Genode Architecture
Outline
1. Why do we need another operating system?
2. Genode entering the picture
3. Architectural principles
4. Core - the root of the process tree
5. Genesis of a new process
6. Simple example setup
Genode OS Framework Architecture 2
Section 1: Why do we need another operating system?
Myths
Problem: Complexity
Today's commodity OSes have an exceedingly complex trusted computing base (TCB).
TCB of an application on Linux:
- Kernel + loaded kernel modules
- Daemons
- X Server + window manager
- Desktop environment
- All running processes of the user
→ User credentials are exposed to millions of lines of code
Problem: Complexity (II)
Implications:
- High likelihood of bugs (need for frequent security updates)
- Huge attack surface for directed attacks
- Zero-day exploits
Problem: Global names
Many examples on traditional systems:
- UIDs, PIDs
- network interface names
- port numbers
- device nodes
- ...
Global names leak information.
A name is a potential attack vector (ambient authority).
Problem: Resource management
- Pretension of unlimited resources
- Lack of accounting
→ Largely non-deterministic behavior
→ Need for complex heuristics and schedulers
Key technologies
- Microkernels
- Decomponentization, kernelization
- Capability-based security
- Virtualization
Tricky questions
How to...
...build a system without global names?
...trade between parties that do not know each other?
...reclaim kidnapped goods from an alien? (without violence)
...deal with distributed access-control policies?
...transparently monitor communication?
...recycle a subsystem without knowing its internal structure?
Even more tricky questions
How to...
...avoid performance hazards through many indirections?
...translate architectural ideas into a real implementation?
Section 2: Genode entering the picture
A bit of history
Research timeline at TU Dresden
A new generation of kernels on the horizon
Unique feature: Cross-kernel portability
When the project started, no suitable microkernel was available
→ Prototyped on Linux and L4/Fiasco
→ Later ported to other kernels
Today: Rich OS construction kit
Support for a variety of kernels: OKL4, L4/Fiasco, L4ka::Pistachio, NOVA, Fiasco.OC, Linux, Codezero
Preservation of special kernel features:
- OKLinux on OKL4
- L4Linux on Fiasco.OC
- Vancouver on NOVA
- Real-time priorities on L4/Fiasco
Uniform API → kernel-independent components
Many ready-to-use device drivers, protocol stacks, and 3rd-party libraries
Section 3: Architectural principles
Object capabilities
Delegation of rights
Each process lives in a virtual environment.
A process that possesses a right (capability) can
- use it (invoke)
- delegate it to acquainted processes
Recursive system structure
Service announcement
Session creation
This works recursively
→ Application-specific TCB
Combined with virtualization
Resource management
Explicit assignment of physical resources to processes
Resource management (II)
Resources can be attached to sessions
Resource management (III)
Intermediation of resource requests
Resource management (IV)
Virtualization of resources
Resource management (V)
Server-side heap partitioning
Parent interface
void exit(exit_value)
void announce(service_name, root_capability)
session_capability session(service_name, session_args)
void upgrade(to_session_capability, quantum)
void close(session_capability)
Root interface
session_capability session(session_args)
void upgrade(session_capability, upgrade_args)
void close(session_capability)
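The parent and root interfaces above are what makes session routing recursive: a child never names a server, it asks its parent for a service, and the parent either routes the request to a child that announced the service or forwards it to its own parent. The C++ model below is an added example written for this page, not Genode's code: `Component`, `Capability`, `request()` and `root_session()` are constructed names, session arguments are plain strings, and the tree (core, init, vesa_drv, launchpad, app) is taken from the demo scenario later in the deck but wired up by hand. It shows the recursion for a service provided by core (LOG), by a sibling subsystem (Framebuffer), and for a service nobody provides, and that a server rejects a capability it never issued.

```cpp
#include <cstddef>
#include <map>
#include <string>
#include <utility>

// Constructed model of Genode's parent/root session routing (not Genode code).
// A capability is an opaque handle; a component can only use what it was handed.
struct Capability {
    unsigned id = 0;
    bool valid() const { return id != 0; }
};

class Component {
  public:
    explicit Component(std::string name, Component *parent = nullptr)
    : _name(std::move(name)), _parent(parent) {}

    // Parent interface, announce(service_name, root_capability): a child hands
    // its parent the right to create sessions at the child's root.
    void announce(const std::string &service, Component &server) { _services[service] = &server; }

    // Parent interface, session(service_name, session_args): route to a child
    // that announced the service, else forward to the own parent. The
    // requester never learns which component serves it (no global names).
    Capability session(const std::string &service, const std::string &args) {
        ++_requests_routed;                          // every hop can monitor traffic
        auto it = _services.find(service);
        if (it != _services.end()) return it->second->root_session(service, args);
        if (_parent) return _parent->session(service, args);
        return Capability{};                         // reached core: nobody provides it
    }

    // Child-side view: a session request always goes to the parent.
    Capability request(const std::string &service, const std::string &args) {
        return _parent ? _parent->session(service, args) : Capability{};
    }

    // Root interface, session(session_args): reachable only through a parent
    // holding the root capability; hands out a fresh session capability.
    Capability root_session(const std::string &service, const std::string &args) {
        Capability cap{++_next_cap_id};
        _sessions[cap.id] = service + "(" + args + ")";
        return cap;
    }

    // Root interface, close(session_capability): false for a capability this
    // server never issued or has already closed.
    bool close(Capability cap) { return _sessions.erase(cap.id) == 1; }

    const std::string &name() const { return _name; }
    unsigned requests_routed() const { return _requests_routed; }
    std::size_t open_sessions() const { return _sessions.size(); }

  private:
    std::string _name;
    Component *_parent;
    std::map<std::string, Component *> _services;   // announced by children
    std::map<unsigned, std::string> _sessions;      // issued by this server
    unsigned _requests_routed = 0;
    static unsigned _next_cap_id;
};
unsigned Component::_next_cap_id = 0;

struct Routing_result {
    bool framebuffer_ok, log_ok, unknown_rejected, close_ok, forged_close_rejected;
    unsigned launchpad_routed, init_routed, core_routed;
    std::size_t vesa_sessions, core_sessions;
};

// Tree from the deck's demo scenario, wired by hand: core > init > {vesa_drv,
// launchpad > app}. 'app' only ever talks to its parent, launchpad.
Routing_result run_demo() {
    Component core("core");
    Component init("init", &core);
    Component vesa("vesa_drv", &init);
    Component launchpad("launchpad", &init);
    Component app("app", &launchpad);
    core.announce("LOG", core);                        // core serves LOG at its own root
    init.announce("Framebuffer", vesa);                // vesa_drv announced to init

    Capability fb    = app.request("Framebuffer", "ram_quota=8K"); // up one hop, down one
    Capability log   = app.request("LOG", "label=app");            // up to core
    Capability bogus = app.request("Nitpicker", "");               // nobody provides it

    Routing_result r{};
    r.framebuffer_ok        = fb.valid();
    r.log_ok                = log.valid();
    r.unknown_rejected      = !bogus.valid();
    r.forged_close_rejected = !vesa.close(Capability{4242});      // constructed, never issued
    r.close_ok              = vesa.close(fb);
    r.launchpad_routed = launchpad.requests_routed();  // 3
    r.init_routed      = init.requests_routed();       // 3
    r.core_routed      = core.requests_routed();       // 2: Framebuffer never reached core
    r.vesa_sessions    = vesa.open_sessions();         // 0 after the close
    r.core_sessions    = core.open_sessions();         // 1: the LOG session
    return r;
}
```

Call `run_demo()` from a `main()` or a test and inspect the hop counters: every parent on the path sees the request, which is exactly the point where a parent can monitor, virtualize or deny a service without the child noticing.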
Section 4: Core - the root of the process tree
Core services
Core provides the services LOG, RAM, CAP, CPU, IO_MEM, IO_PORT, IRQ, PD, ROM, RM, and SIGNAL.
LOG: debug output
amount write(string)
RAM: physical memory
ram_dataspace_capability alloc(size, cached)
void free(ram_dataspace_capability)
void ref_account(ram_session_capability)
void transfer_quota(ram_session_capability, amount)
amount quota()
amount used()
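The RAM interface above is where the explicit resource accounting lives: a session has a quota and a used amount, quota moves between sessions only along an established reference-account relationship, and an allocation that would exceed the quota fails instead of silently borrowing from the rest of the system. The C++ model below is an added example, not Genode's implementation: `Ram_session`, `run_accounting()` and the numeric dataspace ids are constructed, the `cached` flag of `alloc` is omitted, and the amounts (64K parent quota, 16K for the child, 4K paid to a server) are made up. It follows the "Create RAM session, assign memory quantum" steps from the genesis section of this deck, then shows why an over-quota allocation by the child cannot touch the parent's budget and how a session upgrade is just a quota transfer to the server.

```cpp
#include <cstddef>
#include <map>

// Constructed model of RAM-session quota accounting (not Genode code). Each
// session has a quota (upper bound) and a used amount; quota moves between two
// sessions only if one is the reference account of the other.
class Ram_session {
  public:
    explicit Ram_session(std::size_t quota = 0) : _quota(quota) {}

    // ref_account(ram_session_capability): the account quota may be exchanged with.
    void ref_account(const Ram_session &ref) { _ref = &ref; }

    // transfer_quota(ram_session_capability, amount): move unused quota from
    // this session to 'to'. Fails without a reference-account relationship or
    // if the amount is not available (quota already backing dataspaces).
    bool transfer_quota(Ram_session &to, std::size_t amount) {
        bool related = (to._ref == this) || (_ref == &to);
        if (!related || amount > avail()) return false;
        _quota    -= amount;
        to._quota += amount;
        return true;
    }

    // alloc(size): hand out a dataspace accounted against this session only.
    // Returns 0 (no capability) when the request exceeds the remaining quota.
    unsigned alloc(std::size_t size) {
        if (size == 0 || size > avail()) return 0;
        unsigned id = ++_next_id;           // constructed stand-in for a dataspace capability
        _dataspaces[id] = size;
        _used += size;
        return id;
    }

    // free(ram_dataspace_capability): returns the dataspace's size to the quota.
    bool free(unsigned id) {
        auto it = _dataspaces.find(id);
        if (it == _dataspaces.end()) return false;
        _used -= it->second;
        _dataspaces.erase(it);
        return true;
    }

    std::size_t quota() const { return _quota; }
    std::size_t used()  const { return _used; }
    std::size_t avail() const { return _quota - _used; }

  private:
    std::size_t _quota;
    std::size_t _used = 0;
    const Ram_session *_ref = nullptr;
    std::map<unsigned, std::size_t> _dataspaces;
    static unsigned _next_id;
};
unsigned Ram_session::_next_id = 0;

struct Accounting {
    std::size_t parent_quota, child_quota, server_quota, child_used;
    bool over_quota_rejected, unrelated_transfer_rejected;
};

// Replays the "Create RAM session, assign memory quantum" steps of the genesis
// section with constructed amounts, then exercises the failure paths.
Accounting run_accounting() {
    const std::size_t K = 1024;
    Ram_session parent(64 * K);           // quota the parent itself received
    Ram_session child;                    // Ram_connection ram;
    child.ref_account(parent);            // ram.ref_account(env()->ram_session_cap());
    parent.transfer_quota(child, 16 * K); // env()->ram_session()->transfer_quota(ram, RAM_QUOTA);

    unsigned bss = child.alloc(12 * K);   // writable section, paid from the child's quota
    bool over    = child.alloc(8 * K) == 0;   // 12K + 8K > 16K: rejected, parent untouched

    Ram_session server;                   // a server the child wants a session with
    bool unrelated = !child.transfer_quota(server, 4 * K);  // no reference account yet
    server.ref_account(child);
    child.transfer_quota(server, 4 * K);  // session upgrade: the client pays the server
    child.free(bss);
    return {parent.quota(), child.quota(), server.quota(), child.used(), over, unrelated};
}
```

Call `run_accounting()` from a `main()` or a test. The parent ends with 48K, the child with 12K and the server with 4K: every byte is attributable to exactly one session, and no session can consume more than it was explicitly given.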
CAP: object identities
capability alloc(entrypoint_capability)
void free(capability)
CPU: threads
thread_capability create_thread(name)
void kill_thread(thread_capability)
void start(thread_capability, ip, sp)
IO_MEM: memory-mapped I/O
Session arguments: base, size, write-combined
io_mem_dataspace_capability dataspace()
IO_PORT: port-based I/O
Session arguments: base, size
value inb(address)
value inw(address)
value inl(address)
void outb(address, value)
void outw(address, value)
void outl(address, value)
IRQ: device interrupts
Session argument: irq number
void wait_for_irq()
PD: protection domain
void bind_thread(thread_capability)
void assign_parent(parent_capability)
ROM: access to boot modules
Session argument: filename
rom_dataspace_capability dataspace()
RM: address-space management
local_addr attach(dataspace_capability, size, offset, use_local_addr, local_addr, executable)
void detach(local_addr)
void add_client(thread_capability thread)
/* managed dataspaces */
dataspace_capability dataspace()
void fault_handler(signal_context_capability)
state state()
SIGNAL: asynchronous signal delivery
signal_context_capability alloc_context(imprint)
void free_context(signal_context_capability)
void submit(signal_context_capability, count)
signal wait_for_signal()
Section 5: Genesis of a new process
Ingredients
Process environment set up by the parent:
- RAM session for BSS and heap
- ROM session for executable binary
- CPU session for main thread
- RM session for address-space layout
- PD session for protection domain
Parent: Obtain executable ELF binary
Rom_connection rom("init");
Rom_dataspace_capability ds_cap = rom.dataspace();
void *elf_addr = env()->rm_session()->attach(ds_cap);
Parent: ELF binary decoding
1. Create a new region map using the RM service:
Rm_connection rm;
2. Attach read-only parts of the dataspace:
rm.attach(ds_cap, size, offset, true, addr);
3. Create RAM session, assign memory quantum:
Ram_connection ram;
ram.ref_account(env()->ram_session_cap());
env()->ram_session()->transfer_quota(ram, RAM_QUOTA);
4. Use RAM dataspaces for writable sections (DATA, BSS):
rw_cap = ram.alloc(section_size);
void *sec_addr = env()->rm_session()->attach(rw_cap);
... /* write to buffer at sec_addr */
env()->rm_session()->detach(sec_addr);
rm.attach(rw_cap, section_size, offset, true, addr);
Parent: Creating the first thread
1. Create CPU session:
Cpu_connection cpu;
2. Create main thread:
Thread_capability thread_cap = cpu.create_thread("noname");
3. Associate the thread with the address-space layout of the process:
rm.add_client(thread_cap);
Parent: Creating the protection domain
1. Create PD session:
Pd_connection pd;
2. Assign parent capability:
pd.assign_parent(parent_cap);
3. Associate main thread with the PD:
pd.bind_thread(thread_cap);
4. Start main thread at instruction pointer and stack pointer:
cpu.start(thread_cap, ip, sp);
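The RM-session steps of the procedure above (create a region map, attach read-only and writable dataspaces at chosen addresses) rest on what a region map guarantees: no two attachments overlap, an attachment is placed either at the requested address or at a free one, and a fault at an address resolves to exactly one dataspace and offset. The C++ model below is an added example written for this page, not Genode's RM implementation: `Region_map`, `resolve()`, `run_genesis()`, the numeric dataspace ids and the addresses are all assumptions, while the attach signature mirrors the RM interface slide (dataspace, size, offset, use_local_addr, local_addr, executable). It replays steps 1, 2 and 4 of the ELF-decoding slide, rejects an attachment that would overlap the text segment, places a stack by first fit, and shows fault resolution before and after a detach.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

// Constructed model of an RM session's region map (not Genode's RM service).
struct Region {
    std::uintptr_t local_addr;   // where the window into the dataspace is mapped
    std::size_t    size;
    unsigned       dataspace;    // constructed stand-in for a dataspace capability
    std::size_t    offset;       // offset of the window inside the dataspace
    bool           executable;
};

class Region_map {
  public:
    Region_map(std::uintptr_t base, std::size_t size) : _base(base), _size(size) {}

    // attach(dataspace, size, offset, use_local_addr, local_addr, executable) as on
    // the RM slide; 0 when the request lies outside the map or would overlap.
    std::uintptr_t attach(unsigned ds, std::size_t size, std::size_t offset,
                          bool use_local_addr, std::uintptr_t local_addr, bool executable) {
        if (size == 0) return 0;
        std::uintptr_t addr = use_local_addr ? local_addr : _first_fit(size);
        if (addr == 0 || !_in_range(addr, size) || _overlaps(addr, size)) return 0;
        _regions.push_back(Region{addr, size, ds, offset, executable});
        return addr;
    }

    // detach(local_addr): removes the attachment that starts at local_addr.
    bool detach(std::uintptr_t local_addr) {
        for (auto it = _regions.begin(); it != _regions.end(); ++it)
            if (it->local_addr == local_addr) { _regions.erase(it); return true; }
        return false;
    }

    // What a fault handler needs: the dataspace backing a faulting address and
    // the offset into it. No region means the access is to unmapped memory.
    struct Resolution { unsigned dataspace; std::size_t offset; bool executable; };
    std::optional<Resolution> resolve(std::uintptr_t addr) const {
        for (const Region &r : _regions)
            if (addr >= r.local_addr && addr - r.local_addr < r.size)
                return Resolution{r.dataspace, r.offset + (addr - r.local_addr), r.executable};
        return std::nullopt;
    }

  private:
    static constexpr std::uintptr_t PAGE = 0x1000;
    static std::uintptr_t _align_up(std::uintptr_t a) { return (a + PAGE - 1) & ~(PAGE - 1); }
    bool _in_range(std::uintptr_t addr, std::size_t size) const {
        return addr >= _base && size <= _size && addr - _base <= _size - size;
    }
    bool _overlaps(std::uintptr_t addr, std::size_t size) const {
        for (const Region &r : _regions)
            if (addr < r.local_addr + r.size && r.local_addr < addr + size) return true;
        return false;
    }
    // Lowest page-aligned gap that fits 'size', scanning attachments by address.
    std::uintptr_t _first_fit(std::size_t size) const {
        std::vector<Region> sorted(_regions);
        std::sort(sorted.begin(), sorted.end(),
                  [](const Region &a, const Region &b) { return a.local_addr < b.local_addr; });
        std::uintptr_t cand = _align_up(_base);
        for (const Region &r : sorted) {
            if (cand + size <= r.local_addr) return cand;
            cand = std::max(cand, _align_up(r.local_addr + r.size));
        }
        return _in_range(cand, size) ? cand : 0;
    }

    std::uintptr_t _base; std::size_t _size;
    std::vector<Region> _regions;
};

struct Genesis_result {
    std::uintptr_t text_addr, data_addr, stack_addr, overlap_addr;
    bool text_exec, data_exec, unmapped_is_fault, detached_is_fault;
    std::size_t data_fault_offset;
};

// Replays steps 1, 2 and 4 of the ELF-decoding slide with constructed dataspace
// ids and addresses, then probes the map the way a fault handler would.
Genesis_result run_genesis() {
    Region_map rm(0x1000, 0x100000);                      // step 1: Rm_connection rm;
    const unsigned rom_ds = 1, data_ds = 2, stack_ds = 3;
    Genesis_result g{};
    g.text_addr    = rm.attach(rom_ds,   0x4000, 0,      true,  0x10000, true);  // step 2: read-only text
    g.data_addr    = rm.attach(data_ds,  0x2000, 0x4000, true,  0x20000, false); // step 4: writable DATA
    g.overlap_addr = rm.attach(rom_ds,   0x1000, 0,      true,  0x11000, false); // rejected: overlaps text
    g.stack_addr   = rm.attach(stack_ds, 0x4000, 0,      false, 0,       false); // first fit: lands at 0x1000
    auto t = rm.resolve(0x10100), d = rm.resolve(0x20010);
    g.text_exec         = t.has_value() && t->executable;
    g.data_exec         = d.has_value() && d->executable;
    g.data_fault_offset = d ? d->offset : 0;               // 0x4000 + 0x10
    g.unmapped_is_fault = !rm.resolve(0x50000).has_value();
    rm.detach(0x20000);
    g.detached_is_fault = !rm.resolve(0x20010).has_value();
    return g;
}
```

Call `run_genesis()` from a `main()` or a test. The overlap rejection is the property a parent relies on when it lays out a child: a later attachment can never silently alias the text segment it already mapped read-only.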
Child: Execute startup code
1. C++ runtime initialization
- Exception handling
- Execute global constructors
2. Request process environment (env) capabilities from parent
3. Call main() function
Section 6: Simple example setup
Default demo scenario
Configuration
<config>
  <parent-provides>
    <service name="ROM"/> <service name="RAM"/> <service name="IRQ"/>
    <service name="IO_MEM"/> <service name="IO_PORT"/> <service name="CAP"/>
    <service name="PD"/> <service name="RM"/> <service name="CPU"/>
    <service name="LOG"/>
  </parent-provides>
  <default-route> <any-service> <parent/> <any-child/> </any-service> </default-route>
  <start name="pci_drv">
    <resource name="RAM" quantum="1M"/>
    <provides><service name="PCI"/></provides>
  </start>
  <start name="vesa_drv">
    <resource name="RAM" quantum="1M"/>
    <provides><service name="Framebuffer"/></provides>
  </start>
  <start name="ps2_drv">
    <resource name="RAM" quantum="1M"/>
    <provides><service name="Input"/></provides>
  </start>
  <start name="timer">
    <resource name="RAM" quantum="1M"/>
    <provides><service name="Timer"/></provides>
  </start>
  <start name="nitpicker">
    <resource name="RAM" quantum="1M"/>
    <provides><service name="Nitpicker"/></provides>
  </start>
  <start name="launchpad">
    <resource name="RAM" quantum="32M"/>
  </start>
</config>
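The init configuration above declares which services the parent provides, which child provides what, how much RAM each child is entitled to, and the order in which a session request is routed (parent first, then any child). The C++ code below is an added example, not part of Genode's init: `parse_config()`, `resolve_route()` and `total_ram_quantum()` are constructed names, the tag scanner only understands the XML subset this config uses, and the embedded sample input is the configuration from the slide. It extracts the structure, sums the RAM quanta init must be able to cover, and answers which component would serve a given session request, including a service nobody provides.

```cpp
#include <cstddef>
#include <regex>
#include <string>
#include <vector>
// Constructed example (not Genode's init): extracts the structure of an init
// <config> and answers routing questions about it.
struct Start_node {
    std::string name;
    std::size_t ram_quantum = 0;          // bytes
    std::vector<std::string> provides;    // services this child announces
};

struct Init_config {
    std::vector<std::string> parent_provides;
    std::vector<Start_node> starts;
    std::vector<std::string> route_order; // hops of <any-service>, in order
};

// "1M", "512K", "4096" -> bytes; 0 for anything else.
std::size_t parse_quantum(const std::string &s) {
    if (s.empty() || s[0] < '0' || s[0] > '9') return 0;
    std::size_t n = std::stoul(s);        // stops at the suffix
    if (s.back() == 'M') return n << 20;
    if (s.back() == 'K') return n << 10;
    return (s.back() >= '0' && s.back() <= '9') ? n : 0;
}

// Minimal tag scanner for the XML subset init configs use (no entities, no text
// content, no '>' inside attribute values); the open-element path tells the two
// kinds of <service> apart.
Init_config parse_config(const std::string &xml) {
    static const std::regex tag_re(R"re(<\s*(/?)\s*([-A-Za-z0-9_]+)([^>]*?)(/?)\s*>)re");
    static const std::regex attr_re(R"re(([-A-Za-z0-9_]+)\s*=\s*"([^"]*)")re");
    Init_config cfg;
    std::vector<std::string> path;
    for (auto it = std::sregex_iterator(xml.begin(), xml.end(), tag_re);
         it != std::sregex_iterator(); ++it) {
        if ((*it)[1].length() > 0) { if (!path.empty()) path.pop_back(); continue; }  // closing tag
        std::string name = (*it)[2].str(), attrs = (*it)[3].str();
        bool self_closing = (*it)[4].length() > 0;
        std::string attr_name, attr_quantum;
        for (auto a = std::sregex_iterator(attrs.begin(), attrs.end(), attr_re);
             a != std::sregex_iterator(); ++a) {
            if ((*a)[1] == "name")    attr_name    = (*a)[2].str();
            if ((*a)[1] == "quantum") attr_quantum = (*a)[2].str();
        }
        std::string parent = path.empty() ? "" : path.back();
        if (name == "service" && parent == "parent-provides")
            cfg.parent_provides.push_back(attr_name);
        else if (name == "start")
            cfg.starts.push_back(Start_node{attr_name, 0, {}});
        else if (name == "resource" && attr_name == "RAM" && !cfg.starts.empty())
            cfg.starts.back().ram_quantum = parse_quantum(attr_quantum);
        else if (name == "service" && parent == "provides" && !cfg.starts.empty())
            cfg.starts.back().provides.push_back(attr_name);
        else if ((name == "parent" || name == "any-child") && parent == "any-service")
            cfg.route_order.push_back(name);
        if (!self_closing) path.push_back(name);
    }
    return cfg;
}

std::size_t total_ram_quantum(const Init_config &cfg) {
    std::size_t sum = 0;
    for (const Start_node &s : cfg.starts) sum += s.ram_quantum;
    return sum;
}

// Applies the default route: hops of <any-service> are tried in order, so the
// parent wins over a child providing the same service. "" means unroutable.
std::string resolve_route(const Init_config &cfg, const std::string &service) {
    for (const std::string &hop : cfg.route_order) {
        if (hop == "parent") {
            for (const std::string &s : cfg.parent_provides)
                if (s == service) return "parent";
        } else if (hop == "any-child") {
            for (const Start_node &st : cfg.starts)
                for (const std::string &p : st.provides)
                    if (p == service) return st.name;
        }
    }
    return "";
}

// The configuration from the slide, embedded as sample input.
const std::string DEMO_CONFIG = R"(<config>
 <parent-provides>
  <service name="ROM"/> <service name="RAM"/> <service name="IRQ"/> <service name="IO_MEM"/> <service name="IO_PORT"/>
  <service name="CAP"/> <service name="PD"/> <service name="RM"/> <service name="CPU"/> <service name="LOG"/>
 </parent-provides>
 <default-route> <any-service> <parent/> <any-child/> </any-service> </default-route>
 <start name="pci_drv"> <resource name="RAM" quantum="1M"/> <provides><service name="PCI"/></provides> </start>
 <start name="vesa_drv"> <resource name="RAM" quantum="1M"/> <provides><service name="Framebuffer"/></provides> </start>
 <start name="ps2_drv"> <resource name="RAM" quantum="1M"/> <provides><service name="Input"/></provides> </start>
 <start name="timer"> <resource name="RAM" quantum="1M"/> <provides><service name="Timer"/></provides> </start>
 <start name="nitpicker"> <resource name="RAM" quantum="1M"/> <provides><service name="Nitpicker"/></provides> </start>
 <start name="launchpad"> <resource name="RAM" quantum="32M"/> </start>
</config>)";
```

Call `parse_config(DEMO_CONFIG)` from a `main()` or a test and query the result. Because the default route tries the parent first, a child that announces a service the parent also provides (for example a second "LOG") would never be reached under this configuration; that ordering is the policy knob a reviewer of an init config should look at.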
Screenshot
Sessions
Virtualized framebuffer
Sessions including virtualized framebuffer
Thank you
What we covered today: Architecture
1. Why do we need another operating system?
2. Genode entering the picture
3. Architectural principles
4. Genesis of a new process
5. Simple example setup
Coming up next: Programming environment
1. Source tree overview
2. Build system
3. Run scripts
4. Inter-process communication
5. Client-server example
More information and resources: http://genode.org