[Announcement] Karma VMM first public release
We are happy to announce the first public release of the Karma Virtual Machine Monitor [0]. Karma is a virtual machine monitor (VMM) that runs Linux in a virtual machine on top of the Fiasco.OC [1] microkernel. Its main design directives are speed and simplicity. Unlike KVM, VirtualBox or VMWare, Karma does no emulation, but resorts to aggressive paravirtualization and therefore has low complexity and shows superior performance for a number of benchmarks. Karma requires hardware assisted CPU virtualization. A feature that is available on all recent x86 CPUs (SVM or VT). Optionally, it can make use of hardware assisted memory virtualization (Nested Paging or ePT), if available. The Karma VMM is currently being used as a research vehicle at Technische Universität Berlin and Technische Universität Dresden. It main features are: - Trustworthy isolation of virtual machines by means of the microkernel. VMM compromise does no harm to other virtual machines as one instance of Karma runs exactly one virtual machine. - Clean, tiny code base, less than 9000 source lines of code. - Near native (guest)-Linux performance. - Supports: * SMP * Networking * Direct harddisk access via AHCI * RTC and Hpet support Karma is released under the terms of the Gnu General Public License Version 2. [0] http://karma-vmm.org [1] http://os.int.tu-dresden.de/fiasco [2] http://www.isti.tu-berlin.de/security_in_telecommunications [3] http://os.inf.tu-dresden.de -- Dipl.-Inf. Matthias Lange <mlange@sec.t-labs.tu-berlin.de> Security in Telecommunications TU Berlin / Telekom Innovation Laboratories Ernst-Reuter-Platz 7, 10587 Berlin Phone: +49 - 30 - 8353 58 553 Mobile: +49 - 160 - 587 28 07 Web: http://www.t-labs.tu-berlin.de/sect
Why not just let go of the linux and run posix w/ gcc? And make a windows-friendly driver conversion kit? On Mon, May 14, 2012 at 6:44 AM, Matthias Lange <mlange@sec.t-labs.tu-berlin.de> wrote:
We are happy to announce the first public release of the Karma Virtual Machine Monitor [0].
Karma is a virtual machine monitor (VMM) that runs Linux in a virtual machine on top of the Fiasco.OC [1] microkernel. Its main design directives are speed and simplicity. Unlike KVM, VirtualBox or VMWare, Karma does no emulation, but resorts to aggressive paravirtualization and therefore has low complexity and shows superior performance for a number of benchmarks.
Karma requires hardware assisted CPU virtualization. A feature that is available on all recent x86 CPUs (SVM or VT). Optionally, it can make use of hardware assisted memory virtualization (Nested Paging or ePT), if available.
The Karma VMM is currently being used as a research vehicle at Technische Universität Berlin and Technische Universität Dresden.
It main features are: - Trustworthy isolation of virtual machines by means of the microkernel. VMM compromise does no harm to other virtual machines as one instance of Karma runs exactly one virtual machine. - Clean, tiny code base, less than 9000 source lines of code. - Near native (guest)-Linux performance. - Supports: * SMP * Networking * Direct harddisk access via AHCI * RTC and Hpet support
Karma is released under the terms of the Gnu General Public License Version 2.
[0] http://karma-vmm.org [1] http://os.int.tu-dresden.de/fiasco [2] http://www.isti.tu-berlin.de/security_in_telecommunications [3] http://os.inf.tu-dresden.de
-- Dipl.-Inf. Matthias Lange <mlange@sec.t-labs.tu-berlin.de> Security in Telecommunications TU Berlin / Telekom Innovation Laboratories Ernst-Reuter-Platz 7, 10587 Berlin Phone: +49 - 30 - 8353 58 553 Mobile: +49 - 160 - 587 28 07 Web: http://www.t-labs.tu-berlin.de/sect
_______________________________________________ l4-hackers mailing list l4-hackers@os.inf.tu-dresden.de http://os.inf.tu-dresden.de/mailman/listinfo/l4-hackers
Hello, congratulations for getting Karma out of the door finally. :-) The project looks very interesting. However, I think it would be sensible of you to contrast your approach with existing projects, in particular L4Linux, Afterburner, and Vancouver. This way, potential users would gain a better understanding of the incentive behind Karma.
From what I gathered from personal conversations with you:
* Karma has a higher performance than L4Linux. * The VMM runs outside of the Linux kernel similar to Afterburner. * The patch against the vanilla Linux kernel is much simpler and trivial to maintain compared to the L4Linux kernel. (similar to Afterburner) * Karma has no ambition to become a VMM with support for faithful virtualization. Hence, running Windows on Karma won't be possible. * Because Karma depends on x86 H/W-virtualization support, the approch cannot be used on ARM for now. Are these assumptions valid? Again, thanks for sharing your work with the community. I'm looking forward to look into it. Cheers Norman On 05/14/2012 11:44 AM, Matthias Lange wrote:
We are happy to announce the first public release of the Karma Virtual Machine Monitor [0].
Karma is a virtual machine monitor (VMM) that runs Linux in a virtual machine on top of the Fiasco.OC [1] microkernel. Its main design directives are speed and simplicity. Unlike KVM, VirtualBox or VMWare, Karma does no emulation, but resorts to aggressive paravirtualization and therefore has low complexity and shows superior performance for a number of benchmarks.
Karma requires hardware assisted CPU virtualization. A feature that is available on all recent x86 CPUs (SVM or VT). Optionally, it can make use of hardware assisted memory virtualization (Nested Paging or ePT), if available.
The Karma VMM is currently being used as a research vehicle at Technische Universität Berlin and Technische Universität Dresden.
It main features are: - Trustworthy isolation of virtual machines by means of the microkernel. VMM compromise does no harm to other virtual machines as one instance of Karma runs exactly one virtual machine. - Clean, tiny code base, less than 9000 source lines of code. - Near native (guest)-Linux performance. - Supports: * SMP * Networking * Direct harddisk access via AHCI * RTC and Hpet support
Karma is released under the terms of the Gnu General Public License Version 2.
[0] http://karma-vmm.org [1] http://os.int.tu-dresden.de/fiasco [2] http://www.isti.tu-berlin.de/security_in_telecommunications [3] http://os.inf.tu-dresden.de
Hi Norman, L4 Hackers, let me try to clarify what Karma is by giving an very short overview on L4Linux, Afterburner and Vancouver. L4Linux is a port of the Linux kernel to the microkernel API. In this setup Linux runs in its own address space as an L4 task. Its applications also reside in L4 tasks that reside beside L4Linux. This setup requires in depth modification to the Linux kernel, and -due to the increased number if context switches- has an inherent performance penalty. L4Linux runs on platforms that are not virtualizable (e.g. ARM, x86). It uses the L4Re infrastructure to implement peripheral devices, such as framebuffer, shared memory network interface and device discovery. As far as I know, Afterburner also runs OS kernels on top of a microkernel on platforms that are not virtualizable. Hereby the guest kernel binary is modified to replace virtualization sensitive instructions with "hypercalls". The "hypervisor" resides in the same address space as the guest kernel, and implements an emulation for sensitive instructions, mostly using functionality of the underlying kernel. Vancouver is a virtual machine monitor (VMM) that runs on top of the NOVA microkernel. NOVA provides means to do page table management for first and second stage page tables, as well as the means to do a world switch (switch the CPU from host to guest). Vancouver uses hardware virtualization through the microkernel interface to implement memory and CPU virtualization. For everything else (platform devices, peripheral devices, 16bit code), Vancouver does emulation. Each instance of Vancouver runs exactly one virtual machine (VM). If the attacker is able to escape the VM and compromise the VMM, it is up to the microkernel to ensure that the attack remains contained. In some sense, the Karma VMM is a mixture between Vancouver and L4Linux. Let me explain this. Karma does CPU and memory virtualization using the interfaces of Fiasco.OC [0]. It runs as a task on top of the microkernel, and one instance of Karma drives exactly one VM. In contrast to Vancouver, Karma does no emulation at all. Instead, it implements its own custom device models to provide platform devices such as interrupt controllers. For peripheral devices, Karma relies on the L4Re infrastructure, which is very similar to L4Linux. In contrast to L4Linux, Karma requires hardware CPU virtualization (e.g. Intel VT or AMD SVM), and can make use of nested paging for hardware accelerated memory virtualization. As you said, the modifications to Linux are much simpler than those of L4Linux, and basically implement the drivers for Karma's device models. The Karma VMM is tiny (about 8500 lines of code), and the modifications to Linux comprise about 3000 lines of code. Actually we are working on reviving a technology called nested virtualization [1], where we run KVM inside the VM established by Karma. That allows us to run any OS that KVM can run (e.g. Windows). For additional information about Karma, you can have a look into my diploma thesis, where you will also find a number of benchmarks: http://os.inf.tu-dresden.de/papers_ps/liebergeld-diplom.pdf I would be happy if this spawns even more questions, and I am looking forward to answering those. Best regards, Steffen Liebergeld [0] Fiasco.OC has support for Intel VT, AMD SVM and Nested Paging. For platforms without Nested Paging, Karma implements a shadow tlb. [1] The term nested virtualization is also used for multi-stage virtualization on Intel VT and AMD SVM, and is implemented in current versions of KVM. You may read about it in the paper "The Turtles Project: Design and Implementation of Nested Virtualization" by Ben-Yehuda et al. On 16.05.2012 11:15, Norman Feske wrote:
Hello,
congratulations for getting Karma out of the door finally. :-)
The project looks very interesting. However, I think it would be sensible of you to contrast your approach with existing projects, in particular L4Linux, Afterburner, and Vancouver. This way, potential users would gain a better understanding of the incentive behind Karma.
From what I gathered from personal conversations with you:
* Karma has a higher performance than L4Linux. * The VMM runs outside of the Linux kernel similar to Afterburner. * The patch against the vanilla Linux kernel is much simpler and trivial to maintain compared to the L4Linux kernel. (similar to Afterburner) * Karma has no ambition to become a VMM with support for faithful virtualization. Hence, running Windows on Karma won't be possible. * Because Karma depends on x86 H/W-virtualization support, the approch cannot be used on ARM for now.
Are these assumptions valid?
Again, thanks for sharing your work with the community. I'm looking forward to look into it.
Hi Steffen, thank you for the elaborate reply! The text you have just written would fit pretty well on karma-vmm.org, doesn't it?. .-)
As far as I know, Afterburner also runs OS kernels on top of a microkernel on platforms that are not virtualizable. Hereby the guest kernel binary is modified to replace virtualization sensitive instructions with "hypercalls". The "hypervisor" resides in the same address space as the guest kernel, and implements an emulation for sensitive instructions, mostly using functionality of the underlying kernel.
I am far from being proficient when it comes to Afterburner but from what I understand so far, there seem to be quite a few similarities between this project and the approach you have taken with Karma. Code-wise, the Afterburner VMM (called wedge) is cleanly separated from the Linux kernel. The fact that its code is executed in the same address space as the Linux kernel rather than a different address space (as in Vancouver and Karma) is just a performance optimization. The list of interface functions provided by the wedge is illustrative: https://github.com/l4ka/afterburner/blob/master/afterburn-wedge/ia32/vmiCall... Most of those functions are concerned with low-level CPU emulation. In the original form of Afterburner, they are invoked by little code stubs that replace their corresponding CPU instructions by upcalls to the wedge. (the replacement of those the critical CPU instructions with stub codes is done via a semi-automated procedure dubbed pre-virtualization) However, support for H/W virtualization has been added at a later stage, which alleviates the need for instrumenting the Linux kernel. So from a large distance, Karma reminds me of the latter variant of Afterburner. To see more clearly how your work integrates with the (quite diverse) virtualization landscape of the L4 world, it would be just great if you contrast both projects in a little more technical detail.
Vancouver is a virtual machine monitor (VMM) that runs on top of the NOVA microkernel. NOVA provides means to do page table management for
From the insights I got with porting Vancouver to Genode (on NOVA), I got that Vancouver is in fact not inherently coupled to NOVA. It is a largely freestanding code base with only little glue between the VMM and the kernel. Technically, it should feasible to port Vancouver to other kernels with virtualization support such as Fiasco.OC.
first and second stage page tables, as well as the means to do a world switch (switch the CPU from host to guest). Vancouver uses hardware virtualization through the microkernel interface to implement memory and CPU virtualization. For everything else (platform devices, peripheral devices, 16bit code), Vancouver does emulation. Each instance of Vancouver runs exactly one virtual machine (VM). If the attacker is able to escape the VM and compromise the VMM, it is up to the microkernel to ensure that the attack remains contained.
In some sense, the Karma VMM is a mixture between Vancouver and L4Linux. Let me explain this.
Karma does CPU and memory virtualization using the interfaces of Fiasco.OC [0]. It runs as a task on top of the microkernel, and one instance of Karma drives exactly one VM. In contrast to Vancouver, Karma does no emulation at all. Instead, it implements its own custom device models to provide platform devices such as interrupt controllers. For peripheral devices, Karma relies on the L4Re infrastructure, which is very similar to L4Linux. In contrast to L4Linux, Karma requires hardware CPU virtualization (e.g. Intel VT or AMD SVM), and can make use of nested paging for hardware accelerated memory virtualization. As you
From this statement, I looks like Vancouver facilitates the same design but provides a superset of Karma's functionality. What is the main advantage of Karma compared to Vancouver (apart from running on a different kernel)? Why have you opted to create a new VMM rather than facilitate a port of Vancouver to Fiasco.OC?
Actually we are working on reviving a technology called nested virtualization [1], where we run KVM inside the VM established by Karma. That allows us to run any OS that KVM can run (e.g. Windows).
That looks promising. I am confident that those puzzle pieces will do well together. .-)
For additional information about Karma, you can have a look into my diploma thesis, where you will also find a number of benchmarks: http://os.inf.tu-dresden.de/papers_ps/liebergeld-diplom.pdf
I would be happy if this spawns even more questions, and I am looking forward to answering those.
Please do not take my statements above as offense. I am just genuinely interested. Cheers Norman -- Dr.-Ing. Norman Feske Genode Labs http://www.genode-labs.com · http://genode.org Genode Labs GmbH · Amtsgericht Dresden · HRB 28424 · Sitz Dresden Geschäftsführer: Dr.-Ing. Norman Feske, Christian Helmuth
participants (5)
-
John van V. -
Julian Stecklina -
Matthias Lange -
Norman Feske -
Steffen Liebergeld