[okl4-developer] OKL4 and timer service.

Josh Matthews jmatthews at ok-labs.com
Wed Sep 9 03:50:06 EST 2009 

Hi JC,

There are a couple of reasons for OKL4 not externally exposing the timer it
uses:

a) Minimality: a guiding principle of microkernel design. Why should the
kernel provide a timer service when the same can be done at user level (this
assumes that platforms tend to have multiple timer sources, which they
generally do nowdays). Additionally, the functionality required by the
kernel of the timer is quite minimal: just a repeating hardcoded timeout;
for it to provide a useful external service the internal driver would need
to be significantly extended beyond the needs of the kernel, also violating
the minimality principle.

b) Security: if the kernel provides a time source, then you cannot
virtualize time. This not only limits what you can do with virtualization,
it makes it much easier to exploit covert timing channels, and makes it
impossible to employ some standard approaches to reducing CTC bandwidth.
(Note CTC are in general impossible to prevent, but steps can be taken to
reduce their bandwidth.)

Of course, the user is free to extend the OKL4 provided functionality
(easiest is to use the provided PlatControl system call, extensible via the
SDK) if their design dictates compelling reasons to provide a timer source.

Kind regards,

Josh

On Thu, Aug 27, 2009 at 6:52 PM, Jean-Christophe Dubois <jcd at tribudubois.net
> wrote:

> Hi,
>
> I am just wondering if somebody could give me some rational on the decision
> not to include a generic timer service inside OKL4.
>
> The fact is that OKL4 is capturing at least one set of timer from the
> platform
> preventing any Cell to access this one (which is a good thing) and uses it
> for its own internal need.
>
> Now if the platform has no more other timer to offer to the Cells, it does
> mean
> that the Cells will never be able to grab any timer in order to do some
> type
> of timeout functions. So simple function like sleep() and such would not be
> possible.
>
> Moreover, assuming you have one timer free for use, if you have multiple
> Cells
> in need of such services you would have to actually implement something
> like a
> virtual timer server to serve the need of your multiple Cells.
>
> Meanwhile the OKL4 kernel has its own timer with which it does its own tick
> stuff without any intention to share it.
>
> So why is it a bad thing (or at least not considered) to offer one central
> an
> easily accessible timer service in OKL4 lib using the OKL4 timer under the
> cover? Why is it preferable to force the user to implement its own virtual
> timer server to be used by its application (possibly composed of multiple
> cells each running a program or an OS in need of a time interrupt source)
>
> Thanks
>
> JC
>
>
>
> _______________________________________________
> Developer mailing list
> Developer at okl4.org
> https://lists.okl4.org/mailman/listinfo/developer
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.okl4.org/pipermail/developer/attachments/20090908/7857ac6e/attachment.htm

More information about the Developer mailing list