2011 10-19
TRANSCRIPT
Features for Secure Mobile
Devices
Low-overhead system virtualization
Separation of guest domains
Hot plug-in/-out of guest domains
Secure boot
Secure storage
Access control
Issues in virtualization
Efficiency is a major concern in
embedded virtualization.
Paravirtualization approach is more efficient
than full virtualization because expensive
translation is not necessary.
ARM CPU has only one unprivileged
mode
Architecture
CPU Virtualization
Physically two privilege modes (User mode
and Supervisor mode) in ARM CPU.
However,
Supervisor mode is assigned to Xen mode
User mode is split into two logical modes (kernel
and user User mode is split into two logical
modes (kernel and user process of Linux)
Address space protection between kernel mode
and user process mode is guaranteed by ARM
domain access control mechanism.
CPU Virtualization
Xen Mode
Kernel Mode
User Mode
Logical
mode split
CPU Virtualization
Exception Handling
Para-virtualization of system calls.
○ System calls are implemented with software
interrupt.
○ In Xen on ARM, system calls are interpreted
by Xen
Memory Virtualization
Isolation requirements
VMM memory region should be protected
from guest OS kernel and user processes
Guest OS kernel memory should be
protected from user processes
User process memory should be protected
from other processes
Every virtual machine should be isolated
from each other
Memory Virtualization
With paging mechanism we can protect
Xen memory from guest OS / user
processes.
How about Guest OS and user
processes isolation? They are in the
same user space.
Address Space Isolation
Simply separating the address space of
applications and OS kernel will lead to
significant cache/TLB flushing overheads
since ARM v4/v5 architecture has virtually
indexed virtually tagged (VIVT) cache, and
Translation Look-aside Buffer (TLB) entries
are not tagged with address space ID
Memory Virtualization
* ARM11 has virtually indexed physically tagged (VIPT)
cache and Mpcore has physically indexed physically
tagged (PIPT) cache
Memory Virtualization CPU Cache
PIPT
VIVT
VIPT
PIVT
CPU Cache
Virtual Addr.
32 bits
Physical Addr.26 bits
TLB DRAM
CPU Cache
Virtual Addr.
32 bits
Physical Addr.
26 bits
TLB DRAM
CPU
Cache
Virtual Addr.
32 bits
Physical Addr.
26 bits
TLB
DRAM
Memory Virtualization
Memory Map
Xen and guest domain (kernel + user
process) are mapped on a same virtual
address space.
Guest Domain
Xen
Virtual Address Space
0xC0000000
0xFF000000
0xFFFFFFFF
User space
Kernel
0xC0000000
0xFEFFFFFF
0x00000000
Guest Domain Virtual
Address Space
Memory Virtualization Conventional MMU based paging
mechanism can’t protect the OS kernel
from application when they are running
in the same user mode
Domain Access Control is used to
prevent a user process from accessing
to address space of kernel process in
ARM CPU user mode.
c3, Domain Access Control Register
Memory Virtualization
The fields D15-D0 in the register define the access
permissions for each one of the 16 domains. These
domains can be either sections, large pages, or small
pages of memory:
Access Bit field Comment
No access b00 Any access generates a domain fault
Client b01 Accesses are checked based on the page
table entry’s AP flag setting
Reserved b10 Any access generates a domain fault
Manager b11 Accesses are not checked against the access
permission bits in the TLB entry, so a
permission fault cannot be generated.
Memory Virtualization
VMM mode
User process
mode
Kernel mode
D0
D1
D2
D0 D1 D2
VMM Client Client Client
Kernel Client Client Client
User No access No access
Memory Virtualization Keep Xen address translation info from
being flushed.
After page table changes (domain/process switching),
TLB entries are flushed explicitly.
TLB lockdown mechanism provided by processor can be used to avoid TLB flushing and reloading
Two lockdown TLB entries used for Xenpages
○ ARM926 provides 8 lockdown TLB entries
Memory Virtualization
Benchmark
System Boot Procedure Xen and dom 0 kernel images are loaded
at predefined memory location.
Hardware Initialization
Load kernel image for Dom 0
Load and jump to Xen image
Initialize system resources
(Timer, UART, Memory, IRQ)
Create Dom 0
Execute Dom 0
Create / Load guest Domains
System Boot Procedure
Platform Load Address
Xen Dom 0
I.MX21 0xC0008000 0xC1C00000
Partition 0
Xen
Partition 1
Kernel Image
Partition 2
File System
NOR Flash Partition for Dom 0
Virtual space address
VM Create / Destroy
Guest domains (dom U) are created and
destroyed by a user level application,
dom0_util.
Dom0_util supports only create and destroy
functions.
Dom0_util
Domain control driver
Xen
Control guest domain
Request Xen to create and execute /
destroy dom U kernel, where this
driver loads the kernel image.
Create and execute dom U /
destroy dom U
VM Create / Destroy
Partition 0
Kernel Image
Partition 1
File System
Platform Load Address
I.MX21 0xc3c00000
NAND Flash Partition for Dom 1
Virtual space address
Experiment
Host OS: Ubuntu 10.04
Emulator: Goldfish emulator
platform(QEMU 0.82 based Android
emulator)
Guest OS: mini-OS (it is used to test if
Xen can work)
Supported OS: uc OS II
Experiment
Screenshot