the quest v separation kernel
play

The Quest-V Separation Kernel Richard West richwest@cs.bu.edu - PowerPoint PPT Presentation

Sep 21, 2023 •130 likes •547 views

The Quest-V Separation Kernel Richard West richwest@cs.bu.edu Computer Science Goals Develop system for high-confidence (embedded) systems Mixed criticalities (timeliness and safety) Predictable real-time support

  1. The Quest-V Separation Kernel Richard West richwest@cs.bu.edu Computer Science

  2. Goals • Develop system for high-confidence (embedded) systems – Mixed criticalities (timeliness and safety) • Predictable – real-time support • Resistant to component failures & malicious manipulation • Self-healing • Online recovery of software component failures 2

  3. Target Applications • Healthcare • Avionics • Automotive • Factory automation • Robotics • Space exploration • Other safety-critical domains 3

  4. Case Studies • $327 million Mars Climate Orbiter – Loss of spacecraft due to Imperial / Metric conversion error (September 23, 1999) • 10 yrs & $7 billion to develop Ariane 5 rocket – June 4, 1996 rocket destroyed during flight – Conversion error from 64-bit double to 16-bit value • 50+ million people in 8 states & Canada in 2003 without electricity due to software race condition 4

  5. Approach • Quest-V for multi-/many-core processors – Distributed system on a chip – Time as a first-class resource • Cycle-accurate time accountability – Separate sandbox kernels for system components – Memory isolation using h/w-assisted memory virtualization • Extended page tables (EPTs – Intel) • Nested page tables (NPTs – AMD) – Also need CPU, I/O, cache isolation, etc (later!) 6

  6. Related Work • Existing virtualized solutions for resource partitioning – Wind River Hypervisor, XtratuM, PikeOS, Mentor Graphics Hypervisor – Xen, Oracle PDOMs, IBM LPARs – Muen, (Siemens) Jailhouse 7

  7. Problem • Traditional Virtual Machine approaches too expensive – Require traps to VMM (a.k.a. hypervisor) to mux & manage machine resources for multiple guests – e.g., ~1500 clock cycles VM-Enter/Exit on Xeon E5506 8

  8. Traditional Approach (Type 1 VMM) ... VM VM VM VM VM Type 1 VMM / Hypervisor Hardware (CPUs, memory, devices) 9

  9. Contributions • Quest-V Separation Kernel [WMC'13, VEE'14] – Uses H/W virtualization to partition resources amongst services of different criticalities – Each partition, or sandbox , manages its own CPU cores, memory area, and I/O devices w/o hypervisor intervention – Hypervisor typically only needed for bootstrapping system + managing comms channels b/w sandboxes 10

  10. Contributions • Quest-V Separation Kernel Eliminates hypervisor intervention during normal virtual machine operations 11

  11. Architecture Overview 12

  12. Memory Partitioning • Guest kernel page tables for GVA-to-GPA translation • EPTs (a.k.a. shadow page tables) for GPA-to- HPA translation – EPTs modifiable only by monitors – Intel VT-x: 1GB address spaces require 12KB EPTs w/ 2MB superpaging 13

  13. Quest-V Linux Memory Layout 14

  14. Quest-V Memory Partitioning 15

  15. Memory Virtualization Costs • Example Data TLB overheads • Xeon E5506 4-core @ 2.13GHz, 4GB RAM 16

  16. I/O Partitioning • Device interrupts directed to each sandbox – Use I/O APIC redirection tables – Eliminates monitor from control path • EPTs prevent unauthorized updates to I/O APIC memory area by guest kernels • Port-addressed devices use in/out instructions • VMCS configured to cause monitor trap for specific port addresses • Monitor maintains device "blacklist" for each sandbox – DeviceID + VendorID of restricted PCI devices 17

  17. Quest-V I/O Partitioning Data Port: 0xCFC Address Port: 0xCF8 18

  18. Monitor Intervention During normal operation only one monitor trap every 3-5 mins by CPUID No I/O Partitioning I/O Partitioning (Block COM and NIC) Exception (TF) 0 9785 CPUID 502 497 VMCALL 2 2 I/O Instruction 0 11412 EPT Violation 0 388 XSETBV 1 1 Table: Monitor Trap Count During Linux Sandbox Initialization 19

  19. CPU Partitioning • Scheduling local to each sandbox – partitioned rather than global – avoids monitor intervention • Uses real-time VCPU approach for Quest native kernels [RTAS'11] 20

  20. Predictability ● VCPUs for budgeted real-time execution of threads and system events (e.g., interrupts) ● Threads mapped to VCPUs ● VCPUs mapped to physical cores ● Sandbox kernels perform local scheduling on assigned cores ● Avoid VM-Exits to Monitor – eliminate cache/TLB flushes 21

  21. VCPUs in Quest(-V) Address Threads Space Main VCPUs I/O VCPUs PCPUs (Cores) 22

  22. VCPUs in Quest(-V) • Two classes Main → – for conventional tasks I/O → – for I/O event threads (e.g., ISRs) • Scheduling policies Main → – sporadic server (SS) I/O → – priority inheritance bandwidth- preserving server (PIBS) 23

  23. SS Scheduling • Model periodic tasks – Each SS has a pair (C,T) s.t. a server is guaranteed C CPU cycles every period of T cycles when runnable • Guarantee applied at foreground priority • background priority when budget depleted – Rate-Monotonic Scheduling theory applies 24

  24. PIBS Scheduling IO VCPUs have utilization factor, U V,IO • • IO VCPUs inherit priorities of tasks (or Main VCPUs) associated with IO events Currently, priorities are ƒ (T) for – corresponding Main VCPU – IO VCPU budget is limited to: • T V,main * U V,IO for period T V,main 25

  25. PIBS Scheduling • IO VCPUs have eligibility times, when they can execute t e = t + C actual / U V,IO • – t = start of latest execution – t >= previous eligibility time 26

  26. Example VCPU Schedule 27

  27. Sporadic Constraint • Worst-case preemption by a sporadic task for all other tasks is not greater than that caused by an equivalent periodic task (1) Replenishment, R must be deferred at least t+T V (2) Can be deferred longer (3) Can merge two overlapping replenishments • R1.time + R1.amount >= R2.time then MERGE • Allow replenishment of R1.amount +R2.amount at R1.time 28

  28. Example Replenishments amount , time Replenishment Queue Element VCPU 0 (C=10, T=40, Start=1) VCPU 1 (C=20, T=50, Start=0) IOVCPU (Utilization=4%) 20,00 02,00 02,40 18,50 02,50 02,80 02,90 16,100 00,00 18,50 18,50 02,90 02,90 02,90 16,100 02,130 00,00 00,00 00,00 00,00 16,100 16,100 02,130 02,140 (A) 1 10 17 2 1 10 1 16 2 1 10 12 8 Corrected Algorithm 0 10 20 30 40 50 60 70 80 90 100 110 (B) 1 10 17 2 1 10 17 2 1 10 17 Premature Replenishment 0 10 20 30 40 50 60 70 80 90 100 110 Interval [t=0,100] (A) VCPU 1 = 40%, (B) VCPU 1 = 46% 29

  29. Utilization Bound Test • Sandbox with 1 PCPU, n Main VCPUs, and m I/O VCPUs – Ci = Budget Capacity of Vi – Ti = Replenishment Period of Vi – Main VCPU, Vi – Uj = Utilization factor for I/O VCPU, Vj n − 1 Ci m − 1 Ti + ∑ ∑ √ 2 − 1 ) n ( 2 − Uj ) ⋅ Uj ≤ n ⋅ ( i = 0 j = 0 30

  30. Cache Partitioning • Shared caches controlled using color-aware memory allocator • Cache occupancy prediction based on h/w performance counters – E' = E + (1-E/C) * m l – E/C * m o – Enhanced with hits + misses [Book Chapter, OSR'11, PACT'10] 31

  31. Linux Front End • For low criticality legacy services • Based on Puppy Linux 3.8.0 • Runs entirely out of RAM including root filesystem • Low-cost paravirtualization – less than 100 lines – Restrict observable memory – Adjust DMA offsets • Grant access to VGA framebuffer + GPU • Quest native SBs tunnel terminal I/O to Linux via shared memory using special drivers 32

  32. Quest-V Linux Screenshot 33

  33. Quest-V Linux Screenshot 1 CPU + 512 MB No VMX or EPT flags 34

  34. Quest-V Performance Overhead • Measured time to play back 1080P MPEG2 video from the x264 HD video benchmark • Mini-ITX Intel Core i5-2500K 4-core, HD3000 graphics, 4GB RAM mplayer Benchmark 35

  35. Conclusions • Quest-V separation kernel built from scratch – Distributed system on a chip – Uses (optional) h/w virtualization to partition resources into sandboxes – Protected comms channels b/w sandboxes • Sandboxes can have different criticalities – Linux front-end for less critical legacy services • Sandboxes responsible for local resource management – avoids monitor involvement 36

  36. Quest-V Status • About 11,000 lines of kernel code • 200,000+ lines including lwIP, drivers, regression tests • SMP, IA32, paging, VCPU scheduling, USB, PCI, networking, etc • Quest-V requires BSP to send INIT-SIPI-SIPI to APs, as in SMP system – BSP launches 1 st (guest) sandbox – APs “VM fork” their sandboxes from BSP copy 37

  37. Future Work • Online fault detection and recovery • Technologies for secure monitors – e.g., Intel TXT + VT-d • Separation kernel support for: – Accelerators / GPUs (time partitioning) – NoCs – Heterogeneous platforms (ala Helios satellite kernels) See www.questos.org for more details 38

  38. Quest-V Demo ● Bootstrapping Quest native kernel (core 0) + Linux (core 1) – Linux kernel + filesystem in RAM – Secure comms channel b/w Quest SB & Linux SB using a pseudo-char device – /dev/qSBx device for each sandbox x ● Triple modular redundancy (TMR) fault recovery for unmanned aerial vehicle (UAV) http://quest.bu.edu/demo.html 39

  39. The Quest Team • Richard West • Ye Li • Eric Missimer • Matt Danish • Gary Wong 40

Recommend

Predictable Communication and Migration in the Quest-V Separation Kernel Ye Li, Richard West,

Predictable Communication and Migration in the Quest-V Separation Kernel Ye Li, Richard West,

Introduction Quest-V Overview Inter-Sandbox Communication Predictable Migration Conclusions Predictable Communication and Migration in the Quest-V Separation Kernel Ye Li, Richard West, Zhuoqun Cheng, Eric Missimer Boston University 1 / 29

870 views • 29 slides
Fragile Separation Robust Separation x 2 x 2 x 2 x 2 New data x 1 x 1 x 1 x 1 } What

Fragile Separation Robust Separation x 2 x 2 x 2 x 2 New data x 1 x 1 x 1 x 1 } What

Data Separation x 2 x 2 Class #10: Kernel Functions and Support Vector Machines (SVMs) x 1 x 1 Machine Learning (COMP 135): M. Allen, 07 Oct. 19 Linear classification with a perceptron or logistic function look for a dividing line in } the

162 views • 5 slides
Fragile Separation Robust Separation x 2 x 2 x 2 x 2 New data x 1 x 1 x 1 x 1 } What

Fragile Separation Robust Separation x 2 x 2 x 2 x 2 New data x 1 x 1 x 1 x 1 } What

Data Separation x 2 x 2 Class #13: Support Vector Machines (SVMs) and Kernel Functions x 1 x 1 Machine Learning (COMP 135): M. Allen, 02 Mar. 20 Linear classification with a perceptron or logistic function look for a dividing line in } the

170 views • 6 slides
FreeBSD Development for Smarties The quest for a better kernel development environment Lawrence

FreeBSD Development for Smarties The quest for a better kernel development environment Lawrence

FreeBSD Development for Smarties The quest for a better kernel development environment Lawrence Stewart lastewart@swin.edu.au Centre for Advanced Internet Architectures (CAIA) Swinburne University of Technology Outline Getting started 1

394 views • 35 slides
Kernel Spectrogram Models for source separation Antoine Liutkus 1 , Zafar Rafii 2 , Bryan Pardo 2

Kernel Spectrogram Models for source separation Antoine Liutkus 1 , Zafar Rafii 2 , Bryan Pardo 2

Audio separation Spectrogram models Results Conclusion Kernel Spectrogram Models for source separation Antoine Liutkus 1 , Zafar Rafii 2 , Bryan Pardo 2 Derry Fitzgerald 3 , Laurent Daudet 4 1 Inria, Universit e de Lorraine, LORIA, UMR 7503,

197 views • 18 slides
Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its

Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its

Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its Verification Mads Dam KTH Royal Institute of Technology BISS spring school, Bertinoro 2018 The Goal Hypervisor Context switch: Fixed round-robin

1.16k views • 67 slides
Muen - An x86/64 Separation Kernel for High Assurance Reto Buerki Adrian-Ken Rueegsegger

Muen - An x86/64 Separation Kernel for High Assurance Reto Buerki Adrian-Ken Rueegsegger

Outline Introduction Implementation Analysis Conclusion Muen - An x86/64 Separation Kernel for High Assurance Reto Buerki Adrian-Ken Rueegsegger Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil

784 views • 27 slides
Paper-Reading-Group Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege

Paper-Reading-Group Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege

Paper-Reading-Group Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege Separation Nathan Dautenhahn, Theodoros Kasampalis, Will Dietz, John Criswell, and Vikram Adve Nested Kernel - Motivation Monoliths have single

398 views • 17 slides
Separation Kernel Protection Profile Revisited: Choices and Rationale Layered Assurance Workshop

Separation Kernel Protection Profile Revisited: Choices and Rationale Layered Assurance Workshop

Separation Kernel Protection Profile Revisited: Choices and Rationale Layered Assurance Workshop 2010 Austin, Texas Timothy Levin, Thuy Nguyen, Cynthia Irvine, Michael McEvilley LAW 2010 Overview Purpose Help users of SKPP understand

383 views • 17 slides
A Virtualized Separation Kernel for Mixed Criticality Systems Ye Li, Richard West and Eric

A Virtualized Separation Kernel for Mixed Criticality Systems Ye Li, Richard West and Eric

Introduction Architecture Performance Conclusions Ongoing and Future Work A Virtualized Separation Kernel for Mixed Criticality Systems Ye Li, Richard West and Eric Missimer Boston University March 2nd, 2014 Introduction Architecture

449 views • 21 slides
Quantification of Uncertainty in Extreme Scale Computations (QUEST) www.quest-scidac.org H. Najm

Quantification of Uncertainty in Extreme Scale Computations (QUEST) www.quest-scidac.org H. Najm

Intro QUEST Technical Progress Closure Quantification of Uncertainty in Extreme Scale Computations (QUEST) www.quest-scidac.org H. Najm 1 , B. Debusschere 1 , M. Eldred 1 , R. Ghanem 2 , O. Ghattas 3 , R. Moser 3 , E. Prudencio 3 , D. Higdon 4

510 views • 28 slides
Verification of a Separation Kernel Inzemamul Haque Indian Institute of Science, Bangalore 17

Verification of a Separation Kernel Inzemamul Haque Indian Institute of Science, Bangalore 17

Introduction Muen Intel Virtualization Support Challenges Approach Verification of a Separation Kernel Inzemamul Haque Indian Institute of Science, Bangalore 17 July 2017 Introduction Muen Intel Virtualization Support Challenges

272 views • 25 slides
The Quest for Quarks Quest for Quarks p. 1/2 The Frontiers of Matter (in 1932) The periodic

The Quest for Quarks Quest for Quarks p. 1/2 The Frontiers of Matter (in 1932) The periodic

The Quest for Quarks Quest for Quarks p. 1/2 The Frontiers of Matter (in 1932) The periodic chart orders the chemical elements according to their properties. It provides clues to the underly- ing atomic structure. The fundamental

421 views • 29 slides
Atsuto Suzuki 1 in 2007 2 Quest for Quest for Unifying International Linear Collider

Atsuto Suzuki 1 in 2007 2 Quest for Quest for Unifying International Linear Collider

Atsuto Suzuki 1 in 2007 2 Quest for Quest for Unifying International Linear Collider Birth-Evolution Matter and Force ILC of Universe Scie cientific ic A Act ctiv ivit ities Lepton CP Asymmetry Beyond Standard Physics

657 views • 33 slides
Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel Fernndez V, David P. Woodruff, Taisuke Yasuda Kernel Method Many machine learning tasks can be expressed as a function of the inner product

389 views • 22 slides
Separation energies A = 21 isobaric chain one-nucleon separation energies two-nucleon separation

Separation energies A = 21 isobaric chain one-nucleon separation energies two-nucleon separation

Separation energies A = 21 isobaric chain one-nucleon separation energies two-nucleon separation energies Using http://www.nndc.bnl.gov/chart/ find one- and two-nucleon separation energies of 8 He, 11 Li, 45 Fe, 141 Ho, and 208 Pb. Discuss the

237 views • 5 slides
GWG QUEST Recommendations Gil R Sambrano Vice President of Portfolio Development and Review

GWG QUEST Recommendations Gil R Sambrano Vice President of Portfolio Development and Review

MISSION GWG QUEST Recommendations Gil R Sambrano Vice President of Portfolio Development and Review California Institute for Regenerative Medicine October 18, 2018 1 CIRM Quest Discovery Program Objective The Quest Program promotes the

298 views • 6 slides
1 Kernel methods & optimization One example of a kernel that is frequently used in practice

1 Kernel methods & optimization One example of a kernel that is frequently used in practice

Machine Learning Class Notes 9-25-12 Prof. David Sontag 1 Kernel methods & optimization One example of a kernel that is frequently used in practice and which allows for highly non-linear discriminant functions is the Gaussian kernel,

241 views • 5 slides
A QUEST TO UNDERSTAND THE ORGANISATION OF LARGE RELATIONAL DATA: FROM WILD GOATS TO BITCOINS

A QUEST TO UNDERSTAND THE ORGANISATION OF LARGE RELATIONAL DATA: FROM WILD GOATS TO BITCOINS

A QUEST TO UNDERSTAND THE ORGANISATION OF LARGE RELATIONAL DATA: FROM WILD GOATS TO BITCOINS Rmy Cazabet INTRODUCTION: THE QUEST QUEST Data coming from the real world Human/Animal/Natural activity Complex Systems Many

486 views • 33 slides
Muen Design Inzemamul Haque 25 Nov 2016 Introduction Muen is an open-source separation

Muen Design Inzemamul Haque 25 Nov 2016 Introduction Muen is an open-source separation

Muen Design Inzemamul Haque 25 Nov 2016 Introduction Muen is an open-source separation kernel for x86 platform Uses Intel hardware support for virtualization What Muen does? Takes a policy as input and works according to it

622 views • 32 slides
SCHOOL PROGRAM FUNDING QUEST ART SCHOOL + GALLERY Quest Art School + Gallery is one of three

SCHOOL PROGRAM FUNDING QUEST ART SCHOOL + GALLERY Quest Art School + Gallery is one of three

SCHOOL PROGRAM FUNDING QUEST ART SCHOOL + GALLERY Quest Art School + Gallery is one of three pubic not-for-profit art exhibition and education institutions within Simcoe County. It operates in excellence while providing exhibition and

483 views • 22 slides
Wet Separation Techniques The current status & overall perspective in Europe 23 may 2016

Wet Separation Techniques The current status & overall perspective in Europe 23 may 2016

Wet Separation Techniques The current status & overall perspective in Europe 23 may 2016 SUEZ SOIL REMEDIATION STEVE LEROI Basic Building Stones of Wet Separation Technology Differences in properties allows separation, decomposition

333 views • 11 slides
UWaterloos Quest 7/17/2019 CS 846 Presented by: Yilun Bai Masters student in Computer

UWaterloos Quest 7/17/2019 CS 846 Presented by: Yilun Bai Masters student in Computer

Case Study on UWaterloos Quest 7/17/2019 CS 846 Presented by: Yilun Bai Masters student in Computer Science Outline Motivation Goal About Quest Features New look Case study on Quest Email

436 views • 39 slides
Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel Fernndez V, David P. Woodruff, Taisuke Yasuda Overview Preliminaries Kernel ridge regression Kernel -means clustering

476 views • 25 slides

More recommend