This article was originally published as "Dr. Xu Zhongxing's speech: Fuchsia OS overview and slide download" on a Zhihu column and is reprinted here with permission. Please obtain the original author's consent before reprinting.
Dr. Xu Zhongxing gave an excellent talk on Fuchsia at OpenGDC 2018. With his consent, the Fuchsia OS Chinese community has organized the original slides and published them on the community website, in the hope of helping the many friends who are studying the Fuchsia system. Thanks to Dr. Xu for his support. This is the . Welcome to follow us.
- The PDF of this presentation can be downloaded from: https://xuzhongxing.github.io/201806fuchsia.pdf
Fuchsia Chinese Community Backup Download:
The following is an organized summary of the speech:
The origins of Fuchsia
- Years of developing Android and ChromeOS have given Google enough talent and components in operating systems; at the same time it has fully recognized the limitations of the Linux kernel.
- Fuchsia is the collective name for a brand-new operating system. Google has selected a set of technologies and components it considers suitable for a modern OS, such as a microkernel, capability-based access control, the Vulkan graphics interface, the Scenic 3D desktop renderer, and the Flutter application development framework. Currently supported programming languages: C/C++, Go, Rust, Dart.
- Google released all the code in 2016 but has not officially announced the project's goal; the developer community currently communicates through an IRC channel.
- Supported architectures are x86-64 and ARM64; supported devices range from IoT to servers.
A modern, general-purpose, open OS has to face
- Upstream hardware vendors
- Downstream application developers
- Device manufacturers (partner vendors)
Fuchsia solves the pain points of modern OS
- A native process sandbox to address application security and distribution problems (hackers)
- Linux: namespaces, control groups, unionfs => Docker
- A stable driver interface, so hardware manufacturers can maintain their drivers independently (hardware vendors)
- A modular, layered system, so device manufacturers can flexibly build customized proprietary systems (partner vendors)
- A pure 3D UI based on Vulkan, with physically based rendering and global illumination (users)
- The Flutter application development framework (developers)
For the process sandbox, Fuchsia rethinks three basic Unix abstractions:
- Global file system
- User
- Process creation
Global file system
- In Unix there is a global root file system
- It is a basic resource shared by every process
- The file system also covers non-file resources: /proc, /sys, ...
- The network is an exception
- In Fuchsia there is no global root file system
- Files and file systems become a local concept (confined to each file system process), so there is no file in the kernel's process data structure
- A namespace defines the resources a process can access
- Each name corresponds to a handle to a channel of the resource's process
- "/" -> root vfs service handle, "/dev" -> devfs service handle, "/net/dns" -> DNS service handle
User
- In Unix, users were originally a mechanism for different people to log in to a shared server.
- A user was a real person
- Later they were used mainly for permission control, a weak sandbox mechanism
- In Fuchsia there is no user concept at the lower layers (Zircon, Garnet)
- Namespaces control the resources a process can access.
- Capability-based access control
- So there is no uid in the process
Process creation
- In Unix, a new process comes from forking an old one
- The new process inherits all the resources of the parent process
- A lazy design
- In Fuchsia, a new process is created from scratch
- Create the process and thread
- The parent process establishes the initial namespace's mapping to resource channel handles
- Call process_start to explicitly tell the kernel that the new process may run.
- In the Fuchsia kernel's process data structure there is neither file nor uid
As if it were designed specifically for exploits
- Typical exploit steps
- fork()/exec() to open a reverse shell
- Inherit the uid (or gain privilege by obtaining root's uid) to get ubiquitous authority
- Access the global file system
- In Fuchsia, none of these mechanisms exist.
- The root namespace is established explicitly when the process is created
- No users, so there is no ambient authority (DAC/MAC)
- Capability-based access control
- The accessible resources are exactly the namespace given by the parent process.
- Nothing outside the initial namespace can be seen
- The Linus vs. Tanenbaum debate
- Tanenbaum: Linux is 1970s technology; writing a monolithic kernel in 1991 was a mistake. The debate ended long ago and the microkernel won. I am a professor and Minix is just my hobby, so don't bring up Minix.
- Linus: Linux is far better than the Minix you wrote. Microkernels are just toys for your academic world. I have read all the papers on microkernel performance optimization; they merely repeat techniques already used in monolithic kernels.
- Mach, Hurd
- Performance overhead
- Context switching (user space <=> kernel space)
- Thread scheduling
The world needs a new operating system
- Windows is old and its historical burden is too heavy. Microsoft's own innovative Midori is dead because it could not bear to re-implement all of Windows's functionality in a new framework, so Windows can only be rebuilt in place.
- Linux cares only about the server world, like a stoker who works only in the boiler room below deck.
- macOS and iOS are enclosed in Apple's hardware ecosystem
- To make up for Linux's shortcomings, Android carries a thick middle layer and keeps making compromises.
- GNU Hurd, the "last component" of the GNU project, has never been commercialized because "the microkernel's message-passing mechanism is too hard to debug".
- Plan 9, the Unix successor, released its last version in 2002; what remains of its influence has been absorbed into Go.
Fuchsia's possible advantages on various platforms
- On the server platform, the native process sandbox mechanism will bring new security features and container mechanisms
- On the desktop platform, a graphics stack resembling a game 3D engine pipeline and a legacy-free implementation will make electronic entertainment applications more efficient; seamless compatibility with the huge Android ecosystem
- On the mobile platform, the system's modularity makes it convenient for third-party device manufacturers to customize fully, and the driver framework makes it easier for hardware vendors to write and maintain private drivers.
- Fuchsia is an operating system assembled like a Lego toy.
- At design time Google already considered that other vendors might deeply customize the OS to fit their products, so modularization is far more thorough than in Android.
- A vendor's deep customization can start from any of the following layers
- Zircon: the microkernel and underlying service processes (device manager, core device drivers, libc, and the interprocess communication interface library FIDL)
- Garnet: system-level services: software installation, communication, media, graphics, package management, update system, etc.
- Peridot: the user-experience infrastructure layer: modules, users, storage services, etc.
- Topaz: the system's basic applications: Web, Dart, Flutter
- These names are from Steven Universe
Fuchsia startup process
Creation of the first user state process
- Earlier microkernels generally had to implement a basic file-system loading function in the kernel, load the first user process file, and then never use the kernel's file system function again.
- Zircon embeds the ELF file of the first user-mode process into the kernel image, so it does not need to be loaded from a file system.
System call vDSO
- The kernel image also embeds a vDSO containing the system call entry points.
- This vDSO is mapped into the address space of every process.
- It is itself in the ELF shared object format, but it does not exist as a file, hence the name vDSO (virtual dynamic shared object).
- The Linux kernel also implements a few simple system calls this way, such as gettimeofday(). But Zircon's purpose is not to avoid switching into kernel mode; it is to embed the system call entry code in the kernel image.
Kernel state function
- Virtual memory and physical memory management
- VMO (virtual memory object): backed by physical memory
- Process and thread management
- Handles refer to the various objects in the kernel
- Interprocess communication
- Signal and wait
- Interrupt processing
- Wake up the user thread waiting for the interrupt
- No POSIX support
Zircon user mode
- devmgr, devhost, svchost, fshost
- Fuchsia defines a stable DDK interface, which makes it far more convenient for hardware vendors to develop their own closed-source drivers. The Linux kernel refuses to provide a stable in-kernel driver interface: to be officially maintained, a driver has to go into the kernel tree; otherwise it has to track the kernel's interface changes.
- The kernel provides no POSIX support; the user layer can emulate part of the POSIX interface.
- The channel is the (only) mechanism for interprocess communication
- A channel has two handles, h1 and h2; messages written at one end are read from the other.
- A process has some initial channel handles when it is created.
- To establish communication with a service x, the process creates a channel, keeps h1 itself, and sends h2 to the corresponding service over an existing channel (root_svc); the service receives h2 and adds it to its own event-listening loop
- Schematic API: connectToService(root_svc, "x", h2)
- For example, open() in Linux adds an open file descriptor to the process's kernel data structure and involves no other process; in Fuchsia it creates a channel and sends the remote end to the corresponding service, establishing a communication channel
- channel_write() writes the message somewhere another process can see. Processes do not share an address space; only the kernel's address space is shared by all processes. So channel_write() must be a system call that switches to the kernel address space to write the message. Once in the kernel address space, the other handle becomes visible; the message is written to that handle's message queue, and when the other process switches into the kernel address space it can see the message.
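As an added illustration (not code from the slides or from Fuchsia), the following Python model ties together the namespace and channel mechanics described in the sandbox and IPC sections above: a process holds only the handles its parent explicitly passed, connecting to a service means creating a channel and handing its far end over an existing channel into the service's event loop, and a path outside the namespace simply cannot be opened. The names Kernel, Service, Process and demo, and the devfs/DNS stand-ins, are constructed for this example.

```python
class Kernel:  # toy kernel: resources are reached only through handles, never by global name
    def __init__(self):
        self.handles = {}  # handle id -> (channel queues, index of this end)
    def channel_create(self):  # returns (h1, h2): write on one end, read on the other
        queues, n = ([], []), len(self.handles)
        self.handles[n + 1], self.handles[n + 2] = (queues, 0), (queues, 1)
        return n + 1, n + 2
    def channel_write(self, h, msg, handles=()):
        queues, end = self.handles[h]  # only inside the kernel is the peer end visible
        queues[1 - end].append((msg, tuple(handles)))
    def channel_read(self, h):
        queues, end = self.handles[h]
        return queues[end].pop(0)

class Service:  # user-mode server: its listening loop adopts each client end it is handed
    def __init__(self, kernel, svc_end):
        self.k, self.svc_end, self.clients = kernel, svc_end, []
    def pump(self):  # one event-loop iteration: accept a connection and answer on it
        (_, name), handles = self.k.channel_read(self.svc_end)
        self.clients.extend(handles)
        for h in handles:
            self.k.channel_write(h, f"hello from {name}")

class Process:  # created from scratch: its only authority is the namespace the parent gave it
    def __init__(self, kernel, namespace):
        self.k, self.namespace = kernel, dict(namespace)
    def connect_to_service(self, name):  # Fuchsia-style open(): no root fs, no uid check
        svc = self.namespace.get(name)
        if svc is None:
            raise PermissionError(f"{name!r} is not in this process's namespace")
        h1, h2 = self.k.channel_create()  # keep h1, ship h2 to the service
        self.k.channel_write(svc, ("connect", name), handles=[h2])
        return h1

def demo():  # constructed scenario: devfs and DNS stand-ins, a parent and a restricted child
    k = Kernel()
    (dev_c, _), (dns_c, dns_s) = k.channel_create(), k.channel_create()
    dns = Service(k, dns_s)
    parent = Process(k, {"/dev": dev_c, "/net/dns": dns_c})
    child = Process(k, {"/net/dns": parent.namespace["/net/dns"]})  # explicit subset only
    reply_end = child.connect_to_service("/net/dns")
    dns.pump()
    reply, _ = k.channel_read(reply_end)
    try:
        child.connect_to_service("/dev"); denied = False
    except PermissionError:
        denied = True
    return reply, denied, len(dns.clients)
```

The child never sees "/dev": there is no global root to walk and no uid to check, so the denial is structural rather than a permission decision.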
Kernel Address Space Layout Randomization
- The ELF's load position is random and does not follow the p_vaddr specified in the ELF program header.
- Symbol addresses are corrected at load time
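An added example, not from the slides: constructing a minimal ELF64 image in Python, reading the PT_LOAD p_vaddr values from its program headers, and computing the load bias that must be added to every linked symbol once the image is placed at a randomized base. The window and alignment used in random_load_base are assumptions for illustration, not Zircon's actual policy.

```python
import struct, secrets

EHDR = "<16sHHIQQQIHHHHHH"   # ELF64 header layout (64 bytes)
PHDR = "<IIQQQQQQ"           # ELF64 program header layout (56 bytes)
PT_LOAD = 1

def build_elf(segments):
    """Constructed minimal ELF64 image: header plus PT_LOAD headers, no segment data."""
    phdrs = b"".join(struct.pack(PHDR, PT_LOAD, 5, off, vaddr, vaddr, size, size, 0x1000)
                     for off, vaddr, size in segments)
    ehdr = struct.pack(EHDR, b"\x7fELF" + bytes([2, 1, 1]) + bytes(9), 2, 0xb7, 1,
                       segments[0][1], 64, 0, 0, 64, 56, len(segments), 64, 0, 0)
    return ehdr + phdrs

def pt_load_vaddrs(image):
    """Return the p_vaddr of every PT_LOAD segment, parsed from the program headers."""
    fields = struct.unpack_from(EHDR, image, 0)
    phoff, phentsize, phnum = fields[5], fields[9], fields[10]
    out = []
    for i in range(phnum):
        p_type, _, _, p_vaddr, *_ = struct.unpack_from(PHDR, image, phoff + i * phentsize)
        if p_type == PT_LOAD:
            out.append(p_vaddr)
    return out

def load_bias(image, load_base):
    """Difference between where the image actually landed and where it was linked."""
    return load_base - min(pt_load_vaddrs(image))

def relocate(symbol_vaddr, bias):
    """A linked symbol address corrected for the randomized load position."""
    return (symbol_vaddr + bias) & 0xFFFFFFFFFFFFFFFF

def random_load_base(linked_base, window=0x4000_0000, align=0x20_0000):
    """Assumed policy: a 2 MiB-aligned base somewhere in a 1 GiB window above the link base."""
    slots = window // align
    return linked_base + secrets.randbelow(slots) * align
```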
Fuchsia's current operating environment
- The most convenient environment, without a GUI
- Intel NUC
- Currently the best test environment, with a GUI
- Vim2 dev board
- For learning the ARM64 architecture; waiting for Google to release the GPU driver and bootloader
- Can run directly in QEMU
- Bootloader loaded at 0x40080000
- Kernel loaded at 0x40090000
- Ramdisk loaded at 0x48000000
- 0x40000000-0x40080000 holds the FDT (flattened device tree)
- The development machine starts the paving service and flashes the entire Fuchsia operating system onto the NUC.
- Start Zircon in zedboot mode and it connects directly to the development machine
Khadas Vim2 development board
- Amlogic S912 SoC
- Quad Core A53
- Mali-T450MP5 GPU
- 3 GB DDR4
- 64 GB eMMC storage
- HDMI, USB-C, USB 2.0, TF Card, Ethernet, WiFi, Bluetooth
Start of Vim2
- Arm Trusted Firmware:
- BL1 in ROM
- Custom u-boot: BL2 + BL30 + BL31 + BL32 + u-boot (BL33)
- BL2, BL30, BL31 and BL32 are binaries provided by Amlogic
- BL33 starts at eMMC offset 0x50200 and is loaded into memory at 16 MB.
- The fastboot protocol over USB-C is used to write the Zircon kernel to the boot partition
- Starting Zircon needs a bootloader for Zircon, which Google has not released
- So Zircon cannot be started yet
Acquisition of system software development capabilities
- System software is different from application software
- There is a lot of tacit knowledge, know-how accumulated over long years
- Toolchain: gcc, ld, as, clang, ELF, ...
- Microprocessors: x86, ARM, ...
- Peripherals: UEFI, ACPI, APIC, PCIe, USB, SATA, AHCI, GPU ...
- The knowledge lives in the code; there is no systematic know-how document, and hardware standards documents are generally 1000+ pages
- Writing a toy system is easy; product-level design is very hard: it must support massive numbers of devices, applications and loads
- Go through the following four stages
Summary
- Fuchsia has important innovations in security
- Fuchsia will become a very important operating system in the future
Dr. Xu Zhongxing's speech was very exciting; it gave a comprehensive introduction to the current state of Fuchsia. Welcome to follow Dr. Xu's GitHub. At the same time, the Fuchsia OS Chinese community will also publish Fuchsia kernel notes based on Dr. Xu's notes. Stay tuned, and welcome to join the discussion:
- Fuchsia OS Chinese Community: FuchsiaOS Chinese Community - A Brand New Google Open Source Operating System
- Fuchsia OS Forum: https://forum.fuchsia-china.com/
- GitHub: https://github.com/FuchsiaOS
- Community QQ Group: 788645873 Developer QQ Group: 241234421
- Telegram group: https://t.me/FuchsiaOSzh