[Announcement] Karma VMM first public release

[Steffen Liebergeld]

Hi Norman, L4 Hackers,

let me try to clarify what Karma is by giving an very short overview on
L4Linux, Afterburner and Vancouver.

L4Linux is a port of the Linux kernel to the microkernel API. In this
setup Linux runs in its own address space as an L4 task. Its
applications also reside in L4 tasks that reside beside L4Linux. This
setup requires in depth modification to the Linux kernel, and -due to
the increased number if context switches- has an inherent performance
penalty. L4Linux runs on platforms that are not virtualizable (e.g. ARM,
x86). It uses the L4Re infrastructure to implement peripheral devices,
such as framebuffer, shared memory network interface and device discovery.

As far as I know, Afterburner also runs OS kernels on top of a
microkernel on platforms that are not virtualizable. Hereby the guest
kernel binary is modified to replace virtualization sensitive
instructions with "hypercalls". The "hypervisor" resides in the same
address space as the guest kernel, and implements an emulation for
sensitive instructions, mostly using functionality of the underlying kernel.

Vancouver is a virtual machine monitor (VMM) that runs on top of the
NOVA microkernel. NOVA provides means to do page table management for
first and second stage page tables, as well as the means to do a world
switch (switch the CPU from host to guest). Vancouver uses hardware
virtualization through the microkernel interface to implement memory and
CPU virtualization. For everything else (platform devices, peripheral
devices, 16bit code), Vancouver does emulation. Each instance of
Vancouver runs exactly one virtual machine (VM). If the attacker is able
to escape the VM and compromise the VMM, it is up to the microkernel to
ensure that the attack remains contained.

In some sense, the Karma VMM is a mixture between Vancouver and L4Linux.
Let me explain this.

Karma does CPU and memory virtualization using the interfaces of
Fiasco.OC [0]. It runs as a task on top of the microkernel, and one
instance of Karma drives exactly one VM. In contrast to Vancouver, Karma
does no emulation at all. Instead, it implements its own custom device
models to provide platform devices such as interrupt controllers. For
peripheral devices, Karma relies on the L4Re infrastructure, which is
very similar to L4Linux. In contrast to L4Linux, Karma requires hardware
CPU virtualization (e.g. Intel VT or AMD SVM), and can make use of
nested paging for hardware accelerated memory virtualization. As you
said, the modifications to Linux are much simpler than those of L4Linux,
and basically implement the drivers for Karma's device models. The Karma
VMM is tiny (about 8500 lines of code), and the modifications to Linux
comprise about 3000 lines of code.

Actually we are working on reviving a technology called nested
virtualization [1], where we run KVM inside the VM established by Karma.
That allows us to run any OS that KVM can run (e.g. Windows).

For additional information about Karma, you can have a look into my
diploma thesis, where you will also find a number of benchmarks:
http://os.inf.tu-dresden.de/papers_ps/liebergeld-diplom.pdf

I would be happy if this spawns even more questions, and I am looking
forward to answering those.

Best regards,
Steffen Liebergeld

[0] Fiasco.OC has support for Intel VT, AMD SVM and Nested Paging. For
platforms without Nested Paging, Karma implements a shadow tlb.
[1] The term nested virtualization is also used for multi-stage
virtualization on Intel VT and AMD SVM, and is implemented in current
versions of KVM. You may read about it in the paper "The Turtles
Project: Design and Implementation of Nested Virtualization" by
Ben-Yehuda et al.

On 16.05.2012 11:15, Norman Feske wrote:
> Hello,
>
> congratulations for getting Karma out of the door finally. :-)
>
> The project looks very interesting. However, I think it would be
> sensible of you to contrast your approach with existing projects, in
> particular L4Linux, Afterburner, and Vancouver. This way, potential
> users would gain a better understanding of the incentive behind Karma.
>
> From what I gathered from personal conversations with you:
>
>  * Karma has a higher performance than L4Linux.
>  * The VMM runs outside of the Linux kernel similar to Afterburner.
>  * The patch against the vanilla Linux kernel is much simpler and
>    trivial to maintain compared to the L4Linux kernel. (similar to
>    Afterburner)
>  * Karma has no ambition to become a VMM with support for faithful
>    virtualization. Hence, running Windows on Karma won't be possible.
>  * Because Karma depends on x86 H/W-virtualization support, the
>    approch cannot be used on ARM for now.
>
> Are these assumptions valid?
>
> Again, thanks for sharing your work with the community. I'm looking
> forward to look into it.