Lompat ke isi

Mikrokernel: Perbedaan antara revisi

Dari Wikipedia bahasa Indonesia, ensiklopedia bebas
Konten dihapus Konten ditambahkan
Jazle (bicara | kontrib)
kTidak ada ringkasan suntingan
TXiKiBoT (bicara | kontrib)
k bot Menambah: en Mengubah: ja, pl, ru, uk
Baris 244: Baris 244:
[[cs:Mikrojádro]]
[[cs:Mikrojádro]]
[[de:Mikrokernel]]
[[de:Mikrokernel]]
[[en:Microkernel]]
[[es:Micronúcleo]]
[[es:Micronúcleo]]
[[fr:Noyau de système d'exploitation#Systèmes à micro-noyaux]]
[[fr:Noyau de système d'exploitation#Systèmes à micro-noyaux]]
[[hu:Mikrokernel]]
[[hu:Mikrokernel]]
[[ja:マイクロカーネル]]
[[nl:Microkernel]]
[[nl:Microkernel]]
[[ja:????????]]
[[no:Mikrokjerne]]
[[no:Mikrokjerne]]
[[pl:Mikrojadro]]
[[pl:Mikrojądro]]
[[pt:Micro-kernel]]
[[pt:Micro-kernel]]
[[ru:?????????]]
[[ru:Микроядро]]
[[sk:Mikrokernel]]
[[sk:Mikrokernel]]
[[sv:Mikrokärna]]
[[sv:Mikrokärna]]
[[uk:?????????]]
[[uk:Мікроядро]]

Revisi per 23 Maret 2009 18.18

Structure of monolithic and microkernel-based operating systems, respectively

Dalam pengetahuan Ilmu Komputer, mikrokernel merupakan modul inti yang meyediakan beragam mekanisme yang dibutuhkan untuk mengembangkan sebuah sistem operasi, seperti halnya manajemen pengalamatan ruang tingkat rendah, manajemen thread, dan komunikasi antar proses. Dalam implementasinya mikrokernel merupakan satu-satunya perangkat lunak yang berjalan dengan tingkat kewenangan tertinggi (umumnya disebut sebagai modus supervisor atau modus kernel) dari serangkaian level kewenangan yang tersedia pada perangkat kerasnya. Layanan yang disediakan oleh sebuah sistem operasi beberapa diantaranya adalah device driver, protocol stack, Sistem berkas, dan kode antarmuka pengguna yang berada dalam Ruang pengguna.

Mikrokernel sangat erat terkait dengan exokernel[1] , serta memiliki banyak kesamaan dengan hypervisor.[2] namun implementasinya lebih bersifat minimalis, dan secara spesifik untuk mendukung pengimplementasian Mesin virtual. L4 microkernel sering juga disebut sebagai hypervisor, yang mengindikasikan kemungkinan pengimplementasian sebuah mikrokernel sebagai hypervisor. Istilah nanokernel dalam sejarahnya digunakan untuk membedakan mikrokernel saat ini dengan istilah mikrokernel sebelumnya yang menyediakan layanan sistem aktual, namun secara prinsip minimalitas menurut Jochen Liedtke dalam desain L4 microkernel menyebutkan bahwa istilah-istilah tersebut memiliki arti yang kurang lebih sama; mikrokernel merupakan terminologi modern.

Pendahuluan

Pada mulanya, kernel sistem operasi umumnya berukuran kecil, penyebabnya adalah besarnya ingatan komputer yang terbatas. Dengan semakin berkembangnya kapabiltas komputer, jumlah perangkat yang harus dikontrol oleh suatu kernel menjadi meningkat pula. Namun pada masa-masa awal sejarah sistem operasi unix, kernel pada umumnya berukuran kecil, meskipun kernel-kernel tersebut menyediakan device driver dan pengatur sistem berkas. Saat pengalamatan ruang meningkat dari 16 menjadi 32 bit, disain kernel diubahsuai menjadi tidak lagi bergantung pada arsitektur perangkat keras yang ada, dan ukuran kernel pun mulai tumbuh membesar.

Berkeley UNIX (BSD) tercatat sebagai yang memulai era kernel berukuran besar. Sebagai tambahan dari pengoperasian sistem yang paling mendasar seperti CPU, media penyimpanan, dan pencetak, BSD mulai menambahkan sistem berkas, sistem jaringan TCP/IP yang lengkap, dan sejumlah perangkat "virtual" yang mengijinkan program yang ada untuk bekerja secara tersembunyi pada jaringan. Pertumbuhan ini berlanjut selama beberapa dekade dan menyebabkan kernel yang ada saat ini terdiri hingga jutaan baris kode. Sebagai akibat dari pertumbuhan ini pun, kernel yang ada saat ini lebih rentan terhadap bug dan menjadi lebih sulit untuk dikelola.

Mikrokernel didisain untuk mengatasi permasalahan yang disebabkan karena pertumbuhan kernel yang membesar dan kesulitan mengelolanya. Secara teori, disain mikrokernel mengijinkan pengelolaan kode yang lebih mudah karena arsitekturnya yang mendistribusikan layanan pada divisi ruang pengguna. Pengimplementasian seperti ini berdampak positif pula pada peningkatan keamanan dan stabilitas yang disebabkan karena menurunnya jumlah kode yang berjalan pada modus kernel. Sebagai contoh, jika layanan jaringan tidak bekerja karena serangan buffer overflow, sistem lainnya masih dapat berfungsi secara normal.

Komunikasi Antarproses

Komunikasi antarproses (IPC) merupakan suatu mekanisme yang memungkinkan suatu proses yang terpisah untuk berkomunikasi dengan proses lainnya, biasanya hal ini dilakukan dengan memanfaatkan mekanisme pengiriman pesan. Disamping itu Ingatan berbagi (shared memory) secara spesifik juga sering pula digunakan sebagai salah satu mekanisme yang digunakan untuk komunikasi antarproses, namun demikian, umumnya makna IPC lebih mengarah pada komunikasi memanfaatkan mekanisme pengiriman pesan, dan lebih lanjut menjadi relevan terhadap mekanisme yang digunakan pada mikrokernel. IPC mengijinkan sistem operasi dibuat dari sejumlah program kecil yang disebut pelayan, yang digunakan oleh program lainnya dalam sistem, melalui IPC sebagai mediator. Hampir dari semua dukungan atas periferal perangkat keras ditangani memalui cara ini, dengan peladen atas device driver, protokol jaringan, sistem berkas, grafis, dan lain-lain.

IPC dapat pula berjalan secara sinkronis, dan asinkronis. Analogi IPC asinkronis pada komunikasi jaringan contohnya: Pesan dikirim oleh program pengirim dan melajutkan proses tanpa menunggu pesan baliknya. Program penerima menampung/mengecek keberadaan pesan yang harus diproses baik secara inisialisasi mandiri, atau diingatkan oleh suatu mekanisme notifikasi. IPC asinkronis mensyaratkan kernel mengelola penampung dan mengimplementasikan antrian atas pesan-pesan tersebut, dan berkompromi terhadap kemungkinan terjadinya "buffer-overflow"; Kernel juga harus melakukan duplikasi pesan (pengirim-ke-kernel dan kernel-ke-penerima). Sementara pada IPC sinkronis, pihak pertama (baik pengirim atau penerima) yang melakukan blokade hingga pihak yang dituju siap untuk melakukan proses IPC. modus IPC sinkronis tidak membutuhkan pengelolaan penampung di sisi kernel, ataupun duplikasi pesan, namun komunikasi yang bersifat sinkronis seperti ini akan menyebabkan pemrograman menjadi lebih sulit. Kebanyakan programer lebih memilih menggunakan modus asinkronis untuk pengiriman dan modus sinkronis untuk penerimaan.

Peladen

Peladen mikrokernel pada dasarnya merupakan program jurik biasa seperti umumnya, dengan pengecualian kernel memberikan sejumlah kewenangan untuk berinteraksi dengan sebagian dari ingatan fisik yang biasanya dibatasi untuk program pada umumnya. Dengan cara demikian, hal ini memungkinkan para peladen, khususnya device driver, bisa berinteraksi secara langsung dengan perangkat keras.

Seperangkat peladen pada mikrokernel untuk kebutuhan umum melingkupi peladen sistem berkas, peladen device driver, peladen jaringan, pelanden tampilan, dan peladen antar muka pengguna. Seperangkat peladen tersebut secara kasar adalah menyediakan sejumlah layanan yang sama yang diberikan pada kernel monolithic UNIX. Peladen yang dibutuhkan akan dijalankan pada saat sistem mulai berjalan dan secara aktif menyediakan layanan, seperti berkas, jaringan, dan akses terhadap perangkat, pada program-program aplikasi. Dengan sejumlah peladen yang berjalan pada lingkungan aplikasi pengguna seperti ini, pengembangan sebuah peladen sama seperti halnya halnya pengembangan aplikasi umum biasa.

Device Driver

Device driver secara frekuentif melakukan akses pengingat langsung (DMA), dengan demikian bisa menulis dan melakukan relokasi atas ingatan fisik, termasuk pula struktur data kernel, oleh karenanya atas driver tersebut perlu diberikan kewenangan khusus (trusted). Kekeliruan konsepsi yang terjadi menganggap bahwa untuk device driver seperti itu haruslah merupakan bagian dari kernel. Padahal faktanya, driver tidak selalu menjadi bagian yang tidak terpisahkan dari kernel.

While running a device driver in user space does not necessarily reduce the damage a misbehaving driver can cause, in practice it is beneficial for system stability in the presence of buggy (rather than malicious) drivers: memory-access violations by the driver code itself (as opposed to the device) may still be caught by the memory-management hardware. Furthermore, many devices are not DMA-capable, their drivers can be made untrusted by running them in user space. Recently, an increasing number of computers feature IOMMUs, many of which can be used to restrict a device's access to physical memory.[3] (IBM mainframes have had IO MMUs since the IBM System/360 Model 67 and System/370.) This also allows user-mode drivers to become untrusted.

User-mode drivers actually predate microkernels. The Michigan Terminal System (MTS), in 1967, supported user space drivers, the first operating system to be designed with that capability.[4] Historically, drivers were less of a problem, as the number of devices was small and trusted anyway, so having them in the kernel simplified the design and avoided potential performance problems. This led to the traditional driver-in-the-kernel style of UNIX, Linux, and Windows.[5] With the proliferation of various kinds of peripherals, the amount of driver code escalated and in modern operating systems dominates the kernel in terms of code size.

Essential components & minimality

As a microkernel must allow building arbitrary operating-system services on top, it must provide some core functionality. At the least this includes:

This minimal design was pioneered by Brinch Hansen's Nucleus and the hypervisor of IBM's VM. It has since been formalised in Liedtke's minimality principle:

A concept is tolerated inside the microkernel only if moving it outside the kernel, i.e., permitting competing implementations, would prevent the implementation of the system's required functionality.[6]

Everything else can be done in a user program, although device drivers implemented as user programs may require special privileges to access I/O hardware.

Related to the minimality principle, and equally important for microkernel design, is the separation of mechanism and policy, it is what enables the construction of arbitrary systems on top of a minimal kernel. Any policy built into the kernel cannot be overwritten at user level and therefore limits the generality of the microkernel.[1] Policy implemented in user-level servers can be changed by replacing the servers (or letting the application choose between competing servers offering similar services).

For efficiency, most microkernels contain schedulers and manage timers, in violation of the minimality principle and the principle of policy-mechanism separation.

Start up (booting) of a microkernel-based system requires device drivers, which are not part of the kernel. Typically this means that they are packaged with the kernel in the boot image, and the kernel supports a bootstrap protocol that defines how the drivers are located and started. Some microkernels simplify this by placing some key drivers inside the kernel (in violation of the minimality principle), LynxOS and the original Minix are examples. Some even include a file system in the kernel to simplify booting. On other cases microkernel-based system may boot via multiboot compatible boot loader, GNU GRUB for example, such systems usually loads statically linked servers to make an initial bootstrap or mount OS image to continue bootstrapping.

A key component of a microkernel is a good IPC system and virtual memory manager design that allows to implement page fault handling and swapping in user space servers side in a safe way. Since all services are performed by usermode programs, efficient means of communication between programs are essential, far more so than in monolithic kernels. The design of the IPC system makes or breaks a microkernel. To be effective, the IPC system must not only have low overhead, but also interact well with CPU scheduling.

Performance

Obtaining a service is inherently more expensive in a microkernel-based system than a monolithic system.[1] In the monolithic system, the service is obtained by a single system call, which requires two mode switches (changes of the processor's privilege level). In the microkernel-based system, the service is obtained by sending an IPC message to a server, and obtaining the result in another IPC message from the server. This requires a context switch if the drivers are implemented as processes, or a function call if they are implemented as procedures. In addition, passing actual data to the server and back may incur extra copying overhead, while in a monolithic system the kernel can directly access the data in the client's buffers.

Performance is therefore a potential issue in microkernel systems. Indeed, the experience of first-generation microkernels such as Mach and Chorus showed that systems based on them performed very poorly.[7] However, Jochen Liedtke showed that Mach's performance problems were the result of poor design and implementation, and specifically Mach's excessive cache footprint.[6] Liedtke demonstrated with his own L4 microkernel that through careful design and implementation, and especially by following the minimality principle, IPC costs could be reduced by more than an order of magnitude compared to Mach. L4's IPC performance is still unbeaten across a range of architectures.[8][9][10]

While these results demonstrate that the poor performance of systems based on first-generation microkernels is not representative for second-generation kernels such as L4, this constitutes no proof that microkernel-based systems can be built with good performance. It has been shown that a monolithic Linux server ported to L4 exhibits only a few percent overhead over native Linux.[11] However, such a single-server system exhibits few, if any, of the advantages microkernels are supposed to provide by structuring operating-system functionality into separate servers.

A number of commercial multi-server systems exist, in particular the real-time systems QNX and Integrity. No comprehensive comparison of performance relative to monolithic systems has been published for those multiserver systems. Furthermore, performance does not seem to be the overriding concern for those commercial systems, which instead emphasize simplicity for the sake of robustness. An attempt to build a high-performance multiserver operating system was the IBM Sawmill Linux project.[12] However, this project was never completed.

It has been shown in the meantime that user-level device drivers can come close to the performance of in-kernel drivers even for such high-throughput, high-interrupt devices as Gigabit Ethernet.[13] This seems to imply that high-performance multi-server systems are possible.

Security

The security benefits of microkernels have been frequently discussed.[14][15] In the context of security the minimality principle of microkernels is a direct consequence of the principle of least privilege, according to which all code should have only the privileges needed to provide required functionality. Minimality requires that a system's trusted computing base (TCB) should be kept minimal. As the kernel (the code that executes in the privileged mode of the hardware) is always part of the TCB, minimizing it is natural in a security-driven design.

Consequently, microkernel designs have been used for systems designed for high-security applications, including KeyKOS, EROS and military systems. In fact common criteria (CC) at the highest assurance level (EAL7) has an explicit requirement that the target of evaluation be “simple”, an acknowledgment of the practical impossibility of establishing true trustworthiness for a complex system.

Recent work on microkernels is focusing on formal specifications of the kernel API, and formal proofs of security properties of the API. The first example of this is a mathematical proof of the confinement mechanisms in EROS, based on a simplified model of the EROS API.[16] More recently, a comprehensive set of machine-checked proofs has been performed of the properties of the protection model of the seL4 version of L4.[17]

Some projects go even further, aiming at complete formal verification, i.e. a mathematical proof that the kernel's implementation is consistent with its specification, which then provides a guarantee that the properties proved about the API actually hold for the real kernel. This degree of assurance goes beyond even CC EAL7. Such proofs are being attempted for Coyotos and seL4.

Nanokernel

In computer science, the term nanokernel or picokernel historically referred to:

  1. A kernel where the total amount of kernel code, i.e. code executing in the privileged mode of the hardware, is very small. The term picokernel was sometimes used to further emphasize small size. The term nanokernel was coined by Jonathan S. Shapiro in the paper The KeyKOS NanoKernel Architecture. It was a sardonic response to Mach, which claimed to be a microkernel while being monolithic, essentially unstructured, and slower than the systems it sought to replace. Subsequent reuse of and response to the term, including the picokernel coinage, suggest that the point was largely missed. Both nanokernel and picokernel have subsequently come to have the same meaning expressed by the term microkernel.
  2. A virtualization layer underneath an operating system; this is more correctly referred to as a hypervisor.
  3. A hardware abstraction layer that forms the lowest-level part of a kernel, sometimes used to provide real-time functionality to normal OS's, like Adeos.

There is also at least one case where the term nanokernel is used to refer not to a small kernel, but one that supports a nanosecond clock resolution. [1]

See also

References

  1. ^ a b c Liedtke, Jochen (1996). "Towards Real Microkernels". Communications of the ACM. 39 (9): 70–77.  Kesalahan pengutipan: Tanda <ref> tidak sah; nama "Liedtke_96" didefinisikan berulang dengan isi berbeda
  2. ^ Heiser, Gernot; Uhlig, Volkmar and LeVasseur, Joshua (2006). "Are Virtual-Machine Monitors Microkernels Done Right?" (PDF). ACM SIGOPS Operating Systems Review. ACM. 40 (1): 95–99. doi:10.1145/1113361.1113363. 
  3. ^ Wong, William (April 27, 2007). "I/O, I/O, It's Off to Virtual Work We Go". Electronic Design. 
  4. ^ Alexander, M.T. (1972). "Organization and Features of the Michigan Terminal System". AFIPS Conference Proceedings, 1972 Spring Joint Computer Conference. 40: 589. 
  5. ^ Lions, John (August 1, 1977). Lions' Commentary on UNIX 6th Edition, with Source Code. Peer-To-Peer Communications. ISBN 1573980137. 
  6. ^ a b Liedtke, Jochen (1995). "On µ-Kernel Construction". 15th ACM symposium on Operating Systems Principles. hlm. 237–250.  Kesalahan pengutipan: Tanda <ref> tidak sah; nama "Liedtke_95" didefinisikan berulang dengan isi berbeda
  7. ^ Chen, Bradley (1993). "The Impact of Operating System Structure on Memory System Performance". 14th ACM Symposium on Operating System Principles. Asheville, NC, USA. hlm. 120–33. 
  8. ^ Liedtke, Jochen (1997). "Achieved IPC performance (still the foundation for extensibility)". 6th Workshop on Hot Topics in Operating Systems. Cape Cod, MA, USA: IEEE. hlm. 28–31. 
  9. ^ Gray, Charles (April 2005). "Itanium—a system implementor's tale". USENIX Annual Technical Conference. Annaheim, CA, USA. hlm. 264–278. 
  10. ^ van Schaik, Carl (January 2007). "High-performance microkernels and virtualisation on ARM and segmented architectures". 1st International Workshop on Microkernels for Embedded Systems. Sydney, Australia: NICTA. hlm. 11–21. Diakses tanggal 2007-04-01. 
  11. ^ Härtig, Hermann (1997). "The performance of µ-kernel-based systems". Proceedings of the sixteenth ACM symposium on Operating systems principles: 66–77. doi:10.1145/268998.266660. ISBN 0-89791-916-5. 
  12. ^ Gefflaut, Alain (2000). "The Sawmill multiserver approach". 9th ACM SIGOPS European Worshop. Kolding, Denmark. hlm. 109–114. 
  13. ^ Leslie, Ben (2005). "User-level device drivers: achieved performance". Journal of Computer Science and Technology. 5 (20): 654–664. doi:10.1007/s11390-005-0654-4. 
  14. ^ Tanenbaum, Andrew S., Tanenbaum-Torvalds debate, part II
  15. ^ Tanenbaum, A., Herder, J. and Bos, H. (May 2006).
  16. ^ Shapiro, Jonathan S. "Verifying the EROS Confinement Mechanism". IEEE Conference on Security and Privacy. 
  17. ^ Elkaduwe, Dhammika; Klein, Gerwin; Elphinstone, Kevin (2007), Verified Protection Model of the seL4 Microkernel, submitted for publication 

Further reading