[note] nooks reliability system (SOSP '03)
Nooks
Nooks is a reliability subsystem that seeks to greatly enhance OS reliability by isolating the OS from driver failures.
Nooks Design
The Nooks Isolation Manager (NIM) is a transparent OS layer inserted between the kernel and kernel extensions. NIM provides four major architectural functions: isolation, interposition, object tracking and recovery.
Isolation
Memory management: a lightweight kernel protection domain with access to a limited portion of the kernel's address space.
Extension procedure call (XPC): transfers control safely between extensions and the kernel.
Interposition
Wrapper stubs: provide transparent control and data transfer across address-space boundaries. Wrappers reside in the kernel's domain.
Kernel wrappers: for kernel-supplied functions
Extension wrappers: for extension-supplied functions
Object-tracking
Maintains kernel objects used by extensions, controls their modification, and provides the information needed for cleanup.
Recovery
Detects and recovers from a variety of extension faults.
Detects when the processor raises an exception.
All extension accesses to domain-local memory are managed and tracked through wrappers.
Nooks Implementation
This part covers the implementation of Nooks.
Isolation
Memory Management
Each lightweight kernel protection domain contains a single extension. All extensions exist in the kernel's address space but with different access rights: the kernel has full access to the entire address space, while each extension is restricted to read-only access to the kernel and full access to its own domain.
Nooks maintains a synchronized copy of the kernel page table for each domain. Each lightweight kernel protection domain has private structures, including heaps, stacks, memory-mapped I/O regions and kernel memory buffers.
Extension Procedure Call (XPC)
XPC transfers control safely between extensions and the kernel. The XPC functions take a function pointer, an argument list, and a protection domain. The transfer routines save the caller's context on the stack, find a stack for the calling domain, change page tables to the target domain, and then call the function. The reverse operations are performed when the call returns.
Modifications to Kernels
- Maintain extension page tables and insert code wherever the kernel modifies the kernel page table.
- Modify exception handlers to detect domain exceptions. On return from the exception, the code restores the stack pointer and page table.
- Use a global variable to hold the task pointer, since the original system stores the task structure on the stack.
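A user-space model of the XPC path, object tracking and recovery described above (an added example, not code from the Nooks paper). It assumes protection domains are plain integers, the active page table is the global current_domain, and domain_fault() stands in for the modified exception handler.

```c
/* User-space model of Nooks XPC, object tracking and recovery (added example, not
   code from the paper). Assumptions: a domain is an int, the "active page table"
   is the variable current_domain, and domain_fault() stands in for the handler. */
#include <setjmp.h>
#include <stdlib.h>
#define KERNEL_DOMAIN 0

typedef struct {
    int id;             /* lightweight protection domain id */
    void *tracked[8];   /* kernel objects handed to this extension */
    int ntracked;
} domain_t;

static int current_domain = KERNEL_DOMAIN; /* stands in for the page table in use */
static jmp_buf caller_ctx;                 /* caller's context saved by XPC */

/* Object tracking: remember objects so recovery can release them. */
static void track(domain_t *d, void *obj) {
    if (d->ntracked < 8) d->tracked[d->ntracked++] = obj;
}

/* Exception handler stand-in: a fault in the extension unwinds to the XPC caller. */
static void domain_fault(void) { longjmp(caller_ctx, 1); }

/* XPC: save context, switch domain, call fn, switch back; -1 if fn faulted. */
static int xpc_call(domain_t *d, int (*fn)(domain_t *), int *result) {
    int saved = current_domain;
    if (setjmp(caller_ctx) != 0) {       /* reached only via domain_fault() */
        current_domain = saved;          /* restore the caller's page table */
        for (int i = 0; i < d->ntracked; i++) free(d->tracked[i]);
        d->ntracked = 0;                 /* cleanup driven by the object tracker */
        return -1;
    }
    current_domain = d->id;
    *result = fn(d);
    current_domain = saved;
    return 0;
}

static int ext_good(domain_t *d) { (void)d; return 42; }
static int ext_bad(domain_t *d) { track(d, malloc(64)); domain_fault(); return 0; }

int call_good(void) { domain_t d = {1, {0}, 0}; int r = 0; xpc_call(&d, ext_good, &r); return r; }
/* 1 if the fault was contained: error returned, objects freed, kernel domain restored. */
int call_bad(void) {
    domain_t d = {2, {0}, 0}; int r = 0;
    int rc = xpc_call(&d, ext_bad, &r);
    return rc == -1 && d.ntracked == 0 && current_domain == KERNEL_DOMAIN;
}
```

The faulting extension leaks an allocation before it faults; the recovery path uses the tracker's record to free it and returns the kernel to its own domain instead of crashing.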