CertiKOS Implementation Progress Liang Gu Yale University.


1 CertiKOS Implementation Progress Liang Gu Yale University

2 Content Overview
Virtual Disk
Port to Intel platform
Reduce virtual device code
– Virtual device at user mode
– Pass through device with IOMMU
Demo

3 Progress after Boston PI meeting
Virtualization
– Virtual devices: PCI, Virtual Disk (virtio, virtio block)
– Support multiple VM guests
– Move virtual devices to execute in user mode
– IOMMU based device pass-through to guest OS
Port CertiKOS to work on bare metal PCI and AHCI
Port to Intel platform with VT-x
Legend: green = done, blue = almost done, red = ongoing

4 CertiKOS Architecture
[Architecture diagram. Labels: Hardware; Hardware Abstraction Layer; SMP Management; Memory Management; Virtual Memory; Interrupt Handling; SVM Primitives; Virtualization Abstraction; Process Management; Context; IPC; Virtual Machine Management; Vconsole; Memory; V-Interrupt; V-Devices; Hypercall; Master; Slave; Master Syscall; Slave Syscall; Mgmt Shell; Mgmt OS (Linux); Commodity OS; CertiKOS Application; APP (uncertified); APP (certified); Virtual Devices]

5 CertiKOS Architecture
[Architecture diagram. Labels: Hardware; Hardware Abstraction Layer; SMP Management; Memory Management; Virtual Memory; Interrupt Handling; SVM Primitives; SVM/VMX Primitives; Virtualization Abstraction; Process Management; Context; IPC; Virtual Machine Management; Vconsole; Memory; V-Interrupt; V-Devices; Hypercall; Master; Slave; Master Syscall; Slave Syscall; Mgmt Shell; Mgmt OS (Linux); Commodity OS; CertiKOS Application; Virtual Devices; APP (uncertified); APP (certified)]

6 CertiKOS Architecture
[Architecture diagram. Labels: Hardware; Hardware Abstraction Layer; SMP Management; Memory Management; Virtual Memory; Interrupt Handling; SVM Primitives; SVM/VMX Primitives; IOMMU; Virtualization Abstraction; Process Management; Context; IPC; Virtual Machine Management; Vconsole; Memory; V-Interrupt; V-Devices; Hypercall; Master; Slave; Master Syscall; Slave Syscall; Mgmt Shell; Mgmt OS (Linux); Commodity OS; CertiKOS Application; Virtual Devices; APP (uncertified); APP (certified)]

7 Content Overview
Virtual Disk
Port to Intel platform
Reduce virtual device code
– Virtual device at user mode
– Pass through device with IOMMU
Demo

8 Virtual Disk
Motivation
– Enable CertiKOS to boot guest OS on bare metal
– Separate the storage of guest OS from CertiKOS physically
Virtual PCI
Virtual disk based on virtio
[Diagram. Labels: a. Mgmt shell; b. Legacy OS, e.g., Linux; c. CertiKOS-based APP; d. Mgmt tool in Linux; Linux; disk0; disk1; Virtual Disk; CertiKOS]

9 Virtio
– Rusty Russell, virtio: Towards a De-Facto Standard For Virtual I/O Devices
– Available in both Linux and Windows
– A simple and efficient framework to provide virtual devices to guest OS
Virtio is an abstraction for a set of common virtual devices
[Diagram. Labels: b. Legacy OS, e.g., Linux; disk1; Front-end driver; Back-end driver; Disk driver; Virtqueue; CertiKOS]

10 Boot CertiKOS on Bare Metal
Multiple settings for booting CertiKOS on bare metal
– Boot CertiKOS and Guest on the same disk
– Boot CertiKOS and Guest on different disks
– Boot CertiKOS on USB and boot the guest on disk

11 Content Overview
Virtual Disk
Port to Intel platform
Reduce virtual device code
– Virtual device at user mode
– Pass through device with IOMMU
Demo

12 Port to Intel platform
Motivation
– Another widely supported Hardware-based Virtualization solution
– Widely available VT-d support
Modularized implementation
– Separate architecture dependent modules
– Integrated by interfaces in the abstraction layer
LOCs
– Sys/virt/svm 1775
– Sys/virt/vmx 2344
VMX uses more sophisticated methods to control the virtualization
– Access memory region for control data structures by special instructions, instead of direct memory read and write
– More sophisticated setup
[Diagram. Labels: SVM Primitive; VMX Primitive; Virtualization Abstraction; Virtual Machine Management; Virtual Devices]

13 Content Overview
Virtual Disk
Port to Intel platform
Reduce virtual device code
– Virtual device at user mode
– Pass through device with IOMMU
Demo

14 Virtual Device
LOCs in previous version at Boston PI meeting
– Sys/virt/ 4441 *
– Sys/virt/dev/ 2384 *
– With Virtual PIC, KBD, PIT, text mode VGA
LOCs in current clean_code branch
– Sys/virt/ 8237 *#
– Sys/virt/dev/ 3643 *
– Added virtual PCI, Virtio, Virtio-blk
Considering more devices, such as USB, Network, …
Moving virtual device to execute in user mode
Securely pass through device with IOMMU
(* counted by cloc 1.56) (# with Intel VT-x)

15 Virtual Device at User Mode
For untrusted guest domains, their virtual devices don't have to be trusted
Process model extension
– Multiple processes on a single core based on round-robin scheduling
– Message passing via channels among processes
[Diagram. Labels: CertiKOS; CPU0; CPU1; a. Idle; d. Legacy Linux; V-KBD; V-PIC; V-PIT]

16 Virtual Device at User Mode
Support multiple VM guests with VM session extension
[Diagram. Labels: CertiKOS; CPU0; CPU1; CPU2; a. Idle; d. Legacy Linux; Guest Linux 2; VM Session 1; VM Session 2]

17 Pass Through Device
Exclusively used devices can be directly exposed to guest VM, without introducing device virtualization code
However, malicious DMA operations are capable of attacking memory spaces
IOMMU / VT-d
– Allow a guest OS running under a VMM to have direct control of a device
– Provide fine-grain control of device access to system memory

18 IOMMU
[Figure] from AMD IOMMU specification Revision 2

19 IOMMU from
[Diagram. Labels: Main memory; CPU; MMU; IOMMU; Device; Device Address; Physical Address; Virtual Address]

20 IOMMU
Based on image from
[Diagram. Labels: CPU; MMU; IOMMU; Device; Device Address; Virtual Address; Device Table; Page Table 1; Page Table 2; Interrupt Remapping Table]

21 Pass through device with IOMMU
[Diagram. Labels: Legacy OS, e.g., Linux; device; CertiKOS; IOMMU; Device Table; Interrupt Remapping Table; NPT]
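
The device-table and page-table check that slides 17 to 21 describe, as an added example that is not part of the original slides or of CertiKOS. It is a simplified single-level software model in C; the table layout, field names and sample frame numbers are assumptions made for illustration.

```c
#include <stdint.h>

/* Simplified software model (added example): real IOMMU tables are
   multi-level and hardware-defined; names and layout are assumptions. */
#define PAGE_SHIFT 12
#define MAX_PAGES  8            /* pages per toy I/O page table */
#define MAX_DEVS   4            /* entries in the toy device table */
#define PERM_R 1u
#define PERM_W 2u

struct io_pte { uint64_t host_pfn; unsigned perm; int present; };
struct dev_entry { int valid; struct io_pte *pt; };   /* one per device ID */

static struct io_pte guest_pt[MAX_PAGES];   /* I/O page table of one guest */
static struct dev_entry dev_table[MAX_DEVS];

enum dma_result { DMA_OK = 0, DMA_NO_DEVICE, DMA_UNMAPPED, DMA_PERM };

/* Translate a device-issued address; every failure path blocks the access. */
enum dma_result iommu_translate(unsigned dev_id, uint64_t dev_addr,
                                unsigned want, uint64_t *host_addr)
{
    if (dev_id >= MAX_DEVS || !dev_table[dev_id].valid)
        return DMA_NO_DEVICE;           /* device not assigned to any guest */
    uint64_t vpn = dev_addr >> PAGE_SHIFT;
    if (vpn >= MAX_PAGES || !dev_table[dev_id].pt[vpn].present)
        return DMA_UNMAPPED;            /* outside the guest's memory */
    const struct io_pte *pte = &dev_table[dev_id].pt[vpn];
    if ((pte->perm & want) != want)
        return DMA_PERM;                /* e.g. write to a read-only page */
    uint64_t offset = dev_addr & ((1u << PAGE_SHIFT) - 1);
    *host_addr = (pte->host_pfn << PAGE_SHIFT) | offset;
    return DMA_OK;
}

/* Constructed setup: device 1 is passed through to a guest that owns
   host frames 0x100 (read/write) and 0x101 (read-only). */
void setup_passthrough(void)
{
    guest_pt[0] = (struct io_pte){ 0x100, PERM_R | PERM_W, 1 };
    guest_pt[1] = (struct io_pte){ 0x101, PERM_R, 1 };
    dev_table[1] = (struct dev_entry){ 1, guest_pt };
}

int main(void)
{
    uint64_t h;
    setup_passthrough();
    return iommu_translate(1, 0x5000, PERM_W, &h) == DMA_UNMAPPED ? 0 : 1;
}
```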

22 Content Overview
Virtual Disk
Port to Intel platform
Reduce virtual device code
– Virtual device at user mode
– Pass through device with IOMMU
Demo

23 CertiKOS Demo Setting For Previous Version
[Diagram. Labels: a. Mgmt shell; b. Legacy OS, e.g., Linux; c. CertiKOS-based APP; CertiKOS; BSP; AP; master; slave; Qemu; Linux KVM]
BSP: Boot Strap Processor
AP: Application Processor
AMD processor with SVM

24 CertiKOS Demo Setting
[Diagram. Labels: a. Mgmt shell; b. Legacy OS, e.g., Linux; c. CertiKOS-based APP; CertiKOS; master; slave]
BSP: Boot Strap Processor
AP: Application Processor
AMD processor with SVM / Intel with VT-x

25 Thank you!

