L4Linux - A virtualized Linux on a componentized, small kernel system
Adam Lackorzynski
2006-03-11
Welcome to the interactive presentation of L4Linux. L4Linux is
a virtualized Linux kernel running on an L4 micro-kernel. It is binary
compatible with normal Linux and can thus run any unmodified Linux
distribution.
There are several scenarios in which one or more virtualized legacy
operating systems are needed, or at least handy, for building different systems.
We go through some of them on the following pages.
History
L4Linux was invented in 1996 in Dresden's Operating System Group. Initially
it was based on Linux 2.0. Ports to more recent Linux versions have
followed since then. The current L4Linux version is based on 2.6 and is kept
up to date with the released Linux versions. We aim to modify Linux as
little as possible.
Architecture
The system in which L4Linux runs looks as follows:
Starting from the bottom, there is a micro-kernel running in privileged mode.
In the de-privileged mode above it, some basic services provide the foundation
for more advanced applications. These basic services include a memory
manager, a name server, a program loader and some more components. L4Linux
uses these core services. By the way, the GUI you currently see is
also a native L4 service, which L4Linux uses for graphical interaction.
Usage Scenarios
L4Linux can be used in different scenarios, among them:
- Running your legacy applications on a micro-kernel based system.
- Running your security-sensitive applications side by side with your
  commodity applications downloaded from the Internet, with the
  micro-kernel ensuring that both classes are properly separated.
- Reusing functionality of the legacy operating system in your micro-kernel
  based system, e.g. using the disk and filesystem drivers in L4Linux to
  access the disk from your L4 application.
- Machine consolidation: Run multiple instances of L4Linux on one machine
  to reduce the maintenance effort of many physical machines. The
  micro-kernel ensures that the virtual machines are isolated from each
  other.
- Secure your privacy! Use L4Linux to run your comfortable Internet
  browsing and e-mail software, and use small and trusted software on the
  micro-kernel side to sign or decrypt your messages. The legacy operating
  system will never see your private keys!
- Multi-Compartment Workstation: Use one virtual machine for every security
  level in your organization, eliminating the need for multiple physical
  machines. Once again the micro-kernel makes sure each virtual machine is
  properly isolated from the other ones.
The following pages will show some scenarios in more detail.
VPN Gateway
In this scenario two L4Linux instances are used to build a Virtual Private
Network gateway. One L4Linux, the outer one, sends and receives data from
the public Internet, while the inner L4Linux sends and receives data from the
internal intranet. Encryption and decryption of the data stream are done by a
small component that runs independently of the two Linux instances; it is the
only path for communication between them and presents a very small attack
surface.
The Viaduct is a small component that only relies on a few other L4
components. It is therefore quite easy to understand and audit.
An attacker may take over the outer Linux but has very little chance of
corrupting either the Viaduct or the inner Linux.
Its trusted computing base (TCB) is small compared to the code involved
when placing the encryption component into a conventional legacy
operating system.
The code reused from the legacy operating system is mainly the network card
driver and the networking software, namely the TCP/IP stack.
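The following is an added toy model of the gateway split described above; it is not L4Linux or Viaduct code. It assumes a constructed setup with an outer and an inner Linux plus a Viaduct object, and uses an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag as a stand-in for whatever cipher a real Viaduct would use. The point it shows is structural: only the Viaduct holds keys, the outer Linux forwards opaque packets, and a packet modified on the outer side is dropped before anything reaches the inner Linux.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF-based stream cipher (toy choice)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


class Viaduct:
    """Models the Viaduct: the only component holding keys and the only path between sides."""

    def __init__(self, enc_key: bytes, mac_key: bytes) -> None:
        self._enc_key = enc_key
        self._mac_key = mac_key

    def to_public(self, plaintext: bytes) -> bytes:
        """Inner -> outer direction: encrypt-then-MAC, returns nonce || ciphertext || tag."""
        nonce = secrets.token_bytes(NONCE_LEN)
        stream = _keystream(self._enc_key, nonce, len(plaintext))
        ct = bytes(p ^ s for p, s in zip(plaintext, stream))
        tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def to_private(self, packet: bytes) -> Optional[bytes]:
        """Outer -> inner direction: verify the tag first; decrypt only if it checks out."""
        if len(packet) < NONCE_LEN + TAG_LEN:
            return None
        nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged or corrupted packet is dropped; inner Linux never sees it
        stream = _keystream(self._enc_key, nonce, len(ct))
        return bytes(c ^ s for c, s in zip(ct, stream))


class OuterLinux:
    """Untrusted side: moves opaque packets between the Internet and the Viaduct, no keys."""

    def __init__(self) -> None:
        self.seen: List[bytes] = []

    def forward(self, packet: bytes) -> bytes:
        self.seen.append(packet)
        return packet


class InnerLinux:
    """Trusted side: only ever receives plaintext that the Viaduct accepted."""

    def __init__(self) -> None:
        self.delivered: List[bytes] = []

    def receive(self, plaintext: bytes) -> None:
        self.delivered.append(plaintext)


def run_scenario() -> dict:
    """Constructed exchange: one outbound message, one genuine inbound, one tampered inbound."""
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    viaduct = Viaduct(enc_key, mac_key)
    remote_gateway = Viaduct(enc_key, mac_key)  # the peer at the other end of the VPN
    outer, inner = OuterLinux(), InnerLinux()

    # Inner -> Internet: the outer Linux handles ciphertext only.
    message = b"internal report: constructed sample payload"
    wire = outer.forward(viaduct.to_public(message))
    outer_sees_plaintext = message in wire

    # Internet -> inner, genuine packet from the remote gateway: accepted.
    genuine = viaduct.to_private(outer.forward(remote_gateway.to_public(b"reply from HQ")))
    if genuine is not None:
        inner.receive(genuine)

    # Internet -> inner, packet altered by a compromised outer Linux: one byte flipped.
    tampered = bytearray(remote_gateway.to_public(b"reply from HQ"))
    tampered[NONCE_LEN] ^= 0x01
    rejected = viaduct.to_private(outer.forward(bytes(tampered)))
    if rejected is not None:
        inner.receive(rejected)

    return {
        "outer_sees_plaintext": outer_sees_plaintext,
        "inner_received": inner.delivered,
        "tampered_rejected": rejected is None,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The outer Linux's `seen` list is the whole of what an attacker controlling it could observe or alter; everything in it is ciphertext, and any alteration fails the tag check inside the Viaduct rather than on the inner side.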
Machine Consolidation
L4Linux can be started multiple times and thus run several virtual machines in
parallel on one physical machine. Depending on the needs, an L4Linux instance
may be granted access to the physical hardware of the machine and relay device
access to the other instances. Hardware access may also be implemented by
specialized L4 components.
In this example the L4 driver may be a network server which handles all
network traffic for the virtual machines. The device L4Linux may have an IDE
driver compiled in and accesses the disk on behalf of the green L4Linux
instances. Disk virtualization will then be done in the device L4Linux.
The green instances without hardware access need device drivers that
talk to the corresponding servers. For example, there needs to be a virtual
disk driver in the green L4Linux instances that talks to the device Linux. Such a
driver is usually called a "stub driver".
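To make the stub-driver split concrete, here is an added toy model; it is not L4Linux code and the names `DeviceLinux`, `StubDriver` and `handle` are constructed for this illustration. The device side owns one backing store and hands each guest a fixed slice of it, so disk virtualization, and the bounds check that keeps one guest out of another guest's blocks, lives entirely on the device side; the stub driver in a guest holds no hardware access and just forwards block requests.

```python
from typing import Dict, Optional, Tuple

BLOCK = 512  # bytes per block (constructed value)


class DeviceLinux:
    """Models the device L4Linux: owns the real disk and the per-guest partition table."""

    def __init__(self, total_blocks: int) -> None:
        self.disk = bytearray(total_blocks * BLOCK)
        self.total_blocks = total_blocks
        self.partitions: Dict[str, Tuple[int, int]] = {}  # guest_id -> (first_block, n_blocks)
        self._next_free = 0

    def attach(self, guest_id: str, n_blocks: int) -> None:
        """Give a guest its own slice of the backing store; slices never overlap."""
        if self._next_free + n_blocks > self.total_blocks:
            raise RuntimeError("no disk space left for " + guest_id)
        self.partitions[guest_id] = (self._next_free, n_blocks)
        self._next_free += n_blocks

    def handle(self, guest_id: str, op: str, block: int,
               data: Optional[bytes] = None) -> Optional[bytes]:
        """Service one stub-driver request after checking it against the caller's slice."""
        if guest_id not in self.partitions:
            raise PermissionError("unknown guest " + guest_id)
        first, n_blocks = self.partitions[guest_id]
        if not 0 <= block < n_blocks:
            # The guest addresses its virtual disk; anything outside it is refused
            # before being translated to a physical block.
            raise PermissionError(f"{guest_id}: block {block} outside its {n_blocks}-block disk")
        offset = (first + block) * BLOCK
        if op == "read":
            return bytes(self.disk[offset:offset + BLOCK])
        if op == "write":
            if data is None or len(data) != BLOCK:
                raise ValueError("write needs exactly one block of data")
            self.disk[offset:offset + BLOCK] = data
            return None
        raise ValueError("unknown op " + op)


class StubDriver:
    """Guest-side virtual disk driver: no hardware access, forwards to the device Linux."""

    def __init__(self, guest_id: str, device: DeviceLinux) -> None:
        self.guest_id = guest_id
        self.device = device

    def read_block(self, block: int) -> bytes:
        return self.device.handle(self.guest_id, "read", block)

    def write_block(self, block: int, data: bytes) -> None:
        self.device.handle(self.guest_id, "write", block, data)


def run_scenario() -> dict:
    """Two guests share one 8-block disk; each gets 4 blocks and cannot reach the other's."""
    dev = DeviceLinux(total_blocks=8)
    dev.attach("guest-a", 4)
    dev.attach("guest-b", 4)
    a, b = StubDriver("guest-a", dev), StubDriver("guest-b", dev)

    a.write_block(0, b"A" * BLOCK)
    b.write_block(0, b"B" * BLOCK)
    results = {"a_reads_own": a.read_block(0)[:1], "b_reads_own": b.read_block(0)[:1]}

    # guest-a's block 4 would be guest-b's block 0 if the device side did not check.
    try:
        a.read_block(4)
        results["a_escape_blocked"] = False
    except PermissionError:
        results["a_escape_blocked"] = True

    # A negative block index would wrap backwards into the previous slice.
    try:
        b.read_block(-1)
        results["b_negative_blocked"] = False
    except PermissionError:
        results["b_negative_blocked"] = True
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The check sits in `DeviceLinux.handle`, not in the stub driver: a guest kernel that is compromised can send any request it likes, so the only place the isolation the text promises can be enforced is the side that actually owns the hardware.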
Running L4Linux
The simplest way to run L4Linux is to use a hardware-independent setup, as
is done for this demo.
This demo boots up an L4Linux with a simple and small RAM disk; it will not
touch the disks in the host system. The RAM disk is small and only contains
a very basic set of programs. For a demo with a more complete userland,
please refer to the other setups.
By clicking here (in the Demo-CD version of this document) a new window
should come up, showing the Tux in the left upper corner and the familiar
Linux boot up scrolling. A shell prompt should appear shortly after that.
Click into the window with your mouse to enter commands.
In the window you can switch between the virtual Linux consoles with Alt-F2,
Alt-F3 and so on, as usual.
To close the virtual machine, just issue "halt" and the machine will shut
down and the window will close. All resources will be freed.
Running Multiple Instances of L4Linux
There is nothing special about running multiple instances of L4Linux. Just
start another copy (in the Demo-CD version of this document),
and another one (in the Demo-CD version of this document)...
If no more resources (such as free memory) are available, no further instances
will appear. Just shut down a currently running instance and you should be
able to start another one.
Reboot the machine
Click here (in the Demo-CD version of this document) to reboot your machine.