to S (supervisor) mode
  - emulates features not implemented in HW
  - should be verified
• Extensibility of ISA could be a concern
  - could undermine portability
• Formal ISA spec is great!
Mixed-Criticality Scheduling (FOSDEM’19 Refresher)
Mixed Criticality: Critical + Untrusted
Critical: sensor readings → control loop; runs every 100 ms for a few milliseconds
Untrusted: NW interrupts → NW driver; runs frequently but for a short time (order of µs)
• NW driver must preempt control loop
  - … to avoid packet loss
• Driver must run at high prio
• Driver must be trusted not to monopolise CPU
MCS Challenge: Sharing
Vehicle control must see consistent state
Diagram: Vehicle Control (critical) and Navigation (less critical) both update Shared Data
Sharing Through Resource Server
Diagram: Control (prio P1) and Navig. (prio P2) invoke Server (prio PS) via a communication endpoint (port)
• Server is single-threaded, which guarantees atomicity
• Implements immediate priority ceiling protocol (IPCP) if PS = max(P1, P2)
• Who pays for server time?
Solution: Time Capabilities
Classical thread attributes:
• Priority
• Time slice (not runnable if null)
New thread attributes:
• Priority
• Scheduling context capability (not runnable if null); the capability limits CPU access!
Scheduling context object (capability for time):
• T: period
• C: budget (≤ T)
Examples: C = 2, T = 3; C = 250, T = 1000
Enables reasoning about time and temporal isolation for mixed-criticality systems
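The budget/period enforcement this slide describes, applied to the untrusted high-priority driver from the mixed-criticality slide, as an added tick-level simulation (example code written for this page, not seL4 code): budgets refill at fixed period boundaries, a simplification of seL4's sporadic-server refills, and the thread names, priorities and budgets are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

@dataclass
class SchedContext:
    """Scheduling context object from the talk: period T and budget C (C <= T)."""
    period: int
    budget: int
    remaining: int = field(init=False)
    next_refill: int = field(default=0, init=False)
    def __post_init__(self) -> None:
        assert self.budget <= self.period, "budget C must not exceed period T"
        self.remaining = self.budget

@dataclass
class Thread:
    name: str
    prio: int
    sc: Optional[SchedContext]          # None models a null scheduling-context capability
    wants_cpu: Callable[[int], bool]    # does the thread want to run at this tick?

def simulate(threads: List[Thread], ticks: int) -> Dict[str, int]:
    """Fixed-priority scheduling with budget enforcement: each tick, the highest-priority
    thread that wants the CPU and still has budget in its current period runs one tick.
    Budgets refill at fixed period boundaries (simplified). Returns ticks used per thread."""
    usage = {t.name: 0 for t in threads}
    for now in range(ticks):
        for t in threads:                     # replenish budgets whose period has elapsed
            if t.sc is not None and now >= t.sc.next_refill:
                t.sc.remaining = t.sc.budget
                t.sc.next_refill = now + t.sc.period
        runnable = [t for t in threads
                    if t.sc is not None and t.sc.remaining > 0 and t.wants_cpu(now)]
        if runnable:                          # a thread out of budget cannot be chosen
            chosen = max(runnable, key=lambda t: t.prio)
            chosen.sc.remaining -= 1
            usage[chosen.name] += 1
    return usage

def run_scenario(driver_budget: int, ticks: int = 30) -> Dict[str, int]:
    """Constructed scenario: an untrusted high-priority NW driver that tries to hog the
    CPU, a lower-priority critical control loop, and a thread with a null SC capability.
    driver_budget=2 is the talk's C=2, T=3 context; driver_budget=3 (C == T) is uncapped."""
    threads = [
        Thread("nw_driver", 10, SchedContext(period=3, budget=driver_budget), lambda now: True),
        Thread("control_loop", 5, SchedContext(period=3, budget=1), lambda now: True),
        Thread("no_sc", 20, None, lambda now: True),   # highest prio, yet never runnable
    ]
    return simulate(threads, ticks)   # run_scenario(2) -> driver 20, control 10, no_sc 0
```

With the C=2, T=3 context the driver gets at most two thirds of the CPU and the control loop always gets its tick; with C = T the driver starves the control loop completely.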
Time Caps (MCS) Kernel Verification
Diagram: four verification chains (Spec → Proof → C → Proof → Binary) for the new MCS kernel and the mainline kernel, each on Arm v7 and RISC-V; the MCS proofs are to be merged into mainline, with milestones shown at Q1'20, Q2'20 and Q4'20
Community/ Ecosystem
Experience with RISC-V Foundation
Security Standing Committee:
• Invited me on
• Very receptive and supportive
• Committed to making RISC-V "most secure architecture"
• Facilitated engagement with Privspec TC (now Standing Committee)
Privileged Spec Tech Committee:
• Hypervisor-extension feedback well received
  - Easy engagement
  - Constructive proposal from TC chair addressing our issues
• Time-protection slow to get traction
  - Now good engagement, hopefully progress soon
• Open but skeptical
• They need to manage conflicting ideas
• Keen to get "most secure arch" recognition
We Are Creating the seL4 Foundation!
Aims:
• Provide a neutral entity for coordinating & enhancing seL4 ecosystem
• Grow adoption of seL4
• Improve (organisational and individual) community participation & cooperation
  - Developers
  - Adopters
• Develop / standardise seL4 system
  - kernel & proofs
  - libraries, services, tools
• Protect and promote the seL4 brand
  - prevent reputational damage from using modified seL4 (verification invalidated)
• Provide platform for pooling funds for critical "big-ticket" items (verification)
Foundation Structure
Diagram: LF Projects LLC → seL4 Series LLC (the seL4 Foundation), holding the seL4 trademark and the seL4 Board; seL4 Technical Charter → seL4 Technical Project; seL4 Fund Charter → seL4 Directed Fund, funded ($$) by Contributors
https://sel4.systems
Membership and Governance
Board:
• Trustworthy Systems: 3 directors, Chair ex officio
• Premium Members (US$ 100k/a): 1 director each
• Members (US$ 3–30k/a): 1 director
• Associate Members (US$ 0)
Technical Steering Committee: Technical Leader(s), Committers
Initial Board:
• June Andronick, TS
• Gernot Heiser, TS
• Gerwin Klein, TS
• John Launchbury, Galois (ex DARPA)
• Sascha Kegreiß, HENSOLDT Cyber
• Daniel Potts, Ghost Locomotion
Note: members must be financial members of Linux Foundation!
Community Engagement
Diagram: Core (Trustworthy Systems Team) evolves the proofs and maintains/extends the code; Community: adopt/extend/maintain/innovate!, provide samples/templates, provide & maintain userland, platform ports and other userland (contribute, adopt & maintain?)
Foundation Status
• Legal docs (fund charter & technical charter) approved by Linux Foundation
• Trademark ready for transfer to Foundation
• Initial board appointed
• Interim web site shows structure, "Principles" and legal docs
• Hopefully days away from being able to set up members
  - Mail foundation@sel4.systems if you're interested in joining!
  - Will make announcement on seL4.systems mailing lists
https://sel4.systems/Foundation