From b1af96728071a5199f0297149a669ea693fc5732 Mon Sep 17 00:00:00 2001 From: "Tate, Hongliang Tian" Date: Wed, 20 Jul 2022 16:52:20 -0700 Subject: [PATCH] Transform the docs into a Markdown book --- docs/.gitignore | 1 + docs/book.toml | 9 ++ docs/src/README.md | 78 ++++++++++++++++++ docs/src/SUMMARY.md | 16 ++++ docs/src/capabilities/README.md | 0 docs/src/capabilities/capcomp.md | 0 .../capabilities/type_level_programming.md | 0 .../src/capabilities/what_are_capabilities.md | 0 .../{figures => src/images}/arch_overview.png | Bin docs/src/privilege_separation/README.md | 0 .../pci_virtio_drivers.md | 0 .../privilege_separation/syscall_workflow.md | 0 12 files changed, 104 insertions(+) create mode 100644 docs/.gitignore create mode 100644 docs/book.toml create mode 100644 docs/src/README.md create mode 100644 docs/src/SUMMARY.md create mode 100644 docs/src/capabilities/README.md create mode 100644 docs/src/capabilities/capcomp.md create mode 100644 docs/src/capabilities/type_level_programming.md create mode 100644 docs/src/capabilities/what_are_capabilities.md rename docs/{figures => src/images}/arch_overview.png (100%) create mode 100644 docs/src/privilege_separation/README.md create mode 100644 docs/src/privilege_separation/pci_virtio_drivers.md create mode 100644 docs/src/privilege_separation/syscall_workflow.md diff --git a/docs/.gitignore b/docs/.gitignore new file mode 100644 index 00000000..7585238e --- /dev/null +++ b/docs/.gitignore @@ -0,0 +1 @@ +book diff --git a/docs/book.toml b/docs/book.toml new file mode 100644 index 00000000..bed5cf0b --- /dev/null +++ b/docs/book.toml @@ -0,0 +1,9 @@ +[book] +authors = ["Tate, Hongliang Tian"] +language = "en" +multilingual = false +src = "src" +title = "KxOS: A Secure, Fast, and Modern OS in Rust" + +[rust] +edition = "2021" \ No newline at end of file diff --git a/docs/src/README.md b/docs/src/README.md new file mode 100644 index 00000000..f36a038e --- /dev/null +++ b/docs/src/README.md @@ -0,0 +1,78 @@ +This document describes KxOS, a secure, fast, and modern OS written in Rust. + +As the project is a work in progress, this document is by no means complete. +Despite the incompleteness, this evolving document serves several important purposes: + +1. To improve the quality of thinking by [putting ideas into words](http://www.paulgraham.com/words.html). +2. To convey the vision of this project to partners and stakeholders. +3. To serve as a blueprint for implementation. + +# Opportunities + +We believe now is the perfect time to start a new Rust OS project. We argue that +if we are doing things right, the project can have a promising prospect to +success and a real shot of challenging the dominance of Linux in the long run. +Our confidence stems from the three technological, industrial, geo-political +trends. + +First, [Rust](https://www.rust-lang.org/) is the future of system programming, +including OS development. Due to its advantages of safety, efficiency, and +productivity, Rust has been increasingly embraced by system developers, +including OS developers. [Linux is close to adopting Rust as an official +programming +language.](https://www.zdnet.com/article/linus-torvalds-is-cautiously-optimistic-about-bringing-rust-into-the-linux-kernels-next-release/) +Outside the Linux community, Rust enthusiasts are building from scratch new Rust +OSes, e.g., [Kerla](https://github.com/nuta/kerla), +[Occlum](https://github.com/occlum/occlum), +[Redox](https://github.com/redox-os/redox), +[rCore](https://github.com/rcore-os/rCore), +[RedLeaf](https://github.com/mars-research/redleaf), and +[zCore](https://github.com/rcore-os/zCore). Despite their varying degrees of +success, none of them are general-purpose, industrial-strength OSes that are or +will ever be competitive with Linux. Eventually, a winner will emerge out of this +market of Rust OSes, and KxOS is our bet for this competition. + +Second, Rust OSes are a perfect fit for +[Trusted Execution Environments (TEEs)](https://en.wikipedia.org/wiki/Trusted_execution_environment). +TEEs is an emerging hardware-based security technology that is expected to +become mainstream. All major CPU vendors have launched or announced their +implementations of VM-based TEEs, including +[ARM CCA](https://www.arm.com/architecture/security-features/arm-confidential-compute-architecture), +[AMD SEV](https://developer.amd.com/sev/), +[Intel TDX](https://www.intel.com/content/www/us/en/developer/articles/technical/intel-trust-domain-extensions.html) +and [IBM PEF](https://research.ibm.com/publications/confidential-computing-for-openpower). +Typical applications that demand protection of TEEs also desire a TEE OS that is +more secure and trustworthy than Linux, the latter of which is plagued by the +inevitable security vulnerabilities resulting from the unsafe nature of C +language and the sheer complexity of the codebase. A new Rust OS built from +scratch is less likely to contain memory safety bugs and can enjoy a +significantly smaller Trusted Computing Base (TCB). + +Third, the Chinese tech sector has a strong incentive to +invest in local alternatives of critical software like OSes. +Based in China, +we have been observing greater aspiration of Chinese companies +as well as greater support from the Chinese government +to [achieve independency in key technologies like chips and software](https://www.nytimes.com/2021/03/10/business/china-us-tech-rivalry.html). +One success story of Chinese software independence is +relational databases: +[Oracle and IBM are losing ground as Chinese vendors catch up with their US counterparts](https://www.theregister.com/2022/07/06/international_database_vendors_are_losing/). +Can such success stories be repeated in the field of OSes? I think so. +There are some China's home-grown OSes like [openKylin](https://www.openkylin.top/index.php?lang=en), but all of them are based on Linux and lack a self-developed +OS _kernel_. The long-term goal of KxOS is to fill this key missing core of the home-grown OSes. + +# Architecture Overview + +Here is an overview of the architecture of KxOS. + +![architecture overview](images/arch_overview.png) + +# Features + +**1. Security by design.** Security is our top priority in the design of KxOS. As such, we adopt the widely acknowledged security best practice of [least privilege principle](https://en.wikipedia.org/wiki/Principle_of_least_privilege) and enforce it in a fashion that leverages the full strengths of Rust. To do so, we partition KxOS into two halves: a _privileged_ OS core and _unprivileged_ OS components. As a result, we can write the OS components almost entirely in _safe_ Rust, while taking extra cautions with the _unsafe_ Rust code in the OS core. Furthermore, we propose the idea of _everything-is-a-capability_, which elevates the status of [capabilities](https://en.wikipedia.org/wiki/Capability-based_security) to the level of a ubiquitous security primitive used throughout the OS. We make novel use of Rust's advanced features (e.g., [type-level programming](https://willcrichton.net/notes/type-level-programming/)) to make capabilities more accessible and efficient. The net result is improved security and uncompromised performance. + +**2. Trustworthy OS-level virtualization.** OS-level virtualization mechanisms (like Linux's cgroups and namespaces) enable containers, a more lightweight and arguably more popular alternative to virtual machines (VMs). But there is one problem with containers: they are not as secure as VMs (see [StackExchange](https://security.stackexchange.com/questions/169642/what-makes-docker-more-secure-than-vms-or-bare-metal), [LWN](https://lwn.net/Articles/796700/), and [AWS](https://docs.aws.amazon.com/AmazonECS/latest/bestpracticesguide/security-tasks-containers.html)). There is a real risk that malicious containers may exploit privilege escalation bugs in the OS kernel to attack the host. [A study](https://dl.acm.org/doi/10.1145/3274694.3274720) found that 11 out of 88 kernel exploits are effective in breaking the container sandbox. The seemingly inherent insecurity of OS kernels leads to a new breed of container implementations (e.g., [Kata](https://katacontainers.io/) and [gVisor](https://gvisor.dev/)) that are based on VMs, instead of kernels, for isolation and sandboxing. We argue that this unfortunate retreat from OS-level virtualization to VM-based one is unwarranted---if the OS kernels are secure enough. And this is exactly what we plan to achieve with KxOS. We aim to provide a trustworthy OS-level virtualization mechanism on KxOS. + +**3. Fast user-mode development.** Traditional OS kernels like Linux are hard to develop, test, and debug. Kernel development involves countless rounds of programming, failing, and rebooting on bare-metal or virtual machines. This way of life is unproductive and painful. Such a pain point is also recognized and partially addressed by [research work](https://www.usenix.org/conference/fast21/presentation/miller), but we think we can do more. In this spirit, we design the OS core to provide high-level APIs that are largely independent of the underlying hardware and implement it with two targets: one target is as part of a regular OS in kernel space and the other is as a library OS in user space. This way, all the OS components of KxOS, which are stacked above the OS core, can be developed, tested, and debugged in user space, which is more friendly to developers than kernel space. + +**4. High-fidelity Linux ABI.** An OS without usable applications is useless. So we believe it is important for KxOS to fit in an established and thriving ecosystem of software, such as the one around Linux. This is why we conclude that KxOS should aim at implementing high-fidelity Linux ABI, including the system calls, the proc file system, etc. diff --git a/docs/src/SUMMARY.md b/docs/src/SUMMARY.md new file mode 100644 index 00000000..dbb36aa3 --- /dev/null +++ b/docs/src/SUMMARY.md @@ -0,0 +1,16 @@ +# Summary + +- [Introduction](README.md) + +# Design + +- [Privilege Separation](privilege_separation/README.md) + - [Case Study 1: Syscall Workflow](privilege_separation/syscall_workflow.md) + - [Case Study 2: Drivers for Virtio Devices on PCI](privilege_separation/pci_virtio_drivers.md) +- [Everything as a Capability](capabilities/README.md) + - [What are Capabilities?](capabilities/what_are_capabilities.md) + - [Type-Level Programming in Rust](capabilities/type_level_programming.md) + - [CapComp: Zero-Cost Capabilities and Components](capabilities/capcomp.md) +- [Trustworthy Containers]() +- [TEEs as Top-Tier Targets]() +- [Fast User-Mode Development]() diff --git a/docs/src/capabilities/README.md b/docs/src/capabilities/README.md new file mode 100644 index 00000000..e69de29b diff --git a/docs/src/capabilities/capcomp.md b/docs/src/capabilities/capcomp.md new file mode 100644 index 00000000..e69de29b diff --git a/docs/src/capabilities/type_level_programming.md b/docs/src/capabilities/type_level_programming.md new file mode 100644 index 00000000..e69de29b diff --git a/docs/src/capabilities/what_are_capabilities.md b/docs/src/capabilities/what_are_capabilities.md new file mode 100644 index 00000000..e69de29b diff --git a/docs/figures/arch_overview.png b/docs/src/images/arch_overview.png similarity index 100% rename from docs/figures/arch_overview.png rename to docs/src/images/arch_overview.png diff --git a/docs/src/privilege_separation/README.md b/docs/src/privilege_separation/README.md new file mode 100644 index 00000000..e69de29b diff --git a/docs/src/privilege_separation/pci_virtio_drivers.md b/docs/src/privilege_separation/pci_virtio_drivers.md new file mode 100644 index 00000000..e69de29b diff --git a/docs/src/privilege_separation/syscall_workflow.md b/docs/src/privilege_separation/syscall_workflow.md new file mode 100644 index 00000000..e69de29b