From 1169983c69a673edd3fbf7ff6e2f3ed66645b4ab Mon Sep 17 00:00:00 2001
From: Holger Dengler
Date: Thu, 12 Jul 2018 19:11:54 +0200
Subject: misc: Jailhouse Slides

- Overview embedded Hypervisor
- Concepts
- Configuration
- RT-Measurements

Signed-off-by: Andreas Messerschmid (adapt to schulung repo)
Signed-off-by: Holger Dengler
---
 misc/Kconfig | 6 +
 misc/Makefile | 1 +
 misc/frm_jailhouse.tex | 443 ++++++++++++++++++++++++++++++++++++++++++++++++
 misc/pres_jailhouse.tex | 25 +++
 4 files changed, 475 insertions(+)
 create mode 100644 misc/frm_jailhouse.tex
 create mode 100644 misc/pres_jailhouse.tex
(limited to 'misc')

diff --git a/misc/Kconfig b/misc/Kconfig
index cf1e7dd..232f0e6 100644
--- a/misc/Kconfig
+++ b/misc/Kconfig
@@ -34,3 +34,9 @@ config MISC_UPDATE
 default n
 help
 Presenation about embedded Update concepts
+
+config MISC_JAILHOUSE
+ bool "Jailhouse"
+ default n
+ help
+ Presenation about Jailhouse
diff --git a/misc/Makefile b/misc/Makefile
index 9c631ed..2d6e321 100644
--- a/misc/Makefile
+++ b/misc/Makefile
@@ -4,3 +4,4 @@ obj-$(CONFIG_MISC_MINICOREDUMPER) += pres_minicoredumper_en.pdf
 obj-$(CONFIG_MISC_BEST) += pres_best_en.pdf
 obj-$(CONFIG_MISC_IPC) += pres_ipc_en.pdf
 obj-$(CONFIG_MISC_UPDATE) += pres_update.pdf
+obj-$(CONFIG_MISC_JAILHOUSE) += pres_jailhouse.pdf
diff --git a/misc/frm_jailhouse.tex b/misc/frm_jailhouse.tex
new file mode 100644
index 0000000..6718925
--- /dev/null
+++ b/misc/frm_jailhouse.tex
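Review bot: The new help text `Presenation about Jailhouse` misspells the word; it should read `Presentation about Jailhouse`. The same typo is visible in the MISC_UPDATE context line directly above, so the commit could correct both while it touches this block.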
@@ -0,0 +1,443 @@
+\section{Introduction}
+\subsection{Jailhouse - yet another hypervisor?}
+
+\begin{frame}
+\frametitle{Hypervisors and security}
+\begin{itemize}
+\item Partition resources (CPU, memory, interfaces, \dots)
+\pause
+\item Isolate such resources
+\pause
+\item Make unauthorized access more difficult due to logical and physical separation
+\pause
+\item Prevent one guest OS from injecting malicious code into another
+\pause
+\item Decrease threat conditions caused by excessive resource consumption, e.g. DoS attacks
+\pause
+\item Become the central security layer
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{The desktop and server world}
+\begin{itemize}
+\item Type 1 (bare metal) hypervisors
+\begin{itemize}
+\item Linux KVM
+\item Xvisor
+\item VMware vSphere / ESXi
+\item Xen
+\item \dots
+\end{itemize}
+\pause
+\item Type 2 (hosted) hypervisors
+\begin{itemize}
+\item VirtualBox
+\item Lguest
+\item VMware Workstation Player
+\item \dots
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Virtualization in Embedded Systems}
+\begin{itemize}
+\item \dots wasn't very popular in the past due to
+\begin{itemize}
+\item introduction of increased latencies and cycle times
+\item high system complexity
+\end{itemize}
+\pause
+\item \dots was realized by microkernel based hypervisors
+\begin{itemize}
+\item L4re
+\item TOPPERS SafeG
+\item QNX
+\item \dots
+\end{itemize}
+\pause
+\item can be realized by Jailhouse to run real-time/security or safety critical tasks on multicore platforms
+\end{itemize}
+\end{frame}
+
+\subsection{Jailhouse principles and features}
+
+\begin{frame}
+\frametitle{Jailhouse is \dots}
+\begin{minipage}{0.6\textwidth}
+\begin{itemize}
+\item a bare metal partitioning hypervisor
+\item assisted by Linux
+\item running on multicore platforms
+\item open source (GPLv2)
+\item maintained by Jan Kiszka / Siemens
+\end{itemize}
+\end{minipage}
+\begin{minipage}{0.3\textwidth}
+\includegraphics[width=\linewidth]{images/tux_in_jail.png}
+\end{minipage}
+\end{frame}
+
+\begin{frame}
+\frametitle{Jailhouse uses \dots}
+\begin{itemize}
+\item hardware virtualization extensions for isolation
+ \begin{itemize}
+ \item Intel x86 support -> 64Bit, VMX, VT-d
+ \item AMD x86 support -> 64Bit, AMD-V
+ \item ARM support -> ARMv7 with virtualization extensions or ARMv8
+ \end{itemize}
+\item Linux infrastructure for housekeeping
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Jailhouse doesn't \dots}
+\begin{itemize}
+\item emulate resources we do not have
+\item have a scheduler
+\item boot Linux in the root-cell
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Asymmetric multiprocessing}
+\begin{block}{Isolated cores can run something else than Linux}
+\begin{itemize}
+\item RTOS (RTEMS, FreeRTOS, ...)
+\item bare-metal applications
+\item Windows
+\item QNX
+\item VxWorks
+\item \dots
+\end{itemize}
+\end{block}
+\end{frame}
+
+\begin{frame}
+\frametitle{Block diagram}
+\begin{center}
+\includegraphics[height=0.8\textheight]{images/jailhouse_blockdiagram.png}
+\end{center}
+\end{frame}
+
+\begin{frame}
+\frametitle{Booting}
+\begin{center}
+\includegraphics[height=0.8\textheight]{images/jailhouse_partitioning1.png}
+\end{center}
+\end{frame}
+
+\begin{frame}
+\frametitle{Partitioning}
+\begin{center}
+\includegraphics[height=0.8\textheight]{images/jailhouse_partitioning2.png}
+\end{center}
+\end{frame}
+
+\begin{frame}
+\frametitle{Operating}
+\begin{center}
+\includegraphics[height=0.8\textheight]{images/jailhouse_partitioning3.png}
+\end{center}
+\end{frame}
+
+\section{System Partitioning with Jailhouse on ZYNQ Ultrascale+}
+\subsection{System configuration}
+
+\begin{frame}
+\frametitle{Xilinx ZYNQ Ultrascale+ MPSoC overview}
+\begin{center}
+\includegraphics[height=0.7\textheight]{images/zynq-ev-block.png}
+\end{center}
+\end{frame}
+
+\begin{frame}
+\frametitle{Surveillance application}
+\begin{center}
+\includegraphics[height=0.7\textheight]{images/jailhouse_surveil_diagram.png}
+\end{center}
+\end{frame}
+
+\begin{frame}
+\frametitle{Surveillance application}
+\begin{center}
+\includegraphics[height=0.7\textheight]{images/jailhouse_surveil_diagram1.png}
+\end{center}
+\end{frame}
+
+\subsection{Partitioning example}
+
+\begin{frame}
+\frametitle{Partitioned surveillance application}
+\begin{center}
+\includegraphics[height=0.7\textheight]{images/jailhouse_surveil_partitioned_with_rt.png}
+\end{center}
+\end{frame}
+
+\begin{frame}
+\frametitle{Security improvements}
+\begin{itemize}
+\item Cascading is easy (it's done in software)
+\item Reduce the attack surface
+\item TCB can be minimized
+\item Reduce inter-cell communication to a minimum
+\item Securing and authenticating communication channels
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Realtime latency measurements}
+\begin{figure}
+ \centering
+ \subfloat[Native RT Linux 4.9.20-rt16]{{\includegraphics[width=5cm]{images/plot_rt_nohyp_4.9.20-rt16-isolcpus1-3.png} }}
+ \qquad
+ \subfloat[Jailhouse guest RT Linux 4.9.20-rt16]{{\includegraphics[width=5cm]{images/plot_rt_inmate_2threads_4.9.20-rt16_isolcpu1.png} }}
+ \caption{cyclictest latency plots}
+ \label{fig:latencyplots}
+\end{figure}
+\end{frame}
+
+\subsection{Setup and run Jailhouse}
+
+\begin{frame}
+\frametitle{Creating a system config}
+\begin{itemize}
+\item Config generator for x86 is available (jailhouse-config-create)
+\item No tooling for ARM at the moment
+\item Create c-File in jailhouse/configs
+\item Fill the C-structures to describe your hardware
+\item Adapt the cell device tree when running Linux
+\end{itemize}
+\end{frame}
+
+\begin{frame}[fragile]
+\frametitle{Root-cell configuration}
+\begin{lstlisting}
+struct {
+ struct jailhouse_system header;
+ __u64 cpus[1];
+ struct jailhouse_memory mem_regions[5];
+ struct jailhouse_irqchip irqchips[1];
+ struct jailhouse_pci_device pci_devices[2];
+} __attribute__((packed)) config = {
+ .header = {
+ .signature = JAILHOUSE_SYSTEM_SIGNATURE,
+ .revision = JAILHOUSE_CONFIG_REVISION,
+ .hypervisor_memory = {
+ .phys_start = 0x800000000,
+ .size = 0x000400000,
+ },
+ .cpus = {
+ 0xf,
+ },
+\end{lstlisting}
+\end{frame}
+
+\begin{frame}[fragile]
+\frametitle{Root-cell configuration continued}
+\begin{lstlisting}
+ .mem_regions = {
+ /* MMIO (permissive) */ {
+ .phys_start = 0xfd000000,
+ .virt_start = 0xfd000000,
+ .size = 0x03000000,
+ .flags = JAILHOUSE_MEM_READ | JAILHOUSE_MEM_WRITE | JAILHOUSE_MEM_IO,
+ },
+ /* RAM */ {
+ .phys_start = 0x0,
+ .virt_start = 0x0,
+ .size = 0x80000000,
+ .flags = JAILHOUSE_MEM_READ | JAILHOUSE_MEM_WRITE | JAILHOUSE_MEM_EXECUTE,
+ },
+ }
+ .irqchips = {
+ /* GIC */ {
+ .address = 0xf9010000,
+ .pin_base = 32,
+ .pin_bitmap = {
+ 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff,
+ },
+ },
+ },
+\end{lstlisting}
+\end{frame}
+
+\begin{frame}[fragile]
+\frametitle{Inmate configuration}
+\begin{lstlisting}
+struct {
+ struct jailhouse_cell_desc cell;
+ __u64 cpus[1];
+ struct jailhouse_memory mem_regions[6];
+ struct jailhouse_irqchip irqchips[1];
+ struct jailhouse_pci_device pci_devices[2];
+} __attribute__((packed)) config = {
+ .cell = {
+ .signature = JAILHOUSE_CELL_DESC_SIGNATURE,
+ .revision = JAILHOUSE_CONFIG_REVISION,
+ .name = "ZynqMP-linux-demo",
+ .flags = JAILHOUSE_CELL_PASSIVE_COMMREG,
+
+ .cpu_set_size = sizeof(config.cpus),
+ .num_memory_regions = ARRAY_SIZE(config.mem_regions),
+ .num_irqchips = ARRAY_SIZE(config.irqchips),
+ .num_pci_devices = ARRAY_SIZE(config.pci_devices),
+
+ .vpci_irq_base = 140-32,
+ },
+}
+\end{lstlisting}
+\end{frame}
+
+\begin{frame}[fragile]
+\frametitle{Inmate configuration continued}
+\begin{lstlisting}
+ .cpus = {
+ 0xc,
+ },
+
+ .mem_regions = {
+ /* UART */ {
+ .phys_start = 0xff010000,
+ .virt_start = 0xff010000,
+ .size = 0x1000,
+ .flags = JAILHOUSE_MEM_READ | JAILHOUSE_MEM_WRITE |
+ JAILHOUSE_MEM_IO | JAILHOUSE_MEM_ROOTSHARED,
+ },
+ /* RAM */ {
+ .phys_start = 0x800600000,
+ .virt_start = 0,
+ .size = 0x10000,
+ .flags = JAILHOUSE_MEM_READ | JAILHOUSE_MEM_WRITE |
+ JAILHOUSE_MEM_EXECUTE | JAILHOUSE_MEM_LOADABLE,
+ },
+
+ ...
+\end{lstlisting}
+\end{frame}
+
+\lstset{language=bash,
+ basicstyle=\ttfamily,
+ keywordstyle=\color{blue}\ttfamily,
+ stringstyle=\color{red}\ttfamily,
+ commentstyle=\color{magenta}\ttfamily,
+ morecomment=[l][\color{grey}]{\#}
+ tabsize=8,
+ keepspaces,
+ extendedchars=true,
+ aboveskip=5pt,
+ upquote=true,
+ columns=fixed,
+ rulecolor=\color{black},
+ basicstyle=\footnotesize,
+ showstringspaces=false,
+ extendedchars=true,
+ breaklines=true,
+ frame=single,
+ showtabs=true,
+ showspaces=false,
+ showstringspaces=false,
+}
+
+\begin{frame}[fragile]
+\frametitle{Building Jailhouse}
+\begin{lstlisting}
+# Get the Jailhouse sources:
+git clone https://github.com/siemens/jailhouse.git
+# Get a linux tree
+git clone git://git.kiszka.org/linux.git
+# setup environment
+export ARCH=arm64
+export CROSS_COMPILE=
+# Configure and build the linux tree
+make O= xilinx_zynqmp_defconfig
+make O=
+# Build Jailhouse
+make KDIR=
+# Deploy Jailhouse
+make KDIR= DESTDIR= install
+\end{lstlisting}
+\end{frame}
+
+\begin{frame}[fragile]
+\frametitle{Starting Jailhouse}
+\begin{lstlisting}
+# load the jailhouse kernel driver
+modprobe jailhouse
+# enable the hypervisor
+jailhouse enable zynqmp-zcu102.cell
+# create inmate cell
+jailhouse cell create zynqmp-zcu102-linux-demo.cell
+# load and start linux inmate
+jailhouse cell linux \
+ zynqmp-zcu102-linux-demo.cell \
+ Image \
+ --dtb inmate-zynqmp-zcu102.dtb \
+ --initrd initramfs.cpio.gz \
+ --cmdline "console=ttyPS0,115200" \
+ --arch arm64
+\end{lstlisting}
+\end{frame}
+
+\begin{frame}
+\frametitle{Debugging Jailhouse}
+\begin{itemize}
+\item Debug/console prints on UARTs
+\item Hypervisor console via sysfs
+\item Inmates can use the hypervisor's debug channel
+\item Inmates can specify their own debug UART
+\item Cell statistics via 'jailhouse cell stats' command
+\end{itemize}
+\end{frame}
+
+\subsection{Inter-cell communication}
+
+\begin{frame}
+\begin{itemize}
+\item Shared memory and signaling between cells
+\item Device model similar to Qemu-ivshmem
+\item 1:1 communication relationship per channel
+\item Modeled as a virtual PCI device
+\item MSI-X support for signaling (one IRQ per virtual device)
+\item ivshmem-net -> virtual network device for linux available
+\item ivshmem demos for bare metal / rtos usage
+\end{itemize}
+\end{frame}
+
+\section{Conclusion}
+
+\begin{frame}
+\begin{block}{Jailhouse is great to \dots}
+\begin{itemize}
+\item partition your system
+\item run security/safety and realtime critical tasks
+\item divide and simplify your security system design
+\item give additional levels of security
+\item get nearly baremetal performance
+\end{itemize}
+\end{block}
+\begin{block}{but \dots}
+\begin{itemize}
+\item you have to get a deep understanding of your multicore platform
+\item you have to get familiar with your CPU architecture
+\end{itemize}
+\end{block}
+\end{frame}
+
+\section*{}
+\subsection*{}
+
+\begin{frame}
+\frametitle{References}
+\begin{itemize}
+\item \url{http://events.linuxfoundation.org/sites/events/files/slides/ELCE2016-Jailhouse-Tutorial.pdf}
+\item \url{https://github.com/siemens/jailhouse.git}
+\item \url{git://git.kiszka.org/linux.git}
+\item \url{https://lwn.net/Articles/578295/}
+\item \url{https://lwn.net/Articles/578852/}
+\item \url{http://www.linuxjournal.com/content/jailhouse}
+\item \url{https://www.xilinx.com/content/dam/xilinx/imgs/products/zynq/zynq-ev-block.PNG}
+\end{itemize}
+\end{frame}
diff --git a/misc/pres_jailhouse.tex b/misc/pres_jailhouse.tex
new file mode 100644
index 0000000..834eba1
--- /dev/null
+++ b/misc/pres_jailhouse.tex
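Review bot: The two C excerpts on the 'Root-cell configuration continued' and 'Inmate configuration' slides are not valid C as shown: the `}` that closes `.mem_regions` is followed directly by `.irqchips = {` with no comma, and the `},` after `.cell` is followed by a bare `}` that closes the whole `config` initializer even though `.cpus` and `.mem_regions` continue on the next slide; writing `},` in the first place and dropping the stray `}` in the second keeps the slides consistent with a compilable cell config. The `\lstset` before 'Building Jailhouse' is missing the comma after `morecomment=[l][\color{grey}]{\#}`, so `tabsize=8` is presumably parsed as part of that key's value, and `basicstyle`, `extendedchars` and `showstringspaces` are each given twice with only the later value taking effect. `grey` is not among xcolor's predefined colour names (`gray` is), so it relies on the presentation config defining it. On the build slide `export CROSS_COMPILE=`, `make O=`, `make KDIR=` and `DESTDIR=` carry empty values, which looks like angle-bracket placeholders lost in rendering rather than the intended listing; worth checking against the file in the repository.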
@@ -0,0 +1,25 @@
+\input{configpres}
+
+\AtBeginSubsection[] {
+\begin{frame}
+\tableofcontents[currentsection,currentsubsection]
+\end{frame}
+}
+
+% ----------------------------
+\title{Embedded Software Lock-Up}
+\subtitle{Partition critical Systems with Jailhouse-Hypervisor}
+\maketitle
+
+% ----------------------------
+\begin{frame}{Overview}
+\tableofcontents
+\end{frame}
+
+% ----------------------------
+\input{misc/frm_jailhouse.tex}
+
+% ----------------------------
+\section*{}
+\subsection*{}
+\input{tailpres}
-- 
cgit v1.2.3