Resource Management - TU Dresden
MICHAEL ROITZSCH
Faculty of Computer Science, Institute of Systems Architecture, Operating Systems Group
RESOURCE MANAGEMENT
TU Dresden MOS: Resource Management
AGENDA
done: time, drivers
today: misc. resources
  architectures for resource management
  solutions for specific resources
  capabilities to manage resource access
upcoming: applications, legacy support
KERNEL RESOURCES
PROBLEM
kernel needs memory for its abstractions
  tasks: page tables
  threads: kernel TCB
  capability tables
  IPC wait queues
  mapping database
kernel memory is limited
opens the possibility of DoS attacks
IDEA
memory management policy should not be in the kernel
account all memory to the application it is needed for (directly or indirectly)
kernel provides memory control mechanism
exception for bootstrapping: initial kernel memory is managed by the kernel
SOLUTION
untyped memory in seL4
all physical memory unused after bootstrap is represented by untyped memory capabilities
can be granted, split or retyped
restricted to powers of 2 (see flexpages)
initial resource manager gets all (see σ0)
user code decides how to use them
SOLUTION
applications retype UM into kernel objects
  TCB, endpoint, CNode, VNode, frame, interrupt
all kernel bookkeeping for the object uses the underlying physical memory
no implicit memory allocation by the kernel
retyping and splitting is remembered in capability derivation tree
revoking recursively destroys all derived capabilities and kernel objects
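The untyped-memory scheme of the two slides above, as an added example in C++ that is not part of the lecture and not seL4's own code: a capability derivation tree in which every kernel object is carved out of an untyped region owned by the caller, so an application that exhausts its own untyped budget gets an error instead of consuming a global kernel pool, and revoking an untyped capability recursively destroys everything derived from it. The object sizes, the function names (`makeUntyped`, `splitUntyped`, `retype`, `revoke`) and the watermark-style allocation are this model's assumptions, not seL4's real sizes or API.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <stdexcept>
#include <utility>
#include <vector>

// Kinds of kernel object an untyped region can be retyped into (the list on the slide).
enum class ObjKind { Untyped, TCB, Endpoint, CNode, VNode, Frame };

// Object sizes in bytes. Placeholder values for this model, not seL4's real sizes.
static std::size_t objectSize(ObjKind k) {
    switch (k) {
        case ObjKind::TCB:      return 1024;
        case ObjKind::Endpoint: return 16;
        case ObjKind::CNode:    return 256;
        case ObjKind::VNode:    return 4096;
        case ObjKind::Frame:    return 4096;
        case ObjKind::Untyped:  return 0;
    }
    return 0;
}

// One node of the capability derivation tree: a capability to a kernel object
// (or to an untyped region) together with the physical memory backing it.
struct CapNode {
    ObjKind kind = ObjKind::Untyped;
    std::uint64_t base = 0;   // physical address of the backing memory
    std::size_t size = 0;     // bytes owned; the object's bookkeeping lives inside them
    std::size_t used = 0;     // untyped only: watermark of bytes already handed out
    bool alive = true;
    std::vector<std::unique_ptr<CapNode>> children;  // caps derived from this one
};

static bool isPow2(std::size_t v) { return v != 0 && (v & (v - 1)) == 0; }

// The initial resource manager receives one of these per free region after bootstrap.
static std::unique_ptr<CapNode> makeUntyped(std::uint64_t base, std::size_t size) {
    if (!isPow2(size)) throw std::runtime_error("untyped size must be a power of two");
    auto n = std::make_unique<CapNode>();
    n->base = base;
    n->size = size;
    return n;
}

// Carve a naturally aligned, power-of-two block out of an untyped region's free
// watermark and record the new cap as a child. If the caller's own region is
// exhausted the operation fails: the kernel never allocates from a global pool
// on the caller's behalf, which is what removes the DoS possibility.
static CapNode* carve(CapNode& ut, ObjKind kind, std::size_t bytes) {
    if (ut.kind != ObjKind::Untyped || !ut.alive)
        throw std::runtime_error("not a live untyped capability");
    if (!isPow2(bytes)) throw std::runtime_error("size must be a power of two");
    std::size_t start = (ut.used + bytes - 1) & ~(bytes - 1);   // align up to `bytes`
    if (start + bytes > ut.size) throw std::runtime_error("untyped region exhausted");
    auto child = std::make_unique<CapNode>();
    child->kind = kind;
    child->base = ut.base + start;
    child->size = bytes;
    CapNode* raw = child.get();
    ut.children.push_back(std::move(child));   // remembered in the derivation tree
    ut.used = start + bytes;
    return raw;
}

// Splitting yields a smaller untyped cap; retyping yields a kernel object.
static CapNode* splitUntyped(CapNode& ut, std::size_t bytes) {
    return carve(ut, ObjKind::Untyped, bytes);
}
static CapNode* retype(CapNode& ut, ObjKind kind) {
    return carve(ut, kind, objectSize(kind));
}

// Revoke recursively destroys every capability (and object) derived from `node`
// and frees the memory they occupied. Returns the number of caps destroyed.
static std::size_t revoke(CapNode& node) {
    std::size_t destroyed = 0;
    for (auto& c : node.children) {
        destroyed += revoke(*c) + 1;
        c->alive = false;
    }
    node.children.clear();
    node.used = 0;
    return destroyed;
}

// Count live kernel objects (anything that is not untyped) below `node`.
static std::size_t liveObjects(const CapNode& node) {
    std::size_t n = 0;
    for (const auto& c : node.children) {
        if (c->alive && c->kind != ObjKind::Untyped) ++n;
        n += liveObjects(*c);
    }
    return n;
}

// True if retyping fails because the region cannot hold another object.
static bool retypeFails(CapNode& ut, ObjKind kind) {
    try { retype(ut, kind); return false; }
    catch (const std::runtime_error&) { return true; }
}
```

The point to notice is that `carve` never touches anything but the caller's own region: a task that fills its 4 KiB untyped with one frame cannot make a second one, and nothing it does changes how much memory any other task can retype. Revoking the root returns the whole region to the initial resource manager in one operation, which is what makes cleanup of a misbehaving subsystem cheap.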
PRINCIPLE
separate enforcement and management
ARCHITECTURES
SPECTRUM
(figure: spectrum of architectures, from high-level resource abstractions with implicit management to low-level resource abstractions with explicit management: monolith, resource containers, exokernel, multiserver)
MONOLITHS
enforcement and management implicitly tied to process abstraction
resource containers were proposed to make resource management explicit
bags of resources assigned to subsystems
(figure: isolation is provided by the process as protection domain; accounting is provided by the resource container)
EXOKERNEL
(figure: application on top of library OS on top of exokernel; the exokernel does enforcement, the library OS does management)
DESIGN
provide primitives at the lowest possible level necessary for protection
use physical names wherever possible
resource management primitives:
  explicit allocation
  exposed revocation
  protected sharing
  ownership tracking
CONSEQUENCES
applications can use their own library OS
library OSes cannot trust each other
no global management for resources
think of a file system:
  kernel manages disk block ownership
  each library OS comes with its own filesystem implementation
  one partition per application?
SHARING
invariants in shared resources must be maintained
4 mechanisms provided by the exokernel:
  software regions for sub-page memory protection, allow sharing state
  capabilities for access control
  critical sections
  wakeup predicates: code downloaded into the kernel for arbitrary checks
MULTISERVER
(figure: L4 microkernel at the bottom, low-level resource manager, higher-level resource manager, application with client libs on top)
works on monolithic kernels too
LEVELS
different abstraction levels for resources
basic resources: memory, CPU, IO ports, interrupts
hardware: block device, framebuffer, network card
compound resources: file, GUI window, TCP session
HIERARCHIES
applications can access resources on the abstraction level they need
servers implementing a resource can use other, lower-level resources
isolation allows managers to provide real-time guarantees for their specific resource
DROPS: Dresden Real-time OPerating System
EXAMPLES
ANKH
driver for physical network card
built with DDE using Linux 2.6 drivers
provides multiple virtual network cards
implements a simple virtual bridge
(figure: stack of Ankh, lwip, wget)
LWIP
light-weight IP stack
TCP/IP, UDP, ICMP
WGET
clients can use standard BSD socket interface
BLOCK SERVER
IDE driver to access hard disks
includes disk request scheduling
based on DDE
provides block device
ongoing work on USB block devices
(figure: stack of Windhoek, filesystem, L4Re VFS)
FILESYSTEM
no real one implemented yet
we have a tmpfs using RAM as backing store
VPFS: securely reuse a Linux filesystem
L4RE VFS
hierarchical name space
connects subtrees to different backend servers
aka mounting
MAG
multiplexes the frame buffer
no virtual desktops, but window merging
details in the legacy / security lectures
(figure: stack of mag, DOpE, terminal)
DOPE
widget drawing server
handles mouse and keyboard input
can also operate on raw framebuffer
real-time capable
TERMINAL
DOpE client providing a terminal window
VT100 emulation
can support readline applications
  shell, python
RESOURCE ACCESS
EXAMPLE
(figure: Manager, Service, Worker A, Worker B)
GOOGLE CHROME
separate processes
chrome parent, sandboxes for tabs
implementation on Linux: glorious mix of chroot(), clone() and setuid()
there must be a better way…
TWO WORLDS
POSIX: operations allowed by default; some limited restrictions apply; ambient authority
POLA: nothing allowed by default; every right must be granted; explicit authority
L4RE
L4Re — the L4 Runtime Environment: set of libraries and system services on top of the Fiasco.OC microkernel
CAPABILITIES
Fiasco.OC and L4Re form an object-capability system
actors in the system are objects
objects have local state and behavior
capabilities are references to objects
any object interaction requires a capability
inseparable and unforgeable combination of reference and access right
CAPABILITIES
(figure: Fiasco.OC holds kernel objects A to E; Task A and Task B each have their own capability table with slots 1 to 5 referencing those objects)
HOW TO USE?
invocation of any object requires a capability to that object
no global names
no sophisticated rights representation beyond capability ownership
just four rights bits on objects
C++ language integration
capabilities passed as message payload
CAP TRANSFER
(figure: object X; Task A's capability table with slots 1 to 5 and Task B's with slots 1 to 5; a capability to X is copied from A's table into a slot of B's table)
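The capability-table model of the last four slides (no global names, per-task slot numbers, four rights bits, invocation as the only system call, capabilities passed as message payload), as an added example in C++ that is not part of the lecture and not Fiasco.OC or L4Re code. The rights-bit names, the `read`/`write` operations and the `transfer` semantics (receiver gets the sender's rights ANDed with a mask, so authority can only shrink) are this model's assumptions, not the kernel's real encoding.

```cpp
#include <cstdint>
#include <map>
#include <memory>
#include <stdexcept>
#include <string>
#include <utility>

// Four rights bits. Names and layout are this model's own, not Fiasco.OC's.
enum : std::uint8_t { R_READ = 1, R_WRITE = 2, R_SEND = 4, R_DELEGATE = 8 };

// A kernel object: local state plus behaviour. It has no name of its own and is
// reachable only through capabilities that refer to it.
struct Object {
    std::string state;
};

// Capability: reference and access rights bound together. User code never sees
// this struct, only the slot index in its own table.
struct Cap {
    std::shared_ptr<Object> obj;
    std::uint8_t rights = 0;
};

// Per-task capability table. Slot numbers are local to the task; the same object
// may sit in slot 1 of one task and slot 4 of another.
struct Task {
    std::map<unsigned, Cap> ctable;
    unsigned next = 1;
    unsigned install(Cap c) { ctable[next] = std::move(c); return next++; }
};

static Cap& lookup(Task& t, unsigned slot) {
    auto it = t.ctable.find(slot);
    if (it == t.ctable.end()) throw std::runtime_error("invalid capability");
    return it->second;
}

// Invocation, the only system call: the kernel resolves the slot in the caller's
// own table and checks the rights bits; no other source of authority exists.
static std::string invoke(Task& caller, unsigned slot,
                          const std::string& op, const std::string& arg) {
    Cap& cap = lookup(caller, slot);
    if (op == "read") {
        if (!(cap.rights & R_READ)) throw std::runtime_error("no read right");
        return cap.obj->state;
    }
    if (op == "write") {
        if (!(cap.rights & R_WRITE)) throw std::runtime_error("no write right");
        cap.obj->state = arg;
        return "ok";
    }
    throw std::runtime_error("unknown operation");
}

// Capability transfer as message payload: the sender names a slot in its own
// table and a rights mask; the kernel copies the reference into the receiver's
// table with rights = sender's rights AND mask. Rights can only shrink.
static unsigned transfer(Task& from, unsigned slot, std::uint8_t mask, Task& to) {
    Cap& src = lookup(from, slot);
    if (!(src.rights & R_DELEGATE)) throw std::runtime_error("no delegate right");
    Cap copy;
    copy.obj = src.obj;
    copy.rights = static_cast<std::uint8_t>(src.rights & mask);
    return to.install(copy);
}

static std::uint8_t rightsOf(Task& t, unsigned slot) { return lookup(t, slot).rights; }

// Helpers that turn the kernel's refusal into a boolean for checking.
static bool invokeFails(Task& t, unsigned slot, const std::string& op) {
    try { invoke(t, slot, op, ""); return false; }
    catch (const std::runtime_error&) { return true; }
}
static bool transferFails(Task& from, unsigned slot, std::uint8_t mask, Task& to) {
    try { transfer(from, slot, mask, to); return false; }
    catch (const std::runtime_error&) { return true; }
}
```

Two properties worth checking against this model: a task that was handed a read-only copy cannot write through it and cannot forward it further without the delegate bit, and a slot number that was never filled in the receiving task's table names nothing at all, because slot numbers are not global names.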
EXAMPLE
(figure: Manager, Service, Worker A, Worker B)
EXAMPLE
(figure: Manager, Service, Worker A, Worker B, mag)
MAG
factory for new framebuffer sessions
session object:
  backing store memory
  view: visible rectangle on the backing store
  metadata, refresh method
How does it appear on the screen?
(figure: Manager holds the factory; the factory creates session objects S)
MAG
hardware framebuffer is memory with side effect
all memory is initially mapped to the root task
framebuffer driver: find framebuffer memory, wrap it in the FB interface
same interface as mag's
(figure: root task moe, framebuffer memory, fb-drv offering the same factory and session interface)
INTERFACES
virtualizable interfaces
L4Re uses one interface per resource independent of the implementation
servers can (re-)implement any interface
the kernel is a special server: provides low-level objects that need CPU privileges
minimal policy; userland servers can augment it
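The virtualizable-interface idea of the three mag slides above, as an added example in C++ that is not part of the lecture and not L4Re code: one framebuffer interface, implemented once over (modelled) hardware memory the way fb-drv does, and once more by a mag session whose backing store and view rectangle are composited onto the real screen on refresh. The client routine is written against the interface only and cannot tell which implementation it was handed. Class and method names (`Framebuffer`, `HwFramebuffer`, `MagSession`, `put`/`get`/`refresh`) and the pixel format are this model's assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// The single framebuffer interface. Clients program against this and nothing else.
struct Framebuffer {
    virtual ~Framebuffer() = default;
    virtual unsigned width() const = 0;
    virtual unsigned height() const = 0;
    virtual void put(unsigned x, unsigned y, std::uint32_t px) = 0;
    virtual std::uint32_t get(unsigned x, unsigned y) const = 0;
    virtual void refresh() = 0;
};

// fb-drv: wraps the hardware framebuffer. The device memory is modelled by a
// vector here; on real hardware writes to it appear on the screen.
class HwFramebuffer : public Framebuffer {
    unsigned w_, h_;
    std::vector<std::uint32_t> mem_;
public:
    HwFramebuffer(unsigned w, unsigned h)
        : w_(w), h_(h), mem_(static_cast<std::size_t>(w) * h, 0u) {}
    unsigned width() const override { return w_; }
    unsigned height() const override { return h_; }
    void put(unsigned x, unsigned y, std::uint32_t px) override {
        if (x < w_ && y < h_) mem_[y * w_ + x] = px;
    }
    std::uint32_t get(unsigned x, unsigned y) const override {
        return (x < w_ && y < h_) ? mem_[y * w_ + x] : 0;
    }
    void refresh() override {}   // scan-out happens in hardware
};

// mag session: the same interface, but backed by the session's own memory. The
// view is the rectangle on the real screen where the session appears; only
// refresh() copies the backing store there, so a client cannot touch pixels
// outside its own window.
class MagSession : public Framebuffer {
    Framebuffer& screen_;
    unsigned w_, h_, vx_, vy_;
    std::vector<std::uint32_t> backing_;
public:
    MagSession(Framebuffer& screen, unsigned w, unsigned h, unsigned vx, unsigned vy)
        : screen_(screen), w_(w), h_(h), vx_(vx), vy_(vy),
          backing_(static_cast<std::size_t>(w) * h, 0u) {}
    unsigned width() const override { return w_; }
    unsigned height() const override { return h_; }
    void put(unsigned x, unsigned y, std::uint32_t px) override {
        if (x < w_ && y < h_) backing_[y * w_ + x] = px;   // clipped to the backing store
    }
    std::uint32_t get(unsigned x, unsigned y) const override {
        return (x < w_ && y < h_) ? backing_[y * w_ + x] : 0;
    }
    void refresh() override {
        for (unsigned y = 0; y < h_; ++y)
            for (unsigned x = 0; x < w_; ++x)
                screen_.put(vx_ + x, vy_ + y, backing_[y * w_ + x]);  // screen clips again
    }
};

// Client code (think of pong) written once against the interface; it cannot tell
// whether it was handed the hardware framebuffer or a mag session.
static void drawBorder(Framebuffer& fb, std::uint32_t colour) {
    for (unsigned x = 0; x < fb.width(); ++x) {
        fb.put(x, 0, colour);
        fb.put(x, fb.height() - 1, colour);
    }
    for (unsigned y = 0; y < fb.height(); ++y) {
        fb.put(0, y, colour);
        fb.put(fb.width() - 1, y, colour);
    }
    fb.refresh();
}

// Number of pixels of a given colour currently held by a framebuffer object.
static std::size_t countPixels(const Framebuffer& fb, std::uint32_t colour) {
    std::size_t n = 0;
    for (unsigned y = 0; y < fb.height(); ++y)
        for (unsigned x = 0; x < fb.width(); ++x)
            if (fb.get(x, y) == colour) ++n;
    return n;
}
```

Because mag sits between the client and fb-drv on the same interface, the multiplexing is invisible to the client, and the isolation is enforced at the interposer: two sessions drawing at once each only ever reach their own rectangle of the screen, and a session cannot read what another session drew.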
EXAMPLES
(figure: two interposition stacks; graphics: pong on top of mag on top of fb-drv; thread scheduling: multithreaded application on top of balancer on top of the kernel)
CONCLUSION
all services provided as objects
uniform access control with capabilities
invocation is the only system call
virtualizable: all interfaces can be interposed
resource refinement and multiplexing transparent to clients
SUMMARY
kernel resource management
basic resource management concepts: resource containers, exokernel, multiserver
management details for specific resources
object capabilities and virtualizable interfaces