Lecture: OS organization
preparation
- read OSPP §2, The Kernel Abstraction
- skim the exokernel paper
to get a high-level idea of what you are building in JOS
- don’t worry if you don’t get the paper now
- you’ll understand it pretty well by the end of this quarter!
administrivia
- lab 1 due tomorrow
- office hours
- anonymous feedback
exercises from last lecture
$ uptime > file
$ uptime | tr '[a-z]' '[A-Z]'
file descriptors: abstraction for terminals, disk files, pipes
overview
- goal: process isolation & sharing
- a process should not be able to
- corrupt the memory of the kernel or another process
- consume all the CPU time
- while still being able to communicate with other processes & hardware
- how the OS/hardware/compiler work together
- broader context: web browsers, web servers
- can tabs (websites) access each other’s data? why not?
- can JavaScript from a remote website access your local file systems?
process isolation
- real-world example: how do we manage a large building
- partitioning & virtualization
- memory
- keys
- split memory into chunks and assign a “key” to each chunk
- each process holds one or more keys
- check (who? when?) if the process has the key to access the memory chunk
- examples: IBM S/360, Intel’s MPK (Vol 3, §4.6.2, Protection Keys), SFI
- used Valgrind from CSE 333?
- virtual memory
- suppose process A writes some value to a memory address
- can process B read the value from the same address?
- can process B overwrite the value in A? why not?
- naming issue
- hide physical memory addresses from programs
- name memory using: <address space, virtual address> instead of
- isolate two processes
- need some virtual-to-physical address translation (by what?)
- use a safe language: e.g., write process in Java (any other example?)
- virtual machine: e.g., can JOS in QEMU harm your laptop?
- hardware: MMU (segmentation/paging) - segfaults if violated
- isolate kernel memory from processes
- take a look at
inc/memlayout.h in JOS
- can a process write to kernel? who checks?
- time
- cooperative scheduling
- each process voluntarily gives back the control (to whom?)
- what if they don’t
- virtual CPUs
- each process thinks it has a dedicated CPU
- kernel runs processes in turn on physical CPUs: save/store state
- example: take control back from a process that spins forever
- clock interrupt & preempt
- many plans to achieve isolation
- this class focues on isolation through kernel/user split
- will talk about other techniques in the second half of this quarter
(think how Java/QEMU work)
OS organization
- x86 support: kernel/user mode flag (ring)
- CPL (current privilege level): lower 2 bits of
%cs
- 0: kernel, privileged
- 3: user, unprivileged
- most OSes don’t use 1 or 2
- kernel can run privileged instructions
- examples: change the address translation map, talk to I/O devices
- including changing CPL
- user processes are unprivileged
- how do unprivileged processes work
- they cannot directly access files, network, etc.
- the kernel can
- can they simply jump into the kernel? no - CPL protection
- system calls: controlled transfer
- user → kernel:
int instruction sets CPL to 0
- kernel → user:
iret instruction sets CPL to 3
- newer OSes use
syscall/sysret instructions for syscalls on x86-64
- what to put below/above the system call interface:
a comparison
- monolithic kernel
- big kernel (including file systems, network, etc.)
- easy to develop applications
- hard to isolate kernel components
- microkernel
- kernel + user-space servers (e.g., file system, network)
- applications talk to servers via IPCs
- performance issues: IPCs may be slow
- exokernel (like JOS)
- end-to-end arguments
- kernel: expose low-level abstractions to applications
- applications can often do a better job
- library OS
- most real-world kernels are mixed: Linux, macOS, Windows
- debate: example
