Upload
others
View
7
Download
0
Embed Size (px)
Citation preview
© 2011 SAMSUNG Electronics Co.
Sang-bum Suh Vice President, Jae-min Ryu Research Staff
{sbuk.suh, jm77.ryu}@samsung.com
S/W Platform Team
DMC Research Center
SAMSUNG Electronics Co.
2011.08.
Xen Summit North America 2011
ARM Architecture-based System Virtualization: Xen ARM open source software project
© 2011 SAMSUNG Electronics Co.
Agenda
Overview
- History of Xen ARM
- Use Cases
Xen ARM: Core - Xen ARM Virtualization
- Performance Comparison
Xen ARM Application: Security - Mobile Malware
- Access Control
Xen ARM Application: Real-time - Xen ARM: Preemption
- Real-time Performance
© 2011 SAMSUNG Electronics Co.
Overview
3 / 22 SW Platform Team. © 2011 SAMSUNG Electronics Co.
History of Xen ARM
Supported Hardware & Guest OS
Samsung leads the Xen ARM project
http://wiki.xensource.com/xenwiki/XenARM
Xen-ARM Open Source Community
‘04 ‘10 ‘09 ‘08
x86 Xen Hypervisor Release (Cambridge university)
Xen ARM 1st Release: ARM9 Xen Hypervisor, Mini-OS (Samsung)
Xen ARM 2nd Release: Paravirtualized Linux kernel (v2.6.24), Xen tool (Samsung)
Xen ARM 4th Release: Performance Optimization (Samsung)
Xen ARM 3rd Release: ARM11MPCore Support (Samsung)
ARM926EJ-S (i.MX21, OMAP5912) Xscale 3rd Generation Architecture
(PXA310, Samsung SGH- i780) ARM1136/ARM1176(Core Only) Goldfish (QEMU Emulator) Versatile Platform Board ARM11MPCore (Realview PB11MP) Cortex-A9 (Tegra250)
Linux v2.6.11, v2.6.18, v2.6.21, v2.6.24, v2.6.27
(multicore supported) uC/OS-II
4 / 22 SW Platform Team. © 2011 SAMSUNG Electronics Co.
Use Cases – HW Consolidation: AP(Application Processor) and BP(Baseband Processor) can share
multicore ARM CPU SoC in order to run both Linux and Real-time OS efficiently.
– OS Isolation: important call services can be effectively separated from downloaded third party applications by Xen ARM combined with access control.
– Rich User Experience: multiple OS domains can run concurrently on a single smartphone.
Hardware
Hypervisor
Secu
re
Kern
el
Linux
Andro
id
Nucle
us
Linux 2
Hypervisor H/W
Linux 1 Important services
Rich Applications from Multiple OS Secure Smartphone AP SoC +BP SoC -> Consolidated Multicore SoC
1
2
3
1 2 3
GPOS RTOS
Multi - Core
Core Core Core Core
Memory Peri
Virtualization SW ( Realtime Hypervisor) V - Core V - Core V - Core V - Core V - Core V - Core V - Core V - Core
를
© 2011 SAMSUNG Electronics Co.
Xen ARM: Core
6 / 22 SW Platform Team. © 2011 SAMSUNG Electronics Co.
Xen ARM Virtualization
Light weight virtualization for secure 3G/4G mobile devices
High performance hypervisor based on ARM processor
Fine-grained access control fitted to mobile devices
CPU Peripheral Devices
Resource Allocator
Domain Manager
Access Control
Application Application Application Application
VM Interface VM Interface
Backend Drivers Frontend Drivers
Native Drivers
System Memory
Flash Memory
VM 0 VM 1
Hardware
Secure Xen-ARM hypervisor
Guest Domain
Goals
Architecture of Xen-ARM
7 / 22 SW Platform Team. © 2011 SAMSUNG Electronics Co.
Xen ARM Virtualization
CPU virtualization
Virtualization requires 3 privilege CPU level, but ARM supports 2 level
Xen-ARM mode: supervisor mode ( most privileged level)
Virtual kernel mode: User mode ( least privileged level)
Virtual user mode: User mode ( least privileged level)
Memory virtualization
VM’s own memory should be
protected from others
Xen-ARM switches VM’s virtual address space
using MMU
VM is not allowed to manipulate MMU directly
I/O virtualization
Split driver model of Xen-ARM
Client & Server architecture for shared I/O devices
Client: frontend driver
Server: native/backend driver
Logical mode split
virtual user mode
Xen-ARM mode
virtual kernel mode
Xen-ARM
VM 0 Address Spaces
VM 1 Address Spaces
VM 2 Address Spaces
MMU
Xen-ARM
Application Application Application Application Application Application
Native driver
Front-end driver
Back-end driver
Device
Interrupt I/O event
VM0 (Linux) VM1 (Linux )
Xen-ARM
VM 1
VM 0
Xen-ARM
Physical Address Space
Virtual Address Space
User Process User Process User Process
Kernel
User Process
VM 2
Overview
8 / 22 SW Platform Team. © 2011 SAMSUNG Electronics Co.
Performance Comparison
LMBENCH Micro Benchmark ( latency )
LMBENCH Micro Benchmark ( Bandwidth ) Evaluation Environments : Samsung
Blackjack Phone
CPU : Xscale PXA310, 624MHz
L1 Cache : 32KB + 32KB
L2 Cache : 256KB (Disabled)
Memory : 128MB
Guest OS: Linux-2.6.21
Higher is better
Lower is better
Micro-benchmark Results
9 / 22 SW Platform Team. © 2011 SAMSUNG Electronics Co.
0
200
400
600
800
1000
1200
1400
1600
Native Linux Para-virtualized Linux
Performance Comparison
LMBENCH Micro Benchmark ( latency )
Evaluation Environments : nVidia Tegra250
CPU : Cortex-A9 1GHz Dual Core
L1 Cache : 32KB + 32KB
L2 Cache : 1MB
Memory : 1GB
Guest OS: Linux-2.6.29
Lower is better
Micro-benchmark Results
(Late
ncy
) use
c
10 / 22 SW Platform Team. © 2011 SAMSUNG Electronics Co.
0
1
2
3
4
5
6
7
8
9Xen/ARM L4
Rela
tive
Perform
ance
S : size(byte) P : # of processes
Higher is better
Performance Comparison
LMBENCH Micro Benchmark ( latency )
Evaluation Environments : Samsung Blackjack Phone
CPU : Xscale PXA310, 624MHz
L1 Cache : 32KB + 32KB
L2 Cache : 256KB (Disabled)
Memory : 128MB
Guest OS: Linux-2.6.21
Benchmark Results
0
0.2
0.4
0.6
0.8
1
1 2 3
Native Linux
Xen/ARM
L4
Number of Tasks
Norm
alize
d P
erform
ance
AIM7 Macro Benchmark
© 2011 SAMSUNG Electronics Co.
Xen ARM Application For Security
12 / 22 SW Platform Team. © 2011 SAMSUNG Electronics Co.
Mobile Malware
0
200
400
600
2004 2005 2006 2007 2008
27
146
345 400 421
[Source: F-Secure] Number of mobile malware
- More than 420 mobile phone viruses (2008)
- Tens of thousands of infections worldwide
Concerns about mobile phone security – by market
0%
20%
40%
60%
80%
100%
UK US Japan Total
83.9 81.693.1 86.1
16.1 18.46.9 13.9
Feel safe
Concerned
[Source: McAfee]
13 / 22 SW Platform Team. © 2011 SAMSUNG Electronics Co.
Access Control
Technical Issues
Availability threat: denial of service (DoS) attack from a compromised domain in a mobile device
- CPU overuse: a greater share of CPU time than initial allocation
- Performance degradation: The Performance of other domains that share the same I/O device with the compromised domain
- Battery drain
Hardware
Secure Xen
DomainN
…
Devices
Domain1
Isolated Driver Domain (IDD)
Excessive I/O Requests
Malware
Front-end Device drivers
Front-end Device drivers
Back-end Device drivers
Native Device drivers
Definition: Access control is a system which enables an authority to control area and resources in a given physical facility or computer-based information system [source: Wikipedia]
Problem with performance isolation
14 / 22 SW Platform Team. © 2011 SAMSUNG Electronics Co.
Access Control
Technical Issues
Fine-grained I/O access control module in the IDD and coarse-grained access control module in Xen
Estimation of CPU consumption by each virtual I/O operation using regression analysis
- Network and storage devices
I/O access control enforcement based on the policy and regression equations
Domain0 (IDD) Kernel Domain1 Kernel
Frontend driver
Backenddriver
I/O Resource Accounting
Access Control Enforcer
(I/O Scheduler)
Secure Storage
Secure Xen on ARM
(1). Loading policy
(2). Loading equations
(3). Connecting to backend driver
(4). Asking for decision
(5). Virtual I/O CPU Usage
Hook
fMTD,READ(x) = 250 + 0.24 * x fMTD,READOOB(x) = 533 + 0.06 * x fMTD,WRITE(x) = 160 + 0.24 * x fMTD,WRITEOOB(x) = 583 fMTD,ERASE(x) = 153.33 + 0.02 * x fMTD,ISBADBLOCK(x) = 58 fMTD,MARKBAD(x) = 60
fNET, Tx(x) = 370.18 + 0.01 * x
Regression Analysis: Network
Regression Analysis: Storage
Target HW spec: XScale 624MHz, 128MB DRAM
x: bytes, f(x): usec
Approach
15 / 22 SW Platform Team. © 2011 SAMSUNG Electronics Co.
Access Control
Technical Issues
Network I/O Test Cases
Storage I/O Test Cases
No Attack TcN0 TcS0
Under Attack (No I/O ACM)
TcN1 TcS1
Under Attack (20% I/O ACM Policy)
TcN2 TcS2
Under Attack (10% I/O ACM Policy)
TcN3 TcS3
CPU Utilization: Storage
CPU Utilization: Network
0
20
40
60
80
100
3 6 9 12 15 18 21 24 27 30
TcN0
TcN1
TcN2
TcN3
0
20
40
60
80
100
3 6 9 12 15 18 21 24 27 30
TcS0
TcS1
TcS2
TcS3
Test Cases
Test Environment
Secure Xen on ARM
Domain0 (IDD) Domain1
Linux kernel v2.6.21
I/O ACM
LinuxKernelv2.6.21
iperf(client) Policy
Managerbonnie mtd_atk
net_atk
Linuxkernel
iperf(server)
minicom
SGH-i780
WT3000 power meter
Linux PC
Serial Cable MeasurementCable
net_atk: UDP packet flooding (sending out UDP packets with the size of 44,160 bytes every 1msec) mtd_atk: excessive NAND READ operations (scanning every directory in the filesystem and reading file contents)
CPU Usage (%)
CPU Usage (%)
Time (Sec)
Time (Sec)
Power Meter SGH-i780
Effectiveness
16 / 22 SW Platform Team. © 2011 SAMSUNG Electronics Co.
Access Control
0
100
200
300
400
500
600
700
800
TcN0 TcN1 TcN2 TcN3
UDP
TCP
Test Cases
Thro
ugh
pu
t (K
B/S
ec)
No attack
Under attack
0
500
1000
1500
2000
2500
3000
3500
4000
4500
TcS0 TcS1 TcS2 TcS3
Seq.out
Seq.in
Rand.seek
Test Cases
Thro
ugh
pu
t (K
B/S
ec)
No attack
Under attack
0
0.5
1
1.5
2
2.5
3
TcN0/TcS0 TcN1/TcS1 TcN2/TcS2 TcN3/TcS3
Network
Storage
Test Cases
No attack Under attack
Test Cases
Power Consumption
Throughput: Storage
Throughput: Network
Throughput increase and power consumption decrease even under malware attack
16
Effectiveness
© 2011 SAMSUNG Electronics Co.
Xen ARM Application For Real-time
18 / 22 SW Platform Team. © 2011 SAMSUNG Electronics Co.
Xen ARM: Pre-emption
Technical Issues
Latency caused by interrupt-disabled(DI) section Latency caused by non-preemptible(NP) section
EN DI EN
interrupt handler
Urgent Interrupt
Time
P NP P
Urgent Interrupt Wake up next VM
VM switch
interrupt handler
Time
Delay Delay
interrupt handler
VM switch
The jitter of timer interrupt latency by the hypervisor is bounded within 10% compared with native real-time OS.
DI and NP sections should be minimized.
Status of real-time support
Technical Issue
Guest Domain
Xen-ARM
Non RT Domain
(Running)
Interrupt
RT Domain
Interrupt occurs
Non RT Domain
(Running)
Timer
Send IRQ to Real-time Domain (As Non RT Domain has credits,
RT Domain is not scheduled. Furthermore Xen cannot tell difference
between Non RT Domain and RT Domain.)
Delay
Voluntary CPU release
Non RT Domain
(Running)
Interrupt
RT domain Interrupt
occurs
Scheduling Scheduling
Non RT domain
Scheduling
Preemption
time
Hypervisor should support RT Domain via priority-based scheduling, VMM pre-emption and so on.
19 / 22 SW Platform Team. © 2011 SAMSUNG Electronics Co.
Real-time Performance
Cyclictest benchmark repeats 1. RT task sleeps for 10ms 2. Timer interrupt will occur after 10ms 3. Timer interrupt wakes up the RT
domain(uC/OS-II) 4. uC/OS-II preempts Xen-ARM 5. RT task is scheduled 6. RT task logs timestamp
Category Description
H/W (Tegra250)
CPU Cortex-A9 / 1GHz / Dual Core
RAM 1GB
S/W Hypervisor Xen-ARM
Guest OS (DOM0)
Linux-2.6.29 (Running Busy Loop Task)
Guest OS (DOM1)
uC/OS-II (Running RT Task : Cyclictest benchmark)
Native(uC/OS-II)
Min Avg Max
9995 9996.810169 10000
Xen-ARM(uC/OS-II)
Min Avg Max
9996 9999.327119 10001
Unit : usec
Response Overhead(3us)
• Evaluation Environment
© 2011 SAMSUNG Electronics Co.
Q & A