Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science

slides - Yale University

advertisement 
CertiKOS Implementation Progress
Liang Gu
Yale University
Content
•
•
•
•
Overview
Virtual Disk
Port to Intel platform
Reduce virtual device code
– Virtual device at user mode
– Pass through device with IOMMU
• Demo
1
Progress after Boston PI meeting
• Virtualization
–
–
–
–
Virtual devices: PCI, Virtual Disk ( virtio ,virtio block)
Support Multiple VM guests
Move virtual devices to execute in user mode
IOMMU based device pass-through to guest OS
• Port CertiKOS to work on bare metal
• PCI and AHCI
• Port to Intel platform with VT-x
Green- done
Blue- almost done
Red- ongoing 2
CertiKOS Architecture
Application
Mgmt OS
(Linux)
Mgmt
Shell
Master
Context
CertiKOS
Commodity
OS
Master Syscall
IPC
SMP
Management
Slave Syscall
Slave
V-Interrupt
Memory
Process Management
APP
(certif
ied)
APP
(uncer
tified)
V-Devices
Hypercall
Virtual Machine Management
Virtual
Memory
Memory
Management
Interrup
t
Handling
Virtualization Abstraction
Vconsole
SVM
Primitives
Virtual
Devices
Hardware Abstraction Layer
Hardware
3
CertiKOS Architecture
Application
Mgmt OS
(Linux)
Mgmt
Shell
Master
Context
CertiKOS
Commodity
OS
Master Syscall
IPC
SMP
Management
Virtual
Devices
Slave Syscall
Slave
V-Interrupt
Memory
Process Management
APP
(certif
ied)
APP
(uncer
tified)
V-Devices
Hypercall
Virtual Machine Management
Virtual
Memory
Memory
Management
Interrup
t
Handling
Virtualization Abstraction
Vconsole
SVM
SVM
/VMX
Primitives
Virtual
Devices
Hardware Abstraction Layer
Hardware
4
CertiKOS Architecture
Application
Mgmt OS
(Linux)
Mgmt
Shell
Master
Context
CertiKOS
Commodity
OS
Master Syscall
IPC
SMP
Management
Virtual
Devices
Slave Syscall
Slave
V-Interrupt
Memory
Process Management
APP
(certif
ied)
APP
(uncer
tified)
V-Devices
Hypercall
Virtual Machine Management
Virtual
Memory
Memory
Management
Interrup
t
Handling
Virtualization Abstraction
Vconsole
SVM
SVM
/VMX
Primitives
IOMMU
Hardware Abstraction Layer
Hardware
5
Content
•
•
•
•
Overview
Virtual Disk
Port to Intel platform
Reduce virtual device code
– Virtual device at user mode
– Pass through device with IOMMU
• Demo
6
Virtual Disk
• Motivation
– Enable CertiKOS to boot guest OS on bare metal
– Separate the storage of guest OS from CertiKOS physically
• Virtual PCI
• Virtual disk based on virtio
Linux
a.
Mgmt
shell
d.Mgmt tool
in Linux
b. Legacy OS,
e.g., Linux
CertiKOS
Virtual
Disk
disk0
disk1
c. CertiKOSbased APP
…
7
Virtio
• Virtio
– Rusty Russell, “virtio: Towards a De-Facto Standard For Virtual I/O Devices”
– Available in both Linux and Windows
– A simple and efficient framework to provide virtual devices to guest OS
• Virtio is an abstraction for a set of common virtual devices
b. Legacy OS,
e.g., Linux
Front-end
driver
CertiKOS
Back-end
driver
Disk driver
disk1
Virtqueue
…
8
Boot CertiKOS on Bare Metal
• Multiple settings for booting CertiKOS on bare
metal
– Boot CertiKOS and Guest on the same disk
– Boot CertiKOS and Guest on different disks
– Boot CertiKOS on USB and boot the guest on disk
9
Content
•
•
•
•
Overview
Virtual Disk
Port to Intel platform
Reduce virtual device code
– Virtual device at user mode
– Pass through device with IOMMU
• Demo
10
Port to Intel platform
•
Motivation
– Another widely supported Hardware-based Virtualization solution
– Widely available VT-d support
•
Modularized implementation
– Separate architecture dependent modules
– Integrated by interfaces in the abstraction layer
•
•
Virtualization Abstraction
SVM
Primitive
LOCs
– Sys/virt/svm
– Sys/virt/vmx
Virtual Machine Management
VMX
Primitive
Virtual
Devices
1775
2344
VMX uses more sophisticated methods to control the virtualization
– Access memory region for control data structures by special instructions, instead of direct
memory read and write
– More sophisticated setup
11
Content
•
•
•
•
Overview
Virtual Disk
Port to Intel platform
Reduce virtual device code
– Virtual device at user mode
– Pass through device with IOMMU
• Demo
12
Virtual Device
• LOCs in previous version at Boston PI meeting
– Sys/virt/
4441*
– Sys/virt/dev/
2384*
– With Virtual PIC, KBD, PIT, text mode VGA
• LOCs in current clean_code branch
( * counted by cloc 1.56)
( # with Intel vt-x )
– Sys/virt/
8237*#
– Sys/virt/dev/
3643*
– Added virtual PCI, Virtio, Virtio-blk
• Considering more devices, such as USB, Network, …
• Moving virtual device to execute in user mode
• Securely pass through device with IOMMU
13
Virtual Device at User Mode
• For untrusted guest domains, their virtual devices don’t have to be trusted
• Process model extension
– Multiple processes on a single core based on round-robin scheduling
– Message passing via channels among processes
a. Idle
d. Legacy
Linux
V-KBD V-PIC V-PIT
…
…
CertiKOS
CPU0
CPU1
14
Virtual Device at User Mode
• Support multiple VM guests with VM session extension
VM Session 2
VM Session 1
a. Idle
…
d. Legacy
Linux
Guest Linux 2
…
…
…
CertiKOS
CPU0
…
CPU1
CPU2
…
15
Pass Through Device
• Exclusively used devices can be directly exposed to
guest VM, without introducing device virtualization
code
• However, malicious DMA operations are capable of
attacking memory spaces
• IOMMU / VT-d
– allow a guest OS running under a VMM to have direct
control of a device
– Provide fine-grain control of device access to system
memory
16
IOMMU
from AMD IOMMU specification Revision 2
17
IOMMU
Main memory
Physical Address
IOMMU
Device Address
Device
from http://en.wikipedia.org/wiki/IOMMU
MMU
Virtual Address
CPU
18
IOMMU
Page Table 1
Page Table 2
IOMMU
Device Table
…
…
…
…
Device Address
Device
MMU
Virtual Address
CPU
…
Interrupt Remapping Table
Based on image from http://en.wikipedia.org/wiki/IOMMU
19
Pass through device with IOMMU
Legacy OS,
e.g., Linux
NPT
Device Table
CertiKOS
…
Interrupt Remapping Table
IOMMU
device
20
Content
•
•
•
•
Overview
Virtual Disk
Port to Intel platform
Reduce virtual device code
– Virtual device at user mode
– Pass through device with IOMMU
• Demo
21
CertiKOS Demo Setting
For Previous Version
a. Mgmt shell
b. Legacy OS,
e.g., Linux
c. CertiKOSbased APP
master
slave
slave
…
CertiKOS
Qemu
Linux
BSP
AP
AP
…
KVM
AMD processor with SVM
BSP- Boot Strap Processor
AP-Application Processor
22
CertiKOS Demo Setting
a. Mgmt shell
b. Legacy OS,
e.g., Linux
c. CertiKOSbased APP
master
slave
slave
…
CertiKOS
AMD processor with SVM/ Intel with VT-x
BSP- Boot Strap Processor
AP-Application Processor
23
Thank you!
24
Related documents
Hotel Management System Presentation 3
Hotel Management System Presentation 3
z/Linux or Linux on the Mainframe
z/Linux or Linux on the Mainframe
slides - The Stanford NLP
slides - The Stanford NLP
Unit 6 Operating Systems
Unit 6 Operating Systems
System Administration
System Administration
Document5271810 5271810
Document5271810 5271810
Syndicated Data Analysis
Syndicated Data Analysis
National Symphony Orchestra joins Queen Mary 2
National Symphony Orchestra joins Queen Mary 2
iommu
iommu
Download
advertisement