Difference between hypercells and address spaces

XavierL

Difference between hypercells and address spaces

Hi,

I don't understand why there are 2 concepts to isolate programs in OKL4.
Why is it possible to have more than one address space in a hypercell?
Can someone explain to me the purpose of each concept or give me a link to some documentation?

Best regards

Xavier Langellier.

_______________________________________________
Developer mailing list
[hidden email]
https://lists.okl4.org/mailman/listinfo/developer
XavierL

Re: Difference between hypercells and address spaces

I post here the answers from Geoff Revill to my first question because it's still not clear.
If anyone has an idea about the question:

OK, I can see your confusion, because this confuses me too. This diagram and explanation do not correspond to the definition on the web site, which seemed crystal clear to me. An SHC is not a partition/memory space according to that definition.

Even if it was, I cannot see how/why you'd have 2 memory spaces within a partition anyway.

Lemme look into this some more. In the meantime I suggest you raise the question on the forum, because to me the web page definition is simple and clear, and this slide seems to contradict that definition.

Xavier.LANGELLIER@fr.thalesgroup.com wrote:

Thanks for your effort,

It is in the presentation called Overview of the OKL4 3.0 API on the Open Kernel Labs' wiki.

On slide 54, there is a diagram showing 2 hypercells, the first with only one address space in it and the second with two.

This is the point that confuses me because I don't see the need for different address spaces since we already have hypercells to isolate.

Xavier.


-----Original Message-----
From: Geoff Revill [mailto:geoff@marketbroad.com]
Sent: Monday 23 March 2009 16:51
To: Xavier.LANGELLIER@fr.thalesgroup.com
Subject: Re: [okl4-developer] Difference between hypercells and address spaces

not sure I understand the question....but here is an answer to A question...just not sure if this is your question :)

Within any memory space (or secured partition) you can have multiple threads of execution, because of course you can have a complete Linux OS within an OKL4 managed memory space. From an OKL4 point of view though it will be scheduling a context for a memory space which is thus a single thread of execution. For example you may have 2 memory partitions being managed by OKL4, one is running Linux the other is running Windows. From an OKL4 perspective this is 2 threads of execution. From any application perspective within those memory partitions there may indeed be many threads of execution being managed by the virtualized OS.

Or to put it another way....be very careful when you read a piece of text discussing a thread and make sure you are looking at that type of thread from the same point of view as the person writing about it. When you get this close to the hardware, silicon vendors sometimes talk about threads when they really mean contexts; add in a virtualizing microkernel like OKL4 and you get another way of thinking about threads that's in addition to the threads being executed within a managed memory partition.

That said...the text you seem to have read may indeed be wrong....so can you send a ref to the info that has got you confused? Then I might be able to be more specific.

Geoff


Xavier.LANGELLIER@fr.thalesgroup.com wrote:

Thank you for the answer,

I think I understand the concept of SHC/partitions but I don't see the purpose of the address spaces if there is already a means to isolate threads.

Xavier

-----Original Message-----
From: Geoff Revill [mailto:geoff@marketbroad.com]
Sent: Monday 23 March 2009 15:59
To: Xavier.LANGELLIER@fr.thalesgroup.com
Subject: Re: [okl4-developer] Difference between hypercells and address spaces

see
http://www.ok-labs.com/products/product-strategy/secure-hypercell-technology

Which I think provides a pretty crystal clear definition of Secure HyperCell.

In effect the environment provided by OKL4 is the Secure Hypercell, and thus as an architecture there is only one Secure HyperCell; SHC is the technology environment, not the definition of a secured cell.

Any Hypervisor can provide partitioned cells/memory spaces, as does OKL4. Where OKL4 is different is its ability to provide the capability to build secured systems with each of these partitions still able to communicate through the secured IPC mechanisms, supported by the fact that only OKL4 runs in privileged mode and is architected to be as small as possible (minimal trusted computing base) and still provide these integration/build services.

This is about as far as you can go to build software securely in an embedded design; the rest of the secure solution is of course to ensure you select a processor and memory management environment that does not create any additional security attack points.

Geoff


Xavier.LANGELLIER@fr.thalesgroup.com wrote:

Hi,

I don't understand why there are 2 concepts to isolate programs in OKL4.
Why is it possible to have more than one address space in a hypercell?
Can someone explain to me the purpose of each concept or give me a link to some documentation?

Best regards

Xavier Langellier.


--
Geoff Revill
Partner
Work: +44 1647 253011
Email: geoff@marketbroad.com
IM: geoffrevill (Skype)
http://www.linkedin.com/in/geoffrevill
Marketbroad

XavierL wrote:
Hi,

I don't understand why there are 2 concepts to isolate programs in OKL4.
Why is it possible to have more than one address space in a hypercell?
Can someone explain to me the purpose of each concept or give me a link to some documentation?

Best regards

Xavier Langellier.

Guanghui, Cheng

Re: Difference between hypercells and address spaces

On Monday 23 March 2009 05:29:28 pm [hidden email] wrote:
> Hi,
>
> I don't understand why there are 2 concepts to isolate programs in OKL4.
> Why is it possible to have more than one address space in a hypercell?
> Can someone explain to me the purpose of each concept or give me a link to
> some documentation?
You can find the description of cell in this documentation:
http://wiki.ok-labs.com/downloads/release-3.0/okl4lib-ref-manual-3.0.pdf
I think page 20 could give you an answer about why cell and address space are
different and why it is possible to have many address spaces in one cell.
In addition I think hypercell is only a name to show the OKL4 secure
architecture. In my opinion it is cell.
Thanks.
Cheng Guanghui

Josh Matthews

Re: Difference between hypercells and address spaces

I'd like to thank Xavier, Geoff, and Cheng for the feedback regarding
Secure HyperCell Technology. I hope in this developer post to completely
clarify the concept and give some insight into why a Secure HyperCell is
an extremely useful abstraction to simplify the design and development of
secure embedded systems.

Firstly, to clarify terminology: "Secure HyperCell", "HyperCell", and
"Cell" are all synonymous terms, and are used to denote a distinct secure
partition of an embedded system (more on this shortly). "Secure HyperCell
Technology" means the underlying technology infrastructure within OKL4
that enables the system designer to create Secure HyperCells (or, more
simply, to create cells).

The original question was "why are there two concepts to isolate
programs"; i.e. why do we have this cell abstraction when we also provide
the usual address space abstraction that is common in most operating
systems?

The first part of the answer relates to the complementary concepts of
virtualization and componentization. While address spaces are useful to
provide isolation between individual _programs_, cells operate at a higher
level: isolation between individual _components_ within your system. i.e.
A cell contains a single isolated system component. A component can indeed
be a single program, in which case (from a memory isolation perspective,
at least) the cell abstraction is analogous to the address space
abstraction (the cell would contain a single address space). However, the
real power in Secure HyperCell technology arises from the fact that a
component (a cell) can exist at several levels of granularity - from an
individual device driver or operating system component (such as a file
system), to a program (a "native OKL4 application"), and all the way up to
a full virtualized high level operating system (such as Linux). In the
latter virtual machine case, the cell obviously contains numerous address
spaces (one for each program executing within the VM cell). The ability to
componentize your system in this manner was a primary motivator in
providing the Secure HyperCell abstraction (and, I'd note, it's unique to
OKL4. Other hypervisors provide componentization only at the highest level
of granularity (virtualization, or full VMs), which is quite unsuitable
for embedded systems).

The second part of the answer relates to security (i.e. the "Secure" in
"Secure HyperCell"), and this really strikes at the core of why
hypervisors that provide only full granularity componentization are
unsuitable in embedded. Embedded systems are highly integrated - as an
easy example, you're obviously going to be sharing most devices between
higher level components - and this integration implies that a level of
communication is required between components. However, you don't want the
requirement for communication to undermine your requirement for security.
What you really want is the ability to strongly isolate your components at
multiple levels, and then to be able to select, in an extremely fine
grained manner, what level of interaction is possible between those
components.

Secure HyperCell Technology provides this ability in the form of
capabilities. A capability represents a token for an operation on a system
object, and conveys both the right for the holder of the token to perform
the operation, along with the totality of the knowledge that the holder
requires of the system object. This limitation of knowledge is a
fundamental aspect of secure communication: system object identifiers
(such as thread identifiers) are not global in scope, and the only
knowledge a component of the system can have about any other component,
including its existence, is via the explicit granting of a locally-scoped
capability to that component. No operation, knowledge, or communication
with a component is possible without the granting of a capability.

Capabilities are stored in capability lists (or "clists"). An address
space is associated with exactly one clist; a cell can contain multiple
clists, and a clist can be shared by many address spaces within a cell.
For those who are used to the address space abstraction, you can think of
this as a complementary "capability space" abstraction: where address
spaces are useful for partitioning and abstracting physical memory,
capability spaces are a powerful concept to partition the security of your
system.

In summary:

 - Technically: A system can contain multiple components in the form of
cells. A cell can contain multiple address spaces and multiple capability
lists. There is a 1:many relationship between a capability list and an
address space (an address space is associated with a single capability
list; a single capability list can be associated with multiple address
spaces).

 - Conceptually: Secure HyperCell Technology provides a very powerful
abstraction to componentize your embedded system at multiple levels of
granularity, from individual drivers all the way up to full virtual
machines, while giving the system designer very fine-grained control over
the security of the system. The ability to do this is fundamental to the
construction of secure embedded systems.

Secure HyperCell Technology is at the core of OKL4's innovations in
providing the world's most advanced embedded hypervisor, and I would
certainly welcome any and all further discussion on the subject.

Best regards,

Josh

--
Josh Matthews | Field Application Engineer
Open Kernel Labs
t +1 518 956 3528 e [hidden email]
www.ok-labs.com


On Mon, March 23, 2009 5:29 am, [hidden email] wrote:

> Hi,
>
> I don't understand why there are 2 concepts to isolate programs in OKL4.
> Why is it possible to have more than one address space in a hypercell?
> Can someone explain to me the purpose of each concept or give me a link to
> some documentation?
>
> Best regards
>
> Xavier Langellier.



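The cell / address space / clist relationships Josh lays out above, as an added toy model in Python (this is not OKL4 code; the names Cell, AddressSpace, CList, Capability, invoke and build_demo are my own assumptions): capability slots are local to a clist, an address space has exactly one clist, several address spaces in one cell may share a clist, and a space holding no capability for an object cannot name it, let alone act on it.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Capability:
    obj: object        # the system object this token refers to
    rights: frozenset  # operations the holder may perform, e.g. {"ipc_send"}

class CList:
    """Capability list: local slot index -> Capability (no global object ids)."""
    def __init__(self):
        self.slots = []
    def grant(self, obj, rights):
        """Insert a capability and return its slot number, valid only in this clist."""
        self.slots.append(Capability(obj, frozenset(rights)))
        return len(self.slots) - 1

@dataclass
class AddressSpace:
    name: str
    clist: CList       # exactly one clist per address space

@dataclass
class Cell:
    name: str
    spaces: list = field(default_factory=list)  # a cell may hold many address spaces
    clists: list = field(default_factory=list)  # and many clists

def invoke(space, slot, op):
    """Perform op on whatever object sits in this space's clist slot.
    A missing slot and a missing right both end in PermissionError: without a
    capability the space cannot even name the target object."""
    if slot < 0 or slot >= len(space.clist.slots):
        raise PermissionError(f"{space.name}: no capability in slot {slot}")
    cap = space.clist.slots[slot]
    if op not in cap.rights:
        raise PermissionError(f"{space.name}: slot {slot} lacks right {op!r}")
    return cap.obj, op

def build_demo():
    """Constructed layout (assumption): a driver cell with one address space,
    and a VM cell whose two address spaces share a single clist."""
    drv_cl, vm_cl = CList(), CList()
    driver = Cell("driver", [AddressSpace("driver.main", drv_cl)], [drv_cl])
    vm = Cell("linux-vm", [AddressSpace("vm.p1", vm_cl), AddressSpace("vm.p2", vm_cl)], [vm_cl])
    vm_thread = object()                          # stands in for a thread object in the VM cell
    slot = drv_cl.grant(vm_thread, {"ipc_send"})  # only the driver may send IPC to it
    return driver, vm, vm_thread, slot
```

invoke is the whole access decision: a valid slot carrying the right yields the object, anything else raises, which is the "no operation, knowledge, or communication without a capability" rule from the post.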