seL4操作系统手册：详解安全系统调用与权限管理

需积分: 13 23 浏览量更新于2024-07-09 收藏 521KB PDF 举报

"seL4-manual-3.0.0.pdf 是一份详细的seL4系统操作手册，由NICTA Trustworthy Systems团队编写，旨在介绍这个高度安全微内核的使用和操作。该手册是英文版的高清PDF格式，并带有书签，方便查阅。" seL4是一个经过形式验证的微内核，被广泛用于构建高安全性、高可靠性以及高性能的系统。这份手册详细介绍了seL4的关键特性、服务和对象，以及如何有效地利用它们。 1. **Introduction**（简介） seL4手册首先提供了一个简短的介绍，概述了seL4内核的基本概念和设计目标，包括其能力基础访问控制模型，以及系统调用和内核对象的概念。 2. **Kernel Services and Objects**（内核服务和对象） - **Capability-based Access Control**（基于能力的访问控制）：seL4的核心特性之一是使用能力进行访问控制，这允许精确地控制对象的权限，确保只有持有特定能力的进程才能访问对应的资源。 - **System Calls**（系统调用）：手册详细解释了如何通过系统调用来请求内核服务，这些服务涵盖了从内存分配到进程间通信的各种操作。 - **Kernel Objects**（内核对象）：seL4内核支持多种对象，如任务、中断处理程序、内存区域等，这些对象通过能力进行管理，以实现细粒度的访问控制和资源管理。 - **Kernel Memory Allocation**（内核内存分配）：内核内存分配机制包括如何分配、释放和重新使用内存，确保高效且安全的内存管理。 3. **Capability Spaces**（能力空间） - **Capability and CSpace Management**（能力与CSpace管理）：CSpace是存储能力的地方，手册详细阐述了如何创建、管理和操作CSpace，包括创建新的CSpace，使用CNode方法，以及理解能力权利。 - **CSpace Creation**（CSpace创建）：这部分介绍如何在seL4中创建新的能力空间，以便容纳更多能力。 - **CNode Methods**（CNode方法）：CNodes是CSpace中的数据结构，用于组织和操作能力。手册详细描述了各种CNode操作，如分配、复制和删除能力。 - **Capability Rights**（能力权利）：每个能力都有相应的权利，决定持有者可以对对象执行的操作，例如读取、写入或修改对象的其他能力。 - **Capability Derivation Tree**（能力派生树）：seL4允许通过能力派生创建新的能力，形成一个树状结构，以实现权限的分发和限制。 4. **Deletion, Revocation, and Recycling**（删除、撤销和回收）手册还涉及了如何删除不再需要的对象，撤销已分配的能力，以及回收资源的策略，这些都是保持系统安全性和效率的关键操作。此手册对于开发者、研究人员以及任何希望深入理解seL4内核的人来说，都是宝贵的资源。它详细解释了seL4的底层工作原理，有助于理解和利用seL4构建安全、可靠的系统。通过阅读这份手册，读者能够掌握如何有效地使用seL4提供的服务，以及如何设计和实现基于seL4的复杂系统。

4 CHAPTER 2. KERNEL SERVICES AND OBJECTS

Send or Call, depending on whether or not the method returns a result. The Yield

system call is not associated with any kernel object and is the only operation that does

not invoke a capability.

The complete set of system calls is:

seL4 Send() delivers a message through the named capability and the application to

continue. If the invoked capability is an endpoint, and no receiver is ready to

receive the message immediately, the sending thread will block until the message

can be delivered. No error code or response will be returned by the receiving

object.

seL4 NBSend() performs a polling send on an endpoint. It is similar to seL4 Send(),

except that it is guaranteed not to block. If the message cannot be delivered

immediately, i.e. there is no receiver waiting on the destination Endpoint, the

message is silently dropped. Like seL4 Send(), no error code or response will be

returned.

seL4 Call() combines seL4 Send() and seL4 Recv(). The call blocks the sending

thread until its message is delivered and a reply message is received. When the

sent message is delivered to another thread (via an Endpoint), the kernel adds

an additional ‘reply’ capability to the message that is delivered to the receiver,

giving the latter the right to reply to the original sender. The reply capability

is deposited in a dedicated slot in the receiver’s TCB, and is a single-use right,

meaning that the kernel invalidates it as soon as it has been invoked.

The seL4 Call() operation exists not only for eﬃciency reasons (combining two

operations into a single system call). It diﬀers from seL4 Send() immediately

followed by seL4 Recv() in two ways:

1. the single-use reply capability is created to establish a reply channel with

minimal trust;

2. the transition from send to recv phase is atomic, meaning it cannot be

preempted, and the receiver can reply without any risk of blocking.

When invoking capabilities to kernel services, using seL4 Call() allows the ker-

nel to return an error code or other response through the reply message.

seL4 Recv() is used by a thread to receive messages through endpoints or notiﬁca-

tions. If no sender or notiﬁcation is pending, the caller will block until a message

or notiﬁcation can be delivered. This system call works only on Endpoint or No-

tiﬁcation capabilities, raising a fault (see section 6.2) when attempted with other

capability types.

seL4 Reply() is used to respond to a seL4 Call(), using the reply capability gener-

ated by the seL4 Call() system call and stored in the replying thread’s TCB.

It delivers the message to the thread that invoked the seL4 Call(), waking it in

the process.

There is space for only one reply capability in each thread’s TCB, so the seL4 -

Reply() syscall can be used to reply to the most recent caller only. The seL4 -

CNode SaveCaller() method that will be described later can be used to save

2.3. KERNEL OBJECTS 5

the reply capability into regular capability space, where it can be used with

seL4 Send().

seL4 ReplyRecv() combines seL4 Reply() and seL4 Recv(). It exists mostly for

eﬃciency reasons: the common case of replying to a request and waiting for

the next can be performed in a single kernel system call instead of two. The

transition from the reply to the receive phase is also atomic.

seL4 NBRecv() is used by a thread to check for signals pending on a notiﬁcation object

or messages pending on an endpoint without blocking. This system call works

only on endpoints and notiﬁcation object capabilities, raising a fault (see section

6.2) when attempted with other capability types.

seL4 Yield() is the only system call that does not require a capability to be used.

It forfeits the remainder of the calling thread’s timeslice and causes invocation

of the kernel’s scheduler. If there are no other runnable threads with the same

priority as the caller, the calling thread will immediately be scheduled with a

fresh timeslice.

2.3 Kernel Objects

In this section we give a brief overview of the kernel-implemented object types whose

instances (also simply called objects) can be invoked by applications. The interface to

these objects forms the interface to the kernel itself. The creation and use of kernel

services is achieved by the creation, manipulation, and combination of these kernel

objects:

CNodes (see Chapter 3) store capabilities, giving threads permission to invoke methods

on particular objects. Each CNode has a ﬁxed number of slots, always a power

of two, determined when the CNode is created. Slots can be empty or contain a

capability.

Thread Control Blocks (TCBs; see Chapter 6) represent a thread of execution in

seL4. Threads are the unit of execution that is scheduled, blocked, unblocked,

etc., depending on the application’s interaction with other threads.

Endpoints (see Chapter 4) facilitate message-passing communication between threads.

IPC is synchronous: A thread trying to send or receive on an endpoint blocks until

the message can be delivered. This means that message delivery only happens

if a sender and a receiver rendezvous at the endpoint, and the kernel can deliver

the message with a single copy (or without copying for short messages using only

registers).

A capability to an endpoint can be restricted to be send-only or receive-only.

Additionally, Endpoint capabilities can have the grant right, which allows sending

capabilities as part of the message.

Notiﬁcation Objects (see Chapter 5) provide a simple signalling mechanism. A Notiﬁ-

cation is a word-size array of ﬂags, each of which behaves like a binary semaphore.

Operations are signalling a subset of ﬂags in a single operation, polling to check

6 CHAPTER 2. KERNEL SERVICES AND OBJECTS

any ﬂags, and blocking until any are signalled. Notiﬁcation capabilities can be

signal-only or wait-only.

Virtual Address Space Objects (see Chapter 7) are used to construct a virtual

address space (or VSpace) for one or more threads. These objects largely directly

correspond to those of the hardware, and as such are architecture-dependent. The

kernel also includes ASID Pool and ASID Control objects for tracking the status of

address spaces.

Interrupt Objects (see Chapter 8) give applications the ability to receive and ac-

knowledge interrupts from hardware devices. Initially, there is a capability to

IRQControl, which allows for the creation of IRQHandler capabilities. An IRQHandler

capability permits the management of a speciﬁc interrupt source associated with

a speciﬁc device. It is delegated to a device driver to access an interrupt source.

The IRQHandler object allows threads to wait for and acknowledge individual

interrupts.

Untyped Memory (see Section 2.4) is the foundation of memory allocation in the

seL4 kernel. Untyped memory capabilities have a single method which allows

the creation of new kernel objects. If the method succeeds, the calling thread

gains access to capabilities to the newly-created objects. Additionally, untyped

memory objects can be divided into a group of smaller untyped memory objects

allowing delegation of part (or all) of the system’s memory. We discuss memory

management in general in the following sections.

2.4 Kernel Memory Allocation

The seL4 microkernel does not dynamically allocate memory for kernel objects. In-

stead, objects must be explicitly created from application-controlled memory regions

via Untyped Memory capabilities. Applications must have explicit authority to memory

(through these Untyped Memory capabilities) in order to create new objects, and all

objects consume a ﬁxed amount of memory once created. These mechanisms can be

used to precisely control the speciﬁc amount of physical memory available to appli-

cations, including being able to enforce isolation of physical memory access between

applications or a device. There are no arbitrary resource limits in the kernel apart from

those dictated by the hardware

, and so many denial-of-service attacks via resource

exhaustion are avoided.

At boot time, seL4 pre-allocates the memory required for the kernel itself, including the

code, data, and stack sections (seL4 is a single kernel-stack operating system). It then

creates an initial user thread (with an appropriate address and capability space). The

kernel than hands all remaining memory to the initial thread in the form of capabilities

to Untyped Memory, and some additional capabilities to kernel objects that were required

to bootstrap the initial thread. These Untyped Memory regions can then be split into

smaller regions or other kernel objects using the seL4 Untyped Retype() method; the

created objects are termed children of the original untyped memory object.

The treatment of virtual ASIDs imposes a ﬁxed number of address spaces. This limitation is to

be removed in future versions of seL4.

2.4. KERNEL MEMORY ALLOCATION 7

The user-level application that creates an object using seL4 Untyped Retype() re-

ceives full authority over the resulting object. It can then delegate all or part of the

authority it possesses over this object to one or more of its clients.

2.4.1 Reusing Memory

The model described thus far is suﬃcient for applications to allocate kernel objects,

distribute authority among client applications, and obtain various kernel services pro-

vided by these objects. This alone is suﬃcient for a simple static system conﬁguration.

The seL4 kernel also allows Untyped Memory regions to be reused. Reusing a region

of memory is allowed only when there are no dangling references (i.e., capabilities)

left to the objects inside that memory. The kernel tracks capability derivations, i.e.,

the children generated by the methods seL4 Untyped Retype(), seL4 CNode Mint(),

seL4 CNode Copy(), and seL4 CNode Mutate().

The tree structure so generated is termed the capability derivation tree (CDT).

For

example, when a user creates new kernel objects by retyping untyped memory, the

newly created capabilities would be inserted into the CDT as children of the untyped

memory capability.

For each Untyped Memory region, the kernel keeps a watermark recording how much

of the region has previously been allocated. Whenever a user requests the kernel to

create new objects in an untyped memory region, the kernel will carry out one of two

actions: if there are already existing objects allocated in the region, the kernel will

allocate the new objects at the current watermark level, and increase the watermark.

If all objects previously allocated in the region have been deleted, the kernel will reset

the watermark and start allocating new objects from the beginning of the region again.

Finally, the seL4

CNode Revoke() method provided by CNode objects destroys all ca-

pabilities derived from the argument capability. Revoking the last capability to a

kernel object triggers the destroy operation on the now unreferenced object. This

simply cleans up any in-kernel dependencies between it, other objects and the kernel.

By calling seL4 CNode Revoke() on the original capability to an untyped memory

object, the user removes all of the untyped memory object’s children—that is, all

capabilities pointing to objects in the untyped memory region. Thus, after this invo-

cation there are no valid references to any object within the untyped region, and the

region may be safely retyped and reused.

Although the CDT conceptually is a separate data structure, it is implemented as part of the

CNode object and so requires no additional kernel meta-data.

Chapter 3

Capability Spaces

Recall from Section 2.1 that seL4 implements a capability-based access control model.

Each userspace thread has an associated capability space (CSpace) that contains the

capabilities that the thread possesses, thereby governing which resources the thread

can access.

Recall that capabilities reside within kernel-managed objects known as CNodes. A

CNode is a table of slots, each of which may contain a capability. This may include

capabilities to further CNodes, forming a directed graph. Conceptually a thread’s

CSpace is the portion of the directed graph that is reachable starting with the CNode

capability that is its CSpace root.

A CSpace address refers to an individual slot (in some CNode in the CSpace), which

may or may not contain a capability. Threads refer to capabilities in their CSpaces

(e.g. when making system calls) using the address of the slot that holds the capa-

bility in question. An address in a CSpace is the concatenation of the indices of the

CNode capabilities forming the path to the destination slot; we discuss this further in

Section 3.3.

Recall that capabilities can be copied and moved within CSpaces, and also sent in

messages (message sending will be described in detail in Section 4.2.2). Furthermore,

new capabilities can be minted from old ones with a subset of their rights. Recall,

from Section 2.4.1, that seL4 maintains a capability derivation tree (CDT) in which it

tracks the relationship between these copied capabilities and the originals. The revoke

method removes all capabilities (in all CSpaces) that were derived from a selected

capability. This mechanism can be used by servers to restore sole authority to an

object they have made available to clients, or by managers of untyped memory to

destroy the objects in that memory so it can be retyped.

seL4 requires the programmer to manage all in-kernel data structures, including C-

Spaces, from userspace. This means that the userspace programmer is responsible for

constructing CSpaces as well as addressing capabilities within them. This chapter ﬁrst

discusses capability and CSpace management, before discussing how capabilities are

addressed within CSpaces, i.e. how applications can refer to individual capabilities

within their CSpaces when invoking methods.

剩余95页未读，继续阅读

xiaoholmes

粉丝: 29
资源: 7

seL4操作系统手册：详解安全系统调用与权限管理

seL4-manual-latest.pdf

centos7 docker26.1.4本地部署安装包

libaio-devel-0.3.107-10.SEL6.x86_64.rpm

el-cascader样式

el-cascader 显示背景色

el-cascader 怎么修改文字颜色

用abap写一个ALV程序

ipmitool sel time set

最新资源