The Microkernel Landscape in 2023
Formal Metadata
Number of Parts | 542 | |
Author | ||
License | CC Attribution 2.0 Belgium: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
Identifiers | 10.5446/61583 (DOI) | |
FOSDEM 2023, 173 / 542
Transcript: English(auto-generated)
00:06
All righty. So hi, everyone. I'm Razvan. We are now a part of the Microkernel component-based OS Dev Room. It's a pleasure to have you all here. We're going to start right away.
00:20
So we have, I think, 10 talks. We're going to delve into microkernel, unikernel, and component-based OS topics. We're going to start with Martin with his talk on the state of the microkernel environment. So Martin, please go ahead. Thank you. Good morning. Thanks for coming. Welcome. It's my pleasure and honor to open this Dev Room today.
00:43
And it's also a great pleasure that we can continue this tradition of this Dev Room since 2012. I would like to thank Razvan for organizing the Dev Room this year. And let's go to it. So my talk will be about the currently developed
01:00
Microkernels that I'm aware of. Maybe I'm missing some, but this should be an overview if you might be interested in seriously using a Microkernel or just trying it out, what you can expect. This first slide is about me. I won't go into it.
01:21
Let me just say that I have been working with Microkernels and contributing to Microkernels for almost 20 years now, half of my lifetime. I assume that most people here do know what a Microkernel is, or at least most people have some kind of idea.
01:41
But I will still try to very briefly introduce the Microkernels to you. Maybe I will save a few minutes for the follow-up speakers. So a Microkernel-based operating system is a fundamental way how to achieve operating system
02:00
reliability and dependability by the means of having proper software architecture, especially driven by specific design principles. Now, every Microkernel has their own design principles. This is where the different implementations differ, obviously. But I think there are three common universal design
02:24
principles, the separation of concerns, the split of mechanism and policy, and the principle of least privilege. So this generally results in a system that is modular, customizable, and potentially
02:41
formally verifiable. By the way, some Microkernels do have a minimality as an explicit design principle, but many Microkernels actually don't. So the micro part in the Microkernel and the whole Microkernel term is a little bit of a misnomer, at least as I see it, because having
03:03
the Microkernel as small as possible is not necessary. The a priori goal is just the result of the other design principles. And I really think that there is no point in comparing whether one Microkernel might have 20,000 lines of code and the other one 30,000. It's really comparing apples to oranges.
03:21
These design principles also don't affect just the kernel design, but potentially also the user space design. So therefore, you might see descriptions like Microkernel multi-server operating system with fine-grained components. This means that not only the kernel is non-monolithic.
03:42
Maybe that would be a better term, but we are stuck with the Microkernel term. But also this might suggest that in many of these systems also there are no monoliths in the user space. I have some slides about the history, but I will skip them.
04:00
You can go to the slides if you are interested. Just one note, the idea of Microkernels has been around almost as long as the idea of operating systems. So if some people say that Microkernels are this strange over-engineered idea
04:22
that proper operating systems should be monolithic because this was the way how they started and et cetera, I don't think those are very valid arguments. So let's go to the core of my talk. There is a website, microkernel.info,
04:40
which is basically a condensed version of this. So this is a very simple site that lists the current state-of-the-art open source Microkernels. So if you are interested or if you are looking around, going to this site is probably a good idea.
05:02
By the way, this site was started by Jakub Jermář, my colleague, and I'm maintaining it right now. Of course, if you are a Microkernel developer and you don't see your project on this site, just send us a pull request. It's so simple. OK, let's start with the overview.
05:21
I should say that there are surprisingly many projects, active projects, that are Microkernel-based. And for a Microkernel developer, this is really exciting times, I would say. So Genode by Genode Labs is perhaps the most versatile
05:46
example of a Microkernel-based operating system. But mind you, it's actually not an operating system in the common sense like what you would consider Windows or a GNU/Linux distribution. It's actually an operating system construction kit.
06:03
So it's a way how to pick and match different operating system components, including different microkernels or kernels in general, with some user space components and how to build a bespoke operating
06:22
system for your specific needs. So what is really interesting about Genode is that you can really use all these different microkernels like seL4, Fiasco.OC, microhypervisors like NOVA. And you can even use their own custom microkernel, which is called Base-HW.
06:42
You can even run this infrastructure on top of Linux for development purposes, maybe. There is strong focus on resource accounting and management in Genode. You can read the Genode book for the details.
07:03
Genode is driven by a commercial company. So they have customers. Somebody is paying them to do that. They don't state their references publicly, as far as I know. I might know some, but I'm not at liberty to name them. And there is also this thing called Sculpt OS,
07:21
which is like a pre-built distribution of Genode. So if you would like to try something that you don't have to pre-configure in advance for your specific needs, you can go for that. This is a picture from Norman Feske, one
07:43
of the co-authors of Genode from, I think, FOSDEM 2017. So maybe the image is a little bit outdated, but I still think it gives you the big picture. So you have all these components, like the different kernels, different user space,
08:02
runtime environments, if I can say. So this one is, for example, Unix-like runtime environment, drivers, and UI components, and stuff like that. And you mix and match them. And then this is a screenshot of the Sculpt OS.
08:20
Like this one instantiation of Genode. And you see that it's actually a nice desktop-oriented operating system. Some final closing remarks to Genode. I really like Base-HW as the bespoke microkernel for Genode,
08:45
because it's really nicely integrated with the rest of the system. For some reason that I don't know, I don't understand, but there are Genode guys here. You can ask them. I don't see complete feature parity of Base-HW
09:01
with the other microkernels they support. So as far as I know, there is no support for hardware virtualization. And this is not a criticism. This is just a comment. If you start playing with Genode, you need to read some documentation. There is very nice documentation available,
09:23
no doubt about it. But really, it's not so simple by just downloading an image and running it and expecting a fully-blown desktop environment, at least not from just by booting it. You have to do something. But I think it's definitely worth it.
09:42
So there are some links you can follow. It's an open-source project, by the way. OK, now let me talk about L4Re, which is something slightly similar, in some aspects different, by my current employer, Kernkonzept.
10:01
So this is also a production-grade microkernel-based environment, a little bit more integrated, I would say, because we basically support just the one kernel, which we called the L4Re microkernel. But you all know it by the name Fiasco. We use this name currently because Fiasco
10:21
is a very poor name. Trust me. So we strongly focus on virtualization. We strongly focus on safety and security certification currently. And we also have customers, because we are a company that pays us, et cetera. Again, not at liberty to name them,
10:43
but I can say that if you're going to buy a new car from a German car manufacturer, there is a high chance you will be running L4Re code running in the software stack of that car.
11:02
To be honest, the code base is not the most verbose recommended that I have seen, especially the kernel itself. So again, the learning curve is a little bit steep. But at least there are some scenarios you can just build
11:22
or download a pre-built image, and this will show you the potential to a certain degree. And here are some links. Again, it's an open-source project. Now let's talk about HelenOS, which is to compare with the
11:41
previous two. It's a slightly different breed. So this is like an integrated operating system. So the purpose is to build it or download an image, boot it, and be presented with a desktop environment with a shell and some mostly familiar commands which you can use to explore the system.
12:01
So it's not about compile time or deployment time configuration. It's really about configuring the system at runtime as you go, what you expect from a desktop-oriented OS. And of course, I'm a little bit biased because this is my project, but I would argue that if you want to
12:22
understand how a microkernel-based system works inside, this is the one to pick because of the lowest entry barrier. The code base is portable, self-contained, well-structured. So for example, we know how to use directories and not
12:44
only a single level of them. So this is how we structure the system to be more understandable. The code is well-commented, and this is not just my observation. If you run a tool that will analyze the sources, you will get a number around 30%, 35% of comments, which is not bad.
13:06
And believe me, I have seen many microkernel code bases. I have seen the code of many operating systems in general, and I can tell the difference. So I would compare HelenOS to something like the Solaris
13:21
kernel in terms of the structure and comments and stuff like that. And we also prefer to use our native components, so no ported components or components that might use some unikernel layers to really make the system feel
13:44
coherent, let's put it that way. So this is how it looks like when you boot the image which you can compile or download. So you have a user interface, a shell, et cetera. And we have some interesting features that are not
14:01
present in the other microkernels. So we are portable not only in theory, but also in real life. So we support eight different architectures, including strange beasts like Itanium. And yes, the RISC-V port is still not finished.
14:21
And that goes to me. We are using asynchronous IPC, which transparently uses shared memory for performance. We have interrupt controller drivers in user space compared to some other microkernels. We have a fully decomponentized TCP/IP stack.
14:43
We support USB 3.0, and we have a sound stack, so just a few highlights. I will go quickly through these slides. We don't have the time to go to the details. But the microkernel, while being quite small, still has
15:01
a structure. So we have a well-defined hardware abstraction layer in the kernel. This is how the user space, or how the entire architecture of the system looks like. So you might see some similarities with the Genode image, but the difference is that all of this is
15:20
potentially running in the system for all the time, depending on the actual configuration of your machine. And there are some device drivers which are, again, somehow structured in a tree, starting with some platform drivers, et cetera. If you want the details, please come to me.
15:42
Yeah, it's a community-driven effort currently. So we are not so fast regarding the development, but we still do semi-regular releases. And sadly, we don't support some of the new hardware features. If you'd like to contribute, you are more than welcome.
16:03
Fuchsia by Google is a relatively new kid on the block. It's a microkernel-based system that is strongly focusing on Internet of Things. Specifically, their target is to support maintenance,
16:21
remote management, and remote upgrading of a fleet of devices. So imagine, for example, the Google Nest Hub, which is the device where Fuchsia is being shipped currently with. And they even managed to do a remote update of all those
16:43
Nest Hubs from the previous Linux-based OS to Fuchsia over the air without the users even noticing. So I think this is quite impressive. The microkernel is called Zircon, and it's capability-based, message-passing microkernel.
17:02
And I have spoken to the developers why they don't actually stress that it's microkernel. And it's their deliberate choice to somehow underplay that it's a microkernel because of some bad press of the term. So they don't call it microkernel explicitly unless
17:21
you ask them, but it is a microkernel for sure. This is how it looks like on the Nest Hub. Or this is the way how you can tell whether your device is still running Linux or is running Fuchsia. And yeah, the learning curve, again, somewhat steep
17:44
because this is not a desktop-oriented system or server-oriented system that would be Unix-like. There you have to install a non-trivial toolchain and a custom emulator, sort of like when you do Android development and other things.
18:00
But again, what I believe is very nice about Fuchsia is that they are only using their own native core components, not ported components. And it's an open-source project. Managarm, again, a relatively younger operating system,
18:21
which is microkernel-based, at least compared to the first three. One of the key features, a fully asynchronous kernel design which tries to somehow mitigate some performance problems by implementing some features in the kernel
18:41
which might not be considered pure by microkernel purists like the page cache. And Managarm tries to be compatible with Linux. So they already support the Wayland protocol and Weston and some other applications.
19:02
They even have some accelerated GPU drivers, or at least one, and it's an open-source project. And this is how it looks like. Of course, you can run more than just the clock there, but yeah, you get the idea. Redox, another interesting microkernel-based operating system
19:23
that tries to be Unix-like. But this one has this primary feature of being implemented almost completely in Rust. Also, the core user-space components are written in Rust like the libc, so they have actually a C library written in Rust.
19:44
Interesting. What to say? Again, POSIX compatibility layer, they already support some interesting end-user applications and libraries, and it's an open-source project again.
20:02
And this is how it looks like when you boot it. So again, you can run a terminal with Bash shell in this case, and just explore the system. A little bit aside, there are also other, let's say, currently non-open-source microkernels
20:22
being around. I just tried to mention them here very quickly. I know we are at FOSDEM, but just to complete the picture. So Huawei is working on something which they call HongMeng. It's actually quite buried under this HarmonyOS brand,
20:43
and it's a little bit confusing because you might have heard rumors. The original ones were that HarmonyOS will be a microkernel-based system, then Huawei released something that was clearly Linux-based. So yeah, this did not resonate well
21:00
with us technical folks, but the point is that this is just a marketing confusion. So HarmonyOS is a common brand for different operating systems. One of them is Linux-based, one of them is LiteOS-based, which is a real-time kernel by Huawei, and the most progressive one, unreleased so far,
21:21
is the microkernel-based. The microkernel was originally inspired by best practices and state-of-the-art in other microkernels, but it's a clean slate implementation and design.
21:41
For example, they have the capability-based physical memory management in user space, so the kernel does not manage the physical memory. It's sort of similar, the design is sort of similar to seL4, but it's slightly more practical, in my personal opinion.
22:01
Sorry that I can't go into the details. And they also target safety and security certification. And actually, this is also running in the wild as trusted execution environment in several Huawei smartphones. Then there is this R&D project called Duck,
22:22
which is primarily being driven by my former colleagues at the Dresden Research Center, which tries to be, again, a completely clean slate design and implementation. The primary goal was really to use state-of-the-art
22:42
best practices and software engineering to achieve really the highest code quality and maintainability. For example, one of the goals was to be fully MISRA compliant. Other goals were high-level safety and security certification and other interesting features.
23:03
It's an R&D project, and honestly, I don't know what's the current state. Maybe you can informally ask some of the Huawei guys here, but it's good to know that this is there. Okay, very quickly, some other systems. GNU Hurd, for 30 years,
23:21
the intended replacement of Linux in the GNU/Linux equation, still alive, still kicking, still with semi-regular releases. And yeah, I mean, you can actually run 70% of Debian packages on top of it, which is not bad, I mean, honestly. Yes, it's limited to 32-bit x86,
23:44
but as I always say, if they would get one third, one fourth of the Linux contributors, they would finish it in a few months. Ares, which is a microkernel-based operating system
24:02
based on the Helios microkernel, which is supposedly inspired by seL4. There will be a talk later today from the author, so I'll skip the details for now. Composite, another microkernel-based project
24:21
that is focusing on predictability and component composition. The kernel itself is designed as lockless, and it has user-space scheduling, and it uses thread migration IPC, so if you remember vaguely the idea
24:41
from Mach 3.0 from Ford et al., this is the continuation of that. Then there is UXRT, which is like a user-space part built on top of seL4. This is still an ongoing project
25:01
in early stages of the development. Let's see how it goes. And finally, let's mention a few standalone microkernels. So these are not entire operating systems. These are just the kernel building blocks. NOVA Microhypervisor by Udo is,
25:21
again, alive and kicking. It has been used by Bedrock Systems as their primary product, as I believe. So this is one of the projects that sort of went into limbo for many years, and now they are alive again. By the way, Genode, I believe, is maintaining their fork of NOVA,
25:41
or maybe NOVA with their own patches, but there is also Hedron, which is an official fork of NOVA from Cyberus, and they are also using it as their commercial product. Again, I think there might be Julian somewhere here
26:00
who might tell you more. seL4, of course, the microkernel with the most, I would say, the most visible formal verification story. We need to mention it. We also need to say that Google has adopted seL4 recently as their foundation for secure firmware,
26:29
sort of something like that. I'm not really sure what are the targets of this CantripOS, also KataOS,
26:40
but it's a static configuration, mostly, so it's not a dynamic system. It's a really static configuration system. And in that same area, I would mention also the Muen separation kernel, which again is a separation kernel, so its primary goal is to do static partitioning,
27:01
but I think it belongs to the family. And yeah, sadly, there are some microkernels that are interesting, worth looking into for inspiration, but are currently in limbo, like Escape, M3, MINIX 3, Robigalia, and RedLeaf.
27:20
Well, I hope they will be resurrected. And of course, I might continue with a list of other microkernels that are certifiably dead, and of course, those could be resurrected as well, and it's always good to know the history, right? Yeah, but I will stop here.
27:40
Thank you, and if there are any questions, I would be happy to answer them. Thank you so much, Marty. If there are, yeah, please. Thank you. We have time, yeah, two questions, two questions. Hello, congratulations for your excellent talk. Thank you.
28:01
Among all those that you studied, which one you think it would be more compatible to the Linux end user base, like for a person to use Minix or? I mean, that is a good question, thank you. So the question is, which of those systems
28:21
would be most Linux compatible? Most of them, actually, most of the systems that I have presented do have some POSIX compatibility layer. So I would not make this as the only criterion. I understand it might be important for you, but I would look also into other aspects of that,
28:42
because most of the systems do provide some kind of Linux compatibility. But if you would be looking for something that is really Linux compatible by design, or that makes it as one of its primary goals, then I would probably go for Managarm.
29:00
But again, this is just a first idea, first suggestion, I would not rule out the others. Thank you, other questions? Alex. Hi, thank you for the talk.
29:20
So what trends do you think you'll see in the next few years with the microkernels? Oh, that's a tricky question, but thanks for that. So the question was about the trends. So I think there will be this kind of retargeting of the systems to very specific use cases, like Fuchsia is doing, so really implementing
29:44
custom microkernel-based operating systems that really do fulfill the specific needs of those areas. That's one thing. The other thing that I would like to see, I'm not sure if it's going to happen soon,
30:01
but I would like to see, I would like to see more hardware-software co-design. So basically, the Achilles' heel of microkernels is the fact that most current CPUs don't really provide hardware features that would help the microkernels, especially in the terms of performance.
30:21
And we see this vicious cycle. The microkernels are not performing greatly on the current hardware, so nobody is, nobody, quote unquote, is using them. So the hardware vendors don't see a need for changing the CPUs to make, to provide features that would help the microkernels.
30:43
But I think with RISC-V and the possibility, or the democratization of the hardware design, I think this might change hopefully quite soon. And the third trend that I definitely see, which was probably also seen on the slides, is really the certifications in terms of safety,
31:01
security, and hopefully more formal verification, because this is where microkernels really excel. So yeah, why not go for it? Okay, thank you so much, Martin. Thank you.