高级操作系统高级操作系统 (21).pdf

第 4 讲：Optimization of Virtual Machine Monitor第三节：Dune:Safe User-level Access to Privileged CPU FeaturesRequirement of DUNEFor MORE performance&featuresSafe User-level Access to Privileged CPU FeaturesDune:Safe User-level Access to Privileged CPU Features,Adam Belay,etc.,OSDI12.Requirement of DUNEFor MORE performance&featuresSpeed up garbage collection(Azul C4)pagetablePrivilege separation within a process(Palladium)MMUSafe native code in web browsers(Xax)Syscall handler.Some thoughts of DUNE Change kernelProblem:stability concerns,challenging to Optimization analysisdistribute,composability concerns.Some thoughts of DUNE exokernelProblem:must replace entire OS stack.Some thoughts of DUNE VMMProblem:virtual machines have strict partitioning.Some thoughts of DUNE Dune in a NutshellProvide safe user-level access to privileged CPU featuresStill a normal process in all ways(POSIX API,etc)Key idea:leverage existing virtualization hardware(VTx).Some thoughts of DUNE Dune Simple ArchHost mode-VMX root mode on IntelNormally used for hypervisorsIn Dune,we run the kernel here，for access VT-x instructions.Some thoughts of DUNE Dune Simple ArchGuest mode-VMX non-root mode on IntelNormally used by the guest kernelIn Dune,we run ordinary processes here,for access to privileged features.Some thoughts of DUNE Dune Simple ArchConfigures and manages virtualization hardwareProvides integration with the rest of the kernel in order to support a process abstractionUses Intel VTx.Some thoughts of DUNE Dune Simple ArchA uAlity library to help applicaAons manage privileged hardware featuresCompletely untrustedException handling,syscall handling,page allocator,page table management,ELF loader.Diff Between VMM&DUNEDUNE:using virtualization hardware to providea process.Contributions of DUNEDUNEa design that uses hardware-assisted virtualizationto safely and efficiently expose privileged hardwarefeatures to user programs while preserving standardOS abstractions.Memory managementSystem callsPOSIX Signals.Supported Hardware FeaturesHardware features exposed by Dune and theircorresponding privileged x86 instructions.Supported Hardware Features ExceptionsHardware features exposed by DuneNormally,reporting an exception to a user programrequires privilege mode transitions and an upcallmechanism(e.g.,signals)Dune can reduce exception overhead because it usesVT-x to deliver exceptions directly in hardware.proves the speed of delivering page fault exceptionsby more than 4 X.Supported Hardware Features Virtual MemoryHardware features exposed by Dunegives user programs the ability to manually controlTLB invalidations.page table updates can be performed in batcheswhen permitted by the application.Dune exposes TLB tagging by providing access toIntels recently added process-context identifier(PCID)or virtual-processor identifiers(VPID)featureDune results in a 7 speedup over Linux in the Appeland Li user-level virtual memory benchmarks.Supported Hardware Features Virtual Memory.Supported Hardware Features Privilege ModesHardware features exposed by DuneTwo motivating use cases for privilege modes areprivilege separation and sandboxing of untrustedcode.page table updates can be performed in batcheswhen permitted by the application.system call instructions trap to the process itself,rather than to the kernel,can be used for system call interposition and toprevent untrusted code from directly accessing thekernel.Compared to ptrace in Linux,we show that Dunecan intercept a system call with 25 X less overhead.Supported Hardware Features Privilege ModesSYSCALL will only trap back into the processUse VMCALL(i.e.a hypercall)to perform normal kernel system calls.Supported Hardware Features Privilege ModesIsolate untrusted code by running it in a less privileged mode(i.e.ring 3 on x86)Leverage the supervisorbit in the page table to protect memory.Implementation ChallengesReducing VM exit and VM entry overheadPthread and fork were tricky to integrate with theLinux kernelEPT does not support enough address spaceSignals should only be delivered to ring 0,butprocess is in ring 3.Implementation ChallengesReducing VM exit and VM entry overhead.Implementation ChallengesApplication:garbage collection.Implementation ChallengesApplication:sandbox.PerformanceOverhead analysis:VMX trans,EPT transOptimization analysis:Faster system call，Virt Mem manipulation.PerformanceSandbox:SPEC2000 performanceEPT overhead:use of large pages.PerformanceSandbox:Lighttpd performanceSlight reduction in throughput(less than 2%)due to VMCALL overhead.ConclusionsApplications can benefit from access to privilegedCPU featuresVirtualization hardware allows us to provide suchaccess safelyDune creates new opportunities to build andimprove applications without kernel changesDune has modest performance overhead.