seL4 on RISC-V/lowRISC Hesham Almatary Mentor: Stefan Wallentowitz

Upload: hesham-almatary

Post on 07-Apr-2017

Page 1: seL4 on RISC-V/lowRISC - ORCONF'15

seL4 on RISC-V/lowRISC

Hesham Almatary

Mentor: Stefan Wallentowitz

Page 2

Outline

● What's seL4
○ Security
○ L4
○ seL4

● seL4 details
○ Design/Implementation
○ Applications
○ Roadmap

● seL4 on RISC-V/lowRISC
○ Current state
○ Port details
○ Challenges
○ Discussion points

Page 3

What is seL4?

“The world's first operating-system kernel with an end-to-end proof of implementation correctness and security enforcement is available as open source.”

se L4

Page 4

se for Security

● Why security matters
● Security applications
● Security on HW/SW
● SW security/bugs depend on the size of the code

Page 5

L4 Microkernels

● History
● Design
● Implementations
● Applications

Page 6

L4 microkernels

● Originally developed by Liedtke (L3) in 1993 [1].
● Minimality principle and high IPC performance:

"A concept is tolerated inside the µ-kernel only if moving it outside the kernel, i.e. permitting competing implementations, would prevent the implementation of the system's required functionality." [2]

● Deployed on a large scale and in safety-critical systems.

Page 7

Monolithic (Linux) vs. L4 Kernel (seL4)

Page 8

L4 microkernel History/Evolution

The L4 family tree (simplified). Black arrows indicate code, green arrows ABI inheritance. Box colours indicate origin as per key at the bottom left. [3]

Page 9

L4 microkernel - IPC and LOC

Page 10

seL4 - Overview

● Formally verified (no bugs).
● Open source.
● Capability-based.
● Small/simple (L4 microkernel minimality).
● IPC (using endpoints)
○ Synchronous
○ Asynchronous
● ARM/x86 support.

Page 11

seL4 applications

● Verification, the seL4 proofs.

● seL4test, a test suite for seL4, including a Library OS layer.

● CAmkES, a component architecture for embedded systems based on seL4.

● VMM, a componentised virtual machine monitor for ia32 platforms using the Intel VT-x and VT-d extensions.

● RefOS, a reference example of how one might build a multi-server operating system on top of seL4.

● SOS, a Simple Operating System for learning seL4 programming.

100,000 LoC

Page 12

seL4 microkernel services

● Threads.
● Address spaces.
● IPC.
● Device primitives.
● Capability spaces.

Page 13

seL4-based project structure

Page 14

seL4 Roadmap

Page 15

seL4 on RISC-V

● seL4 (RV32) runs on Spike and jor1k.

● seL4 (RV64/SV39) runs on Spike and Rocket Chip.

● SOS (Simple Operating System) runs on seL4.

● For a HOWTO on building and running seL4 on RISC-V, visit my blog [4].

Page 16

seL4 on RISC-V

Page 17

seL4 libraries involved in the RISC-V port

● seL4 microkernel: it now supports memory management capabilities, context switching and traps from user applications, and many more architecture-dependent functions than can be discussed here were implemented.

● libseL4: the user-level library through which applications interact with the seL4 microkernel via system calls. It defines the format of the system calls, the kernel object definitions and the user-level context, and exposes them all to the user.

● libmuslc: the C library that seL4 and its libraries depend on. It was ported to RISC-V as part of this project and now works as expected.

● libsel4muslcsys: a minimal muslc system layer that lets the root task bootstrap. It provides the stdio-related system call handlers and, as part of the root task's bootstrap procedure, defines the system call table and the entry point for muslc-based applications.

Page 18

seL4 libraries involved in the RISC-V port

● libplatsupport: platform-related (BSP) functions for the platforms seL4 supports; for example, the serial driver initialisation and console driver functions for a given board live here. libsel4platsupport depends on it. I had to add a Spike platform with a very basic implementation just to satisfy the build dependencies.

● libsel4platsupport: for RISC-V it had to be ported to provide the bootstrapping and the executable entry point __sel4_start for the root task. It gets the boot frame address from the seL4 microkernel, constructs the stack vector the way muslc expects, and then jumps to the normal muslc _start entry, which populates the libc environment's data structures with those details and initialises TLS, files, the stdio handlers, etc. Finally the muslc task bootstrap procedure jumps to the user's main() function of the root task, which in our case is SOS.

● libcpio: used by SOS to parse the cpio archive when searching for user binaries.

● libelf: used by SOS to parse the ELF binaries extracted from the cpio archive, so that SOS can read the ELF's section headers and load/map them accordingly.

● libsel4cspace: a library that abstracts away the details of seL4 CSpace management; it also had to be ported to RISC-V. SOS uses it to construct the tasks' CSpaces.

● mapping: SOS comes with a mapping.c file that is needed in conjunction with elf.c to load/map the user ELF binaries. It has been ported to RISC-V and invokes the newly provided RISC-V system calls such as seL4_RISCV_Page_Map and seL4_RISCV_PageTable_Map.
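As an added illustration of the mapping work listed above (example code written for this page, not code from the slides or from the seL4 project), the following C model builds RV64 Sv39 page tables in the two steps the slides name for mapping.c, seL4_RISCV_PageTable_Map then seL4_RISCV_Page_Map: a leaf cannot be installed until the intermediate table covering it exists, and a lookup then checks the leaf's permission bits. The pool of tables, the PPN-as-index convention and the function names are assumptions of this model, not seL4's kernel API.

```c
#include <stdint.h>
#include <string.h>
enum { PTE_V = 1, PTE_R = 2, PTE_W = 4, PTE_X = 8, PTE_U = 16 }; /* Sv39 PTE flag bits */
#define POOL_TABLES 8 /* modelled "physical" frames available for page tables (assumption) */
typedef struct { uint64_t pte[512]; } pt_t;                 /* one 4 KiB page table */
typedef struct { pt_t tab[POOL_TABLES]; int used; } pool_t; /* tab[i] has PPN i (model only) */
static pool_t pool; /* zero-initialised: tab[0] is the empty root table (level 2) */
static unsigned vpn(uint64_t va, int lvl) { return (va >> (12 + 9 * lvl)) & 0x1ff; }
static uint64_t mk_pte(uint64_t ppn, unsigned flags) { return (ppn << 10) | flags | PTE_V; }
static uint64_t pte_ppn(uint64_t e) { return (e >> 10) & ((1ull << 44) - 1); }

/* Walk from the root to the level-lvl table covering va; NULL if one is absent. */
static pt_t *table_at(pool_t *p, uint64_t va, int lvl) {
    pt_t *t = &p->tab[0];
    for (int l = 2; l > lvl; l--) {
        uint64_t e = t->pte[vpn(va, l)];
        if (!(e & PTE_V) || (e & (PTE_R | PTE_W | PTE_X)) || pte_ppn(e) >= POOL_TABLES)
            return NULL; /* absent, already a leaf, or outside the model */
        t = &p->tab[pte_ppn(e)];
    }
    return t;
}

/* Model of seL4_RISCV_PageTable_Map: new table for va at level lvl (1 or 0); returns its PPN or -1. */
int map_table(pool_t *p, uint64_t va, int lvl) {
    pt_t *parent = table_at(p, va, lvl + 1);
    int idx = 1 + p->used;
    if (!parent || idx >= POOL_TABLES) return -1;
    memset(&p->tab[idx], 0, sizeof(pt_t));
    parent->pte[vpn(va, lvl + 1)] = mk_pte((uint64_t)idx, 0); /* no RWX bits: a non-leaf entry */
    p->used++;
    return idx;
}

/* Model of seL4_RISCV_Page_Map: 4 KiB leaf va -> pa; -1 until the level-0 table exists (map_table first). */
int map_page(pool_t *p, uint64_t va, uint64_t pa, unsigned flags) {
    pt_t *t = table_at(p, va, 0);
    if (!t) return -1;
    t->pte[vpn(va, 0)] = mk_pte(pa >> 12, flags);
    return 0;
}

/* MMU-style lookup: 0 and *pa if the leaf is valid and grants every bit in need, else -1 (fault). */
int translate(pool_t *p, uint64_t va, unsigned need, uint64_t *pa) {
    pt_t *t = table_at(p, va, 0);
    uint64_t e = t ? t->pte[vpn(va, 0)] : 0;
    if (!(e & PTE_V) || (e & need) != need) return -1;
    *pa = (pte_ppn(e) << 12) | (va & 0xfff);
    return 0;
}
```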

Page 19

seL4 on RISC-V - Memory Mapping

seL4 Microkernel and Untyped (free) memory

Page 20

Because you like demos!

Page 21

seL4 on RISC-V - Discussion points

● Port seL4 to capability-based hardware like CHERI [5].
● Off-loading seL4 apps to (future) lowRISC minion cores.
● Formal verification of seL4/RISC-V.
● Virtualization opportunities.
● Trusted Execution Module.
● Multikernel/multi-core support.

Page 22

Thank You!

Questions?

Contact: [email protected]

Blog: http://heshamelmatary.blogspot.co.uk/

Page 23

References

[1] Liedtke, Jochen. "Improving IPC by kernel design." ACM SIGOPS Operating Systems Review, Vol. 27, No. 5. ACM, 1994.

[2] Liedtke, Jochen. "On micro-kernel construction." Vol. 29, No. 5. ACM, 1995.

[3] Elphinstone, Kevin, and Gernot Heiser. "From L3 to seL4: what have we learnt in 20 years of L4 microkernels?" Proceedings of the Twenty-Fourth ACM Symposium on Operating Systems Principles. ACM, 2013.

[4] http://heshamelmatary.blogspot.co.uk/

[5] Woodruff, Jonathan, Robert N. M. Watson, David Chisnall, Simon W. Moore, Jonathan Anderson, Brooks Davis, Ben Laurie, Peter G. Neumann, Robert Norton, and Michael Roe. "The CHERI capability model: Revisiting RISC in an age of risk." Proceedings of the 41st International Symposium on Computer Architecture (ISCA 2014), June 14–16, 2014, Minneapolis, MN, USA.