Features for Secure Mobile

Devices

Low-overhead system virtualization

Separation of guest domains

Hot plug-in/-out of guest domains

Secure boot

Secure storage

Access control

Issues in virtualization

Efficiency is a major concern in

embedded virtualization.

Paravirtualization approach is more efficient

than full virtualization because expensive

translation is not necessary.

ARM CPU has only one unprivileged

mode

Architecture

CPU Virtualization

Physically two privilege modes (User mode

and Supervisor mode) in ARM CPU.

However,

Supervisor mode is assigned to Xen mode

User mode is split into two logical modes (kernel

and user User mode is split into two logical

modes (kernel and user process of Linux)

Address space protection between kernel mode

and user process mode is guaranteed by ARM

domain access control mechanism.

CPU Virtualization

Xen Mode

Kernel Mode

User Mode

Logical

mode split

CPU Virtualization

Exception Handling

Para-virtualization of system calls.

○ System calls are implemented with software

interrupt.

○ In Xen on ARM, system calls are interpreted

by Xen

Memory Virtualization

Isolation requirements

VMM memory region should be protected

from guest OS kernel and user processes

Guest OS kernel memory should be

protected from user processes

User process memory should be protected

from other processes

Every virtual machine should be isolated

from each other

Memory Virtualization

With paging mechanism we can protect

Xen memory from guest OS / user

processes.

How about Guest OS and user

processes isolation? They are in the

same user space.

Address Space Isolation

Simply separating the address space of

applications and OS kernel will lead to

significant cache/TLB flushing overheads

since ARM v4/v5 architecture has virtually

indexed virtually tagged (VIVT) cache, and

Translation Look-aside Buffer (TLB) entries

are not tagged with address space ID

Memory Virtualization

* ARM11 has virtually indexed physically tagged (VIPT)

cache and Mpcore has physically indexed physically

tagged (PIPT) cache

Memory Virtualization CPU Cache

PIPT

VIVT

VIPT

PIVT

CPU Cache

Virtual Addr.

32 bits

Physical Addr.26 bits

TLB DRAM

CPU Cache

Virtual Addr.

32 bits

Physical Addr.

26 bits

TLB DRAM

CPU

Cache

Virtual Addr.

32 bits

Physical Addr.

26 bits

TLB

DRAM

Memory Virtualization

Memory Map

Xen and guest domain (kernel + user

process) are mapped on a same virtual

address space.

Guest Domain

Xen

Virtual Address Space

0xC0000000

0xFF000000

0xFFFFFFFF

User space

Kernel

0xC0000000

0xFEFFFFFF

0x00000000

Guest Domain Virtual

Address Space

Memory Virtualization Conventional MMU based paging

mechanism can’t protect the OS kernel

from application when they are running

in the same user mode

Domain Access Control is used to

prevent a user process from accessing

to address space of kernel process in

ARM CPU user mode.

c3, Domain Access Control Register

Memory Virtualization

The fields D15-D0 in the register define the access

permissions for each one of the 16 domains. These

domains can be either sections, large pages, or small

pages of memory:

Access Bit field Comment

No access b00 Any access generates a domain fault

Client b01 Accesses are checked based on the page

table entry’s AP flag setting

Reserved b10 Any access generates a domain fault

Manager b11 Accesses are not checked against the access

permission bits in the TLB entry, so a

permission fault cannot be generated.

Memory Virtualization

VMM mode

User process

mode

Kernel mode

D0

D1

D2

D0 D1 D2

VMM Client Client Client

Kernel Client Client Client

User No access No access

Memory Virtualization Keep Xen address translation info from

being flushed.

After page table changes (domain/process switching),

TLB entries are flushed explicitly.

TLB lockdown mechanism provided by processor can be used to avoid TLB flushing and reloading

Two lockdown TLB entries used for Xenpages

○ ARM926 provides 8 lockdown TLB entries

Memory Virtualization

Benchmark

System Boot Procedure Xen and dom 0 kernel images are loaded

at predefined memory location.

Hardware Initialization

Load kernel image for Dom 0

Load and jump to Xen image

Initialize system resources

(Timer, UART, Memory, IRQ)

Create Dom 0

Execute Dom 0

Create / Load guest Domains

System Boot Procedure

Platform Load Address

Xen Dom 0

I.MX21 0xC0008000 0xC1C00000

Partition 0

Xen

Partition 1

Kernel Image

Partition 2

File System

NOR Flash Partition for Dom 0

Virtual space address

VM Create / Destroy

Guest domains (dom U) are created and

destroyed by a user level application,

dom0_util.

Dom0_util supports only create and destroy

functions.

Dom0_util

Domain control driver

Xen

Control guest domain

Request Xen to create and execute /

destroy dom U kernel, where this

driver loads the kernel image.

Create and execute dom U /

destroy dom U

VM Create / Destroy

Partition 0

Kernel Image

Partition 1

File System

Platform Load Address

I.MX21 0xc3c00000

NAND Flash Partition for Dom 1

Virtual space address

Experiment

Host OS: Ubuntu 10.04

Emulator: Goldfish emulator

platform(QEMU 0.82 based Android

emulator)

Guest OS: mini-OS (it is used to test if

Xen can work)

Supported OS: uc OS II

Experiment

Screenshot