Information Technology Reference
In-Depth Information
Figure 11. Xen architecture for device driver isolation. Drivers execute in a special driver virtual ma-
chine, called an Isolated Driver Domain (IDD)..
I/O operations, the virtual driver communicates
with a real driver executing in an
isolated driver
domain
, a virtual machine specific to that driver
or to a set of drivers. Data communication takes
place through a ring buffer, and control is com-
municated through the Xen Hypervisor.
In the driver VM, the
real driver
runs inside a
standard operating system, and the Xen hypervi-
sor provides it with access to physical devices.
Xen also provides code to receive incoming I/O
requests from guest VMs and invoke the real
driver. A failure of the driver may cause the
operating system and other drivers in the driver
VM to fail, but the guest OS and its applications
are unaffected.
This architecture provides several distinct
benefits:
systems or versions of a single operating
system.
4.
Performance is comparable to Nooks, as
passing data to a driver requires changing
memory protection or copying, and invoking
a driver requires changing page tables when
changing virtual machines.
However, this architecture also imposes ad-
ditional performance costs by running an entire
operating system in the driver's protection domain.
This requires additional memory and may require
additional administration, to apply patches to
this OS.
reSearch directionS
1.
The driver VM can execute unmodified
device drivers, providing compatibility with
existing code.
Within the operating research community, two
further approaches for driver fault tolerance have
been investigated: pushing user-mode drivers
further, to remove all drivers from the kernel; and
applying language-level protections, such as type
safety, to driver code.
2.
The operating system in the guest VM and
the driver VM may be different, enabling
drivers for one operating system (e.g., Linux
in the driver VM) to be used for device ac-
cess a different guest OS (e.g., Solaris).
user-mode drivers in microkernels
3.
The code in the guest OS is relatively simple.
In contrast to the thousands of lines of
wrapper code in Nooks, Xen requires only a
small virtual driver. In addition, this virtual
driver is easier to port between operating
All preceding approachs to driver reliability were
constrained by the need to execute within an
existing monolithic operating system. The Minix
3 operating system is a research system investi-
Search WWH ::
Custom Search