Hi Norman, L4 Hackers,
let me try to clarify what Karma is by giving a very short overview of L4Linux, Afterburner and Vancouver.
L4Linux is a port of the Linux kernel to the microkernel API. In this setup Linux runs in its own address space as an L4 task. Its applications also reside in L4 tasks that reside beside L4Linux. This setup requires in-depth modification to the Linux kernel and, due to the increased number of context switches, has an inherent performance penalty. L4Linux runs on platforms that are not virtualizable (e.g. ARM, x86). It uses the L4Re infrastructure to implement peripheral devices, such as framebuffer, shared memory network interface and device discovery.
As far as I know, Afterburner also runs OS kernels on top of a microkernel on platforms that are not virtualizable. Hereby the guest kernel binary is modified to replace virtualization sensitive instructions with "hypercalls". The "hypervisor" resides in the same address space as the guest kernel, and implements an emulation for sensitive instructions, mostly using functionality of the underlying kernel.
Vancouver is a virtual machine monitor (VMM) that runs on top of the NOVA microkernel. NOVA provides means to do page table management for first and second stage page tables, as well as the means to do a world switch (switch the CPU from host to guest). Vancouver uses hardware virtualization through the microkernel interface to implement memory and CPU virtualization. For everything else (platform devices, peripheral devices, 16bit code), Vancouver does emulation. Each instance of Vancouver runs exactly one virtual machine (VM). If the attacker is able to escape the VM and compromise the VMM, it is up to the microkernel to ensure that the attack remains contained.
In some sense, the Karma VMM is a mixture between Vancouver and L4Linux. Let me explain this.
Karma does CPU and memory virtualization using the interfaces of Fiasco.OC [0]. It runs as a task on top of the microkernel, and one instance of Karma drives exactly one VM. In contrast to Vancouver, Karma does no emulation at all. Instead, it implements its own custom device models to provide platform devices such as interrupt controllers. For peripheral devices, Karma relies on the L4Re infrastructure, which is very similar to L4Linux. In contrast to L4Linux, Karma requires hardware CPU virtualization (e.g. Intel VT or AMD SVM), and can make use of nested paging for hardware accelerated memory virtualization. As you said, the modifications to Linux are much simpler than those of L4Linux, and basically implement the drivers for Karma's device models. The Karma VMM is tiny (about 8500 lines of code), and the modifications to Linux comprise about 3000 lines of code.
Actually we are working on reviving a technology called nested virtualization [1], where we run KVM inside the VM established by Karma. That allows us to run any OS that KVM can run (e.g. Windows).
For additional information about Karma, you can have a look into my diploma thesis, where you will also find a number of benchmarks: http://os.inf.tu-dresden.de/papers_ps/liebergeld-diplom.pdf
I would be happy if this spawns even more questions, and I am looking forward to answering those.
Best regards, Steffen Liebergeld
[0] Fiasco.OC has support for Intel VT, AMD SVM and Nested Paging. For platforms without Nested Paging, Karma implements a shadow TLB.

[1] The term nested virtualization is also used for multi-stage virtualization on Intel VT and AMD SVM, and is implemented in current versions of KVM. You may read about it in the paper "The Turtles Project: Design and Implementation of Nested Virtualization" by Ben-Yehuda et al.
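The mail above contrasts hardware nested paging (two page-table stages walked by the MMU) with the shadow TLB Karma falls back to when nested paging is unavailable. The following is an added illustration, not code from Karma, Fiasco.OC or any of the projects named: it models both schemes over toy single-level page tables, shows that the VMM-composed shadow table yields the same host address as a two-stage walk, that a guest mapping pointing at a guest-physical frame the VMM never granted faults in either scheme (the containment property a VMM relies on), and why shadow tables go stale when the guest edits its own page table. Table sizes, frame numbers and addresses are constructed sample values.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1u << PAGE_SHIFT)
#define NPAGES     16          /* toy: 16-entry, single-level tables */
#define INVALID    UINT32_MAX  /* no mapping: a page fault */

/* A page table is just an array: page number -> frame number (or INVALID). */
typedef struct { uint32_t pfn[NPAGES]; } pagetable_t;

void pt_init(pagetable_t *pt) {
    for (uint32_t i = 0; i < NPAGES; i++) pt->pfn[i] = INVALID;
}

void pt_map(pagetable_t *pt, uint32_t vpn, uint32_t pfn) {
    if (vpn < NPAGES) pt->pfn[vpn] = pfn;
}

/* One-level lookup of an address: returns the frame number or INVALID. */
uint32_t pt_lookup(const pagetable_t *pt, uint32_t addr) {
    uint32_t vpn = addr >> PAGE_SHIFT;
    return vpn < NPAGES ? pt->pfn[vpn] : INVALID;
}

/* Nested paging: the MMU walks the guest table (gva -> gpa), then the
 * host's second-stage table (gpa -> hpa). A miss in stage 2 is a fault
 * the VMM sees; the guest cannot reach host memory it was not granted. */
uint32_t nested_translate(const pagetable_t *guest, const pagetable_t *stage2, uint32_t gva) {
    uint32_t gpfn = pt_lookup(guest, gva);
    if (gpfn == INVALID) return INVALID;               /* guest-level fault */
    uint32_t hpfn = pt_lookup(stage2, gpfn << PAGE_SHIFT);
    if (hpfn == INVALID) return INVALID;               /* stage-2 fault */
    return (hpfn << PAGE_SHIFT) | (gva & (PAGE_SIZE - 1));
}

/* Shadow paging: the VMM composes both stages into one gva -> hpa table
 * that a non-virtualizing MMU can use directly. Entries the guest maps to
 * ungranted guest-physical frames are simply left unmapped. */
void shadow_build(const pagetable_t *guest, const pagetable_t *stage2, pagetable_t *shadow) {
    for (uint32_t vpn = 0; vpn < NPAGES; vpn++) {
        shadow->pfn[vpn] = INVALID;
        uint32_t gpfn = guest->pfn[vpn];
        if (gpfn == INVALID) continue;
        uint32_t hpfn = pt_lookup(stage2, gpfn << PAGE_SHIFT);
        if (hpfn == INVALID) continue;
        shadow->pfn[vpn] = hpfn;
    }
}

uint32_t shadow_translate(const pagetable_t *shadow, uint32_t gva) {
    uint32_t hpfn = pt_lookup(shadow, gva);
    if (hpfn == INVALID) return INVALID;
    return (hpfn << PAGE_SHIFT) | (gva & (PAGE_SIZE - 1));
}

/* Walk-through on constructed tables; returns true when every property holds. */
bool demo(void) {
    pagetable_t guest, stage2, shadow;
    pt_init(&guest);
    pt_init(&stage2);

    /* VMM grants the guest "physical" frames 0..3, backed by host frames 8..11. */
    for (uint32_t g = 0; g < 4; g++) pt_map(&stage2, g, 8 + g);

    /* Guest OS maps its virtual page 1 to granted frame 2, and page 5 to
     * frame 7, which the VMM never gave it. */
    pt_map(&guest, 1, 2);
    pt_map(&guest, 5, 7);
    shadow_build(&guest, &stage2, &shadow);

    uint32_t nested = nested_translate(&guest, &stage2, 0x1ABC);  /* 0xAABC */
    uint32_t shadow_hpa = shadow_translate(&shadow, 0x1ABC);      /* same */
    uint32_t escape = nested_translate(&guest, &stage2, 0x5000);  /* INVALID */

    /* The guest remaps page 1 -> frame 3. With nested paging the next walk
     * sees it immediately; the shadow table is stale until the VMM rebuilds
     * it, which is the trapping/synchronisation cost of shadow paging. */
    pt_map(&guest, 1, 3);
    uint32_t stale = shadow_translate(&shadow, 0x1000);           /* still 0xA000 */
    shadow_build(&guest, &stage2, &shadow);
    uint32_t fresh = shadow_translate(&shadow, 0x1000);           /* now 0xB000 */

    return nested == 0xAABC && shadow_hpa == nested && escape == INVALID
        && stale == 0xA000 && fresh == 0xB000;
}

int main(void) {
    printf("nested vs. shadow paging demo: %s\n", demo() ? "ok" : "FAILED");
    return demo() ? 0 : 1;
}
```

Real hardware walks multi-level tables and the stage-2 fault is where a VMM such as Karma or Vancouver would decide whether to back the page or treat the access as a violation; the toy keeps the tables flat so the composition of the two stages and the staleness problem are visible in a few lines.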
On 16.05.2012 11:15, Norman Feske wrote:
Hello,
congratulations for getting Karma out of the door finally. :-)
The project looks very interesting. However, I think it would be sensible of you to contrast your approach with existing projects, in particular L4Linux, Afterburner, and Vancouver. This way, potential users would gain a better understanding of the incentive behind Karma.
From what I gathered from personal conversations with you:
- Karma has a higher performance than L4Linux.
- The VMM runs outside of the Linux kernel similar to Afterburner.
- The patch against the vanilla Linux kernel is much simpler and trivial to maintain compared to the L4Linux kernel. (similar to Afterburner)
- Karma has no ambition to become a VMM with support for faithful virtualization. Hence, running Windows on Karma won't be possible.
- Because Karma depends on x86 H/W-virtualization support, the approach cannot be used on ARM for now.
Are these assumptions valid?
Again, thanks for sharing your work with the community. I'm looking forward to looking into it.