Operating systems (OS) can support multiple execution contexts in which a plurality of independent services and applications are implemented. Theoretically, these execution contexts can be implemented as collections of processes in which each process is wholly contained within its own virtual address space. This isolation ensures that processes cannot accidentally or maliciously damage each other, nor can secrets leak or be stolen across virtual address boundaries.
However, for both performance and programming model reasons, operating systems often break down the strong barriers between processes; shared memory communication is much faster than a formal inter-process communication (IPC) facility; and shared libraries between processes provide convenience, function, and performance benefits. The architectures of all known commercial operating systems have evolved in this way.
The breakdown of the formal barriers between processes has had the deleterious effect of introducing security vulnerabilities and has made it very difficult for applications and services to protect the integrity of the data they are processing.
To date, there have been two general approaches to provide isolation between processes. First, a microkernel-based operating system approach does not rely on any hardware facility beyond virtual addressing, but experience has shown (repeatedly) that it is very expensive and time-consuming to build such an operating system that can support legacy applications, and it suffers from severe performance problems. Second, virtual machine systems, which provide abstraction at a higher level than a microkernel OS, are implemented so that each execution context is contained within its own virtual machine with (naturally) strong boundaries between virtual machines. These virtual machines can (optionally) be optimized with special-purpose hardware. The IPC within a virtual machine can be optimized as described above, allowing existing operating systems applications and programming models to apply within a virtual machine. The protection boundary is between virtual machines, and the communication between virtual machines has a significant network-like overhead.
Neither of these approaches has been able to provide the necessary security, performance, programming model, and legacy support required. A need thus exists to not compromise security for the sake of performance or programming convenience.
In various embodiments, separation of different physical domains of a system may be effected. As used herein, a “physical domain” is one or more physical partitions of memory. That is, a physical domain is directly mapped to a set of physical partitions of memory. In turn, a physical partition of memory is a section of contiguous physical memory.
In certain embodiments, the system may be a mobile platform, such as a cellular telephone, personal digital assistant (PDA), personal computer, or the like. The OS may be a code base having a reentrant architecture. In various embodiments, such an OS may be a legacy OS having modifications to support an embodiment of the present invention, or another such OS hereafter developed. As used herein, the term “legacy” means a presently existing OS (or a future OS) that as originally available cannot perform in accordance with an embodiment of the present invention (without modification).
An OS may be modified (or specially developed) to provide multiple physical domains. In such an OS architecture, a plurality of physical domains may be present to execute various user applications and system services. Multiple physical domains may be created using this architecture which, in certain embodiments, may be based upon functional/logical partitioning.
Referring now to
As further shown in
First domain 120 may be formed of a plurality of physical partitions 125a-125d. While each partition 125a-125d is a contiguous section of physical memory that may be of equal size, first domain 120 need not be necessarily contiguous. In certain embodiments, physical partitions 125a-125d may each be a one Megabyte (MB)-sized partition of physical memory. However in other embodiments, different granularities are possible. Further, in certain embodiments such granularities may be configurable. Also, in other embodiments more or fewer partitions may be present in physical domains, as desired.
Within a given domain, such as first domain 120, all physical addressing in the domain may be limited by a processor (not shown in
As further shown in
In other embodiments, instead of such a memory structure a plurality of architectural control registers may be present in a processor, each of which addresses a respective physical partition. For example, four control registers define first domain 120. As discussed above, in an embodiment in which each partition is 1 MB, each control register may include the high-order 12 bits of the physical address of the respective partition. In embodiments using control registers, on a context switch the control registers may be reloaded with different values to identify a different domain.
Because there are a plurality of processes 122a-122d within first domain 120, such processes may share memory space within first domain 120. However, the processes may be prevented from accessing memory locations outside first domain 120, in various embodiments.
For example, any of processes 122a-d of first domain 120 may be prevented from accessing memory locations in physical partitions 118a-d of second domain 115. Similarly, processes 116a-c, grouped within second domain 115 may access any of partitions 118a-d. However, processes 115a-c may be prevented from accessing any locations in partitions 125a-d.
In user mode, addressability may be limited to the physical domain in which an application is being executed; however in non-user mode, no such limitations may be present.
In various embodiments, a processor in accordance with an embodiment of the present invention may include memory accessing extensions, such as hardware registers. In one embodiment, a processor may have a reduced instruction set computing (RISC) architecture, such as an architecture based on an Advanced RISC Machines (ARM) architecture. For example, in one embodiment a processor may be a 32-bit version of an XSCALE™ processor available from Intel Corporation, Santa Clara, Calif.
In various embodiments, the OS may segment mutually-trusted applications and services in the same domain. In such manner, these mutually-trusted applications and services may share memory, thus providing performance gains while maintaining a protection boundary around the set. While what is considered mutually-trusted may vary in different usage models, as an example a word processing application and an email application may be segmented into a single domain. Further, secure applications, such as the downloading of code updates and the downloading of secure digital content may share a given domain.
In certain embodiments, applications may include trusted and non-trusted applications. User applications may run in a domain where, if they were to corrupt memory or drivers, the impact would be limited to the user application environment. In certain embodiments, a trusted domain may include a trusted JAVA™ application (or set of trusted JAVA™ applications and services) that executes in a trusted JAVA™ runtime environment of the trusted domain.
In certain embodiments, the scheduling of tasks may be coherent so that the OS is cognizant of all tasks running on the platform, even though the environments the tasks are running in are in physically different domains. In one embodiment, an OS scheduler may perform such task coherency. Thus during execution, if a given action is to be taken on a task, such action may be carried out in the secure partition. Such actions may include, for example spawning, killing, terminating, pending, or synchronizing a task.
Referring to
In the embodiment shown in
In one embodiment, each entry may be 32 bits and may include a 16-bit domain ID to identify a given domain of the system, a partition ID, which may be the 12 most significant bits of a physical address of a memory partition (in an embodiment in which physical partitions are each 1 MB), and four control bits, one of which may be a valid bit. The other control bits may be used for other desired functions.
As further shown in
In light of the hierarchical structure of memory structures 130 and 140, if a partition ID is not present in one of entries 130a-130d, a domain table walk may occur in which a requested physical address is compared against entries 140a-140n of domain table 140.
In one embodiment, upon a domain table walk (shown by arrow 135) if an entry corresponding to a physical address is found (e.g., entry 140b, as shown in
Referring now to
As further shown in
As shown further in
Referring now to
As further shown in
If a hit occurs, next the method may determine whether the domain ID of the matching entry matches the current domain ID as stored in a hardware register of the processor (diamond 340). If the domain IDs match, this indicates that the memory access is for a physical memory location in a physical partition of the currently running domain. Accordingly the memory access is allowed (block 350). Alternately, if there is no match, this indicates that the memory access request does not correspond to the currently running domain and accordingly the memory access is prevented (block 360). For example, such memory access denial may be indicated by an exception, a fault, or otherwise.
Alternately, if it is determined that there is not a hit at diamond 330, a domain table walk may be performed (block 370), and a domain table may be searched to find a matching entry (block 380). The matching entry may then be loaded into the DLB (block 390). Further, control may pass to diamond 330 to test whether the domain ID of the matching entry corresponds to a domain ID in a processor register, as discussed above.
Referring now to
Next, it may be determined whether the physical domain corresponding to the desired context is the same as the physical domain of the presently running context (i.e., process) (diamond 420). In one embodiment, such a determination may be made by comparing a domain ID associated with the second process to a hardware register of a processor having the domain ID of the currently running process (for example, hardware register 210 shown in
If the first and second contexts are both running in the same physical domain, the context switch may be performed (block 430). If instead, the new process is of a different physical domain than the currently running process, the processor register may be updated (block 440). In one embodiment, the processor register may be updated by inserting a domain ID associated with the second physical domain into the processor register from metadata stored in an operating system control structure. Finally, the context switch may be performed (block 450).
In one embodiment, a domain ID of zero may be associated with an operating system, for example, a single homogeneous operating system of a system. When the operating system domain is active (e.g., a hardware register of the processor has a value of zero, indicating that the OS is the currently operating domain), physical addresses in any domain may be accessed (regardless of the partition in which it is contained), in certain embodiments. In yet another embodiment, to access all partitions, not only must a domain ID be equal to an operating system value but also the OS must be operating in a privileged mode (i.e., a privileged mode of 0).
In one embodiment, an OS kernel may include memory management functions and task management functions, such as scheduling and the like. However, other OS services may be implemented in a different domain, such as is done in a microkernel-based OS architecture. In such an embodiment, the OS kernel may have a domain ID of zero and a privilege level of zero. However, other OS services may have a domain level that is not equal to zero, yet a privilege level of zero. In such manner, essential OS memory management and scheduling functions may be in one domain and other OS services may be in another domain such that, while they are privileged, cannot access memory partitions associated with the OS kernel itself.
In one embodiment, a domain may include one or more processes that are to be run in a privileged mode, such as a process requiring execution of interrupts. In accordance with an embodiment of the present invention, such a process may be allowed to perform privileged actions, but be prevented from accessing memory locations of other domains.
Embodiments may be implemented in a program. As such, these embodiments may be stored on a storage medium having stored thereon instructions which can be used to program a system to perform the embodiments. The storage medium may include, but is not limited to, any type of disk including floppy disks, optical disks, compact disk read-only memories (CD-ROMs), compact disk rewritables (CD-RWs), and magneto-optical disks, semiconductor devices such as read-only memories (ROMs), random access memories (RAMs), erasable programmable read-only memories (EPROMs), electrically erasable programmable read-only memories (EEPROMs), flash memories, a phase change or ferroelectric memory, a silicon-oxide-nitride-oxide-silicon (SONOS) memory, magnetic or optical cards, or any type of media suitable for storing electronic instructions. Similarly, embodiments may be implemented as software modules executed by a programmable control device, such as a computer processor or a custom designed state machine.
Referring now to
Applications processor 510 may be coupled to a communications processor 520, which may be a digital signal processor (DSP) based on a micro signal architecture, via an internal bus, which may include a scalable link 525 (such as a mobile scalable link), which may be formed of a plurality of gating devices to scalably transfer data between the processors. A memory subsystem 530 may be coupled to both applications processor 510 and communications processor 520, in certain embodiments. Memory subsystem 530 may include both volatile and nonvolatile memory, such as static RAM (SRAM), dynamic RAM (DRAM), flash memories, and the like. While shown in
It is to be understood that communications processor 520 may include various functionalities including wireless communication with external sources. For example, communications processor 520 may include a wireless interface (which in turn may have an antenna which, in various embodiments, may be a dipole antenna, helical antenna, global system for wireless communication (GSM) or another such antenna). In certain embodiments, the wireless interface may support General Packet Radio Services (GPRS) or another data service. GPRS may be used by wireless devices such as cellular phones of a 2.5 generation (G) or later configuration.
Other embodiments of the present invention may be implemented in a circuit switched network such as used by 2G technologies, a Personal Communications System (PCS) network, a Universal Wireless Telecommunications System (UMTS), or UMTS Telecommunications Radio Access (UTRA) network or other communication schemes, such as a BLUETOOTH™ protocol or an infrared protocol (such as Infrared Data Association (IrDA)).
While the present invention has been described with respect to a limited number of embodiments, those skilled in the art will appreciate numerous modifications and variations therefrom. It is intended that the appended claims cover all such modifications and variations as fall within the true spirit and scope of this present invention.