norman.feske at ...1...
Wed Oct 30 18:10:07 CET 2013
thanks for tuning-in on the Genode mailing list! :-)
> Is the intention that the base-hw remain experimental? Or, is the
> long-term plan to make it a proper microkernel? From what you say
> here, it sounds like I shouldn't consider base-hw as a potential
> microkernel. Martin, however, seems to suggest it will become a
> viable target in the near future.
Sure, base-hw is definitely planned to become a proper platform. But the
word "kernel" does not really express well the role of base-hw. Let me
Base-hw was born out of the observation that classical L4-based systems
carry quite significant redundancies between the microkernel and
roottask as both kernel and roottask have to keep track of how resources
are assigned to processes. I.e., the kernel contains a mapping data base
and page tables, but roottask also keeps records of how memory pages are
used by user-level processes. The same story can be told of other kernel
objects such as threads and protection domains.
The crux is that both kernel and roottask are mandatory parts of the
trusted computing base. On typical L4-based systems, the code for those
parts amounts to 20,000+ LOC (10+ KLOC kernel plus 10 KLOC roottask).
This observation led us to the idea to merge both kernel and Genode's
roottask (core) into one program. In this design, the "kernel" is not a
self-sustaining piece of software but a mere library that provides
back-end functionality for roottask. I.e., it performs no allocations
and becomes active only when called by the roottask code (via one of the
roottask-local system calls) or by IPC operations. All the dynamic (and
complicated) stuff like memory management is handled by roottask code
using Genode's user-level abstractions. The outcome of this experiment
is that the combined program (base-hw core) comprises about 13,000 LOC,
indicating that the approach is able to drastically reduce the mandatory
parts of the trusted computing base.
As of now, we don't recommend the use of base-hw in serious settings
because it is still in flux. That said, Genode hides the peculiarities
of the particular kernels. Because hopping between kernels (such as
base-hw and Fiasco.OC) is almost seamless, there is no need to pick a
kernel upfront when starting the development of a Genode-based system.
Just pick the most convenient kernel to start with. At the API level,
Genode is capability-based. So developers using the API effectively
develop components for a capability-based system. Once kernel-protected
capabilities become available in base-hw, this change will be
transparent to users of the API.
Regardless of the state of base-hw, if you desire a Genode base platform
with kernel-protected capabilities today, you can use Fiasco.OC (ARM,
x86) or NOVA (x86) right away.
Dr.-Ing. Norman Feske
http://www.genode-labs.com · http://genode.org
Genode Labs GmbH · Amtsgericht Dresden · HRB 28424 · Sitz Dresden
Geschäftsführer: Dr.-Ing. Norman Feske, Christian Helmuth
More information about the users