Unrestricted © Siemens AG 2014. All rights reserved
Real Safe Times in the Jailhouse Hypervisor
Siemens Corporate Technology | October 2014
Page 2 October 2014 Jan Kiszka, Corporate Technology Unrestricted © Siemens AG 2014. All rights reserved
Real Safe Times in the Jailhouse Hypervisor
Agenda
Jailhouse introduction
Safe isolation
Architecture support
Jailhouse application development
Summary
[Demo]
Page 3
What is Jailhouse?
A tool to run
… real-time and/or safety tasks
… on multicore platforms (AMP)
… aside Linux
It provides
• strong & clean isolation
• bare-metal-like performance & latencies
• no reason to modify Linux
… and it's open source (GPLv2)
Page 4
What makes Jailhouse different?
• Use virtualization for isolation
• Prefer simplicity over features
• Resource access control instead of resource virtualization
• 1:1 resource assignment instead of scheduling
• Partition booted system instead of booting Linux
• Do not hide existence of Jailhouse
• Offload work to Linux
• System boot
• Jailhouse and partition (“cell”) loading & starting
• Control and monitoring
[Figure: scale from “Features” to “Simplicity”]
– ok, nothing new
Page 5
Asymmetric Multi-Processing with Jailhouse
[Figure: Asymmetric multi-processing with Jailhouse. Hardware (Core 1, Core 2, Core 3, Core 4; Device A, Device B, Device C, Device D) runs under the Jailhouse Hypervisor; Linux occupies the root cell, an RTOS or bare-metal application the non-root cell. Hardware photo: Stahlkocher, CC BY-SA 3.0]
Page 6
Agenda: Safe isolation
Page 7
Isolation Properties of Jailhouse
• Prevents access to unassigned resources – enforced for both CPUs and devices
  • Memory
  • I/O
  • Interrupt channels
• Prevents cell interferences
  • System reset / shutdown
  • Inappropriate power settings [WiP]
• Hypervisor is protected against all cells
• Cell creation/destruction and hypervisor disabling are privileged operations
  • Can only be issued by root cell
• Non-root cells may lock system configuration
• Hypervisor supports non-root cells in validating system setup [WiP]
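The isolation rules above boil down to a static property of the cell configurations: every CPU belongs to exactly one cell, and a memory range is visible to two cells only when both declare it as a shared inter-cell region. The following checker, added here as an illustration and not taken from Jailhouse, verifies that property over a set of cell descriptors. The struct layout, field names and flag values are simplified assumptions for this example; the two sample configurations are constructed.

```c
/* Added example (not Jailhouse code): a static checker for the 1:1 resource
 * assignment rule. Structures are a simplified stand-in for a cell
 * descriptor; names and flag values are assumptions for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MEM_READ   (1u << 0)
#define MEM_WRITE  (1u << 1)
#define MEM_SHARED (1u << 2)   /* deliberately shared for inter-cell communication */

struct mem_region {
	uint64_t phys_start;
	uint64_t size;
	uint32_t flags;
};

struct cell_desc {
	const char *name;
	uint64_t cpu_set;                  /* bitmap: bit n set => CPU n assigned */
	const struct mem_region *regions;
	size_t num_regions;
};

static bool regions_overlap(const struct mem_region *a, const struct mem_region *b)
{
	return a->phys_start < b->phys_start + b->size &&
	       b->phys_start < a->phys_start + a->size;
}

/* Count assignment conflicts over all cell pairs: a CPU owned by two cells,
 * or overlapping memory that is not flagged MEM_SHARED on both sides.
 * Jailhouse itself unmaps a new cell's regions from the root cell when the
 * cell is created; this checker is stricter and flags every unflagged overlap. */
int check_cells(const struct cell_desc *cells, size_t n)
{
	int violations = 0;

	for (size_t i = 0; i < n; i++) {
		for (size_t j = i + 1; j < n; j++) {
			uint64_t both = cells[i].cpu_set & cells[j].cpu_set;
			if (both) {
				printf("CPU overlap between %s and %s: 0x%llx\n",
				       cells[i].name, cells[j].name, (unsigned long long)both);
				violations++;
			}
			for (size_t a = 0; a < cells[i].num_regions; a++) {
				for (size_t b = 0; b < cells[j].num_regions; b++) {
					const struct mem_region *ra = &cells[i].regions[a];
					const struct mem_region *rb = &cells[j].regions[b];
					if (!regions_overlap(ra, rb))
						continue;
					if (ra->flags & rb->flags & MEM_SHARED)
						continue;   /* both sides agreed to share it */
					printf("memory overlap between %s and %s at 0x%llx\n",
					       cells[i].name, cells[j].name,
					       (unsigned long long)rb->phys_start);
					violations++;
				}
			}
		}
	}
	return violations;
}

/* Constructed sample configurations (addresses are made up) */
static const struct mem_region root_regions[] = {
	{ 0x00000000, 0x40000000, MEM_READ | MEM_WRITE },              /* 1 GiB for Linux */
	{ 0x40000000, 0x00100000, MEM_READ | MEM_WRITE | MEM_SHARED }, /* inter-cell buffer */
};
static const struct mem_region rt_regions[] = {
	{ 0x80000000, 0x00100000, MEM_READ | MEM_WRITE },              /* inmate RAM */
	{ 0x40000000, 0x00100000, MEM_READ | MEM_WRITE | MEM_SHARED }, /* same buffer */
};
static const struct mem_region bad_regions[] = {
	{ 0x00001000, 0x00001000, MEM_READ | MEM_WRITE },   /* inside Linux RAM, not shared */
};

int check_sample_good(void)
{
	const struct cell_desc cells[] = {
		{ "root (Linux)", 0x3, root_regions, 2 },  /* CPUs 0,1 */
		{ "rt-cell",      0xc, rt_regions,   2 },  /* CPUs 2,3 */
	};
	return check_cells(cells, 2);
}

int check_sample_bad(void)
{
	const struct cell_desc cells[] = {
		{ "root (Linux)", 0x3, root_regions, 2 },
		{ "bad-cell",     0x2, bad_regions,  1 },  /* claims CPU 1 and Linux RAM */
	};
	return check_cells(cells, 2);
}

int main(void)
{
	printf("good config: %d violation(s)\n", check_sample_good());
	printf("bad config:  %d violation(s)\n", check_sample_bad());
	return 0;
}
```

The good configuration passes because its only overlap is the buffer both cells mark as shared; the bad one is reported twice, once for the CPU claimed by both cells and once for the unshared RAM overlap. A check of this kind is what a non-root cell would want to run against the hypervisor-reported setup before trusting its isolation.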
Page 8
Limits of Hypervisor-based Isolation
• No magic to avoid hardware errors
• Sporadic hardware faults can bring down the system
• Or worse: produce wrong output!
• Jailhouse catches and forwards hardware error reports [WiP]
• Reaction configurable, usually application-specific
• Don't forget potential hardware mistakes
• Hidden design errors
• Undocumented side effects
=> System design has to account for this!
Page 9
TÜV-approved Hypervisor Safety Concept
• Hypervisor safety concept completed
• Safety features
• Architecture
• Hardware requirements
• Software measures
• Safety-related application conditions
• TÜV Rheinland confirmed
• No deficiencies
• Concept feasible
Page 10
Agenda: Architecture support
Page 11
Jailhouse Status – x86
• Initial focus on Intel x86
• Requirements
• VT-x (~Sandy Bridge)
• VT-d (IOMMU with interrupt remapping)
• ≥ 2 cores
• Currently: 7300 lines of code
• Recent Linux kernel (3.1x)
• Supports direct interrupt delivery
=> Zero VM exits, minimal latencies feasible
• AMD64 ready for merge
• Supported by AMD, performed by Valentine Sinitsyn
• IOMMU on to-do list
Page 12
Jailhouse Status – ARM
• ARMv7
• Initial port sponsored by ARM, performed by Jean-Philippe Brucker
• (Almost) no changes to Jailhouse core
• Status
• Preparing for merge
• Works fine in Fast Model
• Rough support for ODROID-XU
• Arndale and TI Keystone II board support planned
• To-Do
• SMMU / System MMU
• Improve board support (device tree?)
• ARMv8
Page 13
Agenda: Jailhouse application development
Page 14
Difference to Standard Hypervisors
[Figure: Difference to standard hypervisors. Left: a standard hypervisor on hardware (e.g. x86 PC) presents virtual, PC-compatible hardware to a guest OS (e.g. Linux). Right: the Jailhouse Hypervisor on hardware with Core 1 to Core 4 and Device A to Device E; Linux runs on Core 2, Core 3 and Core 4, while a cell gets Core 1 and Device E directly, with no virtual hardware in between.]
Page 15
Available Resources for Cells
| Resource | x86 |
|---|---|
| RAM | ● Address space customizable ● No restrictions by BIOS, ROMs etc. |
| CPU cores | ● Non-virtualized IDs ● Modified CPU bootstrap: different start vector & SMP boot, no boot through BIOS |
| Inter-processor communication | ● Inter-processor interrupts |
| Clock | ● At least one reference clock: ACPI PM timer, CPU-local TSC |
| Timer | ● Local APIC timer |
| Data exchange with assigned devices | ● MMIO & PIO to device ● DMA to cell RAM |
| Interrupts from assigned devices | ● Accesses to required IOAPIC slots |
| Inter-cell communication | ● Virtual PCI device [WiP] |
Page 16
OS-less Jailhouse Application
• For simple scenarios
• Single task
• Typically single-core
• Few devices
• New design or few dependencies
• Required infrastructure
• CPU bootstrap (assembly)
• I/O initialization and operation
• Devices
• Inter-cell [if needed]
=> Use Jailhouse “inmate” skeleton
• Enables “main loop” development in C
• Essential I/O library available for x86 and ARM
```c
void main(void)
{
	init();
	while (1) {
		do_work();
	}
}
```
Page 17
RTOS-based Application
• For advanced scenarios
• Multiple tasks
• SMP
• Complex device setups
• Preexisting RTOS stacks
• Required steps
• Remove most platform setup logic
• Switch to available timers, clocks etc. [if needed]
• Add inter-cell I/O support [if needed]
=> Reference: Jailhouse support for RTEMS
Page 18
RTEMS as Jailhouse “Inmate”
• Why RTEMS?
• Open source, actively developed
• Reasonable x86 & PCI support
• Required porting steps
• Removed BIOS dependencies, adjusted CPU bootstrap
• Console only via serial
• Legacy PIC & PIT → x2APIC & IOAPIC
• Suitable clock & timer calibrations
• To be published soon (watch mailing list)
• Jailhouse “Board Support Package”
• Intel e1000-class PCI NIC driver
Page 19
Emulation-based Application Debugging
• Option #1: Hardware debugger
• Option #2: Fast emulation, virtualization
• Challenge: Emulate Jailhouse environment (not a “normal” PC)
• Approach: Extend Linux/KVM hypervisor with Jailhouse awareness
• QEMU/KVM supports OS-level debugging via gdb
• We added x86 Jailhouse partition emulation
• Enables source-level debugging of Jailhouse applications
• Use (PCI) device pass-through for I/O access
• Warning: no real-time guarantees!
Page 20
Agenda: Summary
Page 21
Summary
• Jailhouse provides clean AMP for Linux
• Full CPU isolation
• Minimal latency I/O
• Reduced to the minimum (goal: <10k LOC/arch)
• Jailhouse aims at safe segregation
• Enable mixed-criticality on multicore
• TÜV-approved safety concept
• Jailhouse is a community project
• GPLv2, public development for 1 year
• Significant contributions enabled AMD64 and ARMv7
• You are invited to join!
Page 22
Any Questions?
Thank you!
https://github.com/siemens/jailhouse
Jan Kiszka <[email protected]>
Page 23
Agenda: Demo!
Page 24
QEMU/KVM
Live Demonstration
Running Jailhouse in a virtual machine?!
[Figure: the Jailhouse Hypervisor inside a QEMU/KVM virtual machine with two cores of two threads each (Core 0 Thread 0/1, Core 1 Thread 0/1); Linux on one side, a timed event loop on the other; devices: UART, PM timer.]