Lecture by Norman Feske at Summer Systems School '12.
Genode Architecture
SSS'12 - Educational event organized by ksys labs[1] in 2012 for students interested in system software development and information security.
Genode[2] - The Genode operating-system framework provides a uniform API for applications on top of 8 existing microkernels/hypervisors: Linux, L4ka::Pistachio, L4/Fiasco, OKL4, NOVA, Fiasco.OC, Codezero, and a custom kernel for the MicroBlaze architecture.
1. http://ksyslabs.org/
2. http://genode.org
2. Outline
1. Why do we need another operating system?
2. Genode entering the picture
3. Architectural principles
4. Core - the root of the process tree
5. Genesis of a new process
6. Simple example setup
Genode OS Framework Architecture 2
5. Problem: Complexity
Today's commodity OSes have an exceedingly complex trusted computing base (TCB)
TCB of an application on Linux:
Kernel + loaded kernel modules
Daemons
X Server + window manager
Desktop environment
All running processes of the user
→ User credentials are exposed to millions of lines of code
6. Problem: Complexity (II)
Implications:
High likelihood of bugs (need for frequent security updates)
Huge attack surface for directed attacks
Zero-day exploits
7. Problem: Global names
Many examples in traditional systems:
UIDs, PIDs
network interface names
port numbers
device nodes
...
Names leak information
A name is a potential attack vector (ambient authority)
8. Problem: Resource management
Pretense of unlimited resources
Lack of accounting
→ Largely nondeterministic behavior
→ Need for complex heuristics and schedulers
10. Tricky questions
How to...
...build a system without global names?
...trade between parties that do not know each other?
...reclaim kidnapped goods from an alien? (without violence)
...deal with distributed access-control policies?
...transparently monitor communication?
...recycle a subsystem without knowing its internal structure?
11. Even more tricky questions
How to...
...avoid performance hazards through many indirections?
...translate architectural ideas into a real implementation?
13. A bit of history
Research timeline at TU Dresden
14. A new generation of kernels on the horizon
15. Unique feature: Cross-kernel portability
When the project started, no suitable microkernel was available
→ Prototyped on Linux and L4/Fiasco
→ Later ported to other kernels
16. Today: Rich OS construction kit
Support for a variety of kernels:
OKL4, L4/Fiasco, L4ka::Pistachio, NOVA, Fiasco.OC, Linux, Codezero
Preservation of special kernel features:
OKLinux on OKL4,
L4Linux on Fiasco.OC,
Vancouver on NOVA,
Real-time priorities on L4/Fiasco
Uniform API → kernel-independent components
Many ready-to-use device drivers, protocol stacks, and 3rd-party libraries
18. Object capabilities
Delegation of rights:
Each process lives in its own virtual environment
A process that possesses a right (capability) can
use it (invoke it), or
delegate it to processes it is acquainted with
33. Core services
LOG service: debug output
amount write(string)
34. Core services
RAM service: physical memory
ram_dataspace_capability alloc(size, cached)
void free(ram_dataspace_capability)
void ref_account(ram_session_capability)
void transfer_quota(ram_session_capability, amount)
amount quota()
amount used()
35. Core services
CAP service: object identities
capability alloc(entrypoint_capability)
void free(capability)
36. Core services
CPU service: threads
thread_capability create_thread(name)
void kill_thread(thread_capability)
void start(thread_capability, ip, sp)
37. Core services
IO_MEM service: memory-mapped I/O
Session arguments: base, size, write-combined
io_mem_dataspace_capability dataspace()
38. Core services
IO_PORT service: port-based I/O
Session arguments: base, size
value inb(address)
value inw(address)
value inl(address)
void outb(address, value)
void outw(address, value)
void outl(address, value)
39. Core services
IRQ service: device interrupts
Session argument: irq number
void wait_for_irq()
40. Core services
PD service: protection domain
void bind_thread(thread_capability)
void assign_parent(parent_capability)
41. Core services
ROM service: access to boot modules
Session argument: filename
rom_dataspace_capability dataspace()
42. Core services
RM service: address-space management
local_addr attach(dataspace_capability, size, offset, use_local_addr, local_addr, executable)
void detach(local_addr)
void add_client(thread_capability thread)
/* managed dataspaces */
dataspace_capability dataspace()
void fault_handler(signal_context_capability)
state state()
43. Core services
SIGNAL service: asynchronous signal delivery
signal_context_capability alloc_context(imprint)
void free_context(signal_context_capability)
void submit(signal_context_capability, count)
signal wait_for_signal()
45. Ingredients
Process environment set up by the parent:
RAM session for BSS and heap
ROM session for the executable binary
CPU session for the main thread
RM session for the address-space layout
PD session for the protection domain
47. Parent: ELF binary decoding
1. Create a new region map using the RM service:
Rm_connection rm;
2. Attach the read-only parts of the binary's dataspace:
rm.attach(ds_cap, size, offset, true, addr);
3. Create a RAM session and assign it a memory quantum:
Ram_connection ram;
ram.ref_account(env()->ram_session_cap());
env()->ram_session()->transfer_quota(ram, RAM_QUOTA);
4. Use RAM dataspaces for the writable sections (DATA, BSS):
Ram_dataspace_capability rw_cap = ram.alloc(section_size);
void *sec_addr = env()->rm_session()->attach(rw_cap); /* map locally to fill it */
... /* write to buffer at sec_addr */
env()->rm_session()->detach(sec_addr);
rm.attach(rw_cap, section_size, offset, true, addr); /* place it in the child's map */
48. Parent: Creating the first thread
1. Create CPU session:
Cpu_connection cpu;
2. Create main thread:
Thread_capability thread_cap = cpu.create_thread("noname");
3. Associate the thread with the address-space layout of the process:
rm.add_client(thread_cap);
49. Parent: Creating the protection domain
1. Create PD session:
Pd_connection pd;
2. Assign parent capability:
pd.assign_parent(parent_cap);
3. Bind the main thread to the PD:
pd.bind_thread(thread_cap);
4. Start the main thread at the given instruction pointer and stack pointer:
cpu.start(thread_cap, ip, sp);
50. Child: Execute startup code
1. C++ runtime initialization:
Exception handling
Execution of global constructors
2. Request process environment (env) capabilities from the parent
3. Call the main() function
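The RAM-session accounting behind slide 34 and behind step 3 of the parent's ELF decoding (slide 47), as an added self-contained C++ model written for this page, not Genode's own code. It assumes a simplified rule set (quota moves only between a session and its reference account, dataspaces are plain sizes) to show why a child can never allocate beyond what its parent handed over, and how the parent gets everything back on session close.

```cpp
#include <cstddef>
#include <vector>

// Simplified model of the RAM service (slide 34) as used by the parent in step 3
// of slide 47; added illustration, not Genode code. A session owns a quota, its
// allocations are charged against it, and quota only moves between a session
// and the reference account bound with ref_account().
struct Ram_session {
    std::size_t quota_ = 0;               // quota owned by this session
    std::size_t used_  = 0;               // quota consumed by live dataspaces
    Ram_session *ref_  = nullptr;         // reference account (parent's session)
    std::vector<std::size_t> dataspaces_; // size per dataspace, 0 once freed

    explicit Ram_session(std::size_t initial_quota = 0) : quota_(initial_quota) {}
    void ref_account(Ram_session &ref) { ref_ = &ref; }

    // Move free quota to 'to'; refused unless one session is the other's reference account.
    bool transfer_quota(Ram_session &to, std::size_t amount) {
        bool peers = (to.ref_ == this) || (ref_ == &to);
        if (!peers || quota_ - used_ < amount) return false;
        quota_ -= amount; to.quota_ += amount;
        return true;
    }

    // Allocate a dataspace of 'size' bytes; returns its index, or -1 when the
    // remaining quota is too small (no overcommit, no heuristics).
    int alloc(std::size_t size) {
        if (quota_ - used_ < size) return -1;
        used_ += size; dataspaces_.push_back(size);
        return static_cast<int>(dataspaces_.size()) - 1;
    }

    // Release a dataspace; its size becomes free quota of this session again.
    void free(int ds) {
        if (ds < 0 || ds >= static_cast<int>(dataspaces_.size())) return;
        used_ -= dataspaces_[ds]; dataspaces_[ds] = 0;
    }

    std::size_t quota() const { return quota_; }
    std::size_t used()  const { return used_; }
};

// Closing a session hands all of its quota, including memory still held by
// dataspaces, back to the reference account: the parent reclaims the child's
// resources without knowing the child's internal structure.
void close(Ram_session &s) {
    if (s.ref_) s.ref_->quota_ += s.quota_;
    s.quota_ = s.used_ = 0; s.dataspaces_.clear();
}
```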
58. Thank you
What we covered today: Architecture
1. Why do we need another operating system?
2. Genode entering the picture
3. Architectural principles
4. Genesis of a new process
5. Simple example setup
Coming up next: Programming environment
1. Source tree overview
2. Build system
3. Run scripts
4. Inter-process communication
5. Client-server example
More information and resources:
http://genode.org