Skip to content

Microkernels vs hypervisors

2008/04/03

I get asked this question a lot: what is the difference between a hypervisor and a microkernel? Frequently the question is accompanied by competitor-planted bullshit such as: isn’t it better to use a hypervsior for virtualization, as it is secifically designed for that, while a microkernel isn’t? But the question also pops up at scientific meetings, such as this week’s IIES workshop.

The short answer is that a microkernel is a possible implementation of a hypervsior (the right implementation, IMHO), but can do much more than just providing virtual machines.

For the long answer we have to dig a bit deeper, as the two have different motivations:

  • A hypervisor, also called a virtual-machine monitor, is the software that implements virtual machines. It is designed for the sole purpose of running de-privileged “guest” operating systems on top (except for the deceptive pseudo-virtualizers). As such it is (or contains) a kernel (defined as software running in the most privileged mode of the hardware).
  • A microkernel is a minmal base for building arbitrary systems (including virtual machines). It is characterised as containing the minmal amount of code that must run in the most privileged mode of the hardware in order to build arbitrary (yet secure) systems.

So the primary difference between the two is purpose, and that has implications on structure and APIs.

By definition (the generality requirement), a microkernel can be used to implement a hypervisor. This is what we are doing with OKL4, and has been done with verious members of the L4 microkernel family for over ten years. In fact, the 1997 SOSP paper by Härtig et al was the first to demonstrate a high-performance para-virtualized main-stream OS (Linux), and there are no published data on a para-virtualized Linux on ARM processors that out-performs OK Linux. Obviously, (well-designed) microkernels are an excellent base for hypervisors.

How about the other way round? Can a hypervisor be used to implement a microkernel?

In general not. As said above, a hypervisor is designed for a single purpose, and that is to run guest OSes. It could be used to virtualize a microkernel, but that isn’t the same (and would certainly result in sucking performance).

The reason is that a hypervisor generally lacks the minimality of a microkernel. While less powerful (in the sense that it doesn’t have the generality of a microkernel) it typically has a much larger trusted computing base (TCB) than a microkernel. It contains all the virtualization logic, and all physical device drivers needed to support the virtual machines. For example, the Xen hypervisor itself is about 5–10 times the size (in LOC) of the OKL4 microkernel. In addition, it has the privileged special virtual machine “Dom0”, which contains a complete Linux system, all part of the TCB (which is therefore of the order of a MLOC). Compare this to OKL4 which lets you run security-critical code with a TCB as small as 15kLOC. A small TCB is important for safety, security and reliability (it’s a consequence of the security principle of least authority, POLA), and as such especially important in mission-critical embedded systems.

So, what about the people who claim “virtual machine monitors are microkernels done right?” as (Xen co-inventor) Steven Hand did tounge-in-cheek at HotOS’05? Steven essentially claims that the microkernel folks have been focussing on the wrong things, such as fast IPC. I debunked his arguments in a follow-up paper. At that HotOS workshop I also predicted that the VMM folks only pretended that IPC didn’t matter, and that within two years they would be writing papers about fast communication between VMs (a problem microkernels solved 15 years ago). I was right, of course.

And the reality is that hypervisors are starting to become more like microkernels. People are starting to discover that virtualization by itself doesn’t solve many problems, particularly the security and reliability issures resulting from mushrooming complexity. (For an overview of those issues see my recent paper on the role of virtualization in embedded systems.) Anyone who has recently heard a talk by VMware founder Mendel Rosenblum knows what I mean. In fact, when he gave his keynote at last year’s Usenix conference, he was asked (not by a microkernel guy!) “aren’t you re-inventing microkernels?” Touché

If even the “memory is cheap” server folks are discovering the importance of a small TCB, people who want to use virtualization in embedded systems should certainy take notice.

In summary, microkernels have demonstrated that they can do what hypervisors can. But hypervisors are far away from doing what microkernels can. And the most powerful of those is to make your TCB truly trustworthy. For the foreseeable future, this is only possible with microkernels.

The conclusion seems obvious: microkernels are virtual-machine monitors done right, and more.

To learn more, see some of my recent white papers:

as well as my recent blogs, specifically

Advertisements
One Comment
  1. Susannah Martin permalink

    Thank you for this explanation, it has helped me. I am a customer trainer with Intel FPGA, and was needing to know the difference since hypervisors are becoming so en vogue now. However, much of my older class material refers to “secure micro OS” or “secure microkernel.” I have to anticipate my students’ questions, and I thought hypervisor vs secure microkernel would be a potential one.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: